JP6264935B2 - Authentication method for information processing apparatus - Google Patents

Description

  The present invention relates to an information processing apparatus authentication method, and more particularly, to a technique in which one information processing apparatus authenticates the other information processing apparatus as a valid apparatus by processing involving encryption of a random code.

  When a pair of information processing apparatuses start communication with each other, an authentication process for confirming the validity of the counterpart apparatus in advance is indispensable. As such an authentication process, the most popular method at present is a challenge-response authentication method that performs a process involving encryption of a random code.

  When the first information processing apparatus confirms the legitimacy of the second information processing apparatus by this authentication method, first, the first information processing apparatus generates a random code called “challenge”, which is used as the second code. To the information processing apparatus. The second information processing apparatus uses a predetermined cryptographic algorithm (usually a mathematical arithmetic algorithm using a specific cryptographic key. The arithmetic algorithm itself does not necessarily have to be a secret, The encryption key is kept secret.) And sent back to the first information processing apparatus in the form of an authentication token called “response”. On the other hand, also in the first information processing apparatus, the “challenge” is encrypted using the same encryption algorithm, and it is determined whether or not the result matches the returned “response”. If the two match, the second information processing apparatus can be authenticated as a legitimate apparatus. For example, Patent Document 1 and Patent Document 2 below disclose such challenge-response authentication methods.

  By adopting the above authentication method, as long as the encryption key is kept confidential, it is possible to prevent an unauthorized authentication act that impersonates an unauthorized device as a legitimate device. In general, even if the communication path between information processing devices is wiretapped and the "challenge" and "response" exchanged between the two are intercepted, if the cryptographic algorithm is mathematically robust, that alone Is unlikely to be exposed. Actually, it is extremely difficult to analyze the currently used encryption algorithm only from “challenge” and “response” obtained by intercepting communication between information processing apparatuses.

  However, in recent years, attacks using a cryptographic analysis technique called side channel analysis (side channel attacks) have become a problem. Side channel analysis is an analysis method for estimating a cryptographic algorithm by monitoring power consumption, calculation processing time, generated electromagnetic waves, and the like for an information processing apparatus that is executing encryption processing. When this side channel analysis method is combined with the “challenge” and “response” information obtained by communication interception, it becomes easy to estimate the encryption algorithm, so even if a mathematically strong encryption algorithm is adopted, There is concern about the possibility of unauthorized authentication.

  Therefore, for example, Patent Document 3 below discloses a technique for preventing an attack on a relay terminal by devising a processing time for key processing. Further, as a countermeasure against the side channel attack, Patent Document 4 discloses a method of generating an encryption key based on a physical phenomenon, and Patent Document 5 restricts reuse of the encryption key. A method of performing encryption with a device having a function of keeping the inside secret is disclosed. Further, Patent Document 6 discloses a technique for combating a side channel attack at a circuit level, and Patent Document 7 discloses a technique for combating a side channel attack by randomly adopting a plurality of encryption keys. Has been.

WO2005 / 057447 JP 2000-183869 A JP 2006-197458 A Special table 2012-519987 gazette Special table 2013-513312 gazette WO2012 / 014291 WO2012 / 131926

  As described above, various methods have been proposed as countermeasures against side channel attacks on information processing apparatuses having an authentication function. However, the countermeasures that have been proposed in the past require a dedicated hardware facility or complicated software processing, which complicates the configuration and is not always efficient. It is not a serious countermeasure. For this reason, there is a problem in that introduction costs a certain amount and causes the product price to rise.

  Therefore, an object of the present invention is to provide an authentication method for an information processing apparatus that can sufficiently withstand an attack that combines communication interception and side channel analysis, and that can perform efficient processing.

(1) Basic invention according to the first embodiment (see FIG. 5)
According to a first aspect of the present invention, there is provided an authentication method for an information processing device in which the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
The first information processing apparatus generates a random code in which characters or numbers are enumerated using a random number, and transmits the random code to the second information processing apparatus;
The second information processing apparatus receives a random code, rearranges its constituent elements by a random first rearrangement method, and generates a rearrangement code;
The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm, and generates an encryption code;
The second information processing apparatus rearranges the constituent elements of the encryption code by a random second rearrangement method to generate a rearrangement encryption code;
The second information processing apparatus transmits rearrangement information indicating one or both of the first rearrangement method and the second rearrangement method together with the rearrangement encryption code to the first information processing apparatus. When,
The first information processing apparatus receives the rearrangement information together with the rearrangement encryption code, and verifies the validity of the received rearrangement encryption code based on the rearrangement process based on the received rearrangement information and the encryption algorithm. A step of checking by calculation or decoding operation;
Is to do.

(2) Variation of the basic invention according to the first embodiment (encryption of rearrangement information)
According to a second aspect of the present invention, in the authentication method for an information processing device according to the first aspect described above,
Transmission of the rearrangement information from the second information processing apparatus to the first information processing apparatus is performed in an encrypted state.

(3) Invention according to Example A (see FIG. 8)
According to a third aspect of the present invention, there is provided an authentication method for an information processing device in which the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus that uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A rearrangement table generation stage in which a second information processing device generates a first rearrangement table and a second rearrangement table using random numbers;
A second information processing device, based on the first rearrangement table, rearranges the components of the random code to generate a rearrangement code generation stage;
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the rearrangement code by an encryption operation based on a predetermined encryption algorithm;
A second information processing apparatus, based on the second rearrangement table, rearranges the constituent elements of the cipher code and generates a rearranged cipher code; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and the second rearrangement table, respectively, and generates the first encryption table and the second encryption table;
The second information processing apparatus transmits the first encryption table and the second encryption table together with the rearrangement encryption code to the first information processing apparatus;
The first information processing apparatus receives the first encryption table and the second encryption table together with the rearrangement encryption code, and receives the rearrangement encryption code reception stage.
A table decryption stage in which the first information processing device decrypts the first encryption table and the second encryption table, respectively, and restores the first rearrangement table and the second rearrangement table;
The collation rearrangement code generation stage in which the first information processing apparatus rearranges the components of the random code generated in the random code generation stage based on the first rearrangement table to generate the collation rearrangement code. When,
The first information processing apparatus encrypts the collation rearrangement code by the encryption operation based on the encryption algorithm to generate the collation encryption code generation stage;
The first information processing device rearranges the constituent elements of the verification encryption code based on the second rearrangement table to generate the verification rearrangement encryption code generation stage;
Whether the first information processing apparatus matches the reordered encryption code received at the reordered encryption code receiving stage and the reordered encryption code for verification generated at the verification reordered encryption code generation stage. A collation determination step of determining, when matching, that the second information processing apparatus is an apparatus whose validity has been confirmed;
Is to do.

(4) Invention according to Example B (see FIG. 9)
According to a fourth aspect of the present invention, there is provided an authentication method for an information processing device in which the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus that uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A rearrangement table generation stage in which a second information processing device generates a first rearrangement table and a second rearrangement table using random numbers;
A second information processing device, based on the first rearrangement table, rearranges the components of the random code to generate a rearrangement code generation stage;
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the rearrangement code by an encryption operation based on a predetermined encryption algorithm;
A second information processing apparatus, based on the second rearrangement table, rearranges the constituent elements of the cipher code and generates a rearranged cipher code; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and the second rearrangement table, respectively, and generates the first encryption table and the second encryption table;
The second information processing apparatus transmits the first encryption table and the second encryption table together with the rearrangement encryption code to the first information processing apparatus;
The first information processing apparatus receives the first encryption table and the second encryption table together with the rearrangement encryption code, and receives the rearrangement encryption code reception stage.
A table decryption stage in which the first information processing device decrypts the first encryption table and the second encryption table, respectively, and restores the first rearrangement table and the second rearrangement table;
The collation rearrangement code generation stage in which the first information processing apparatus rearranges the components of the random code generated in the random code generation stage based on the first rearrangement table to generate the collation rearrangement code. When,
A first verification encryption code generating step of generating a verification encryption code by encrypting the verification rearrangement code by an encryption operation based on the encryption algorithm;
The first information processing apparatus rearranges the components of the reordered encryption code received in the reordered encryption code reception stage based on the table obtained by reversing the second reordering table, and generates a verification encryption code. A verification encryption code second generation stage;
The first information processing apparatus collates whether or not the verification encryption code generated in the verification encryption code first generation stage matches the verification encryption code generated in the verification encryption code second generation stage. And a collation determination stage for determining, when they match, that the second information processing apparatus is an apparatus whose validity has been confirmed;
Is to do.

(5) Invention according to Example C (see FIG. 10)
According to a fifth aspect of the present invention, in the authentication method for an information processing device, the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus that uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A rearrangement table generation stage in which a second information processing device generates a first rearrangement table and a second rearrangement table using random numbers;
A second information processing device, based on the first rearrangement table, rearranges the components of the random code to generate a rearrangement code generation stage;
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the rearrangement code by an encryption operation based on a predetermined encryption algorithm;
A second information processing apparatus, based on the second rearrangement table, rearranges the constituent elements of the cipher code and generates a rearranged cipher code; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and the second rearrangement table, respectively, and generates the first encryption table and the second encryption table;
The second information processing apparatus transmits the first encryption table and the second encryption table together with the rearrangement encryption code to the first information processing apparatus;
The first information processing apparatus receives the first encryption table and the second encryption table together with the rearrangement encryption code, and receives the rearrangement encryption code reception stage.
A table decryption stage in which the first information processing device decrypts the first encryption table and the second encryption table, respectively, and restores the first rearrangement table and the second rearrangement table;
The first information processing apparatus rearranges the components of the reordered encryption code received in the reordered encryption code reception stage based on the table obtained by reversing the second reordering table, and generates a verification encryption code. A verification encryption code generation stage;
A collation rearrangement code generation stage in which the first information processing apparatus generates a collation rearrangement code by decrypting the collation cipher code by a decryption operation based on the encryption algorithm;
A collating random code generation stage in which the first information processing apparatus rearranges the constituent elements of the collating reordering code based on the table obtained by reversing the first reordering table to generate a collating random code;
When the first information processing apparatus collates whether or not the random code generated in the random code generation stage matches the verification random code generated in the verification random code generation stage. A collation determination stage for determining that the second information processing apparatus is a verified apparatus;
Is to do.

(6) Invention according to Example D (see FIG. 11)
According to a sixth aspect of the present invention, there is provided an authentication method for an information processing device in which the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus that uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A rearrangement table generation stage in which a second information processing device generates a first rearrangement table and a second rearrangement table using random numbers;
A second information processing device, based on the first rearrangement table, rearranges the components of the random code to generate a rearrangement code generation stage;
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the rearrangement code by an encryption operation based on a predetermined encryption algorithm;
A second information processing apparatus, based on the second rearrangement table, rearranges the constituent elements of the cipher code and generates a rearranged cipher code; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and the second rearrangement table, respectively, and generates the first encryption table and the second encryption table;
The second information processing apparatus transmits the first encryption table and the second encryption table together with the rearrangement encryption code to the first information processing apparatus;
The first information processing apparatus receives the first encryption table and the second encryption table together with the rearrangement encryption code, and receives the rearrangement encryption code reception stage.
A table decryption stage in which the first information processing device decrypts the first encryption table and the second encryption table, respectively, and restores the first rearrangement table and the second rearrangement table;
The first information processing apparatus rearranges the components of the reordered encryption code received in the reordered encryption code reception stage based on the table obtained by reversing the second reordering table, and generates a verification encryption code. A verification encryption code generation stage;
A collation rearrangement code first generation stage in which the first information processing apparatus decrypts the collation cipher code by the decryption operation based on the cipher algorithm and generates a collation rearrangement code;
Based on the first rearrangement table, the first information processing apparatus rearranges the components of the random code generated at the random code generation stage to generate the collation rearrangement code second. Generation stage,
Does the first information processing apparatus match the collation rearrangement code generated in the collation rearrangement code first generation stage with the collation rearrangement code generated in the second collation rearrangement code generation stage? A collation determination step of determining whether or not the second information processing apparatus is a confirmed apparatus when matching,
Is to do.

(7) Invention according to Example E (see FIG. 12)
According to a seventh aspect of the present invention, there is provided an authentication method for an information processing device in which the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus that uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A rearrangement table generation stage in which a second information processing device generates a first rearrangement table and a second rearrangement table using random numbers;
A second information processing device, based on the first rearrangement table, rearranges the components of the random code to generate a rearrangement code generation stage;
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the rearrangement code by an encryption operation based on a predetermined encryption algorithm;
A second information processing apparatus, based on the second rearrangement table, rearranges the constituent elements of the cipher code and generates a rearranged cipher code; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and generates the first encryption table;
A second information processing apparatus transmits a first encryption table together with the rearrangement encryption code to the first information processing apparatus;
A first information processing apparatus receives a first encryption table together with a rearranged encryption code;
A table decryption stage in which the first information processing apparatus decrypts the first encryption table and restores the first rearrangement table;
The collation rearrangement code generation stage in which the first information processing apparatus rearranges the components of the random code generated in the random code generation stage based on the first rearrangement table to generate the collation rearrangement code. When,
The first information processing apparatus encrypts the collation rearrangement code by the encryption operation based on the encryption algorithm to generate the collation encryption code generation stage;
A configuration in which the first information processing apparatus is included in the constituent encryption code received in the rearrangement encryption code receiving stage and the verification encryption code generated in the verification encryption code generation stage. A collation determination step of collating whether or not the elements correspond to each other, and determining that the second information processing apparatus is an apparatus whose validity has been confirmed,
Is to do.

(8) Invention according to Example F (see FIG. 13)
According to an eighth aspect of the present invention, there is provided an authentication method for an information processing device in which the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus that uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A rearrangement table generation stage in which a second information processing device generates a first rearrangement table and a second rearrangement table using random numbers;
A second information processing device, based on the first rearrangement table, rearranges the components of the random code to generate a rearrangement code generation stage;
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the rearrangement code by an encryption operation based on a predetermined encryption algorithm;
A second information processing apparatus, based on the second rearrangement table, rearranges the constituent elements of the cipher code and generates a rearranged cipher code; and
A table encryption stage in which the second information processing apparatus encrypts the second rearrangement table and generates a second encryption table;
A second encryption information transmitting step in which the second information processing device transmits the second encryption table together with the replacement encryption code to the first information processing device;
A first information processing apparatus that receives a second encryption table together with a rearranged encryption code;
A table decryption stage in which the first information processing device decrypts the second encryption table and restores the second rearrangement table;
The first information processing apparatus rearranges the components of the reordered encryption code received in the reordered encryption code reception stage based on the table obtained by reversing the second reordering table, and generates a verification encryption code. A verification encryption code generation stage;
A collation rearrangement code generation stage in which the first information processing apparatus generates a collation rearrangement code by decrypting the collation cipher code by a decryption operation based on the encryption algorithm;
Components included in the random code generated in the random code generation stage by the first information processing apparatus, and components included in the collation rearrangement code generated in the collation rearrangement code generation stage And a collation determination step of determining that the second information processing device is a device whose validity has been confirmed.
Is to do.

(9) Invention according to Example G (see FIG. 14)
According to a ninth aspect of the present invention, in the authentication method for an information processing device, the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus that uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A rearrangement table generation stage in which a second information processing device generates a rearrangement table using random numbers;
A second information processing device, based on the rearrangement table, rearranges random code components to generate a rearrangement code generation stage;
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the rearrangement code by an encryption operation based on a predetermined encryption algorithm;
A second information processing apparatus that generates a predetermined function value by applying a one-way function to the encryption code; and
A table encryption stage in which the second information processing apparatus encrypts the rearrangement table and generates an encryption table;
A function value transmission stage in which the second information processing apparatus transmits the encryption table together with the function value to the first information processing apparatus;
A function value receiving stage in which the first information processing apparatus receives the encryption table together with the function value;
A table decryption stage in which the first information processing apparatus decrypts the encryption table and restores the rearrangement table;
A collation rearrangement code generation stage in which the first information processing device rearranges the components of the random code generated in the random code generation stage based on the rearrangement table to generate a collation rearrangement code;
The first information processing apparatus encrypts the collation rearrangement code by the encryption operation based on the encryption algorithm to generate the collation encryption code generation stage;
A first unidirectional function value generation stage in which the first information processing apparatus generates the verification function value by applying the unidirectional function to the verification encryption code;
The first information processing apparatus collates whether or not the function value received at the function value receiving stage matches the matching function value generated at the matching one-way function value generating stage. A collation determination stage for determining that the second information processing apparatus is a verified apparatus;
Is to do.

(10) Variations of Examples A to F (same sort table)
A tenth aspect of the present invention is the information processing apparatus authentication method according to the third to eighth aspects described above,
The same table is used as the first rearrangement table and the second rearrangement table.

(11) Variations of Examples A to G (public key cryptosystem)
An eleventh aspect of the present invention is the information processing apparatus authentication method according to the third to tenth aspects described above.
The second information processing apparatus encrypts the rearrangement table using one of a pair of keys used for the public key cryptosystem in the table encryption stage,
In the table decryption stage, the first information processing apparatus decrypts the rearrangement table using the other key of the pair of keys.

(12) Basic invention according to the second embodiment (see FIG. 15)
According to a twelfth aspect of the present invention, in the authentication method for an information processing device, the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing device generates a random code enumerating numbers using random numbers and transmits the random code to the second information processing device;
The second information processing apparatus receives a random code, and generates a correction code by performing a first correction operation using the first correction number generated at random for each number that is a component of the random code. And the stage of
A step in which the second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm, and generates an encryption code;
A step in which the second information processing apparatus performs a second correction operation using a second correction number generated at random on each number as a constituent element of the encryption code to generate a corrected encryption code; ,
A step in which the second information processing apparatus transmits correction information indicating one or both of the first correction calculation and the second correction calculation together with the correction encryption code to the first information processing apparatus;
The first information processing apparatus receives the modification information together with the modified encryption code, and the validity of the received modified encryption code is determined by the modification operation based on the received modification information and the encryption operation or decryption operation based on the encryption algorithm. A stage to check,
Is to do.

(13) Variation of the basic invention according to the second embodiment (encryption of correction information)
A thirteenth aspect of the present invention is the information processing apparatus authentication method according to the twelfth aspect described above,
The correction information is transmitted from the second information processing apparatus to the first information processing apparatus in an encrypted state.

(14) Invention according to Example a (see FIG. 18)
According to a fourteenth aspect of the present invention, in the authentication method for an information processing device, the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus generates a random code using a random number to generate a random code that enumerates constituent numbers,
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code generation stage in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a constituent element of the received random code; ,
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the correction code by an encryption operation based on a predetermined encryption algorithm;
A modified encryption code generation stage in which the second information processing apparatus performs a second modification operation using the second modification number on each number that is a constituent element of the encryption code to generate a modified encryption code; ,
A modified number encryption stage in which the second information processing apparatus encrypts the first modified number and the second modified number, respectively, and generates the first encrypted modified number and the second encrypted modified number;
A modified encryption code transmission stage in which the second information processing apparatus transmits the first encryption modification number and the second encryption modification number together with the modified encryption code to the first information processing apparatus;
A modified encryption code receiving stage in which the first information processing apparatus receives the first encryption modification number and the second encryption modification number together with the modified encryption code;
A modified number decryption stage in which the first information processing device decrypts the first encrypted modified number and the second encrypted modified number, respectively, and restores the first modified number and the second modified number;
The first information processing apparatus performs a first correction operation using the first correction number on each number that is a constituent element of the random code generated at the random code generation stage, and performs a correction code for verification. A verification correction code generation stage for generating
The first information processing apparatus encrypts the verification correction code and generates a verification encryption code by an encryption operation based on the encryption algorithm;
The first information processing apparatus performs a second correction operation using the second correction number on each number that is a constituent element of the verification encryption code to generate a verification corrected encryption code A modified cryptographic code generation stage;
The first information processing apparatus collates whether or not the modified encrypted code received in the modified encrypted code receiving stage matches the matched modified encrypted code generated in the collated modified encrypted code generation stage. A collation determination stage for determining that the second information processing device is a device whose validity has been confirmed.
It is what I do.

(15) Invention according to Example b (see FIG. 19)
According to a fifteenth aspect of the present invention, in the authentication method for an information processing device, the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus generates a random code using a random number to generate a random code that enumerates constituent numbers,
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code generation stage in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a constituent element of the received random code; ,
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the correction code by an encryption operation based on a predetermined encryption algorithm;
A modified encryption code generation stage in which the second information processing apparatus performs a second modification operation using the second modification number on each number that is a constituent element of the encryption code to generate a modified encryption code; ,
A modified number encryption stage in which the second information processing apparatus encrypts the first modified number and the second modified number, respectively, and generates the first encrypted modified number and the second encrypted modified number;
A modified encryption code transmission stage in which the second information processing apparatus transmits the first encryption modification number and the second encryption modification number together with the modified encryption code to the first information processing apparatus;
A modified encryption code receiving stage in which the first information processing apparatus receives the first encryption modification number and the second encryption modification number together with the modified encryption code;
A modified number decryption stage in which the first information processing device decrypts the first encrypted modified number and the second encrypted modified number, respectively, and restores the first modified number and the second modified number;
The first information processing apparatus performs a first correction operation using the first correction number on each number that is a constituent element of the random code generated at the random code generation stage, and performs a correction code for verification. A verification correction code generation stage for generating
A first verification encryption code generating step of generating a verification encryption code by encrypting the verification correction code by an encryption operation based on the encryption algorithm;
The first information processing apparatus generates a verification encryption code by performing an operation opposite to the second correction operation using the second correction number on each number that is a component of the correction encryption code. A verification encryption code second generation stage,
The first information processing apparatus collates whether or not the verification encryption code generated in the verification encryption code first generation stage matches the verification encryption code generated in the verification encryption code second generation stage. And a collation determination stage for determining, when they match, that the second information processing apparatus is an apparatus whose validity has been confirmed;
Is to do.

(16) Invention according to Example c (see FIG. 20)
According to a sixteenth aspect of the present invention, in the authentication method for an information processing device, the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus generates a random code using a random number to generate a random code that enumerates constituent numbers,
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code generation stage in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a constituent element of the received random code; ,
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the correction code by an encryption operation based on a predetermined encryption algorithm;
A modified encryption code generation stage in which the second information processing apparatus performs a second modification operation using the second modification number on each number that is a constituent element of the encryption code to generate a modified encryption code; ,
A modified number encryption stage in which the second information processing apparatus encrypts the first modified number and the second modified number, respectively, and generates the first encrypted modified number and the second encrypted modified number;
A modified encryption code transmission stage in which the second information processing apparatus transmits the first encryption modification number and the second encryption modification number together with the modified encryption code to the first information processing apparatus;
A modified encryption code receiving stage in which the first information processing apparatus receives the first encryption modification number and the second encryption modification number together with the modified encryption code;
A modified number decryption stage in which the first information processing device decrypts the first encrypted modified number and the second encrypted modified number, respectively, and restores the first modified number and the second modified number;
The first information processing apparatus performs an operation opposite to the second correction operation using the second correction number for each number that is a component of the corrected encryption code received in the correction encryption code reception stage. A verification cryptographic code generation stage for performing verification and generating a verification cryptographic code;
A verification correction code generation stage in which the first information processing apparatus generates a verification correction code by decrypting the verification encryption code by a decryption operation based on the encryption algorithm;
The first information processing apparatus performs an operation opposite to the first correction operation using the first correction number on each number that is a component of the correction code for verification to generate a random code for verification. A verification random code generation stage to generate;
When the first information processing apparatus collates whether or not the random code generated in the random code generation stage matches the verification random code generated in the verification random code generation stage. A collation determination stage for determining that the second information processing apparatus is a verified apparatus;
Is to do.

(17) Invention according to Example d (see FIG. 21)
According to a seventeenth aspect of the present invention, in the authentication method for an information processing device, the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus generates a random code using a random number to generate a random code that enumerates constituent numbers,
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code generation stage in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a constituent element of the received random code; ,
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the correction code by an encryption operation based on a predetermined encryption algorithm;
A modified encryption code generation stage in which the second information processing apparatus performs a second modification operation using the second modification number on each number that is a constituent element of the encryption code to generate a modified encryption code; ,
A modified number encryption stage in which the second information processing apparatus encrypts the first modified number and the second modified number, respectively, and generates the first encrypted modified number and the second encrypted modified number;
A modified encryption code transmission stage in which the second information processing apparatus transmits the first encryption modification number and the second encryption modification number together with the modified encryption code to the first information processing apparatus;
A modified encryption code receiving stage in which the first information processing apparatus receives the first encryption modification number and the second encryption modification number together with the modified encryption code;
A modified number decryption stage in which the first information processing device decrypts the first encrypted modified number and the second encrypted modified number, respectively, and restores the first modified number and the second modified number;
The first information processing apparatus performs an operation opposite to the second correction operation using the second correction number for each number that is a component of the corrected encryption code received in the correction encryption code reception stage. A verification cryptographic code generation stage for performing verification and generating a verification cryptographic code;
A first correction code for collation generating a correction code for collation by decrypting the cipher code for collation by a decryption operation based on the encryption algorithm;
The first information processing apparatus performs a first correction operation using the first correction number on each number that is a constituent element of the random code generated at the random code generation stage, and performs a correction code for verification. A correction code second generation stage for generating a verification code;
The first information processing apparatus collates whether or not the collation correction code generated in the collation correction code first generation stage matches the collation correction code generated in the collation correction code second generation stage. And a collation determination stage for determining, when they match, that the second information processing apparatus is an apparatus whose validity has been confirmed;
Is to do.

(18) Invention according to Example e (see FIG. 22)
According to an eighteenth aspect of the present invention, in the authentication method for an information processing device, the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus generates a random code using a random number to generate a random code that enumerates constituent numbers,
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code generation stage in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a constituent element of the received random code; ,
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the correction code by an encryption operation based on a predetermined encryption algorithm;
A modified encryption code generation stage in which the second information processing apparatus performs a second modification operation using the second modification number on each number that is a constituent element of the encryption code to generate a modified encryption code; ,
A correction number encryption stage in which the second information processing apparatus encrypts the first correction number and generates the first encryption correction number;
A modified encryption code transmission stage in which the second information processing apparatus transmits the first encrypted modification number together with the modified encryption code to the first information processing apparatus;
A modified encryption code receiving stage in which the first information processing apparatus receives the first encryption modification number together with the modified encryption code;
A modified number decryption stage in which the first information processing apparatus decrypts the first encrypted modified number and restores the first modified number;
The first information processing apparatus performs a first correction operation using the first correction number on each number that is a constituent element of the random code generated at the random code generation stage, and performs a correction code for verification. A verification correction code generation stage for generating
The first information processing apparatus encrypts the verification correction code and generates a verification encryption code by an encryption operation based on the encryption algorithm;
A component included in the modified encryption code received by the first information processing apparatus in the modified encryption code reception stage; and a component included in the verification encryption code generated in the verification encryption code generation stage; Is verified whether the second information processing apparatus has a consistent correspondence as a numerical value before and after the calculation by the second correction operation. A collation determination stage for determining the device;
Is to do.

(19) Invention according to Example f (see FIG. 23)
According to a nineteenth aspect of the present invention, in the authentication method for an information processing device, the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus generates a random code using a random number to generate a random code that enumerates constituent numbers,
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code generation stage in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a constituent element of the received random code; ,
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the correction code by an encryption operation based on a predetermined encryption algorithm;
A modified encryption code generation stage in which the second information processing apparatus performs a second modification operation using the second modification number on each number that is a constituent element of the encryption code to generate a modified encryption code; ,
A modified number encryption stage in which the second information processing apparatus encrypts the second modified number and generates a second encrypted modified number;
A modified encryption code transmission stage in which the second information processing apparatus transmits the second encrypted modification number together with the modified encryption code to the first information processing apparatus;
A modified encryption code receiving stage in which the first information processing apparatus receives the second encrypted modification number together with the modified encryption code;
A modified number decryption stage in which the first information processing apparatus decrypts the second encrypted modified number and restores the second modified number;
The first information processing apparatus performs an operation opposite to the second correction operation using the second correction number for each number that is a component of the corrected encryption code received in the correction encryption code reception stage. A verification cryptographic code generation stage for performing verification and generating a verification cryptographic code;
A verification correction code generation stage in which the first information processing apparatus generates a verification correction code by decrypting the verification encryption code by a decryption operation based on the encryption algorithm;
The first information processing apparatus includes a component included in the random code generated in the random code generation stage, a component included in the verification correction code generated in the verification correction code generation stage, Is verified as a numerical value before and after the calculation by the first correction calculation, and the second information processing apparatus is confirmed to be valid when it has a consistent correspondence. A matching determination stage for determining
Is to do.

(20) Invention according to Example g (see FIG. 24)
According to a twentieth aspect of the present invention, there is provided an authentication method for an information processing device in which the first information processing device authenticates the second information processing device as a device whose validity has been confirmed.
A first information processing apparatus generates a random code using a random number to generate a random code that enumerates constituent numbers,
A random code transmission stage in which the first information processing device transmits a random code to the second information processing device;
A random code receiving stage in which the second information processing apparatus receives a random code;
A correction number generation stage in which the second information processing apparatus generates a correction number using a random number;
A correction code generation stage in which the second information processing apparatus generates a correction code by performing a correction operation using the correction number for each number that is a constituent element of the received random code;
An encryption code generation stage in which the second information processing apparatus generates an encryption code by encrypting the correction code by an encryption operation based on a predetermined encryption algorithm;
A second information processing apparatus that generates a predetermined function value by applying a one-way function to the encryption code; and
A correction number encryption stage in which the second information processing apparatus encrypts the correction number and generates an encrypted correction number;
A function value transmission stage in which the second information processing apparatus transmits the encryption correction number together with the function value to the first information processing apparatus;
A function value receiving stage in which the first information processing apparatus receives the encryption correction number together with the function value;
A first information processing apparatus decrypts the encrypted correction number and restores the correction number;
The first information processing device performs a correction operation using the correction number on each number that is a constituent element of the random code generated at the random code generation stage to generate a correction code for verification A modified code generation stage;
The first information processing apparatus encrypts the verification correction code and generates a verification encryption code by an encryption operation based on the encryption algorithm;
A first unidirectional function value generation stage in which the first information processing apparatus generates the verification function value by applying the unidirectional function to the verification encryption code;
The first information processing apparatus collates whether or not the function value received at the function value receiving stage matches the matching function value generated at the matching one-way function value generating stage. A collation determination stage for determining that the second information processing apparatus is a verified apparatus;
Is to do.

(21) Variations of Examples a to f (the same number of modifications)
According to a twenty-first aspect of the present invention, in the authentication method for an information processing device according to the fourteenth to nineteenth aspects described above,
The same correction number is used as the first correction number and the second correction number.

(22) Variations of Examples ag (public key cryptosystem)
According to a twenty-second aspect of the present invention, in the authentication method for an information processing device according to the fourteenth to twenty-first aspects described above,
The second information processing apparatus performs encryption of the correction number using one of the pair of keys used for the public key cryptosystem in the correction number encryption stage,
The first information processing apparatus is configured to decrypt the modified number using the other key of the pair of keys in the modified number decryption stage.

(23) Variations of Examples a to g (addition / subtraction of correction number)
According to a twenty-third aspect of the present invention, in the information processing apparatus authentication method according to the fourteenth to twenty-second aspects described above,
A positive or negative number generated using a random number is used as the correction number, and an operation for adding or subtracting the correction number to each number is performed as the correction operation.

(24) Variations of Examples ag (Limitation of numerical range)
According to a twenty-fourth aspect of the present invention, in the authentication method for an information processing device according to the twenty-third aspect described above,
When performing the correction operation so that the individual numbers that are the constituent elements of the random code and the individual numbers that are the constituent elements of the encryption code are numerical values within the range of N to M (where N <M), When the calculated numerical value V is V <N, correction is performed by adding (M−N + 1), and when the calculated numerical value V is V> M, correction is performed by subtracting (M−N + 1). The numerical value after the correction calculation is set to a numerical value within the range of N to M.

(25) Variations of Examples ag (Individual correction for each component)
According to a twenty-fifth aspect of the present invention, in the information processing apparatus authentication method according to the fourteenth to twenty-fourth aspects described above,
For a code including a plurality of n numbers as constituent elements, a correction number is separately generated for each of the n constituent elements, and a correction operation is performed using a sequence of n correction numbers. Processing device authentication method.

(26) Variations of the basic invention according to the second embodiment (code including characters)
According to a twenty-sixth aspect of the present invention, in the authentication method for an information processing apparatus according to the twelfth to twenty-fifth aspects described above,
As the first information processing device and the second information processing device, devices that handle characters associated with specific numbers are used to generate a code including characters as a random code or an encryption code. The processing is handled as a corresponding number.

(27) Variations of the present invention as a whole (mutual authentication)
A twenty-seventh aspect of the present invention is the information processing apparatus authentication method according to the first to twenty-sixth aspects described above.
By further performing a process in which each processing stage performed by the first information processing apparatus and each processing stage performed by the second information processing apparatus are interchanged, the first information processing apparatus changes the second information processing apparatus. While authenticating as a device whose validity has been confirmed, the second information processing device performs processing for authenticating the first information processing device as a device whose validity has been confirmed.

(28) Variation of the present invention as a whole (information processing device)
A twenty-eighth aspect of the present invention has a function of executing each stage performed by the first information processing apparatus or the second information processing apparatus in the information processing apparatus authentication method according to the first to twenty-sixth aspects described above. A device is provided.

(29) Variations (programs) for the present invention as a whole
According to a twenty-ninth aspect of the present invention, there is provided a program for causing a computer to execute each step performed by the first information processing apparatus or the second information processing apparatus in the authentication method for the information processing apparatus according to the first to twenty-sixth aspects. It is intended to provide.

  According to the authentication method of the information processing apparatus according to the present invention, when the random code (challenge) transmitted from the first information processing apparatus is encrypted by the second information processing apparatus, before and after the encryption process. Since the code rearrangement process, the correction process, or the action process of the one-way function is performed, the challenge and response transmitted / received via the communication path and the plaintext and ciphertext to be encrypted are , The data will be different from each other. That is, the challenge and response obtained by communication interception do not directly correspond to the plaintext and ciphertext used in the encryption processing to be subjected to side channel analysis. Therefore, even if an attack that combines communication interception and side channel analysis is performed, it is not possible to easily estimate the encryption algorithm that is used, and an authentication method that can sufficiently withstand such a combined attack. Can be provided. In introducing the present invention, it is only necessary to perform code rearrangement processing, correction processing, or one-way function operation processing before and after the encryption processing. This can be achieved and the introduction cost can be suppressed.

It is a block diagram which shows the authentication method of a general challenge response system. It is a figure which shows an example of the concrete encryption algorithm A utilized for convenience by description of this application. It is a block diagram which shows the transition of the concrete data at the time of using the encryption algorithm A shown in FIG. 2 for the authentication method shown in FIG. It is a figure which shows the attack which combined the communication interception and side channel analysis with respect to the authentication method shown in FIG. It is a block diagram which shows the basic concept of the authentication method which concerns on the 1st Embodiment of this invention. It is a figure which shows the specific rearrangement method used by embodiment of FIG. It is a figure which shows the attack which combined communication interception and side channel analysis with respect to the authentication method shown in FIG. It is a block diagram which shows the specific Example A of 1st Embodiment shown in FIG. It is a block diagram which shows the specific Example B of 1st Embodiment shown in FIG. It is a block diagram which shows the specific Example C of 1st Embodiment shown in FIG. It is a block diagram which shows the specific Example D of 1st Embodiment shown in FIG. It is a block diagram which shows the specific Example E of 1st Embodiment shown in FIG. It is a block diagram which shows the specific Example F of 1st Embodiment shown in FIG. It is a block diagram which shows the specific Example G of 1st Embodiment shown in FIG. It is a block diagram which shows the basic concept of the authentication method which concerns on the 2nd Embodiment of this invention. It is a figure which shows the specific correction calculation used in embodiment of FIG. It is a figure which shows the attack which combined the communication interception and side channel analysis with respect to the authentication method shown in FIG. It is a block diagram which shows the specific Example a of 2nd Embodiment shown in FIG. It is a block diagram which shows the specific Example b of 2nd Embodiment shown in FIG. It is a block diagram which shows the specific Example c of 2nd Embodiment shown in FIG. It is a block diagram which shows the specific Example d of 2nd Embodiment shown in FIG. It is a block diagram which shows the specific Example e of 2nd Embodiment shown in FIG. It is a block diagram which shows the specific Example f of 2nd Embodiment shown in FIG. It is a block diagram which shows the specific Example g of 2nd Embodiment shown in FIG.

  Hereinafter, the present invention will be described based on the illustrated embodiments.

<<< §1. General challenge-response authentication method >>>
First, for the convenience of explanation, the basic principle of a general challenge-response authentication method that has been widely used in the past will be briefly described. Here, as shown in FIG. 1, the first information processing apparatus 10 (for example, a server apparatus) specifically takes a process of confirming the validity of the second information processing apparatus 20 (for example, a client apparatus) as an example. The procedure according to the data flow is described.

  In the case of the illustrated example, as the components involved in the authentication process, the first information processing apparatus 10 includes a random code generation unit 11, a verification encryption code generation unit 13, a verification determination unit 15, a random code transmission unit 16, The encryption code receiving unit 17 is provided, and the second information processing apparatus 20 is provided with a random code receiving unit 21, an encryption code generating unit 23, and an encryption code transmitting unit 25.

  Of course, in reality, each of the information processing apparatuses 10 and 20 incorporates various components necessary for executing the original functions, but only the components involved in the authentication processing are illustrated here. Only those components shown and described will be described. The same applies to the description of each embodiment of the present invention described below.

  Further, in the present application, each component of each information processing apparatus is indicated by a block called “XX part”, and the process executed by the “XX part” is called “XX process” or “XX stage”. I will decide. For example, in the example shown in FIG. 1, the process executed by the random code generation unit 11 is “random code generation process” or “random code generation stage”, and the process executed by the random code transmission unit 16 is “random code transmission”. This is called “processing” or “random code transmission stage”. Actually, each of these components is realized as an individual function of a computer or a semiconductor integrated circuit in which a dedicated program is incorporated, and each process and each stage is executed by the computer or the semiconductor integrated circuit. It will be.

  In order for the first information processing apparatus 10 to authenticate the second information processing apparatus 20 as an apparatus whose validity has been confirmed, first, a random code R enumerated by a random code generator 11 is used. Is generated. The random code generator 11 has a function of generating a random number, and a random code R composed of a plurality of characters or numbers is generated using this function. For example, it is only necessary to generate a random code R consisting of n bytes in which n constituent elements are enumerated, each of which consists of a number consisting of 1 byte. This random code generation stage process is performed every time authentication of the second information processing apparatus 20 is required, but since the random code R is a random code generated based on a random number, Its contents are different.

  The random code R generated in this way is transmitted to the second information processing apparatus 20 by the random code transmission unit 16. The random code R transmitted in this way is data generally called “challenge”. The data handled by the computer is binary digital data, but in this application, for convenience of explanation of the embodiments, the random code R and various codes derived therefrom are grasped as codes in which characters or numbers are enumerated. The following explanation will be given.

  On the other hand, in the second information processing apparatus 20, the random code R transmitted as “challenge” is received by the random code receiving unit 21 and delivered to the encryption code generating unit 23. The encryption code generation unit 23 encrypts the given random code R based on a predetermined encryption algorithm A, generates a encryption code Q, and supplies this to the encryption code transmission unit 25. The encryption code transmission unit 25 transmits this encryption code Q to the first information processing apparatus 10. The encryption code Q transmitted in this way is data generally called “response” (authentication token).

  Subsequently, in the first information processing apparatus 10, the encryption code Q transmitted as “response” is received by the encryption code receiving unit 17. The random code R generated by the random code generation unit 11 is delivered to the verification encryption code generation unit 13. The verification encryption code generation unit 13 is a component having the same function as the encryption code generation unit 23 in the second information processing apparatus 20, and encrypts the given random code R based on the encryption algorithm A, Processing for generating a verification encryption code Q is performed.

  The encryption algorithm A used in the verification encryption code generation unit 13 in the first information processing apparatus 10 is exactly the same algorithm as the encryption algorithm A used in the encryption code generation unit 23 in the second information processing apparatus 20. It is. In the drawing, in order to clearly show this point, a symbol of a circle A is written in each of the blocks 13 and 23. Therefore, the verification encryption code Q generated by the verification encryption code generation unit 13 should be identical to the encryption code Q generated by the encryption code generation unit 23. The collation determination unit 15 collates whether or not both match, and performs a collation determination process that determines that the second information processing device 20 is a device whose validity has been confirmed.

  In short, the random code R generated by the first information processing apparatus 10 is given as a challenge (plain text) to the second information processing apparatus 200, encrypted by the second information processing apparatus 200, and the obtained encryption code Q is obtained. By making a response (ciphertext) as a response and determining in the first information processing apparatus 10 whether or not the response (ciphertext) is correct according to the challenge (plaintext), the second information The validity of the processing device 200 is confirmed.

  By adopting such a challenge-response authentication method, as long as the encryption algorithm A is kept confidential, it is possible to prevent an unauthorized authentication act that impersonates an unauthorized device as a legitimate device. For example, even if the third information processing device 30 looks like the second information processing device 20 and attempts to perform an illegal act, the entity of the encryption algorithm A employed by the encryption code generation unit 23 can be grasped. Otherwise, since the correct response Q cannot be returned to the given challenge R, the first information processing apparatus 10 does not authenticate the third information processing apparatus 30 as a legitimate apparatus.

  As the encryption algorithm A, a complicated mathematical calculation process using a unique secret key is usually used. The term “encryption algorithm” in the present invention means not only such a mathematical operation processing procedure itself but also a concept including a unique secret key used for the operation. Therefore, even if the mathematical operation procedure itself leaks, the confidentiality of the “encryption algorithm” in the present invention can be maintained if the unique secret key used for the operation is in a confidential state.

  As described above, in a general challenge-response authentication method, an encryption algorithm including a complicated mathematical operation process using a unique secret key (encryption key) is usually used. However, in the following examples, for convenience of explanation, specific data transition examples will be shown based on an example in which a very simple encryption algorithm A as shown in FIG. 2 is adopted. The encryption algorithm A shown in FIG. 2 performs encryption processing and decryption processing using a table in which 10 types of numbers (1 to 9, 0) and 10 types of alphabets (A to J) correspond to each other in a one-to-one relationship. It is an example to do.

  For example, when plaintext data enclosing five numbers “12345” is given, if encryption processing is performed using the encryption algorithm A shown in FIG. 2, encrypted data enumerating five alphabets “ABCDE” Will be obtained. Conversely, if encrypted data “ABCDE” is given and decryption processing is performed using this encryption algorithm A, the original plaintext data “12345” is obtained. Note that the distinction between plaintext data / encrypted data and the distinction between encryption processing / decryption processing are determined according to the convenience of humans, and the names may be reversed.

  In short, the encryption algorithm A may be a logical algorithm for reversibly converting given data in the first state into data in the second state uniquely. Since it is a reversible conversion algorithm, naturally, the data in the second state can be uniquely returned to the data in the first state. As described above, an extremely simple cryptographic algorithm A as illustrated in FIG. 2 is not practically used. However, in this application, for convenience of explanation, an example using such a simple cryptographic algorithm A is used. It will be described below.

  FIG. 3 is a block diagram showing a specific data transition when the encryption algorithm A shown in FIG. 2 is used in the authentication method shown in FIG. FIG. 3 shows an example in which the random code generator 11 generates a random code R in which five numbers “12345” are enumerated. In the drawing, this specific code is shown in parentheses. The random code R “12345” generated in this way is transmitted as a “challenge” by the random code transmitting unit 16 and received by the random code receiving unit 21.

  Subsequently, the encryption code generation unit 23 performs an encryption process using the encryption algorithm A shown in FIG. 2 on the random code R “12345” to generate an encryption code Q “ABCDE”. The encryption code Q “ABCDE” is returned as a “response” from the encryption code transmission unit 25 and is received by the encryption code reception unit 17.

  On the other hand, the random code R “12345” generated by the random code generation unit 11 is encrypted by the verification encryption code generation unit 13. Since the verification encryption code generation unit 13 performs encryption processing using the same encryption algorithm A as the encryption code generation unit 23, the random code R “12345” is also converted into the encryption code Q “ABCDE”. Finally, in the verification determination unit 15, the verification encryption code Q “ABCDE” generated by the verification encryption code generation unit 13 matches the encryption code Q “ABCDE” received by the encryption code reception unit 17. Whether or not the second information processing apparatus 20 is authenticated as a legitimate apparatus. In the illustrated example, both encryption codes are “ABCDE”, and the second information processing apparatus 20 is authenticated as a legitimate apparatus.

  Such a challenge-response authentication method functions as an effective authentication method as long as the encryption algorithm A is kept confidential. In the above example, the random code R generated by the random code generator 11 is “12345”, but the random code R is a random code generated every time authentication is performed based on a random number. Because every time is different. For example, in the second authentication, a random code R such as “67890” is generated as a “challenge”, and an encryption code Q “FGHIJ” is returned as a “response”. Become. Therefore, as long as the encryption algorithm A is kept secret, a correct “response” cannot be generated, and authentication can be prevented from being performed in an unauthorized manner.

  However, if the contents of the encryption algorithm A are estimated, an illegal act of authenticating any information processing apparatus having an encryption processing function based on the encryption algorithm A as a legitimate apparatus becomes possible.

  As a method of analyzing the encryption algorithm A, a method of intercepting communication between the information processing apparatuses 10 and 20 has been known for a long time. In the case of the illustrated example, if the information flowing on the communication path between the two is wiretapped, it can be recognized that a response of the encryption code Q “ABCDE” is obtained in response to the challenge by the random code R “12345”. Similarly, at the time of another authentication, it can be recognized that a response of the encryption code Q “FGHIJ” is obtained in response to the challenge with the random code R “67890”.

  Of course, a person who has obtained the second information processing apparatus 20 can systematically check what response is returned when an arbitrary code is given as a challenge. “Communication interception” in the present application is a concept including an act in which a person who has obtained the second information processing apparatus 20 in this way intentionally gives a specific challenge and checks what kind of response is returned. It is.

  The combination of challenge and response obtained by such communication interception estimates the encryption algorithm A (algorithm shown in FIG. 2) used in the encryption processing executed in the second information processing apparatus 20. Give a hint. A simple algorithm A as illustrated in FIG. 2 can be analyzed by collecting several combinations of challenges and responses, and can be easily estimated by communication interception.

  However, as described above, in practice, a cryptographic algorithm comprising a complicated mathematical operation process using a unique secret key is used, and its defense is quite strong mathematically. Therefore, it can be said that it is extremely difficult to estimate a cryptographic algorithm that is currently generally used only by a method of communication interception, and it is unlikely that the cryptographic algorithm is revealed by itself. However, there is concern that the encryption algorithm can be easily estimated by combining side channel analysis, which has been regarded as a problem in recent years.

  In the case of the example shown in FIG. 3, the side channel analysis is to monitor power consumption, calculation processing time, generated electromagnetic waves, and the like for the second information processing apparatus 20 that is executing encryption processing based on the encryption algorithm A. Is done by. For example, if encryption processing is executed with various measurement devices attached to the second information processing device 20, what kind of calculation is performed in the device when generating a specific response to a specific challenge. This will provide important clues for estimating whether the process is taking place.

FIG. 4 is a diagram illustrating an attack that combines communication interception and side channel analysis for the authentication method illustrated in FIG. 3. In the case of the illustrated example, first, the fact that a response of the encryption code Q “ABCDE” is obtained with respect to the challenge by the random code R “12345” can be recognized by communication interception. At this time, encryption processing based on the encryption algorithm A is executed in the encryption code generation unit 23. Therefore, if the side channel analysis is performed at the same time, information such as power consumption, calculation processing time, and generated electromagnetic wave when the code generation unit 23 executes calculation for converting the code “12345” into the code “ABCDE” can be obtained. It will be.

  As described above, when information obtained by side channel analysis is combined with information obtained by communication interception, it cannot be denied that estimation of the encryption algorithm A becomes easy. For this reason, even if a mathematically strong cryptographic algorithm is adopted, there is a risk of exposure to unauthorized attacks. The present invention proposes a method for solving such a problem, and an object thereof is to provide an authentication method for an information processing apparatus that can sufficiently withstand an attack combining communication interception and side channel analysis. To do.

<<< §2. Basic concept of authentication method according to first embodiment of the present invention >>>
Here, the basic concept of the authentication method according to the first embodiment of the present invention will be described with reference to FIG. Specifically, a process according to the flow of data, taking as an example a process in which the first information processing apparatus 100 (for example, a server apparatus) confirms the validity of the second information processing apparatus 200 (for example, a client apparatus). The procedure will be described.

  In the case of the illustrated example, the first information processing apparatus 100 includes a random code generation unit 110, a collation rearrangement code generation unit 120, a collation encryption code generation unit 130, and a collation element as components involved in the authentication process. A rearrangement encryption code generation unit 140, a collation determination unit 150, a random code transmission unit 160, and a rearrangement encryption code reception unit 170 are provided. The second information processing apparatus 200 includes a random code reception unit 210, a rearrangement encryption code reception unit 170, and a rearrangement encryption code reception unit 170. A code generation unit 220, an encryption code generation unit 230, a rearrangement encryption code generation unit 240, and a rearrangement encryption code transmission unit 250 are provided.

  When the first information processing apparatus 100 (the apparatus of the present invention) shown in FIG. 5 is compared with the first information processing apparatus 10 (conventional apparatus) shown in FIG. 3, the random code generation unit 110 is a random code generation unit. 11, the verification encryption code generation unit 130 corresponds to the verification encryption code generation unit 13, the verification determination unit 150 corresponds to the verification determination unit 15, and the random code transmission unit 160 corresponds to the random code transmission unit 16. Correspondingly, the rearranged encryption code receiving unit 170 corresponds to the encryption code receiving unit 17. The function of each of these corresponding components is basically the same.

  Therefore, the major feature of the first information processing apparatus 100 (the apparatus of the present invention) shown in FIG. 5 is that the first information processing apparatus 10 (conventional apparatus) shown in FIG. That is, the unit 120 and the collation rearranged encryption code generation unit 140 are added. The role of these new components 120 and 140 is to rearrange the data before and after the encryption processing in the verification encryption code generation unit 130.

  On the other hand, when the second information processing device 200 (device of the present invention) shown in FIG. 5 is compared with the second information processing device 20 (conventional device) shown in FIG. 3, the random code receiving unit 210 receives the random code. The encryption code generation unit 230 corresponds to the encryption code generation unit 23, and the rearrangement encryption code transmission unit 250 corresponds to the encryption code transmission unit 25. The function of each of these corresponding components is basically the same.

  Therefore, the major feature of the second information processing apparatus 200 (the apparatus of the present invention) shown in FIG. 5 is further different from the second information processing apparatus 20 (conventional apparatus) shown in FIG. In other words, the permutation encryption code generation unit 240 is added. The role of these new components 220 and 240 is to rearrange the data before and after the encryption process in the encryption code generation unit 230.

  More specifically, the collation rearrangement code generation unit 120 in the first information processing apparatus 100 and the rearrangement code generation unit 220 in the second information processing apparatus 200 are both given random codes. The function of rearranging the constituent elements of R to generate a rearrangement code R ′ is achieved. Specifically, in the case of the illustrated example, based on the first rearrangement method X1, the random code R “12345” formed by enumerating five numbers is rearranged in the order “35214”. Code R 'is generated. A circle X1 in the block 220 in FIG. 5 indicates that rearrangement is performed by the method X1 (the same applies hereinafter).

  FIG. 6 (a) is a diagram showing a first rearrangement table T1 that defines the first rearrangement method X1. This table T1 is for defining a rearrangement for an arbitrary code consisting of five constituent elements m1 to m5. Specifically, the constituent elements m1, m2, m3, m4 and m5 are listed in this order. For the code thus formed, a rearrangement method is defined in which each component is arranged in the order of m3, m5, m2, m1, and m4. In the example shown in FIG. 5, in the collation rearrangement code generation unit 120 and the rearrangement code generation unit 220, each component of the random code R “12345” is rearranged based on the first rearrangement table T1. As a result, the rearrangement code R ′ “35214” is generated.

  Eventually, the collation encryption code generation unit 130 and the encryption code generation unit 230 are provided with the rearrangement code R ′ “35214” instead of the random code R “12345”. Therefore, the encryption process is performed on the rearrangement code R ′ “35214”. As described above, here, for convenience of explanation, the encryption processing is performed based on a simple encryption algorithm A as shown in FIG. Therefore, the encryption code Q “CEBAD” is generated by performing the encryption process on the rearrangement code R ′ “35214”.

  On the other hand, the collation rearrangement encryption code generation unit 140 in the first information processing apparatus 100 and the rearrangement encryption code generation unit 240 in the second information processing apparatus 200 are both constituent elements of the given encryption code Q. Are rearranged to generate a rearranged encryption code Q ′. Specifically, in the case of the illustrated example, based on the second rearrangement method X2, the encryption code Q “CEBAD” formed by enumerating five alphabets is rearranged in the order of “BEDAC”. An encryption code Q ′ is generated.

  FIG. 6 (b) is a diagram showing a second rearrangement table T2 that defines the second rearrangement method X2. This table T2 is for defining a rearrangement for an arbitrary code consisting of five constituent elements m1 to m5. Specifically, the constituent elements m1, m2, m3, m4 and m5 are arranged in this order. A rearrangement method is defined so that the constituent elements are arranged in the order of m3, m2, m5, m4, and m1 for the enumerated codes. In the example shown in FIG. 5, in the collation rearrangement encryption code generation unit 140 and the rearrangement encryption code generation unit 240, the constituent elements of the encryption code “CEBAD” are arranged based on the second rearrangement table T2. As a result, the rearrangement encryption code Q ′ “BEDAC” is generated.

  In this way, the rearranged encryption code Q ′ “BEDAC” is returned from the rearranged encryption code transmission unit 250 to the rearrangement encryption code reception unit 170. The collation determination unit 150 includes a rearrangement encryption code Q ′ “BEDAC” received by the rearrangement encryption code reception unit 170, a rearrangement encryption code Q ′ “BEDAC” generated by the comparison rearrangement encryption code generation unit 140, Are matched, and if they match, the second information processing device 200 is determined to be a device whose validity has been confirmed.

  The first rearrangement method X1 used for the rearrangement process executed by the rearrangement code generation unit 220 and the second rearrangement method used for the rearrangement process executed by the rearrangement encryption code generation unit 240. X2 is defined at random each time authentication processing is performed. That is, each time the random code receiving unit 210 receives a new random code R, the rearrangement code generation unit 220 and the rearrangement encryption code generation unit 240 use the new rearrangement methods X1 and X2 defined at random. Thus, rearrangement based on a different rearrangement method is performed each time.

  On the other hand, the rearrangement method X1 used by the collation rearrangement code generation unit 120 needs to be the same as the rearrangement method X1 used by the rearrangement code generation unit 220 at that time. The rearrangement method X2 used by the generation unit 140 needs to be the same as the rearrangement method X2 used by the rearrangement encryption code generation unit 240 at that time. Therefore, the rearrangement encryption code transmission unit 250, together with the rearrangement encryption code Q ′, the first rearrangement method X1 used by the rearrangement code generation unit 220 and the second rearrangement used by the rearrangement encryption code generation unit 240. The rearrangement information indicating the replacement method X2 is transmitted to the rearrangement encryption code receiving unit 170.

  The rearrangement encryption code receiving unit 170 delivers the received rearrangement encryption code Q ′ to the collation determination unit 150 and receives the received rearrangement information (that is, the first rearrangement method X1 and the second rearrangement method X2). Is transferred to the collation rearrangement code generation unit 120 and the collation rearrangement encryption code generation unit 140. Thereby, the collation rearrangement code generation unit 120 can perform rearrangement processing based on the first rearrangement method X1, and the collation rearrangement encryption code generation unit 140 performs rearrangement based on the second rearrangement method X2. Replacement processing can be performed.

  In short, when the authentication method shown in FIG. 5 is adopted, if a random code R “12345” is given as a challenge from the first information processing apparatus 100 to the second information processing apparatus 200, a rearranged code is generated. In the unit 220, the random code R “12345” is rearranged based on the first rearrangement method X1 and converted into the rearrangement code R ′ “35214”. Then, the encryption code generation unit 230 performs encryption processing based on the encryption algorithm A on the rearrangement code R ′ “35214” to generate the encryption code Q “CEBAD”. Further, in the rearrangement encryption code generation unit 240, the encryption code Q “CEBAD” is rearranged based on the second rearrangement method X2 and converted into the rearrangement encryption code Q ′ “BEDAC”. The rearrangement encryption code Q ′ “BEDAC” is returned as a response.

  FIG. 7 is a diagram showing an attack combining communication interception and side channel analysis for the authentication method shown in FIG. Of course, even when the authentication method shown in FIG. 5 is adopted, communication interception and side channel analysis are possible. However, since there is no direct relationship between information obtained by communication interception and information obtained by side channel analysis, it is difficult to estimate the encryption algorithm A even if both are combined.

  That is, when the authentication method shown in FIG. 5 is adopted, the information obtained by the communication interception is a response of the rearrangement encryption code Q ′ “BEDAC” to the challenge by the random code R “12345” as shown in FIG. Is the fact that However, at this time, the operation of the encryption process performed in the encryption code generation unit 230 is not the operation of converting the random code R “12345” into the replacement encryption code Q ′ “BEDAC”, but the replacement code. This is an operation for converting R ′ “35214” into a cipher code Q “CEBAD”. Information obtained by side channel analysis is shown in FIG. 7 in which the rearrangement code R ′ “35214” is converted into the cipher code Q “CEBAD”. This means information such as power consumption, calculation processing time, and generated electromagnetic waves when executing the conversion operation.

  In other words, even if the challenge “12345” and the response “BEDAC” are specified by the communication interception in an attempt to analyze the encryption algorithm A employed by the encryption code generation unit 230, Since the calculation process is an operation for converting another code “35214” into “CEBAD”, it is difficult to estimate the encryption algorithm A even if analysis is performed by combining the two codes. This is the basic technical idea of the present invention, which is a basic principle that can realize an authentication method that can sufficiently withstand an attack that combines communication interception and side channel analysis. In addition, when introducing the present invention, it is only necessary to add a process for performing relatively simple data processing (in the case of FIG. 5, rearrangement processing) before and after the encryption processing, which is very efficient. By the simple processing, a countermeasure against the above attack can be prepared, and the introduction cost can be suppressed.

  After all, when the authentication method of the information processing apparatus according to the first embodiment of the present invention is summarized, the following process is performed. That is, in order for the first information processing apparatus 100 to authenticate the second information processing apparatus 200 as an apparatus whose validity has been confirmed, first, on the first information processing apparatus 100 side, a character is used by using a random number. Alternatively, a step of generating a random code R enumerating numbers and transmitting it to the second information processing apparatus 200 (processing by the random code generation unit 110 and the random code transmission unit 160) is performed.

  Subsequently, the second information processing apparatus 200 side receives the transmitted random code R, rearranges its constituent elements by the random first rearrangement method X1, and generates a rearrangement code R ′. (Processing by the random code receiving unit 210 and the rearrangement code generation unit 220) and the step of encrypting the rearrangement code R ′ by an encryption operation based on A with a predetermined encryption algorithm to generate an encryption code Q (encryption code Processing by the generation unit 230) and a step of rearranging the constituent elements of the encryption code Q by the random second rearrangement method X2 to generate the rearrangement encryption code Q ′ (processing by the rearrangement encryption code generation unit 240) And rearrangement information indicating the first rearrangement method X1 and the second rearrangement method X2 together with the rearrangement encryption code Q ′ is transmitted to the first information processing apparatus 100. And step (processing by rearranging encryption code transmission unit 250), is performed.

  Then, the first information processing apparatus 100 side receives the rearrangement information together with the rearrangement encryption code Q ′ (processing by the rearrangement encryption code receiver 170), and confirms the validity of the received rearrangement encryption code Q ′. Based on the same encryption algorithm A as the rearrangement process based on the received rearrangement information (the process by the collation rearrangement code generation unit 120 and the collation rearrangement encryption code generation unit 140) and the encryption process by the encryption code generation unit 230 A step of confirming by an encryption operation (processing by the verification encryption code generation unit 130) is performed.

  Note that the transmission of rearrangement information (information indicating the first rearrangement method X1 and the second rearrangement method X2) from the second information processing apparatus 200 to the first information processing apparatus 100 is actually encrypted. It is preferable to carry out in the state of being converted. That is, the second information processing apparatus 200 performs encryption processing of the rearrangement information, and the rearrangement information in the encrypted state is transmitted from the rearrangement encryption code transmission unit 250 to the rearrangement encryption code reception unit 170. Thus, if this is decoded on the first information processing apparatus 100 side and restored, the rearrangement information can be prevented from being revealed even if the communication is intercepted.

  In the example illustrated in FIG. 5, the same encryption operation as that performed on the second information processing apparatus 200 side is performed on the first information processing apparatus 100 side, and the collation determination unit 150 performs both processes. Although the authentication is performed by confirming the matching of the resulting rearranged encryption code Q ′, the present invention is not necessarily limited to the example in which the matching is confirmed by such a procedure. For example, on the first information processing apparatus 100 side, collation is performed by executing a decryption operation based on the reordered encryption code Q ′ (a decryption operation based on the same encryption algorithm A as the encryption processing by the encryption code generation unit 230). It doesn't matter.

  Furthermore, in the example shown in FIG. 5, the second information processing apparatus 200 performs the rearrangement for the random code R based on the rearrangement method X1 and the rearrangement for the encryption code Q based on the rearrangement method X2. Accordingly, on the first information processing apparatus 100 side as well, rearrangement for the random code R based on the rearrangement method X1 and rearrangement for the encryption code Q based on the rearrangement method X2 are performed. Yes. However, the present invention is not necessarily limited to an example in which matching is confirmed by such a procedure. For example, one rearrangement process can be omitted on the first information processing apparatus 100 side. . In this case, the rearrangement encryption code transmission unit 250 does not need to transmit rearrangement information indicating both the first rearrangement method and the second rearrangement method together with the rearrangement encryption code Q ′. It is sufficient to transmit rearrangement information indicating.

  As described above, the basic concept of the first embodiment of the present invention has been described based on the basic example shown in FIG. 5, but actually, various variations in which detailed portions are changed are conceivable. . Therefore, in §3 below, some examples relating to such variations will be described.

<<< §3. Specific Example of First Embodiment >>>
The feature of the first embodiment of the present invention is that, as described in the basic concept using the example of FIG. 5, when performing authentication, a rearrangement method as illustrated in FIG. 6 is randomly defined, The rearrangement process is performed when the encryption process is performed. Several specific examples will be described below.

<3-1. Example A: Verification by Encryption Part 1>
FIG. 8 is a block diagram showing Example A of the first embodiment shown in FIG. Here, the basic concept of the authentication method according to the embodiment A will be described with reference to FIG. In Example A, the first information processing apparatus 100A performs processing for confirming the validity of the second information processing apparatus 200A.

  As shown in the figure, in this embodiment, the first information processing apparatus 100A includes a random code generation unit 110, a collation rearrangement code generation unit 120, a collation encryption code generation unit as constituent elements involved in the authentication process. 130, a collation rearrangement encryption code generation unit 140, a collation determination unit 150, a random code transmission unit 160, a rearrangement encryption code reception unit 170, and a table decryption unit 180 are provided. Here, the components 110 to 170 are the same as the components 110 to 170 in the basic embodiment shown in FIG. The component 180 is a component newly introduced in the embodiment A, and is a component that performs a process of decrypting the rearrangement table transmitted in an encrypted state.

  On the other hand, the second information processing apparatus 200A includes a random code reception unit 210, a rearrangement code generation unit 220, an encryption code generation unit 230, a rearrangement encryption code generation unit 240, a rearrangement encryption code transmission unit 250, and table encryption. 260 and a rearrangement table generation unit 270 are provided. Here, the components 210 to 250 are the same as the components 210 to 250 of the basic embodiment shown in FIG. Also, the constituent elements 260 and 270 are constituent elements newly introduced in the embodiment A, and rearrangement tables T1 and T2 are generated to define the code rearrangement methods X1 and X2. It is a component that performs processing to be converted.

After all, in the embodiment A shown in FIG. 8, the first rearrangement table T1 and the second rearrangement table using random numbers in the second information processing apparatus 200 in the basic embodiment shown in FIG. The rearrangement table generation unit 270 that generates T2, and the first rearrangement table T1 and the second rearrangement table T2 are respectively encrypted, and the first encryption table T1 ^* and the second encryption table T2 ^* are encrypted ^. Is added to the table encryption unit 260 for generating.

  The rearrangement table generation unit 270 performs a process of generating the first rearrangement table T1 and the second rearrangement table T2 each time the random code reception unit 210 receives a new random code R. Then, the rearrangement code generator 220 generates a random code R based on the first rearrangement method X1 (for example, the method shown in FIG. 6A) defined by the first rearrangement table T1 thus generated. A process of rearranging the constituent elements is generated to generate a rearrangement code R ′. Similarly, the rearrangement encryption code generation unit 240 performs encryption based on the second rearrangement method X2 (for example, the method shown in FIG. 6B) defined by the second rearrangement table T2 thus generated. A process of rearranging the constituent elements of the code Q to generate a rearranged encryption code Q ′ is performed.

  The specific form of the rearrangement table is a specific rearrangement of the arrangement order of the constituent elements (individual characters or numbers) of the random code R and the encryption code Q as illustrated in FIGS. 6 (a) and 6 (b). Any form can be used as long as it can be defined to change based on the method. In the case of the illustrated example, the random code R and the encryption code Q are both composed of five components, so the rearrangement tables T1 and T2 are tables that define the rearrangement for the five components. Of course, the rearrangement table is a table corresponding to the number of components of the random code R and the encryption code Q.

The rearrangement tables T1 and T2 generated in this way are encrypted by the table encryption unit 260 to become encryption tables T1 ^* and T2 ^* . Therefore, rearrangement encryption code transmission unit 250 transmits encryption tables T1 ^* and T2 ^* together with rearrangement encryption code Q ′ to first information processing apparatus 100A.

The rearrangement encryption code receiving unit 170 receives the rearrangement encryption code Q ′ and the encryption tables T1 ^* and T2 ^* thus transmitted. The received rearrangement encryption code Q ′ is given to the collation determination unit 150, and the received encryption tables T 1 ^* , T 2 ^* are given to the table decryption unit 180. The table decryption unit 180 decrypts the encryption tables T1 ^* and T2 ^* , and performs processing for restoring the original rearrangement tables T1 and T2.

  The collation rearrangement code generation unit 120 rearranges the constituent elements of the random code R based on the first rearrangement method X1 defined by the first rearrangement table T1 restored in this way, thereby rearranging the rearrangement code R ′. Process to generate. Similarly, the collation rearrangement cipher code generation unit 140 rearranges the constituent elements of the cipher code Q based on the second rearrangement method X2 defined by the second rearrangement table T2 restored in this way. A process for generating a replacement encryption code Q ′ is performed.

It should be noted that public key cryptography is preferably used for encryption and decryption of the rearrangement tables T1 and T2. Specifically, the table encryption unit 260 encrypts the rearrangement tables T1 and T2 using one of the pair of keys used in the public key cryptosystem, and obtains the encryption tables T1 ^* and T2 ^* . And the table decrypting unit 180 decrypts the cipher tables T1 ^* and T2 ^* using the other key of the pair of keys to generate the original rearrangement tables T1 and T2. That's fine.

  For example, when the first information processing apparatus 100A is a server apparatus and the second information processing apparatus 200A is a client apparatus, the table encryption unit 260 performs encryption using the public key of the person who manages the server apparatus 100A. The table decryption unit 180 can perform decryption using the secret key of the person who manages the server device 100A.

As described above, each of the rearrangement tables T1 and T2 is a random table that is newly generated by using a random number on the second information processing apparatus 200A side every time the illustrated authentication process is performed. 1 to the information processing apparatus 100A side. In the embodiment A shown here, the rearrangement tables T1 and T2 can be encrypted and transmitted in the form of the encryption tables T1 ^* and T2 ^*. Will not be exposed directly. Therefore, defense against unauthorized attacks can be further enhanced.

  FIG. 6 shows an example in which different tables are generated as the first rearrangement table T1 and the second rearrangement table T2, but the tables T1 and T2 are not necessarily different tables. The same table may be used. However, preparing different tables is more effective in increasing defense against unauthorized attacks, so practically, as in the example shown in FIG. 6, the first sort table T1 and the second table It is preferable to generate different tables as the rearrangement table T2.

  Subsequently, with reference to FIG. 8, the specific processing content of the authentication method in the embodiment A, that is, the first information processing apparatus 100A authenticates the second information processing apparatus 200A as the apparatus whose validity has been confirmed. The specific procedure for doing this will be explained in order following the flow of data.

  First, the random code generation unit 110 uses a random number to perform a random code generation stage for generating a random code R in which characters or numbers as constituent elements are enumerated. The illustrated example is an example in which a random code R “12345” in which five numbers are arranged is generated. Practically, it is preferable to generate a random code R in which n numbers represented by 1 byte are arranged. Then, the random code transmission unit 160 performs a random code transmission step of transmitting the random code R “12345” to the second information processing apparatus 200A.

  Subsequently, the random code receiving unit 210 performs a random code receiving step of receiving the transmitted random code R “12345”, and the rearrangement table generating unit 270 uses a random number, and is illustrated in FIG. A rearrangement table generation step for generating the first rearrangement table T1 and the second rearrangement table T2 is performed.

  Then, the rearrangement code generator 220 rearranges the components of the random code R “12345” on the basis of the first rearrangement table T1 (based on the first rearrangement method X1), thereby rearranging the rearrangement code R. ′ “35214” is generated, and the encryption code generation unit 230 encrypts the replacement code R ′ “35214” by an encryption operation based on a predetermined encryption algorithm A to generate the encryption code Q An encryption code generation stage for generating “CEBAD” is performed, and the rearrangement encryption code generation unit 240 rearranges the components of the encryption code Q “CEBAD” on the basis of the second rearrangement table T2. A rearrangement encryption code generation step for generating the replacement encryption code Q ′ “BEDAC” is performed.

The table encryption unit 260 encrypts the first rearrangement table T1 and the second rearrangement table T2, respectively, and generates a first encryption table T1 ^* and a second encryption table T2 ^*. An encryption stage is performed. Then, rearrangement encryption code transmission unit 250 transmits first encryption table T1 ^* and second encryption table T2 ^* together with rearrangement encryption code Q ′ “BEDAC” to first information processing apparatus 100A. A reordering encryption code transmission step is performed.

On the other hand, the rearrangement encryption code receiving unit 170 receives the rearrangement encryption code Q ′ “BEDAC” that has been transmitted, and the rearrangement encryption code that receives the first encryption table T1 ^* and the second encryption table T2 ^*. The code reception stage is performed, and the table decryption unit 180 decrypts the first encryption table T1 ^* and the second encryption table T2 ^* , respectively, and the first rearrangement table T1 and the second rearrangement table T2. A table decoding stage is performed to restore.

  In the collation rearrangement code generation unit 120, the constituent elements of the random code R “12345” generated by the random code generation unit 110 are rearranged based on the restored first rearrangement table T1 for collation. A collation rearrangement code generation stage for generating rearrangement code R ′ “35214” is performed, and the collation encryption code generation unit 130 uses the same encryption algorithm A as the encryption algorithm A employed by the encryption code generation unit 230. A verification encryption code generation step of generating a verification encryption code Q “CEBAD” by encrypting the verification rearrangement code R ′ “35214” is performed by the encryption operation based on the above, and further, a verification rearrangement encryption code generation is performed. In component 140, based on the restored second rearrangement table T2, components of verification encryption code Q “CEBAD” Verification rearrangement encryption code generation step of generating a collation for sorting encryption code Q ' "BEDAC" by rearranging is performed.

  Finally, in collation determination unit 150, reordered encryption code Q ′ “BEDAC” received by reordered encryption code receiving unit 170 and the reordered encryption code for verification generated by reordered encryption code generation unit 140 for verification. It is checked whether or not Q ′ “BEDAC” matches, and if they match, a matching determination step is performed in which the second information processing device 200A is determined to be a device whose validity has been confirmed.

  After all, when the authentication method according to the embodiment A shown in FIG. 8 is adopted, when the random code R “12345” is given as a challenge from the first information processing apparatus 100A to the second information processing apparatus 200A. In the rearrangement code generation unit 220, the random code R “12345” is rearranged based on the first rearrangement table T1 and converted into the rearrangement code R ′ “35214”. Then, the encryption code generation unit 230 performs encryption processing based on the encryption algorithm A on the rearrangement code R ′ “35214” to generate the encryption code Q “CEBAD”. Further, in the rearrangement encryption code generation unit 240, the encryption code Q “CEBAD” is rearranged based on the second rearrangement table T2 and converted into the rearrangement encryption code Q ′ “BEDAC”. The rearrangement encryption code Q ′ “BEDAC” is returned as a response.

  At this time, the rearrangement tables T1 and T2 are transmitted to the first information processing apparatus 100A together with this response in an encrypted state. In addition, the verification encryption code generation unit 130 has a function of executing an encryption process using the same encryption algorithm A as the encryption code generation unit 230. Therefore, on the first information processing apparatus 100A side as well, a procedure similar to the procedure executed on the second information processing apparatus 200A side is executed, and the random code R “12345” → the rearrangement code R ′ “35214”. → Cryptographic code Q “CEBAD” → Reordered cipher code Q ′ “BEDAC” can be traced to obtain rearranged cipher code Q ′ “BEDAC”. By confirming the coincidence of the encryption code Q ′ “BEDAC”, the validity of the second information processing apparatus 200A is confirmed.

  As described with reference to FIG. 7, the authentication method shown in the embodiment A fulfills a sufficient defense function against an attack combining communication interception and side channel analysis. That is, when the authentication method shown in FIG. 8 is adopted, information obtained by communication interception is a response of a rearranged encryption code Q ′ “BEDAC” in response to a challenge with a random code R “12345” as shown in FIG. Is the fact that

  However, at this time, the operation of the encryption process performed in the encryption code generation unit 230 is not an operation for converting the random code R “12345” into the replacement encryption code Q ′ “BEDAC”, but a rearrangement code. This is an operation for converting R ′ “35214” into a cipher code Q “CEBAD”. Information obtained by side channel analysis is shown in FIG. 7 in which the rearrangement code R ′ “35214” is converted into the cipher code Q “CEBAD”. This means information such as power consumption, calculation processing time, and generated electromagnetic waves when executing the conversion operation.

  As described above, even if the challenge “12345” and the response “BEDAC” are specified by the communication interception, the operation of the encryption process actually performed converts another code “35214” into “CEBAD”. Since it is an operation, it is difficult to estimate the encryption algorithm A even if analysis is performed by combining the two.

<3-2. Example B: Verification by Encryption Part 2>
Next, Example B of the first embodiment of the present invention will be described with reference to FIG. In Example B, the first information processing apparatus 100B performs processing for confirming the validity of the second information processing apparatus 200B. The embodiment B is obtained by slightly changing the collation process in the above-described embodiment A, and the basic configuration is almost the same as that of the embodiment A. Therefore, only the differences from the embodiment A will be described below.

  First, the second information processing apparatus 200B is exactly the same as the configuration of the second information processing apparatus 200A shown in the embodiment A, and thus the description thereof is omitted here. In the first information processing apparatus 100B, the constituent elements 110, 120, 160, 170, and 180 are exactly the same as the constituent elements assigned the same reference numerals in the embodiment A. The difference from the embodiment A is that a verification encryption code first generation unit 130B, a verification encryption code second generation unit 140B, and a verification determination unit 150B are provided instead of the constituent elements 130, 140, and 150. It is. Therefore, the functions of these three components will be described below. Of the constituent elements of the embodiment B, those different from the constituent elements of the embodiment A are indicated by “B” at the end of the reference numerals.

  First, the verification encryption code first generation unit 130B is actually a component having the same function as the verification encryption code generation unit 130 in the embodiment A, and the encryption code executed by the encryption code generation unit 230 is the same. The verification encryption code first generation stage is executed in which the verification rearrangement code R ′ “35214” is encrypted by the encryption operation based on the same encryption algorithm A as the algorithm A to generate the verification encryption code Q “CEBAD”. . Therefore, in FIG. 9, it may be called “verification encryption code generation unit 130” instead of “verification encryption code first generation unit 130B”, but here, in order to avoid confusion with the component 140B, Since “first” is inserted in the name, the code is also given a new code “130B” instead of “130”.

  On the other hand, the verification encryption code second generation unit 140B has the configuration of the rearrangement encryption code Q ′ “BEDAC” received by the rearrangement encryption code reception unit 170 based on the table obtained by reversing the second rearrangement table T2. This is a constituent element that performs a second verification encryption code generation step of rearranging the elements to generate a verification encryption code Q “CEBAD”. Both the verification encryption code first generation unit 130B and the verification encryption code second generation unit 140B are components having a function of generating the verification encryption code Q “CEBAD”. The verification encryption code Q “CEBAD” is generated by the encryption process for R ′ “35214”, whereas the latter is performed by the rearrangement process for the rearrangement encryption code Q ′ “BEDAC”. Will be generated.

  Here, the table obtained by reversing the second rearrangement table T2 is a table showing rearrangement opposite to the table T2 shown in FIG. 6B, that is, the direction of the arrow in the figure is reversed, This means a table indicating a rearrangement method for converting from the rearrangement order to the upper order. In the drawing of the present application, a table obtained by reversing an arbitrary rearrangement table T is indicated by a reference symbol with a bar on the upper side of the reference symbol T, and a rearrangement method obtained by reversing the arbitrary rearrangement method X is indicated by a reference symbol X. This is indicated by a symbol with a bar attached to the top. Further, in the specification, they are expressed as a table T bar and a rearrangement method X bar, respectively.

  As described above, the verification encryption code second generation unit 140B performs the process of converting the given reordered encryption code Q ′ “BEDAC” into the verification encryption code Q “CEBAD”. This means a rearrangement process based on the rearrangement method X2 bar indicated by the reverse rotation table T2 bar.

  Actually, each rearrangement table T is a table having commutability, and the table T and the reverse rotation table T bar can be said to be essentially tables having the same information and are described in the table. The only difference is the direction in which the sort operation is applied. Therefore, in the figure, it is described that the verification encryption code second generation unit 140B performs the rearrangement process based on the reverse rotation table T2 bar. The rearrangement table T2 is given as it is, and the verification encryption code second generation unit 140B may perform rearrangement by applying this table T2 in the reverse direction. The same applies to the following embodiments.

  Eventually, the verification encryption code second generation unit 140B in the embodiment B performs a reordering process reverse to that of the reordering encryption code generation unit 240, and converts the reordering encryption code Q ′ “BEDAC” into the recognizing encryption code. Q is converted to “CEBAD”. In other words, in this embodiment B, the reordered encryption code Q ′ “BEDAC” obtained by the reordering process by the reordered encryption code generation unit 240 when the collation determination is performed has the original order of arrangement. The verification is performed by returning to the state of the encrypted code Q “CEBAD” and confirming the match in that state.

  That is, the collation determination unit 150B includes the collation cipher code Q “CEBAD” generated by the collation cipher code first generation unit 130B and the collation cipher code Q “CEBAD” generated by the collation cipher code second generation unit 140B. Are matched, and if they match, a collation determination stage is performed in which the second information processing apparatus 200B is determined to be an apparatus whose validity has been confirmed.

  In short, in the case of the embodiment A, the matching determination is performed in the state of the rearrangement encryption code Q ′ “BEDAC” obtained by rearranging the encryption code Q “CEBAD”. In the case of Example B, the rearrangement encryption code Q ′ “BEDAC” is returned to the encryption code Q “CEBAD” which is the state before the rearrangement, and the match determination is performed in the state of the encryption code Q “CEBAD”. Therefore, there is no essential difference between Examples A and B, and the same effect as Example A can be obtained for Example B.

<3-3. Example C: Verification by Decoding Part 1>
Here, Example C of the first embodiment of the present invention will be described with reference to FIG. In Example C, the first information processing apparatus 100C performs processing for confirming the validity of the second information processing apparatus 200C. In the embodiment C, the collation process in the embodiment A described above is slightly changed, and the basic configuration is almost the same as that in the embodiment A. Therefore, only the differences from the embodiment A will be described below.

  First, the second information processing apparatus 200C is exactly the same as the configuration of the second information processing apparatus 200A shown in the embodiment A, and the description thereof is omitted here. In the first information processing apparatus 100C, the constituent elements 110, 160, 170, and 180 are exactly the same as the constituent elements assigned the same reference numerals in the embodiment A. The difference from the embodiment A is that, instead of the constituent elements 120, 130, 140, 150, a collating random code generating unit 120C, a collating rearranged code generating unit 130C, a collating cryptographic code generating unit 140C, a collation determining unit 150C is provided. Therefore, the functions of these four components will be described below. Of the constituent elements of the embodiment C, those different from the constituent elements of the embodiment A are indicated by “C” at the end of the reference numerals.

  First, the verification encryption code generation unit 140C has the configuration of the rearrangement encryption code Q ′ “BEDAC” received by the rearrangement encryption code reception unit 170 based on the table T2 bar obtained by reversing the second rearrangement table T2. This is a constituent element for performing a verification encryption code generation stage for rearranging the elements to generate a verification encryption code Q “CEBAD”. The function of the verification encryption code generation unit 140C is exactly the same as the function of the verification encryption code second generation unit 140B of Example B, and detailed description thereof is omitted.

  Next, the collation rearrangement code generation unit 130C performs the collation encryption code Q “CEBAD” by a decryption operation based on the same encryption algorithm A as the encryption algorithm A used when the encryption code generation unit 230 performs the encryption process. Is a component that performs a collation rearrangement code generation stage for generating collation rearrangement code R ′ “35214”. The encryption code generation unit 230 performs the process of generating the encryption code Q “CEBAD” by encrypting the rearrangement code R ′ “35214” by the encryption operation based on the encryption algorithm A. The code generation unit 130C performs a process of decrypting the encrypted code Q “CEBAD” and returning it to the original rearranged code R ′ “35214” by a process completely opposite to this.

  On the other hand, the matching random code generation unit 120C rearranges the constituent elements of the matching rearrangement code R ′ “35214” based on the table T1 bar obtained by reversing the first rearrangement table T1, thereby matching the random code for matching. This is a constituent element that performs a collating random code generation stage for generating R “12345”. Here, the table T1 bar obtained by reversing the first rearrangement table T1 is a table showing rearrangement opposite to the table T1 shown in FIG. 6A, that is, the direction of the arrow in the figure is reversed. This means a table indicating a rearrangement method for converting from the lower order to the upper order.

  As described above, in the figure, the collating random code generating unit 120C and the collating cryptographic code generating unit 140C are described so as to perform the rearrangement process based on the reverse rotation table T1 bar and T2 bar. In practice, the rearrangement may be performed by applying the tables T1 and T2 given from the table decoding unit 180 in the reverse direction.

  Then, the collation determination unit 150C determines whether or not the random code R “12345” generated by the random code generation unit 110 matches the collation random code R “12345” generated by the collation random code generation unit 120C. This is a constituent element that performs a collation determination stage in which the second information processing device 200C is determined to be a device whose validity has been confirmed.

  Eventually, in this example C, in the second information processing apparatus 200C, the random code R “12345” → reorder code R ′ “35214” → encryption code Q “CEBAD” → rearrangement encryption code Q ′ “BEDAC” The point that the rearrangement encryption code Q ′ “BEDAC” is obtained by following the transition accompanied by the encryption processing is exactly the same as the embodiment A described so far, but in the authentication process in the first information processing apparatus 100C. On the contrary, the random code R “12345” is traced through the transition accompanied by the decryption process of the rearrangement encryption code Q ′ “BEDAC” → the encryption code Q “CEBAD” → reorder code R ′ “35214” → random code R “12345”. ”And confirming whether or not this matches the original random code R“ 12345 ”, the correctness of the second information processing apparatus 200C So that sex is confirmed.

  In short, in the case of the embodiment A, the first information processing apparatus 100 performs the verification after the encryption, whereas in the case of the embodiment C, the first information processing apparatus 100C performs the decryption. After that, the verification is performed. Therefore, there is no essential difference between Examples A and C, and the same effect as Example A can be obtained for Example C.

<3-4. Example D: Verification by Decoding Part 2>
Here, Example D of the first embodiment of the present invention will be described with reference to FIG. In Example D, the first information processing apparatus 100D performs processing for confirming the validity of the second information processing apparatus 200D. The embodiment D is obtained by slightly changing the collation process in the above-described embodiment A, and the basic configuration is almost the same as the embodiment A. Therefore, only the differences from the embodiment A will be described below.

  First, the second information processing apparatus 200D is completely the same as the configuration of the second information processing apparatus 200A shown in the embodiment A, and thus the description thereof is omitted here. Further, regarding the first information processing apparatus 100D, the constituent elements 110, 160, 170, and 180 are exactly the same as the constituent elements denoted by the same reference numerals in the embodiment A. The difference from the embodiment A is that instead of the components 120, 130, 140, 150, the collation rearrangement code second generation unit 120D, the collation rearrangement code first generation unit 130D, the collation encryption code generation unit 140D and the collation determination part 150D are provided. Therefore, the functions of these four components will be described below. Of the constituent elements of the embodiment D, those different from the constituent elements of the embodiment A are indicated by “D” at the end of the reference numerals.

  First, the verification encryption code generation unit 140D configures the rearrangement encryption code Q ′ “BEDAC” received by the rearrangement encryption code reception unit 170 based on the table T2 bar obtained by reversing the second rearrangement table T2. This is a constituent element for performing a verification encryption code generation stage for rearranging the elements to generate a verification encryption code Q “CEBAD”. The function of the verification encryption code generation unit 140D is exactly the same as the function of the verification encryption code second generation unit 140B of Example B, and a detailed description thereof is omitted.

  Next, the collation rearrangement code first generation unit 130D performs the collation encryption code Q "by performing a decryption operation based on the same encryption algorithm A as the encryption algorithm A used when the encryption code generation unit 230 performs the encryption process. This is a constituent element that performs a collation rearrangement code first generation step of decoding “CEBAD” to generate collation rearrangement code R ′ “35214”. The encryption code generation unit 230 performs the process of generating the encryption code Q “CEBAD” by encrypting the rearrangement code R ′ “35214” by the encryption operation based on the encryption algorithm A. The code first generation unit 130D performs a process of decrypting the encrypted code Q “CEBAD” and returning it to the original rearranged code R ′ “35214” by a process completely opposite to this.

  The collation rearrangement code first generation unit 130D is actually a component having the same function as the collation rearrangement code generation unit 130C in the embodiment C, but the collation rearrangement code second generation is performed. In order to avoid confusion with the part 120D, here, for the component 130D, “first” is inserted in the name, and for the component 120D, “second” is inserted in the name. 1 generation unit 130D and collation rearrangement code second generation unit 120D.

  The collation rearrangement code second generation unit 120D rearranges the constituent elements of the random code R “12345” generated by the random code generation unit 110 on the basis of the first rearrangement table T1, and performs collation rearrangement. This is a component for executing the collation rearrangement code second generation stage for generating the replacement code R ′ “35214”. The collation rearrangement code second generation unit 120D is actually a component having the same function as the collation rearrangement code generation unit 120 in the embodiment A. However, as described above, In order to avoid confusion with the replacement code first generation unit 130D, here, it is called the collation replacement code second generation unit 120D.

  Then, the collation determination unit 150D includes the collation rearrangement code R ′ “35214” generated by the collation rearrangement code first generation unit 130D and the collation rearrangement code second generation unit 120D. It is a component that performs a collation determination step of collating whether or not the code R ′ “35214” matches, and determining that the second information processing device 200D is a device whose validity has been confirmed if they match. .

  Eventually, in Example C, in the second information processing apparatus 200D, a random code R “12345” → reorder code R ′ “35214” → encryption code Q “CEBAD” → rearrangement encryption code Q ′ “BEDAC” The point that the rearrangement encryption code Q ′ “BEDAC” is obtained by following the transition accompanied by the encryption processing is exactly the same as the embodiment A described so far, but in the authentication process in the first information processing apparatus 100D, On the contrary, the rearrangement encryption code Q ′ “BEDAC” → the encryption code Q “CEBAD” → the rearrangement code R ′ “35214” is traced to obtain a rearrangement code R ′ “35214”. The original random code R “12345” → the rearrangement code R ′ “35214” is rearranged, and the obtained two rearrangement codes R ′ “35214” are one. By checking whether, so that the authenticity of the second information processing apparatus 200D is confirmed. Therefore, there is no essential difference between Examples A and D, and the same effect as Example A can be obtained for Example D.

<3-5. Example E: Simple verification by encryption>
Next, Example E of the first embodiment of the present invention will be described with reference to FIG. In Example E, the first information processing apparatus 100E performs processing for confirming the validity of the second information processing apparatus 200E. Example E is a simplified version of the verification process in Example A described above, and the basic configuration is almost the same as Example A. Therefore, only the differences from the embodiment A will be described below.

  First, regarding the second information processing apparatus 200E, the constituent elements 210, 220, 230, 240, and 270 are exactly the same as the constituent elements denoted by the same reference numerals in the embodiment A. The difference from the embodiment A is that a replacement encryption code transmission unit 250E and a table encryption unit 260E are provided instead of the components 250 and 260.

  On the other hand, for the first information processing apparatus 100E, the constituent elements 110, 120, 130, and 160 are exactly the same as the constituent elements assigned the same reference numerals in the embodiment A. The difference from the embodiment A is that a component corresponding to the component 140 is omitted, and a collation determining unit 150E, a reordered encryption code receiving unit 170E, a table instead of the components 150, 170, 180. A decryption unit 180E is provided. Therefore, these differences will be described below. Of the constituent elements of the embodiment E, those different from the constituent elements of the embodiment A are indicated by “E” at the end of the reference numerals.

The fundamental feature of the embodiment E is that transmission of the second encryption table T2 ^* from the second information processing apparatus 200 to the first information processing apparatus 100 in the embodiment A is omitted, and the first information The rearrangement work by the second rearrangement method X2 on the processing apparatus 100 side is omitted.

Therefore, on the second information processing apparatus 200E side, the rearrangement table generation unit 270 generates two sets of tables T1 and T2, and the rearrangement work in the rearrangement code generation unit 220 and the rearrangement in the rearrangement encryption code generation unit 240. Although the replacement work is the same as in the embodiment A, in the table encryption stage performed in the table encryption unit 260E, the first rearrangement table T1 is encrypted, and the first encryption table T1 ^* However, encryption of the second rearrangement table T2 is omitted. In the rearrangement encryption code transmission stage performed by the rearrangement encryption code transmission unit 250E, the first encryption table T1 ^* is transmitted to the first information processing apparatus 100E together with the rearrangement encryption code Q ′ “BEDAC”. However, transmission of the second encryption table T2 ^* is omitted.

As described above, since the transmission of the second encryption table T2 ^* is omitted, the processing on the first information processing apparatus 100E side also slightly changes. In other words, the reordered encryption code receiving unit 170E receives the first encryption table T1 ^* together with the reordered encryption code Q ′ “BEDAC”, but does not receive the second encryption table T2 ^* . Further, in the table decryption unit 180E, a process of decrypting the first encryption table T1 ^* and restoring the first rearrangement table T1 is performed, but the second encryption table T2 ^* is not decrypted. .

  Eventually, since the information of the second rearrangement table T2 is not transmitted to the first information processing apparatus 100E side, the rearrangement work based on the second rearrangement table T2 cannot be performed. In the embodiment A shown in FIG. 8, the reordering encryption code generation unit 140 for verification is provided in order to perform the reordering work based on the second reordering table T2, but the embodiment E shown in FIG. However, those corresponding to the component 140 are omitted. As a result, the verification encryption code Q “CEBAD” generated by the verification encryption code generation unit 130 is given to the verification determination unit 150E as it is.

  This means that the collation determination unit 150E cannot execute collation determination by the same method as the collation determination unit 150 of the embodiment A. Also in the illustrated example, the verification encryption code Q “CEBAD” provided from the verification encryption code generation unit 130 and the rearrangement encryption code Q ′ “BEDAC” provided from the rearrangement encryption code reception unit 170E are identical. I have not done it.

  However, if the verification encryption code Q “CEBAD” is rearranged based on the second rearrangement table T2, the rearrangement encryption code Q ′ “BEDAC” is obtained. If it is checked whether or not the member serving as an element is compatible, both correspond. That is, in the case of the above example, in any of the codes, the constituent members are five alphabets “A”, “B”, “C”, “D”, “E”, and the constituents are arranged in the order. If you ignore, they correspond to each other.

  Therefore, in the case of the embodiment E, the collation determining unit 150E includes the constituent elements (5 characters A to E) included in the reordered encryption code Q ′ “BEDAC” received by the reordered encryption code receiving unit 170E. When the corresponding components (5 characters A to E) included in the verification encryption code Q “CEBAD” generated by the verification encryption code generation unit 130 correspond to each other, Then, a collation determination stage is performed in which the second information processing apparatus 200E is determined to be an apparatus whose validity has been confirmed.

  As described above, in Example E, the reference for collation determination performed on the first information processing apparatus 100E side is relaxed compared to Examples A to D described so far. That is, instead of determining the complete match including the arrangement order of the two sets of codes to be collated, the one-to-one correspondence between the components is determined with the arrangement order being unquestioned. For this reason, although the strictness of authentication is slightly lowered in the embodiment E compared to the embodiments A to D, the second information processing apparatus 200E transmits the second rearrangement table T2. For this reason, the first information processing apparatus 100E side can omit the reception process and the rearrangement process related to the second rearrangement table T2, so that the process can be simplified. It is done. In the embodiment, for convenience of explanation, a simple example using a five-digit random code R has been shown. However, in practice, a random code R having a remarkably large number of digits is generally used. Even if the method of determining the one-to-one correspondence of the constituent elements without regard to the order is taken, the probability that an incorrect code coincides by chance is extremely low. In practice, there is no problem even if this Example E is adopted. Does not occur.

<3-6. Example F: Simple verification by decoding>
Next, Example F of the first embodiment of the present invention will be described with reference to FIG. In Example F, the first information processing apparatus 100F performs processing for confirming the validity of the second information processing apparatus 200F. As in the case of the embodiment E, the embodiment F is obtained by partially simplifying the matching process in the embodiment A, and the basic configuration is almost the same as that in the embodiment A. Therefore, only the differences from the embodiment A will be described below.

  First, regarding the second information processing apparatus 200F, the constituent elements 210, 220, 230, 240, and 270 are exactly the same as the constituent elements denoted by the same reference numerals in the embodiment A. The difference from the embodiment A is that a replacement encryption code transmission unit 250F and a table encryption unit 260F are provided instead of the components 250 and 260.

  On the other hand, for the first information processing apparatus 100F, the constituent elements 110 and 160 are exactly the same as the constituent elements assigned the same reference numerals in the embodiment A. The difference from the embodiment A is that the constituent elements corresponding to the constituent element 120 are omitted, and the collation rearrangement code generation unit 130F, collation instead of the constituent elements 130, 140, 150, 170, 180. An encryption code generation unit 140F, a collation determination unit 150F, a rearrangement encryption code reception unit 170E, and a table decryption unit 180E are provided. Therefore, these differences will be described below. Of the constituent elements of the embodiment F, those different from the constituent elements of the embodiment A are indicated by “F” at the end of the reference numerals.

The fundamental feature of the embodiment F is that the transmission of the first encryption table T1 ^* from the second information processing apparatus 200 to the first information processing apparatus 100 in the embodiment A is omitted, and the first information The rearrangement work by the first rearrangement method X1 on the processing apparatus 100 side is omitted. That is, while the transmission of the second encryption table T2 ^* is omitted in the embodiment E described above, the transmission of the first encryption table T1 ^* is omitted in the embodiment F described here. Is different.

Therefore, on the second information processing device 200F side, the rearrangement table generation unit 270 generates two sets of tables T1 and T2, and the rearrangement work in the rearrangement code generation unit 220 and the rearrangement encryption code generation unit 240 The rearrangement operation is performed in the same manner as in the embodiment A. However, in the table encryption stage performed in the table encryption unit 260F, the second rearrangement table T2 is encrypted and the second encryption table T2 is encrypted. Although the process of generating ^* is performed, the encryption of the first rearrangement table T1 is omitted. In the rearrangement encryption code transmission stage performed in rearrangement encryption code transmitter 250F, second encryption table T2 ^* is transmitted to first information processing apparatus 100F together with rearrangement encryption code Q ′ “BEDAC”. However, transmission of the first encryption table T1 ^* is omitted.

As described above, since the transmission of the first encryption table T1 ^* is omitted, the processing on the first information processing apparatus 100F side also slightly changes. That is, the reordered encryption code receiving unit 170F receives the second encryption table T2 ^* together with the reordered encryption code Q ′ “BEDAC”, but does not receive the first encryption table T1 ^* . The table decrypting unit 180F decrypts the second encryption table T2 ^* and restores the second rearrangement table T2, but does not decrypt the first encryption table T1 ^*. .

  Eventually, since the information of the first rearrangement table T1 is not transmitted to the first information processing apparatus 100F, the rearrangement work based on the first rearrangement table T1 cannot be performed. That is, on the first information processing apparatus 100F side, the rearrangement work for the random code R “12345” generated by the random code generation unit 110 cannot be performed. Processing corresponding to the encryption processing cannot be performed. Therefore, the collation determination work performed on the first information processing apparatus 100F side must be based on the decryption process, not the encryption process.

  From this point of view, in Example F, processing similar to Example C described above (collation processing by decoding) is performed. The basic concept is that in Example C shown in FIG. 10, the collating random code generation unit 120C is omitted, and the collation rearrangement code R ′ “35214” generated by the collation rearrangement code generation unit 130C is collated. Instead of determining the complete match including the order of arrangement of the two sets of codes in the collation determination unit 150C, directly changing the order to 150C, and modifying the order so that the one-to-one correspondence between the components is determined. It is in.

  Specifically, in the verification encryption code generation unit 140F, based on the table T2 bar obtained by reversing the second rearrangement table T2, the rearrangement encryption code Q ′ “BEDAC” received by the rearrangement encryption code reception unit 170F. The verification encryption code generation step of rearranging the constituent elements of “and generating the verification encryption code Q“ CEBAD ”is performed. Subsequently, the collation rearrangement code generation unit 130F performs a decryption operation based on the same encryption algorithm A as the encryption algorithm A used for the encryption process of the encryption code generation unit 230, and the verification encryption code Q “CEBAD” is obtained. A collation rearrangement code generation step of decrypting and generating collation rearrangement code R ′ “35214” is performed.

  As described above, since the information regarding the first rearrangement table T1 is not transmitted to the first information processing apparatus 100F side, the collation rearrangement code R ′ generated by the collation rearrangement code generation unit 130F. It is not possible to rearrange “35214”. Therefore, the collation rearrangement code R ′ “35214” is given to the collation determination unit 150F as it is.

  This means that the collation determination unit 150F cannot execute collation determination by the same method as the collation determination unit 150C of the embodiment C. Also in the illustrated example, the collation rearrangement code R ′ “35214” given from the collation rearrangement code generator 130F matches the random code R “12345” given from the random code generator 110. Absent.

  However, if the random code R “12345” is rearranged based on the first rearrangement table T1, the collation rearrangement code R ′ “35214” is obtained. If it is checked whether or not the corresponding member is compatible, both correspond. That is, in the case of the above example, in any code, the members that are constituent elements are five numbers “1”, “2”, “3”, “4”, “5”, and the constituent elements are mutually It will be supported.

  Therefore, in the case of Example F, the collation determination unit 150F generates the components included in the random code R “12345” generated by the random code generation unit 110 and the collation rearrangement code generation unit 130F. It is checked whether or not the constituent elements included in the collation rearrangement code R ′ “35214” correspond to each other, and in the case of correspondence, the second information processing device is determined to be a device whose validity has been confirmed. A collation judgment stage is performed.

As described above, in Example F, as in Example E, the criteria for collation determination performed on the first information processing apparatus 100F side are relaxed compared to Examples A to D described above. Although the strictness of authentication is slightly reduced, the second information processing apparatus 200F side can omit the process for transmitting the first rearrangement table T1, and the first information processing apparatus 100F can be omitted. On the side, since the reception process and the rearrangement process related to the first rearrangement table T1 can be omitted, there is an advantage that the process can be simplified.

<3-7. Example G: Use of Unidirectional Function>
Here, Example G of the first embodiment of the present invention will be described with reference to FIG. In Example G, the first information processing apparatus 100G performs processing for confirming the validity of the second information processing apparatus 200G. Example G is a slightly modified process in Example A described above, and the basic configuration is almost the same as Example A. Therefore, only the differences from the embodiment A will be described below.

  First, regarding the second information processing apparatus 200G, the constituent elements 210 and 230 are exactly the same as the constituent elements assigned the same reference numerals in the embodiment A. The difference from the embodiment A is that, instead of the components 220, 240, 250, 260, 270, a rearrangement code generation unit 220G, a one-way function value generation unit 240G, a function value transmission unit 250G, a table encryption unit 260G, the rearrangement table production | generation part 270G is provided.

  On the other hand, for the first information processing apparatus 100G, the constituent elements 110, 130, and 160 are exactly the same as the constituent elements assigned the same reference numerals in the embodiment A. The difference from the embodiment A is that, instead of the components 120, 140, 150, 170, 180, the collation rearrangement code generation unit 120G, the collation one-way function value generation unit 140G, the collation determination unit 150G, the function A value receiving unit 170G and a table decoding unit 180G are provided. Therefore, these differences will be described below. Of the constituent elements of the embodiment G, those different from the constituent elements of the embodiment A are indicated by “G” at the end of the reference numerals.

  The fundamental feature of the embodiment G is that although the rearrangement corresponding to the first rearrangement table T1 in the embodiment A is performed, the rearrangement corresponding to the second rearrangement table T2 is not performed. The point is to perform an operation that operates a one-way function. Therefore, in the embodiment G, terms “sorting table T” and “sorting method” are simply used as terms corresponding to “first sorting table T1” and “first sorting method X1” in the embodiment A. The term “X” will be used.

  Note that the rearrangement code generation unit 220G in the embodiment G is actually the same component as the rearrangement code generation unit 220 in the embodiment A, and the collation rearrangement code generation unit 120G in the embodiment G is Actually, it is the same component as the collation rearrangement code generation unit 120 in the embodiment A. Nonetheless, in Example G, these components are distinguished by adding the suffix G to the “first rearrangement table T1” and “first” in Example A as described above. This is because the “sorting method X1” is simply referred to as “sorting table T” and “sorting method X” in the embodiment G.

  That is, the rearrangement code generation unit 220G performs a rearrangement code generation step of rearranging the constituent elements of the random code R “12345” based on the rearrangement table T to generate the rearrangement code R ′ “35214”. The collation rearrangement code generation unit 120G rearranges the constituent elements of the random code R “12345” generated by the random code generation unit 110 based on the rearrangement table T and performs the collation rearrangement code R. 'This is a component that performs the collation rearrangement code generation stage for generating “35214”. Each of these components is substantially the same component as the rearrangement code generation unit 220 and the collation rearrangement code generation unit 120 in the embodiment A, but as described above, the “rearrangement table” and “ Since the term relating to “sorting method” is used properly, for the sake of convenience, a symbol G is added to the end for distinction.

Thus, in Example G, since only a single rearrangement table T is used, the rearrangement table generation unit 270G only needs to generate a single rearrangement table T, and the table encryption unit 260G It suffices to encrypt the single rearrangement table T to generate a single encryption table T ^* .

  The essential difference between the embodiment G and the embodiment A is that the encryption code generation unit 230 performs encryption processing on the rearrangement code R ′ “35214” to generate the encryption code Q “CEBAD”, and then encrypts the encryption code Q “CEBAD”. Instead of rearranging the code Q “CEBAD”, an operation that operates a one-way function is performed.

  Therefore, the one-way function value generation unit 240G performs a one-way function value generation step of generating a predetermined function value H by applying a one-way function to the encryption code Q “CEBAD”. Here, the one-way function is a function that can be converted into new data uniquely by applying some processing to the original data, and also restores the original data from the new data. A function that cannot perform reverse transformation. The encryption processing described so far is a reversible conversion process, and the reverse conversion process corresponds to a decryption process. On the other hand, the conversion process performed by the one-way function value generation unit 240G is a process that applies a one-way function, and is an irreversible conversion process.

  A representative example of such a one-way function is a HASH function. Hereinafter, a case where the HASH function value H is obtained by performing a conversion process in which the one-way function value generation unit 240G operates the HASH function will be described as an example. I will explain. The function value obtained by applying the HASH function has a reduced amount of information compared to the original data. Therefore, in the case of the illustrated example, for convenience, a specific value of the function value H obtained by applying the HASH function to the encryption code Q composed of five-character data “CEBAD” is represented by “h”. I will decide. Eventually, the one-way function value generation unit 240G performs an arithmetic process to generate the function value H (h) by applying the HASH function to the encryption code Q “CEBAD”.

The function value transmission unit 250G uses the function value H (h) generated by the one-way function value generation unit 240G and the encryption table T ^* encrypted by the table encryption unit 260G as the first information processing apparatus. It is a component that performs a function value transmission stage to be transmitted to 100G.

In this way, the function value H (h) and the encryption table T ^* transmitted from the second information processing apparatus 200G are received by the function value receiving unit 170G. The received encryption table T ^* is provided to the table decryption unit 180G, and the received function value H (h) is provided to the collation determination unit 150G. The table decryption unit 180G performs a table decryption step of decrypting the given encryption table T ^* and restoring the rearrangement table T.

  On the other hand, the collation rearrangement code generation unit 120G rearranges the constituent elements of the random code R “12345” generated by the random code generation unit 110 based on the restored rearrangement table T, thereby collating the rearrangement code. A collation rearrangement code generation step for generating R ′ “35214” is performed. The verification encryption code generation unit 130 obtains the verification rearrangement code R ′ “35214” by an encryption operation based on the same encryption algorithm A as the encryption algorithm A used for the encryption process of the encryption code generation unit 230. A verification encryption code generation stage is performed in which encryption is performed to generate a verification encryption code Q “CEBAD”.

  Subsequently, in the verification one-way function value generation unit 140G, the same one-way function (for the verification encryption code Q “CEBAD” as the one-way function used in the one-way function value generation unit 240G ( In the case of the example shown here, a collation one-way function value generation stage is performed in which the HASH function is applied to generate the collation function value H (h). Finally, in the matching determination unit 150G, the function value H (h) received by the function value receiving unit 170G, the matching function value H (h) generated by the matching one-way function value generating unit 140G, Are matched, and if they match, a collation determination stage is performed in which the second information processing apparatus 200G is determined to be an apparatus whose validity has been confirmed.

  As described above, in Example G, since the collation performed on the first information processing apparatus 100G side is performed in the process of confirming the match of the one-way function value, the strictness of authentication is slightly reduced. Since both the first information processing apparatus 100G and the second information processing apparatus 200G need only perform processing related to the single rearrangement table T, there is an advantage that the processing can be simplified.

<<< §4. Basic concept of the authentication method according to the second embodiment of the present invention >>>
So far, in §2 and §3, the first embodiment of the present invention has been described. Here, the basic concept of the authentication method according to the second embodiment of the present invention will be described with reference to FIG. Specifically, taking a process in which the first information processing apparatus 100 ′ (for example, a server apparatus) confirms the validity of the second information processing apparatus 200 ′ (for example, a client apparatus) as an example, The processing procedure will be described.

  The major difference between the first embodiment and the second embodiment of the present invention is that, in the former, data is rearranged before or after the encryption process, whereas in the latter, the encryption process is performed. This is the only substantial difference between the two. Therefore, the second embodiment will be described below in comparison with the first embodiment.

  In the second embodiment shown in FIG. 15, the first information processing apparatus 100 ′ includes a random code generation unit 110, a verification correction code generation unit 120 ′, a verification encryption code as constituent elements involved in the authentication process. A generation unit 130 ′, a verification correction encryption code generation unit 140 ′, a verification determination unit 150 ′, a random code transmission unit 160, and a correction encryption code reception unit 170 ′ are provided. The second information processing apparatus 200 ′ includes A random code receiving unit 210, a modified code generating unit 220 ′, an encrypted code generating unit 230 ′, a modified encrypted code generating unit 240 ′, and a modified encrypted code transmitting unit 250 ′ are provided.

  When the individual constituent elements according to the second embodiment shown in FIG. 15 are compared with the individual constituent elements according to the first embodiment shown in FIG. There is no difference between unit 110, random code transmission unit 160, and random code reception unit 210.

  Further, there is no essential difference between the encryption code generation units 230 and 230 ', and there is no essential difference between the verification encryption code generation units 130 and 130'. Both are components having a function of performing an encryption operation based on a predetermined encryption algorithm A on a given code and generating an encryption code. However, the encryption code generation unit 230 and the verification encryption code generation unit 130 illustrated in FIG. 5 perform processing of encrypting the rearrangement code R ′ “35214” and generating the encryption code Q “CEBAD”. The encryption code generation unit 230 ′ and the verification encryption code generation unit 130 ′ illustrated in FIG. 15 encrypt the correction code R ″ “45678” instead of the rearrangement code R ′ “35214” and encrypt the encryption code Q “DEFGH”. In FIG. 15, for the sake of convenience, “′” is added to the reference numerals for distinction. In other words, they are different only in the codes given, and the substantial processing functions are exactly the same.

  On the other hand, each component 120,140,220,240 shown in FIG. 5 and each component 120 ', 140', 220 ', 240' shown in FIG. 15 differ in the processing function. In other words, the former is a component that performs rearrangement processing as the word “reorder code” or “reorder encryption code” is used, whereas the latter is a “correction code” or “correction encryption code”. "Is a component that performs a correction process. Hereinafter, the difference between both will be described using the modified code generation unit 220 ′ illustrated in FIG. 15 and the rearrangement code generation unit 220 illustrated in FIG. 5 as examples.

  As described in §2, the rearrangement code generation unit 220 illustrated in FIG. 5 performs processing for rearranging the components of the given random code R and generating the rearrangement code R ′. Specifically, in the case of the illustrated example, the random code R “12345” formed by enumerating five numbers based on the first rearrangement method X1 shown in FIG. The rearrangement code R ′ is generated.

  On the other hand, the correction code generation unit 220 ′ shown in FIG. 15 uses the first correction number U1 generated at random for each number that is a constituent element of the given random code R. Processing for generating a correction code R ″ by performing the correction operation Y1 of 1 is performed. A circle Y1 in the block 220 ′ in FIG. 15 indicates that the correction operation Y1 is performed (the same applies hereinafter). Specifically, in the case of the illustrated example, as shown in FIG. 16 (a), the first correction number U1 is set to +3, and the first correction consisting of addition using the first correction number U1. By executing the calculation Y1, a correction code R ″ composed of five numbers “45678” is generated based on the original random code R “12345”. The function of the matching correction code generation unit 120 ′ shown in FIG. 15 is also the same, and the matching correction code R ″ “45678” is generated based on the random code R “12345”.

  The first correction operation Y1 shown in FIG. 16 (a) is set to the first correction number U1 = + 3, and the first correction number U1 is added to each number constituting the original code. This is an operation for obtaining a correction code. Therefore, as in the example shown in the figure, when the original code is composed of five numbers “12345”, “+3” is added to each of these five numbers to form five numbers “45678”. A modified code is generated. In other words, the original code has been modified to put three clogs on. Of course, a negative number can be set as the correction number, and subtraction can be set as the content of the correction calculation.

  As described above, since the correction operation is an arithmetic operation using a predetermined correction number, the calculation target is basically a number, but even in the case of a character, if it is associated with a specific number , And can be the target of correction calculation. FIG. 16B shows an example of a correction operation for a character string. That is, the second correction operation Y2 shown in FIG. 16 (b) is originally set to the second correction number U2 = + 6, and the second correction number is set for each number constituting the original code. This is an operation for obtaining a correction code by adding U2, but the figure shows an example in which the correction operation is applied to a character string.

  Specifically, in the case of this example, each of the letters A to Z is associated with numbers 1 to 26, and each character is treated as a corresponding number, thereby correcting the same as the number. Has been given. That is, the original code “DEFGH” is handled as the corresponding numbers “4, 5, 6, 7, 8”, and the second correction number U2 = + 6 is added to these corresponding numbers to obtain “10, 11”. , 12, 13, 14 "and then replacing it with the corresponding alphabet, the modified code" JKLMN "is obtained.

  In the case of the example shown in FIG. 15, the encryption code generation unit 230 ′ encrypts the given correction code R ″ “45678” based on the encryption algorithm shown in FIG. "Is generated. Then, the modified encryption code generation unit 240 ′ sets the second modification number U2 = + 6 for the encryption code Q “DEFGH” as shown in FIG. Y2 will be performed. In this case, the given encryption code Q “DEFGH” is handled as a corresponding number, and the modified encryption code Q ″ “JKLMN” is obtained by performing the addition process described above. The function of the verification correction encryption code generation unit 140 ′ shown in FIG. 15 is also the same, and the verification correction encryption code Q ″ “JKLMN” is generated based on the verification encryption code Q “DEFGH”.

  In short, as the first information processing apparatus 100 ′ and the second information processing apparatus 200 ′, if devices that handle characters associated with specific numbers are used, characters as random codes R or encryption codes Q are used. Even when a code including a character string is generated, if the process of handling each character as a corresponding number is performed, the correction operation described above can be performed on a code consisting of a character string.

  In practice, the individual numbers that are the constituent elements of the random code R and the individual numbers that are the constituent elements of the encryption code Q are numerical values within the range of N to M (where N <M). When the first correction calculation Y1 and the second correction calculation Y2 are performed, if the calculated numerical value V is V <N, correction is performed by adding (M−N + 1), and the calculated numerical value V When V> M, it is preferable to perform correction by subtracting (M−N + 1) so that the numerical value after the correction calculation is a numerical value within the range of N to M.

  For example, when each number that is a constituent element of the random code R and each number that is a constituent element of the encryption code Q is a 1-byte number, one number is a number in the range of 0 to 255 ( In the above formula, N = 0 and M = 255). In this case, the calculation can be simplified if the numerical value V after the correction calculation is also set to a 1-byte numerical value within the range of 0 to 255. Therefore, when the first correction calculation Y1 and the second correction calculation Y2 are performed, if the calculated numerical value V is V <0, correction is performed by adding 256, and the calculated numerical value V is V> In the case of 255, correction by subtracting 256 is performed so that the numerical value after the correction calculation is within a range of 0 to 255 (in practice, the remainder of division by 256 is obtained. Just fine).

  For example, when alphabets associated with numbers 1 to 26 are used as components of the random code R and components of the encryption code Q, specific numerical values associated with individual alphabets are 1 to 26. It becomes a numerical value within the range (in the above formula, N = 1, M = 26). In this case, if the numerical value V after the correction calculation is also set to a 1-byte numerical value within the range of 1 to 26, character representation using the corresponding alphabet becomes possible. Therefore, when the first correction calculation Y1 and the second correction calculation Y2 are performed, if the calculated value V is V <1, correction is performed by adding 26, and the calculated value V is V> In the case of 26, correction by subtracting 26 may be performed so that the numerical value after the correction calculation becomes a numerical value within the range of 1 to 26.

  As described above, in the authentication method according to the second embodiment, the value for the data is corrected before and after the encryption process, instead of rearranging the data. The procedure is almost the same as that of the first embodiment described so far.

  That is, first, the random code R “12345” generated by the random code generation unit 110 is transmitted from the random code transmission unit 160, and is received by the random code reception unit 210. Then, the correction code generation unit 220 ′ performs the first correction operation Y1 on the random code R “12345” to generate the correction code R ″ “45678”, and the encryption code generation unit 230 ′ encrypts this. To obtain the encryption code Q “DEFGH”. Further, the modified encryption code generation unit 240 ′ performs the second modification operation Y2 on the encryption code Q “DEFGH” to generate the modification encryption code Q ″ “JKLMN”, and the modification encryption code transmission unit 250 ′ The modified encryption code Q ″ “JKLMN” is transmitted to the first information processing apparatus 100 ′ together with the modification information indicating the modification operations Y1 and Y2.

  On the other hand, when the modified encrypted code receiving unit 170 ′ receives the modified encrypted code Q ″ “JKLMN” and the modified information indicating the modified operations Y1 and Y2, the verification modified code generating unit 120 ′ performs random code R “ The first correction operation Y1 for “12345” is performed to generate a correction code R ″ “45678”, and this is encrypted by the algorithm A in the verification encryption code generation unit 130 ′, and the verification encryption code Q “ A process of generating “DEFGH” is performed. Further, the verification modified encryption code generation unit 140 ′ performs a second modification operation Y2 on the encryption code Q “DEFGH” to generate a modified encryption code Q ″ “JKLMN”. Finally, in the collation determining unit 150 ′, the modified encryption code Q ″ “JKLMN” received by the modified encryption code receiving unit 170 ′ and the verification modified encryption code Q generated by the verification modified encryption code generation unit 140 ′. '' It is checked whether or not “JKLMN” matches, and if they match, the second information processing device 200 ′ is determined to be a device whose validity has been confirmed.

  Note that the first correction operation Y1 executed by the correction code generation unit 220 ′ and the second correction operation Y2 executed by the correction encryption code generation unit 240 ′ are defined randomly every time the authentication process is performed. To do. That is, every time the random code receiving unit 210 receives a new random code R, the modified code generating unit 220 ′ and the modified encrypted code generating unit 240 ′ each time based on the newly defined modified operations Y1 and Y2. , Perform different correction operations. In practice, as illustrated in FIG. 16, the content of the correction operation itself is fixed, for example, “addition”, and the first correction number U1 and the second correction number U2 are set as random numbers. It is sufficient to use and generate randomly.

  After all, when the authentication method shown in FIG. 15 is adopted, if the random code R “12345” is given as a challenge from the first information processing apparatus 100 ′ to the second information processing apparatus 200 ′, the second information processing apparatus 100 ′ In the information processing apparatus 200 ′, after the random code R “12345” → the modified code R ″ “45678” → the encryption code Q “DEFGH” → the modified encryption code Q ″ “JKLMN”, The code Q ″ “JKLMN” is returned as a response.

  As described above, if the authentication method according to the second embodiment shown in FIG. 15 is adopted, the information obtained by the interception of communication is the same as when the authentication method according to the first embodiment shown in FIG. 5 is adopted. Since there is no direct relationship with the information obtained by the side channel analysis, it is difficult to estimate the encryption algorithm A even if both are combined.

  That is, when the authentication method shown in FIG. 15 is adopted, the information obtained by the communication interception is a response of the modified encryption code Q ″ “JKLMN” to the challenge by the random code R “12345” as shown in FIG. Is the fact that However, at this time, the operation of the encryption process performed in the encryption code generation unit 230 ′ is not an operation for converting the random code R “12345” into the correction encryption code Q ″ “JKLMN”, but the correction code. This is an operation for converting R ″ “45678” into the encryption code Q “DEFGH”, and the information obtained by the side channel analysis is that the correction code R ″ “45678” is converted into the encryption code Q “DEFGH” as shown in FIG. That is, information on power consumption, calculation processing time, generated electromagnetic waves, and the like when executing the calculation to be converted into the above. Therefore, even when this second embodiment is adopted, an authentication method that can sufficiently withstand an attack combining communication interception and side channel analysis can be realized.

Also, when introducing the present invention, it is very efficient because it is only necessary to add a process for performing relatively simple data processing (in the case of the example, simple addition processing) before and after the encryption processing. By the simple processing, a countermeasure against the above attack can be prepared, and the introduction cost can be suppressed.

  As described above, in the authentication method for the information processing apparatus according to the second embodiment of the present invention, the first information processing apparatus 100 ′ authenticates the second information processing apparatus 200 ′ as an apparatus whose validity has been confirmed. For this purpose, first, on the first information processing apparatus 100 ′ side, a random code R in which numbers (which may be characters associated with specific numbers as described above) are enumerated is generated using random numbers. The step of transmitting this to the second information processing apparatus 200 ′ (processing by the random code generation unit 110 and the random code transmission unit 160) is performed.

  Subsequently, the second information processing apparatus 200 ′ side receives the transmitted random code R, and uses the first correction number U1 generated at random for each number as a constituent element. Performing the first correction operation Y1 to generate a correction code R ″ (processing by the random code receiving unit 210 and the correction code generation unit 220 ′), and using this correction code R ″ as a predetermined encryption algorithm for A A step of generating an encryption code Q by encryption based on the encryption operation (processing by the encryption code generation unit 230 '), and a second generated randomly for each number that is a constituent element of the encryption code Q Performing the second modification operation Y2 using the modification number U2 to generate the modified cryptographic code Q ″ (processing by the modified cryptographic code generation unit 240 ′), together with the modified cryptographic code Q ″ The correction information indicating a first correction operation Y1 and second correction operation Y2, and 'step of transmitting the (modified encryption code transmission unit 250' first information processing apparatus 100 treatment with), is performed.

  Then, on the first information processing apparatus 100 ′ side, the correction information is received together with the correction encryption code Q ″ (processing by the correction encryption code receiving unit 170 ′), and the validity of the received correction encryption code Q ″ is confirmed. Based on the same cryptographic algorithm A as the correction calculation process based on the received correction information (the process performed by the verification correction code generation unit 120 ′ and the verification correction encrypted code generation unit 140 ′) and the encryption process performed by the encryption code generation unit 230 ′ A step of confirmation is performed by an encryption operation (processing by the verification encryption code generation unit 130 ').

  Note that transmission of correction information (information indicating the first correction calculation Y1 and the second correction calculation Y2) from the second information processing apparatus 200 ′ to the first information processing apparatus 100 ′ is actually encrypted. It is preferable to carry out in such a state. That is, the correction information is encrypted on the second information processing apparatus 200 'side, and the encrypted correction information is transmitted from the corrected encryption code transmitting unit 250' to the corrected encryption code receiving unit 170 '. Thus, if this is decoded on the first information processing apparatus 100 ′ side and returned to its original state, it is possible to prevent the correction information from being exposed even if communication interception is performed.

  In the example shown in FIG. 15, the same encryption operation as that performed on the second information processing device 200 ′ is performed on the first information processing device 100 ′ side, and the collation determining unit 150 ′ Although the authentication is performed by confirming the matching of the modified encryption code Q ″ obtained as a result of both processes, the present invention is not necessarily limited to the example in which the matching is confirmed by such a procedure. . For example, the first information processing apparatus 100 ′ side performs verification by executing a decryption operation based on the modified encryption code Q ″ (a decryption operation based on the same encryption algorithm A as the encryption processing by the encryption code generation unit 230 ′). You can go.

  Further, in the example shown in FIG. 15, on the second information processing apparatus 200 ′ side, a correction process for the random code R based on the first correction calculation Y1 and a correction process for the encryption code Q based on the second correction calculation Y2 Accordingly, on the first information processing apparatus 100 ′ side as well, the correction process for the random code R based on the first correction operation Y1 and the encryption based on the second correction operation Y2 are performed accordingly. The correction process for the code Q is performed. However, the present invention is not necessarily limited to an example in which matching is confirmed by such a procedure. For example, one correction process can be omitted on the first information processing apparatus 100 'side. . In this case, the modified encryption code transmission unit 250 ′ does not need to transmit the modification information indicating both the first modification operation Y1 and the second modification operation Y2 together with the modification encryption code Q ″, and either one of them is transmitted. It is sufficient to send the correction information shown.

  As described above, the basic concept of the second embodiment of the present invention has been described based on the basic example shown in FIG. 15, but actually, various variations in which detailed portions are changed are conceivable. . Therefore, in the following §5, some examples relating to such variations will be described.

<<< §5. Specific Example of the Second Embodiment >>>
The feature of the second embodiment of the present invention is that, as described in the basic concept using the example of FIG. 15, when performing authentication, a correction operation as illustrated in FIG. The correction processing is performed when the conversion processing is performed. Several specific examples will be described below. Examples a to g according to the second embodiment described here correspond to Examples A to G according to the first embodiment described in §3, respectively. Therefore, in the following description, the features of each of the examples a to g will be described while comparing with the examples A to G as necessary.

<5-1. Example a: Verification by encryption part 1>
FIG. 18 is a block diagram illustrating Example a of the second embodiment. This example a corresponds to the example A of the first embodiment described in §3-1. Here, the first information processing apparatus 100a is the legitimacy of the second information processing apparatus 200a. The process of confirming is performed.

  As shown in the figure, in the case of the embodiment a, the first information processing apparatus 100a includes a random code generation unit 110, a verification correction code generation unit 120a, a verification encryption code generation unit as constituent elements involved in the authentication process. 130a, a verification modified encryption code generation unit 140a, a verification determination unit 150a, a random code transmission unit 160, a modified encryption code reception unit 170a, and a modification number decryption unit 180a are provided. On the other hand, the second information processing apparatus 200a includes a random code receiving unit 210, a modified code generating unit 220a, an encrypted code generating unit 230a, a modified encrypted code generating unit 240a, a modified encrypted code transmitting unit 250a, and a modified number encrypting unit 260a. A correction number generation unit 270a is provided.

  Here, the random code generation unit 110, the random code transmission unit 160, and the random code reception unit 210 are exactly the same as the components of the same reference numerals in the embodiment A shown in FIG. On the other hand, the other constituent elements indicated by the reference numeral a added to the end of the number correspond to the constituent elements indicated by the same reference numeral in the embodiment A shown in FIG. It has a function according to the constituent elements.

  The major difference between the embodiment A shown in FIG. 8 and the embodiment a shown in FIG. 18 is that the former components 120, 220, 140, and 240 rearrange the given code to change the rearranged code R ′. Alternatively, while the rearranged encryption code Q ′ is generated, the latter component 120a, 220a, 140a, 240a performs a correction operation on the given code to change the correction code R ″ or the correction encryption code Q ″. Is a point that generates

  Therefore, the constituent elements 130a and 230a perform encryption processing on the correction code R ″. In addition, each time the random code receiving unit 210 receives a new random code R, the correction number generation unit 270a obtains the first correction number U1 and the second correction number U2 that are random numerical values used for the correction calculation. Generate based on random numbers. The first modification number U1 is used for the first modification operation Y1 in the modification code generation unit 220a, and the second modification number U2 is used for the second modification operation Y2 in the modification encryption code generation unit 240a.

On the other hand, the modified number encryption unit 260a encrypts these to generate the first encrypted modified number U1 ^* and the second encrypted modified number U2 ^* , and the modified encrypted code transmission unit 250a performs the modified encrypted code. The first encryption modification number U1 ^* and the second encryption modification number U2 ^* are transmitted to the first information processing apparatus 100a together with the modified encryption code Q ″ generated by the generation unit 240a.

The modified encrypted code receiving unit 170a receives the modified encrypted code Q ″ and the encrypted modified numbers U1 ^* and U2 ^* transmitted in this way. The received modified encryption code Q ″ is provided to the collation determination unit 150a, and the received encrypted modification numbers U1 ^* and U2 ^* are provided to the modification number decryption unit 180a. The modification number decryption unit 180a performs a process of decrypting the encrypted modification numbers U1 ^* and U2 ^* , respectively, and restoring the original modification numbers U1 and U2.

  The verification correction code generation unit 120a performs a process of correcting the random code R based on the first correction operation Y1 using the first correction number U1 restored in this way and generating a correction code R ″. Similarly, the verification correction encryption code generation unit 140a corrects the verification encryption code Q based on the second correction operation Y2 using the second correction number U2 restored in this way, and the correction encryption code Q ″. Process to generate. For example, if it is determined that “addition” is performed as the content of each correction calculation, a specific correction calculation is uniquely determined when the number of corrections is determined.

Note that it is preferable to use a public key cryptosystem for encryption and decryption of the modified numbers U1 and U2. Specifically, the modification number encryption unit 260a encrypts the modification numbers U1 and U2 using one of a pair of keys used in the public key cryptosystem, and the encrypted modification numbers U1 ^* and U2 ^* , And the modified number decryption unit 180a decrypts the encrypted modified numbers U1 ^* and U2 ^* using the other key of the pair of keys to generate the original modified numbers U1 and U2. You just have to do it.

  For example, when the first information processing apparatus 100a is a server apparatus and the second information processing apparatus 200a is a client apparatus, the modification number encryption unit 260a performs encryption using the public key of the person who manages the server apparatus 100a. Then, the modified number decryption unit 180a can perform decryption using the secret key of the person who manages the server device 100a.

As described above, each of the correction numbers U1 and U2 is a random number newly generated by using a random number on the second information processing apparatus 200a each time the illustrated authentication process is performed. It is necessary to transmit to the information processing apparatus 100a side. In the embodiment a shown here, the modification numbers U1 and U2 can be encrypted and transmitted in the form of the encrypted modification numbers U1 ^* and U2 ^*. Therefore, even if communication interception is performed, the modification numbers U1 and U2 Will not be exposed directly. Therefore, defense against unauthorized attacks can be further enhanced.

  FIG. 16 shows an example in which different numerical values are generated as the first correction number U1 and the second correction number U2, but the correction numbers U1 and U2 are not necessarily different numerical values. The same numerical value may be used. However, since it is more effective to increase the defense against unauthorized attacks by preparing different numerical values, the first correction number U1 and the second correction are practically used as shown in FIG. It is preferable that different numerical values are randomly generated as the number U2.

  Subsequently, with reference to FIG. 18, the specific processing content of the authentication method in the embodiment a, that is, the first information processing apparatus 100a authenticates the second information processing apparatus 200a as the apparatus whose validity has been confirmed. The specific procedure for doing this will be explained in order following the flow of data.

  First, the random code generation unit 110 uses a random number to perform a random code generation stage for generating a random code R that enumerates numbers (which may be characters associated with specific numbers) as constituent elements. The illustrated example is an example in which a random code R “12345” in which five numbers are arranged is generated. In practice, an n-byte random code R in which n 1-byte numbers are arranged may be generated. Then, the random code transmission unit 160 performs a random code transmission step of transmitting the random code R “12345” to the second information processing apparatus 200a.

  Subsequently, the random code receiving unit 210 performs a random code receiving step of receiving the transmitted random code R “12345”, and the correction number generation unit 270a uses the random number to generate the first correction number U1. Then, a correction number generation stage for generating the second correction number U2 (U1 = + 3, U2 = + 6 in the example shown in FIG. 16) is performed.

  Then, in the correction code generation unit 220a, the first correction calculation Y1 based on the first correction number U1 (in the case of the example shown in FIG. 16) for each number that is a constituent element of the random code R “12345”. The operation of generating the correction code R ″ “45678” is performed by executing the calculation of adding the correction number +3), and the encryption code generation unit 230a performs the encryption operation based on the predetermined encryption algorithm A. The encrypted code generation step of encrypting the modified code R ″ “45678” to generate the encrypted code Q “DEFGH” is performed, and the modified encrypted code generation unit 240a further includes the constituent elements of the encrypted code Q “DEFGH”. Is added to the second correction operation Y2 based on the second correction number U2 (in the case of the example shown in FIG. 16, the correction number +6 is added). The modified cryptographic code generation stage for generating the modified cryptographic code Q ″ “JKLMN” is performed.

In addition, the modification number encryption unit 260a encrypts the first modification number U1 and the second modification number U2, respectively, and generates the first encryption modification number U1 ^* and the second encryption modification number U2 ^* . A modified number encryption step is performed. Then, in the modified encryption code transmission unit 250a, the first encryption modification number U1 ^* and the second encryption modification number U2 ^* are transmitted to the first information processing apparatus 100a together with the modification encryption code Q ″ “JKLMN”. A modified encryption code transmission stage for transmission is performed.

On the other hand, the modified encryption code receiving unit 170a receives the modified encryption code Q ″ “JKLMN” that has been transmitted, and the modified encryption code that receives the first encryption modification number U1 ^* and the second encryption modification number U2 ^*. The code reception stage is performed, and the modification number decryption unit 180a decrypts the first encryption modification number U1 ^* and the second encryption modification number U2 ^* , respectively, and the first modification number U1 and the second modification number. A modified number decoding step is performed to restore U2.

  In the verification correction code generation unit 120a, the restored first correction number U1 is used for each number that is a constituent element of the random code R “12345” generated by the random code generation unit 110. A verification correction code generation stage for generating a verification correction code R ″ “45678” by performing the first correction operation Y1 is performed. In the verification encryption code generation unit 130a, the encryption code generation unit 230a employs A verification encryption code generation stage is performed in which the verification correction code R ″ “45678” is encrypted and the verification encryption code Q “DEFGH” is generated by an encryption operation based on the same encryption algorithm A as the encryption algorithm A being used. Further, in the verification modified encryption code generation unit 140a, individual numbers that are constituent elements of the verification encryption code Q “DEFGH” On the other hand, the second modification operation Y2 using the restored second modification number U2 is performed, and the collation correction cipher code generation stage for generating the collation correction cipher code Q ″ “JKLMN” is performed. .

  Finally, in the collation determining unit 150a, the modified cryptographic code Q ″ “JKLMN” received by the modified cryptographic code receiving unit 170a and the modified cryptographic code Q ″ for verification generated by the verification modified cryptographic code generation unit 140a. Whether or not “JKLMN” matches is checked, and if it matches, a matching determination step is performed in which the second information processing device 200a is determined as a device whose validity has been confirmed.

  After all, when the authentication method according to the embodiment a shown in FIG. 18 is adopted, when the random code R “12345” is given as a challenge from the first information processing apparatus 100a to the second information processing apparatus 200a. In the correction code generation unit 220a, the random code R “12345” is converted into the correction code R ″ “45678” by the first correction operation Y1 using the first correction number U1. Then, the encryption code generation unit 230a performs encryption processing based on the encryption algorithm A on the modified code R ″ “45678” to generate the encryption code Q “DEFGH”. Further, in the modified encryption code generation unit 240a, this encryption code Q “DEFGH” is converted into the modified encryption code Q ″ “JKLMN” by the second modification operation Y2 using the second modification number U2. This modified encryption code Q ″ “JKLMN” is returned as a response.

  At this time, the correction numbers U1 and U2 are transmitted to the first information processing apparatus 100a together with this response in an encrypted state. Moreover, the verification encryption code generation unit 130a has a function of executing an encryption process using the same encryption algorithm A as the encryption code generation unit 230a. Therefore, on the first information processing apparatus 100a side as well, a procedure similar to the procedure executed on the second information processing apparatus 200a side is executed, and the random code R “12345” → the correction code R ″ “45678”. → Cryptographic code Q “DEFGH” → Modified cryptographic code Q ″ “JKLMN” can be traced to obtain the modified cryptographic code Q ″ “JKLMN”. By confirming the coincidence of the code Q ″ “JKLMN”, the validity of the second information processing apparatus 200a is confirmed.

  It is exactly the same as the first embodiment that the authentication method shown in Example a performs a sufficient defense function against an attack combining communication interception and side channel analysis. That is, when the authentication method shown in FIG. 18 is adopted, the information obtained by communication interception is the fact that a response of the modified encryption code Q ″ “JKLMN” is obtained in response to the challenge by the random code R “12345”. is there.

  However, at this time, the operation of the encryption process performed inside the encryption code generation unit 230a is not the operation of converting the random code R “12345” into the corrected encryption code Q ″ “JKLMN”, but the correction code R '' "45678" is an operation for converting the encryption code Q "DEFGH", and information obtained by the side channel analysis is an operation for converting the correction code R "" 45678 "into the encryption code Q" DEFGH ". This means information such as power consumption, calculation processing time, and generated electromagnetic waves.

  As described above, even if the challenge “12345” and the response “JKLMN” are specified by the communication interception, the operation of the encryption process actually performed converts another code “45678” to “DEFGH”. Since it is an operation, it is difficult to estimate the encryption algorithm A even if analysis is performed by combining the two.

<5-2. Example b: Verification by encryption, part 2>
Next, Example b of the second embodiment of the present invention will be described with reference to FIG. This Example b corresponds to Example B of the first embodiment described in §3-2. Here, the first information processing apparatus 100b is the validity of the second information processing apparatus 200b. The process of confirming is performed. The embodiment b is obtained by slightly changing the collation process in the embodiment a described above, and the basic configuration is almost the same as the embodiment a. Therefore, only the differences from the embodiment a will be described below.

  First, the second information processing apparatus 200b has the same configuration as that of the second information processing apparatus 200a shown in the embodiment a of FIG. In FIG. 19, “b” is added to the end of the reference numerals of the constituent elements 220b to 270b for convenience of distinguishing from the constituent elements of the embodiment A, but these constituent elements are shown in FIG. The components 220a to 270a of Example a are exactly the same.

  On the other hand, for the first information processing apparatus 100b, the constituent elements 110, 120b, 160, 170b, and 180b are exactly the same as the constituent elements 110, 120a, 160, 170a, and 180a in the embodiment a shown in FIG. The difference from the embodiment a is that a verification encryption code first generation unit 130b, a verification encryption code second generation unit 140b, and a verification determination unit 150b are provided instead of the constituent elements 130a, 140a, and 150a. It is. Therefore, the functions of these three components will be described below.

  First, the verification encryption code first generation unit 130b is actually a component having the same function as the verification encryption code generation unit 130a in the embodiment a, and the encryption code executed by the encryption code generation unit 230b. A verification encryption code first generation stage is executed in which the verification correction code R ″ “45678” is encrypted by the encryption operation based on the same encryption algorithm A as the algorithm A to generate the verification encryption code Q “DEFGH”. . Here, the reason why “first” is inserted in the name of the component 130b is to avoid confusion with the component 140b.

  On the other hand, the verification encryption code second generation unit 140b sets the second modification number U2 for each number that is a constituent element of the modified encryption code Q ″ “JKLMN” received by the modified encryption code receiving unit 170b. This is a component that performs the second verification encryption code generation step for generating the verification encryption code Q “DEFGH” by performing an operation opposite to the second correction operation Y2 used. Both the verification encryption code first generation unit 130b and the verification encryption code second generation unit 140b are components having a function of generating the verification encryption code Q “DEFGH”. The former is a verification correction code R '' The verification encryption code Q “DEFGH” is generated by the encryption process for “45678”, while the latter is the verification encryption code Q “DEFGH” by the correction operation for the correction encryption code Q ”“ JKLMN ”. Will be generated.

  Here, the operation opposite to the second modification operation Y2 using the second modification number U2 is the operation opposite to the modification operation Y2 performed by the modified encryption code generation unit 240b, and the modified encryption code If the “calculation for adding +6” shown in FIG. 16B (addition operation for which the correction number U2 = + 6) shown in FIG. 16B is performed in the generation unit 240b, the reverse calculation is performed as “correction number U2 = That is, "subtraction operation with +6". Specifically, the operation of generating the upper code “DEFGH” from the lower code “JKLMN” by reversing the direction of the arrow shown in FIG. 16B (the operation of subtracting +6 for the corresponding number) Will be done. In the drawing of the present application, an operation obtained by reversing an arbitrary correction operation Y is indicated by a symbol with a bar added above the symbol Y, and is denoted as a correction operation Y bar in the specification.

  In this way, the verification encryption code second generation unit 140b subtracts “+6” from the individual numbers (numbers corresponding to the characters) that are constituent elements of the given modified encryption code Q ″ “JKLMN”. The calculation is performed and the process is converted to the verification encryption code Q “DEFGH”. This process is a correction process based on the correction calculation Y2 bar. The reason for performing such processing is to return the modified encryption code Q ″ “JKLMN” to the state of the encryption code Q “DEFGH” having the original arrangement order, and to confirm the match in that state.

  That is, the collation determination unit 150b includes the collation encryption code Q “DEFGH” generated by the collation encryption code first generation unit 130b, and the collation encryption code Q “DEFGH” generated by the verification encryption code second generation unit 140b. Are matched, and if they match, a collation determination step is performed in which the second information processing device 200b is determined to be a device whose validity has been confirmed.

  In short, in the case of the embodiment a, the match determination is performed in the state of the modified encrypted code Q ″ “JKLMN” obtained by performing the modified operation on the encrypted code Q “DEFGH”. In the case of the example b, the modified encryption code Q ″ “JKLMN” is returned to the encryption code Q “DEFGH” which is the state before the modification operation, and the coincidence determination is performed in the state of the encryption code Q “DEFGH”. Therefore, there is no essential difference between Examples a and b, and the same effect as Example a can be obtained for Example b.

<5-3. Example c: Collation by Decoding Part 1>
Next, Example c of the second embodiment of the present invention will be described with reference to FIG. The example c corresponds to the example C of the first embodiment described in §3-3, and here, the first information processing apparatus 100c is the validity of the second information processing apparatus 200c. The process of confirming is performed. The embodiment c is a slight modification of the collation process in the embodiment a described above, and the basic configuration is almost the same as the embodiment a. Therefore, only the differences from the embodiment a will be described below.

  First, the second information processing apparatus 200c is completely the same as the configuration of the second information processing apparatus 200a shown in the embodiment a of FIG. In FIG. 20, “c” is added to the end of the reference numerals of the constituent elements 220 c to 270 c for convenience of distinguishing from the constituent elements of Example A, but these constituent elements are shown in FIG. 18. The components 220a to 270a of Example a are exactly the same.

  On the other hand, for the first information processing apparatus 100c, the constituent elements 110, 160, 170c, and 180c are exactly the same as the constituent elements 110, 160, 170a, and 180a in the embodiment a, respectively. The difference from the embodiment a is that, instead of the constituent elements 120a, 130a, 140a, 150a, a collation random code generation unit 120c, a collation correction code generation unit 130c, a collation encryption code generation unit 140c, and a collation determination unit 150c. Is a point provided. Therefore, the functions of these four components will be described below.

  First, the verification encryption code generation unit 140c uses the second modification number U2 for each number that is a component of the modification encryption code Q ″ “JKLMN” received by the modification encryption code reception unit 170c. This is a component that performs a verification encryption code generation stage for generating a verification encryption code Q “DEFGH” by performing a correction operation Y2 bar opposite to the second correction operation Y2. The function of the verification encryption code generation unit 140c is exactly the same as the function of the verification encryption code second generation unit 140b of the embodiment b, and detailed description thereof is omitted.

  Next, the verification correction code generation unit 130c obtains the verification encryption code Q “DEFGH” by a decryption operation based on the same encryption algorithm A as the encryption algorithm A used when the encryption code generation unit 230c performs the encryption process. This is a constituent element for performing a verification correction code generation stage for decoding and generating a verification correction code R ″ “45678”. The encryption code generation unit 230c performs the process of generating the encryption code Q “DEFGH” by encrypting the correction code R ″ “45678” by the encryption operation based on the encryption algorithm A. The generation unit 130c performs a process of decrypting the encryption code Q “DEFGH” and returning it to the original correction code R ″ “45678” by a process completely opposite to this.

  On the other hand, the collation random code generation unit 120c uses the first correction operation Y1 using the first correction number U1 for each number that is a component of the collation correction code R ″ “45678”. This is a constituent element for performing a collating random code generation step of generating a collating random code R “12345” by performing the reverse correction operation Y1 bar. Here, the correction calculation Y1 bar opposite to the first correction calculation Y1 reverses the direction of the arrow in the correction calculation shown in FIG. 16 (a), so that the lower code “45678” is changed to the upper code “12345”. "Is generated (calculation by subtracting +3).

  Then, the collation determining unit 150c determines whether or not the random code R “12345” generated by the random code generating unit 110 matches the collating random code R “12345” generated by the collating random code generating unit 120c. This is a component that performs a collation determination step of determining that the second information processing apparatus 200c is an apparatus whose validity has been confirmed.

  Eventually, in Example c, in the second information processing apparatus 200c, the random code R “12345” → the modified code R ″ “45678” → the encrypted code Q “DEFGH” → the modified encrypted code Q ″ “JKLMN” The point that the modified encryption code Q ″ “JKLMN” is obtained by following the transition accompanied by the encryption processing is exactly the same as the embodiment a described so far, but in the authentication process in the first information processing apparatus 100c. On the contrary, the random code R “12345” is traced through the transition accompanied by the decryption process of the modified encrypted code Q ″ “JKLMN” → the encrypted code Q “DEFGH” → the modified code R ″ “45678” → the random code R “12345”. And confirming whether or not this matches the original random code R “12345”, the legitimacy of the second information processing apparatus 200c Will be confirmed.

  In short, in the case of the embodiment a, the first information processing apparatus 100a performs the verification after the encryption, whereas in the case of the embodiment c, the first information processing apparatus 100c performs the decryption. After that, the verification is performed. Therefore, there is no essential difference between Examples a and c, and the same effect as Example a can be obtained for Example c.

<5-4. Example d: Verification by decryption 2>
Subsequently, Example d of the second embodiment of the present invention will be described with reference to FIG. The example d corresponds to the example D of the first embodiment described in §3-4. Here, the first information processing apparatus 100d is the legitimacy of the second information processing apparatus 200d. The process of confirming is performed. The embodiment d is obtained by slightly changing the collation process in the embodiment a described above, and the basic configuration is almost the same as the embodiment a. Therefore, only the differences from the embodiment a will be described below.

  First, the second information processing apparatus 200d is exactly the same as the configuration of the second information processing apparatus 200a shown in Example a of FIG. In FIG. 21, “d” is added to the end of the reference numerals of the constituent elements 220d to 270d for convenience of distinguishing from the constituent elements of the embodiment A, but these constituent elements are shown in FIG. The components 220a to 270a of Example a are exactly the same.

  On the other hand, for the first information processing apparatus 100d, the constituent elements 110, 160, 170d, and 180d are exactly the same as the constituent elements 110, 160, 170a, and 180a in the embodiment a of FIG. The difference from the embodiment a is that, instead of the components 120a, 130a, 140a, 150a, the verification correction code second generation unit 120d, the verification correction code first generation unit 130d, the verification encryption code generation unit 140d, This is the point that a collation determination unit 150d is provided. Therefore, the functions of these four components will be described below.

  First, the verification encryption code generation unit 140d uses the second modification number U2 for each number that is a constituent element of the modification encryption code Q ″ “JKLMN” received by the modification encryption code reception unit 170d. This is a component that performs a verification encryption code generation stage for generating a verification encryption code Q “DEFGH” by performing a correction operation Y2 bar opposite to the second correction operation Y2. The function of the verification encryption code generation unit 140d is exactly the same as the function of the verification encryption code second generation unit 140b of Example b, and a detailed description thereof is omitted.

  Next, the verification correction code first generation unit 130d performs the verification encryption code Q “DEFGH” by a decryption operation based on the same encryption algorithm A as the encryption algorithm A used when the encryption code generation unit 230d performs the encryption process. ”To generate a verification correction code R ″“ 45678 ”. The encryption code generation unit 230d performs the process of generating the encryption code Q “DEFGH” by encrypting the correction code R ″ “45678” by the encryption operation based on the encryption algorithm A. The first generation unit 130d performs a process of decrypting the encryption code Q “DEFGH” and returning it to the original correction code R ″ “45678” by a process completely opposite to this.

  The verification correction code first generation unit 130d is actually a component having the same function as the verification correction code generation unit 130c in the embodiment c, but the verification correction code second generation unit 120d Here, in order to avoid confusion, “first” is inserted into the name of the component 130d, and “second” is inserted into the name of the component 120d. Also, it will be referred to as a verification correction code second generation unit 120d.

  Then, the verification correction code second generation unit 120d uses the first correction number U1 for each number that is a constituent element of the random code R “12345” generated by the random code generation unit 110. This is a constituent element for executing the second verification correction code generation stage for generating the verification correction code R ″ “45678” by performing one correction operation Y1. The verification correction code second generation unit 120d is actually a component having the same function as the verification correction code generation unit 120a in the embodiment a. However, as described above, the verification correction code first In order to avoid confusion with the 1 generation unit 130d, here, it is referred to as a verification correction code second generation unit 120d.

  Then, the collation determination unit 150d generates the collation correction code R ″ “45678” generated by the collation correction code first generation unit 130d and the collation correction code R ′ generated by the collation correction code second generation unit 120d. 'Is a component that performs a collation determination step of collating whether or not “45678” matches, and determining that the second information processing device 200d is a device whose validity has been confirmed.

  Eventually, in this embodiment d, in the second information processing apparatus 200d, the random code R “12345” → the modified code R ″ “45678” → the encrypted code Q “DEFGH” → the modified encrypted code Q ″ “JKLMN”. The point that the modified encryption code Q ″ “JKLMN” is obtained by following the transition accompanied by the encryption processing is exactly the same as the embodiment a described so far, but in the authentication process in the first information processing apparatus 100d, On the contrary, the modified encryption code Q ″ “JKLMN” → the encryption code Q “DEFGH” → the modification code R ″ “45678” is traced to obtain a modification code R ″ “45678” by following the transition process accompanied by the decryption process. The original random code R “12345” → correction code R ″ “45678” is corrected, and the obtained two correction codes R ″ “45678” match. By confirming whether or not, the validity of the second information processing apparatus 200d is confirmed. Therefore, there is no essential difference between the embodiments a and d, and the same function and effect as the embodiment a can be obtained with respect to the embodiment d.

<5-5. Example e: Simple verification by encryption>
Next, Example e of the second embodiment of the present invention will be described with reference to FIG. This example e corresponds to the example E of the first embodiment described in §3-5. Here, the first information processing apparatus 100e is the legitimacy of the second information processing apparatus 200e. The process of confirming is performed. The embodiment e is a part of the collation process in the embodiment a described above, and the basic configuration is almost the same as that of the embodiment a. Therefore, only the differences from the embodiment a will be described below.

  First, regarding the second information processing apparatus 200e, the constituent elements 210, 220e, 230e, 240e, and 270e are exactly the same as the constituent elements 210, 220a, 230a, 240a, and 270a in the embodiment a of FIG. The difference from the embodiment a is that a modified encrypted code transmission unit 250e and a modified number encryption unit 260e are provided instead of the components 250a and 260a.

  On the other hand, regarding the first information processing apparatus 100e, the constituent elements 110, 120e, 130e, and 160 are exactly the same as the constituent elements 110, 120a, 130a, and 160 in the embodiment a of FIG. The difference from the embodiment a is that the constituent elements corresponding to the constituent element 140a are omitted, and in place of the constituent elements 150a, 170a, and 180a, the collation determining section 150e, the modified encrypted code receiving section 170e, the number of modifications A decryption unit 180e is provided. Therefore, these differences will be described below.

The fundamental feature of the embodiment e is that the transmission of the second encrypted modification number U2 ^* from the second information processing device 200a to the first information processing device 100a in the embodiment a is omitted, The correction process by the second correction calculation Y2 on the information processing apparatus 100e side is omitted.

Therefore, on the second information processing apparatus 200e side, the two correction numbers U1 and U2 are generated in the correction number generation unit 270e, and the correction processing in the correction code generation unit 220e and the correction processing in the correction encryption code generation unit 240e are performed. However, in the modification number encryption stage performed in the modification number encryption unit 260e, the first modification number U1 is encrypted to generate the first encrypted modification number U1 ^* . However, the encryption of the second modification number U2 is omitted. In the modified encryption code transmission stage performed in the modified encryption code transmission unit 250e, the first encryption modification number U1 ^* is transmitted to the first information processing apparatus 100e together with the modified encryption code Q ″ “JKLMN”. However, transmission of the second encryption modification number U2 ^* is omitted.

As described above, since the transmission of the second encryption modification number U2 ^* is omitted, the processing on the first information processing apparatus 100e side also slightly changes. That is, the modified encryption code receiving unit 170e receives the first encrypted modification number U1 ^* together with the modified encryption code Q ″ “JKLMN”, but does not receive the second encrypted modification number U2 ^* . The modification number decryption unit 180e performs a process of decrypting the first encryption modification number U1 ^* and restoring the first modification number U1, but the second encryption modification number U2 ^* is decrypted. I will not.

  Eventually, since the information of the second modification number U2 is not transmitted to the first information processing apparatus 100e side, the second modification calculation Y2 using the second modification number U2 cannot be performed. In the embodiment a shown in FIG. 18, the verification modified encryption code generation unit 140 a is provided in order to perform the second modification operation Y <b> 2 based on the second modification number U <b> 2, but the embodiment shown in FIG. 22. In e, those corresponding to the component 140a are omitted. As a result, the verification encryption code Q “DEFGH” generated by the verification encryption code generation unit 130e is given to the verification determination unit 150e as it is.

  This means that the collation determination unit 150e cannot execute collation determination by the same method as the collation determination unit 150a of the embodiment a. Also in the illustrated example, the verification encryption code Q “DEFGH” given from the verification encryption code generation unit 130e matches the correction encryption code Q ″ “JKLMN” supplied from the correction encryption code reception unit 170e. Not.

  However, if the verification encryption code Q "DEFGH" is modified by the second modification operation Y2 using the second modification number U2, the modified encryption code Q "" JKLMN "is obtained. 16 (for example, in the case of the specific example shown in FIG. 16, if the correction number itself is unknown), the two codes Q “DEFGH” and Q ″ It is possible to determine whether “JKLMN” has a consistent correspondence as numerical values before and after the correction calculation.

  For example, in the case of the above example, each character “D, E, F, G, H” constituting the code Q “DEFGH” is replaced with a corresponding number (a number indicating the alphabetical order) to “4”. 5,6,7,8 ", and each character" J, K, L, M, N "constituting the code Q" "JKLMN" is replaced with a corresponding numeral "10, 11". , 12, 13, 14 ". Therefore, when the constituent elements at the corresponding positions are combined in order from the top, five pairs of constituent elements “4 and 10”, “5 and 11”, “6 and 12”, “7 and 13”, “8” And 14 ”are obtained. When the difference Δ is obtained for each of these individual component pairs, the difference Δ = 6.

  This is because an addition operation for setting the second modification number U2 = + 6 is performed in the modified encryption code generation unit 240e of the second information processing apparatus 200e. In the embodiment e, the second modification number U2 is not transmitted to the first information processing apparatus 100e side. However, as shown in the above example, the collation determination unit 150e uses two codes Q “DEFGH” and Q ″ “. If the difference Δ is obtained for each component pair at the position corresponding to “JKLMN”, the difference Δ is the second modified operation Y2 (addition operation) used in the modified encrypted code generation unit 240e. This is the correction number U2.

  As described above, when the second correction operation Y2 is an addition or subtraction operation in which some correction number U2 is added to each component, it is obtained by the above-described method no matter what value the correction number U2 takes. All differences Δ should be equal. In other words, if the differences Δ obtained for all the component pairs are all equal, the two codes Q and Q ″ have a consistent correspondence as numerical values before and after the correction operation. If at least one difference Δ is obtained, the correspondence relationship is inconsistent.

Therefore, in the case of the embodiment e, the collation determining unit 150e includes the components included in the modified cryptographic code Q ″ “JKLMN” received by the modified cryptographic code receiving unit 170e and the verification cryptographic code generation unit 130e. Check whether the constituent elements included in the generated verification encryption code Q “DEFGH” have a consistent correspondence as a numerical value before and after the calculation by the second correction calculation Y2, and there is no conflict When there is a relationship, a collation determination step is performed in which the second information processing apparatus 200e is determined to be an apparatus whose validity has been confirmed.

  Specifically, as described above, the collation determination unit 150e performs an operation for obtaining the difference Δ in order from the top for each component pair of the two codes Q and Q ″, and the obtained difference Δ is What is necessary is just to perform sequentially the process which confirms whether it corresponds with the difference (DELTA) calculated | required about the immediately previous component pair.

  As described above, in the example e, the reference for collation determination performed on the first information processing apparatus 100e side is relaxed compared to the examples a to d described so far. That is, instead of determining whether or not two sets of codes to be collated match, it is determined whether or not there is a consistent correspondence as a numerical value before and after a predetermined correction calculation. For this reason, in this embodiment e, although the strictness of authentication is slightly lower than in the embodiments a to d, the second information processing apparatus 200e transmits the second correction number U2. Since the first information processing apparatus 100e can omit the reception process and the correction process related to the second modification number U2, there is an advantage that the process can be simplified.

<5-6. Embodiment f: Simple verification by decoding>
Next, Example f of the second embodiment of the present invention will be described with reference to FIG. This Example f corresponds to Example F of the first embodiment described in §3-6. Here, the first information processing apparatus 100f is the validity of the second information processing apparatus 200f. The process of confirming is performed. As in the case of the example e, the example f is a part of the verification process in the example a, and the basic configuration is almost the same as that of the example a. Therefore, only the differences from the embodiment a will be described below.

  First, regarding the second information processing apparatus 200f, the components 210, 220f, 230f, 240f, and 270f are exactly the same as the components 210, 220a, 230a, 240a, and 270a in the embodiment a of FIG. The difference from the embodiment a is that a modified encrypted code transmission unit 250f and a modified number encryption unit 260f are provided instead of the components 250a and 260a.

  On the other hand, for the first information processing apparatus 100f, the constituent elements 110 and 160 are exactly the same as the constituent elements 110 and 160 in the embodiment a of FIG. The difference from the embodiment a is that the component corresponding to the component 120a is omitted, and the verification correction code generation unit 130f and the verification are used instead of the components 130a, 140a, 150a, 170a, and 180a. An encryption code generation unit 140f, a collation determination unit 150f, a modified encryption code reception unit 170f, and a modification number decryption unit 180f are provided. Therefore, these differences will be described below.

The fundamental feature of the embodiment f is that the transmission of the first encryption modification number U1 ^* from the second information processing device 200a to the first information processing device 100a in the embodiment a is omitted, The first modification calculation Y1 based on the first modification number U1 on the information processing apparatus 100f side is omitted. That is, in the above-described embodiment e, the transmission of the second encryption modification number U2 ^* is omitted, whereas in the embodiment f described here, the transmission of the first encryption modification number U1 ^* is performed. Differences are omitted.

For this reason, on the second information processing device 200f side, two sets of correction numbers U1 and U2 are generated in the correction number generation unit 270f, and the first correction calculation Y1 and the correction encryption code generation unit 240f in the correction code generation unit 220f. The second correction operation Y2 is performed in the same way as in the embodiment a. However, in the correction number encryption stage performed in the correction number encryption unit 260f, the second correction number U2 is encrypted, The encryption modification number U2 ^* is generated, but the encryption of the first modification number U1 is omitted. In addition, in the modified encryption code transmission stage performed in the modified encryption code transmission unit 250f, the second encrypted modification number U2 ^* is transmitted to the first information processing apparatus 100f together with the modified encryption code Q ″ “JKLMN”. However, transmission of the first encryption modification number U1 ^* is omitted.

As described above, since the transmission of the first encryption modification number U1 ^* is omitted, the processing on the first information processing apparatus 100f side also slightly changes. That is, the modified encryption code receiving unit 170f receives the second encryption modification number U2 ^* together with the modification encryption code Q ″ “JKLMN”, but does not receive the first encryption modification number U1 ^* . The modification number decryption unit 180f performs a process of decrypting the second encryption modification number U2 ^* and restoring the second modification number U2. However, the first encryption modification number U1 ^* is decrypted. I will not.

  Eventually, since the information of the first modification number U1 is not transmitted to the first information processing apparatus 100f side, the first modification calculation Y1 based on the first modification number U1 cannot be performed. That is, since the first information processing apparatus 100f side cannot perform a correction operation on the random code R “12345” generated by the random code generation unit 110, the encryption performed on the second information processing apparatus 200f side. It is impossible to perform processing corresponding to the conversion processing. Therefore, the collation determination work performed on the first information processing apparatus 100f side must be based on the decryption process, not the encryption process.

  From this point of view, in the embodiment f, processing similar to the embodiment c described above (collation processing by decoding) is performed. The basic concept is that, in the embodiment c shown in FIG. 20, the collating random code generating unit 120c is omitted, and the collating correction code R ″ “45678” generated by the collating correcting code generating unit 130c is used as the collating determining unit. Instead of determining whether the two sets of codes coincide with each other directly in 150c, the collation determination unit 150c determines whether these two sets of codes have a consistent relationship as numerical values before and after the calculation by the correction calculation. There is a modification to do.

  Specifically, in the verification encryption code generation unit 140f, individual numbers (corresponding to characters in this example) that are constituent elements of the modification encryption code Q ″ “JKLMN” received by the modification encryption code reception unit 170f. A verification encryption code generation stage for generating a verification encryption code Q “DEFGH” by performing a correction operation Y2 bar opposite to the second correction operation Y2 using the second correction number U2. Is done. Subsequently, the verification correction code generation unit 130f performs a decryption operation based on the same encryption algorithm A as the encryption algorithm A used for the encryption process of the encryption code generation unit 230f, and decrypts the verification encryption code Q “DEFGH”. Then, a verification correction code generation stage for generating a verification correction code R ″ “45678” is performed.

  As described above, since the information regarding the first modification number U1 is not transmitted to the first information processing apparatus 100f side, the collation correction code R ″ “45678” generated by the collation correction code generation unit 130f. Cannot be performed (correction calculation Y1 bar opposite to the first correction calculation Y1). Therefore, the verification correction code R ″ “45678” is given to the verification determination unit 150f as it is.

  This means that the collation determination unit 150f cannot execute collation determination by the same method as the collation determination unit 150c of the embodiment c. Also in the illustrated example, the verification correction code R ″ “45678” given from the verification correction code generation unit 130f does not match the random code R “12345” given from the random code generation unit 110. .

  However, if the random code R “12345” is corrected by the first correction operation Y1 using the first correction number U1, similarly to the verification determination method in the embodiment e described above, the verification correction code R ′. '"45678" is obtained, so if the content of the correction operation is determined in advance, the two codes R "12345" and R "" 45678 " It is possible to determine whether or not there is a consistent correspondence as numerical values before and after.

  Therefore, in the case of the embodiment f, the collation determination unit 150f includes the components included in the random code R “12345” generated by the random code generation unit 110 and the collation generated by the verification correction code generation unit 130f. The constituent elements included in the correction code R ″ “45678” are collated with each other as to whether or not the numerical values before and after the calculation by the first correction calculation Y1 have a consistent correspondence, and the consistent correspondence In the case where the second information processing apparatus 200f is verified, the collation determination stage is performed to determine that the second information processing apparatus 200f is a verified apparatus.

  As described above, in the embodiment f, as in the embodiment e, the criteria for the collation determination performed on the first information processing apparatus 100f side are relaxed compared to the embodiments a to d described so far. Although the strictness of authentication is slightly reduced, the processing for transmitting the first modification number U1 can be omitted on the second information processing device 200f side, and the first information processing device 100f side Then, since the reception process and the rearrangement process regarding the first modification number U1 can be omitted, an advantage that the process can be simplified can be obtained.

<5-7. Example g: Use of one-way function>
Finally, Example g of the second embodiment of the present invention will be described with reference to FIG. This example g corresponds to the example G of the first embodiment described in §3-7. Here, the first information processing apparatus 100g is the legitimacy of the second information processing apparatus 200g. The process of confirming is performed. Example g is a slightly modified process in Example a described above, and the basic configuration is substantially the same as Example a. Therefore, only the differences from the embodiment a will be described below.

  First, regarding the second information processing apparatus 200g, the constituent elements 210 and 230g are exactly the same as the constituent elements 210 and 230a in the embodiment a of FIG. The difference from the embodiment a is that, instead of the components 220a, 240a, 250a, 260a, 270a, a correction code generation unit 220g, a one-way function value generation unit 240g, a function value transmission unit 250g, a correction number encryption unit 260 g and a correction number generation unit 270 g are provided.

  On the other hand, for the first information processing apparatus 100g, the constituent elements 110, 130g, and 160 are exactly the same as the constituent elements 110, 130a, and 160 in the embodiment a. The difference from the embodiment a is that, instead of the components 120a, 140a, 150a, 170a, 180a, the verification correction code generation unit 120g, the verification one-way function value generation unit 140g, the verification determination unit 150g, the function value A receiving unit 170g and a modified number decoding unit 180g are provided. Therefore, these differences will be described below.

  The fundamental feature of the embodiment g is that a unidirectional function is used as in the embodiment G. That is, although the first correction calculation Y1 in the embodiment a is performed, the second correction calculation Y2 is not performed, and instead, a calculation that operates a one-way function is performed. Therefore, in this embodiment g, the terms “correction number U” and “correction operation U” are simply used as terms corresponding to “first correction number U1” and “first correction operation Y1” in embodiment a. Will be used. Although there is a slight difference in terms as described above, the modified code generation unit 220g in the embodiment g is actually the same component as the modified code generation unit 220a in the embodiment a, and is used for collation in the embodiment g. The correction code generation unit 120g is actually the same component as the verification correction code generation unit 120a in the embodiment a.

  In other words, the correction code generation unit 220g generates the correction code R ″ “45678” by performing the correction operation Y using the correction number U on each number that is a constituent element of the random code R “12345”. The correction code generation unit 120g is a component that performs the correction code generation stage. The verification correction code generation unit 120g performs the correction number U for each number that is a component of the random code R “12345” generated by the random code generation unit 110. Is a component that performs a correction code generation step for inquiry to generate a correction code R ″ “45678” by performing a correction operation Y using.

Thus, in Example g, since only a single modification number U is used, the modification number generation unit 270g only needs to generate a single modification number U, and the modification number encryption unit 260g It is sufficient to perform encryption for one modification number U to generate a single encryption modification number U ^* .

  The essential difference between the embodiment g and the embodiment a is that the encryption code generation unit 230a performs encryption processing on the correction code R ″ “45678” to generate the encryption code Q “DEFGH”, and then the encryption code Instead of performing a correction operation on the code Q “DEFGH”, an operation that operates a one-way function is performed.

  Therefore, the one-way function value generation unit 240g performs a one-way function value generation step of generating a predetermined function value H by applying a one-way function to the encryption code Q “DEFGH”. The nature of this one-way function has already been described in §3-7, and here, an example using the HASH function as a representative one-way function will be described. Also in the example shown in the figure, for convenience, a specific value of the function value H obtained by applying the HASH function to the encryption code Q consisting of five-character data “DEFGH” is represented by “h”. To. In the case of this example, the one-way function value generation unit 240g performs a calculation process for generating the function value H (h) by applying the HASH function to the encryption code Q “DEFGH”.

The function value transmission unit 250g uses the function value H (h) generated by the one-way function value generation unit 240g and the encrypted modification number U ^* encrypted by the modification number encryption unit 260g as the first information. It is a component that performs a function value transmission stage to be transmitted to the processing device 100g.

In this way, the function value H (h) and the encryption modification number U ^* transmitted from the second information processing apparatus 200g are received by the function value receiving unit 170g. The received encrypted modification number U ^* is provided to the modification number decryption unit 180g, and the received function value H (h) is provided to the collation determination unit 150g. The modification number decryption unit 180g performs a modification number decryption step of decrypting the given encrypted modification number U ^* and restoring the modification number U.

  On the other hand, the verification correction code generation unit 120g performs a correction operation Y using the correction number U on each number that is a component of the random code R “12345” generated by the random code generation unit 110. A verification correction code generation stage for generating a verification correction code R ″ “45678” is performed. Further, the verification encryption code generation unit 130g obtains the verification correction code R ″ “45678” by an encryption operation based on the same encryption algorithm A as the encryption algorithm A used for the encryption process of the encryption code generation unit 230g. A verification encryption code generation stage is performed in which encryption is performed to generate a verification encryption code Q “DEFGH”.

  Subsequently, in the verification one-way function value generating unit 140g, the same one-way function as the one-way function used in the one-way function value generating unit 240g (for the verification encryption code Q “DEFGH”) ( In the case of the example shown here, a collation one-way function value generation stage is performed in which the HASH function is applied to generate the collation function value H (h). Finally, in the matching determination unit 150g, the function value H (h) received by the function value receiving unit 170g, the matching function value H (h) generated by the matching one-way function value generating unit 140g, Are matched, and if they match, a collation determination stage is performed in which the second information processing apparatus 200g is determined to be an apparatus whose validity has been confirmed.

  As described above, in Example g, since the verification performed on the first information processing apparatus 100g side is performed in the process of confirming the match of the one-way function value, the strictness of authentication is slightly reduced. In both the first information processing apparatus 100g and the second information processing apparatus 200g, it is only necessary to perform a process related to a single correction number U, so that an advantage of simplifying the process can be obtained.

<<< §6. Modification of the present invention >>
So far, the first embodiment and the second embodiment according to the present invention have been described based on several examples, but the present invention is of course not limited to these examples. Here, some modifications to the various embodiments described so far will be described.

(1) Variation of Correction Operation As an example of the correction operation executed in the second embodiment described in §4 and §5, FIG. 16 shows an example in which an arbitrary correction number U is added or subtracted. In addition to addition and subtraction, various arithmetic operations can be set. For example, multiplication by multiplying the number constituting each component of the original code by the correction number U, division by dividing the correction number U, shift operation for shifting the constituent bits by the correction number U, bit by bit with the correction number U These logical operations (AND operation, OR operation, XOR operation) may be performed.

  However, as shown in FIG. 17, the purpose of such a correction operation is such that the challenge / response code detected by communication interception is different from the code before and after the encryption processing to be subjected to side channel analysis. Therefore, there is no need to dare to perform complicated calculations. Therefore, practically, as illustrated in FIG. 16, as the first correction number U1 and the second correction number U2, positive or negative numbers generated using random numbers are used, and the first correction operation Y1 As a second correction operation Y2, an operation for adding or subtracting the second correction number U2 to each number is performed. It is enough to do so.

(2) Modification using individual number of corrections The correction operations described so far are for a code including a plurality of n numbers (or characters corresponding to the numbers) as components, for these n components. In this example, a common correction number U is generated, and the common correction number U is added or subtracted. However, the correction number U does not necessarily have to be common to n components, and is different from each other. You may use numbers. In this case, for a code including a plurality of n numbers (or characters corresponding to the numbers) as components, a correction number is generated separately for each of these n components, and the first correction number U1 or The correction number U2 of 2 may be configured by a sequence of n correction numbers. Eventually, a correction operation is performed on a code consisting of n components using a sequence of n correction numbers.

  For example, in the example shown in FIG. 16A, a common modification number U1 = + 3 is generated for the original code “12345” composed of five components (n = 5), and +3 is set for each component. A correction operation for obtaining a correction code “45678” by addition is shown. As the correction number U1, for example, a sequence of five numbers such as “33221” is generated, and five components are generated. On the other hand, if the numbers at the corresponding positions in the sequence are added, a correction code consisting of five components “78899” can be obtained. Of course, in this case, the modified number U1 consisting of the sequence “33221” is transmitted in an encrypted state from the second information processing apparatus to the first information processing apparatus.

(3) Mutual authentication in two sets of information processing apparatuses In the embodiments described so far, the first information processing apparatus (server apparatus) has confirmed the validity of the second information processing apparatus (client apparatus). Explained the authentication method to authenticate as. That is, the first information processing device generates a random code R using a random number, transmits this as a challenge to the second information processing device, and the second information processing device performs predetermined processing based on the challenge. To generate a response and return it to the first information processing apparatus. The first information processing apparatus determines whether or not the second information processing apparatus is a legitimate apparatus based on the response. ing.

  Therefore, if the process in which each processing stage performed by the first information processing apparatus is replaced with each processing stage performed by the second information processing apparatus is further performed, the first information processing apparatus becomes the second processing stage. It is also possible to authenticate the information processing device as a device whose validity has been confirmed, and to perform mutual authentication processing in which the second information processing device authenticates the first information processing device as a device whose validity has been confirmed. is there.

  Specifically, in the embodiments described so far, each component of the first information processing apparatus is also provided in the second information processing apparatus, and each component of the second information processing apparatus is set to the first information processing apparatus. The information processing apparatus may be provided so that each performs authentication processing for the other party.

(4) Provision of semiconductor integrated circuit or program Up to now, the basic configuration of the first information processing apparatus and the second information processing apparatus having the function of executing the authentication method according to the present invention is described using block diagrams. As described above, actually, these information processing apparatuses can be realized by a semiconductor integrated circuit having a dedicated processing function corresponding to the block diagram or a computer incorporating a dedicated program. Therefore, in practice, the product of the present invention is provided to the market as a hardware product called an information processing apparatus composed of a semiconductor integrated circuit or as a software product called a computer program.

10: First information processing apparatus (server apparatus)
11: Random code generation unit 13: Verification encryption code generation unit 15: Verification determination unit 16: Random code transmission unit 17: Encryption code reception unit 20: Second information processing apparatus (client apparatus)
21: Random code receiving unit 23: Cryptographic code generating unit 25: Cryptographic code transmitting unit 100, 100 ': First information processing apparatus (server apparatus)
100A to 100G: First information processing apparatus (server apparatus)
100a to 100g: First information processing apparatus (server apparatus)
110: Random code generation unit 120: Collation rearrangement code generation unit 120 ′: Collation correction code generation unit 120C: Collation random code generation unit 120D: Collation rearrangement code second generation unit 120G: Collation rearrangement code Generation unit 120a: collation correction code generation unit 120b: collation correction code generation unit 120c: collation random code generation unit 120d: collation correction code second generation unit 120e: collation correction code generation unit 120g: collation correction code Generation unit 130: verification encryption code generation unit 130 ': verification encryption code generation unit 130B: verification encryption code first generation unit 130C: verification rearrangement code generation unit 130D: verification rearrangement code first generation unit 130F : Collation rearrangement code generation unit 130a: collation encryption code generation unit 130b: collation encryption code first generation unit 130 : Collation correction code generation unit 130d: collation correction code first generation unit 130e: collation encryption code generation unit 130f: collation correction code generation unit 130g: collation encryption code generation unit 140: collation rearrangement encryption code generation Unit 140 ′: Verification modified encryption code generation unit 140B: Verification encryption code second generation unit 140C: Verification encryption code generation unit 140D: Verification encryption code generation unit 140F: Verification encryption code generation unit 140G: Verification one Directional function value generation unit 140a: collation modified encryption code generation unit 140b: verification encryption code second generation unit 140c: verification encryption code generation unit 140d: verification encryption code generation unit 140f: verification encryption code generation unit 140g : One-way function value generator for verification 150: verification determination unit 150 ′: verification determination unit 150B: verification determination unit 150C Collation determination unit 150D: Collation determination unit 150E: Collation determination unit 150F: Collation determination unit 150G: Collation determination unit 150a: Collation determination unit 150b: Collation determination unit 150c: Collation determination unit 150d: Collation determination unit 150e: Collation determination unit 150f: Collation determination unit 150g: Collation determination unit 160: Random code transmission unit 170: Rearranged encryption code reception unit 170 ′: Modified encryption code reception unit 170E: Rearrangement encryption code reception unit 170F: Rearrangement encryption code reception unit 170G: Function value Receiving unit 170a: Modified encrypted code receiving unit 170b: Modified encrypted code receiving unit 170c: Modified encrypted code receiving unit 170d: Modified encrypted code receiving unit 170e: Modified encrypted code receiving unit 170f: Modified encrypted code receiving unit 170g: Function value receiving unit 180: Table decoding unit 180E: Table decoding unit 180F: Table recovery No. 180G: table decoding unit 180a: correction number decoding unit 180b: correction number decoding unit 180c: correction number decoding unit 180d: correction number decoding unit 180e: correction number decoding unit 180f: correction number decoding unit 180g: correction number decoding unit 200 , 200 ': second information processing apparatus (client apparatus)
200A to 200G: second information processing apparatus (client apparatus)
200a to 200g: second information processing apparatus (client apparatus)
210: Random code receiver 220: Rearranged code generator 220 ′: Corrected code generator 220G: Rearranged code generator 220a: Corrected code generator 220b: Corrected code generator 220c: Corrected code generator 220d: Corrected code generator Unit 220e: correction code generation unit 220f: correction code generation unit 220g: correction code generation unit 230: encryption code generation unit 230 ′: encryption code generation unit 230a: encryption code generation unit 230b: encryption code generation unit 230c: encryption code generation unit 230d: Cryptographic code generator 230e: Cryptographic code generator 230f: Cryptographic code generator 230g: Cryptographic code generator 240: Rearranged cryptographic code generator 240 ′: Modified cryptographic code generator 240G: Unidirectional function value generator 240a : Modified encryption code generator 240b: Modified encryption code generator 40c: Modified encryption code generator 240d: Modified encryption code generator 240e: Modified encryption code generator 240f: Modified encryption code generator 240g: One-way function value generator 250: Rearranged encryption code transmitter 250 ': Modified encryption Code transmission unit 250E: Rearrangement encryption code transmission unit 250F: Rearrangement encryption code transmission unit 250G: Function value transmission unit 250a: Modification encryption code transmission unit 250b: Modification encryption code transmission unit 250c: Modification encryption code transmission unit 250d: Modification encryption code Code transmission unit 250e: Modified encryption code transmission unit 250f: Modified encryption code transmission unit 250g: Function value transmission unit 260: Table encryption unit 260E: Table encryption unit 260F: Table encryption unit 260G: Table encryption unit 260a: Correction Number encryption unit 260b: Modified number encryption unit 260c: Modified number encryption unit 60d: Correction number encryption unit 260e: Correction number encryption unit 260f: Correction number encryption unit 260g: Correction number encryption unit 270: Rearrangement table generation unit 270G: Rearrangement table generation unit 270a: Correction number generation unit 270b: Correction number generation unit 270c: Correction number generation unit 270d: Correction number generation unit 270e: Correction number generation unit 270f: Correction number generation unit 270g: Correction number generation unit A: Cryptographic algorithm H: One-way function values m1 to m5: Code Of each element Q: encryption code / verification encryption code Q ′: rearrangement encryption code Q ″: modified encryption code R: random code R ′: rearrangement code R ″: modification code T: rearrangement table T ^* : Encryption table T1: First rearrangement table T1 ^* : First encryption table T2: Second rearrangement table T2 ^* : Second encryption table U: Modification number U ^* : Dark Decoding modification number U1: First modification number U1 ^* : First encryption modification number U2: Second modification number U2 ^* : Second encryption modification number X: Rearrangement method X1: First rearrangement Method X2: Second sorting method Y: Correction operation Y1: First correction operation Y2: Second correction operation

Claims (33)

An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus generates a random code in which characters or numbers are enumerated using a random number and transmits the random code to the second information processing apparatus;
The second information processing apparatus receives the random code, rearranges its constituent elements by a random first rearrangement method, and generates a rearrangement code;
The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm, and generates an encryption code;
The second information processing apparatus generates a rearranged encryption code by rearranging the constituent elements of the encryption code by a random second rearrangement method;
The second information processing apparatus transmits rearrangement information indicating the first rearrangement method and the second rearrangement method together with the rearrangement encryption code to the first information processing apparatus; ,
The first information processing apparatus receives the rearrangement information together with the rearrangement encryption code, and determines the validity of the received rearrangement encryption code based on the received rearrangement information and the encryption. A step of confirming by an encryption operation or a decryption operation based on an algorithm;
An information processing apparatus authentication method comprising:   An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
  The first information processing apparatus generates a random code in which characters or numbers are enumerated using a random number and transmits the random code to the second information processing apparatus;
  The second information processing apparatus receives the random code, rearranges its constituent elements by a random first rearrangement method, and generates a rearrangement code;
  The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm, and generates an encryption code;
  The second information processing apparatus generates a rearranged encryption code by rearranging the constituent elements of the encryption code by a random second rearrangement method;
  The second information processing apparatus transmits rearrangement information indicating the first rearrangement method together with the rearrangement encryption code to the first information processing apparatus;
  The first information processing apparatus receives the rearrangement information together with the rearrangement encryption code, and performs a rearrangement process based on the received rearrangement information and an encryption based on the encryption algorithm for the random code. The received reordered encryption code is obtained by performing an operation and collating whether or not the constituent elements are compatible with respect to the result of the encryption operation and the received reordered encryption code, ignoring the order of arrangement. Confirming the legitimacy of
  An information processing apparatus authentication method comprising:   An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
  The first information processing apparatus generates a random code in which characters or numbers are enumerated using a random number and transmits the random code to the second information processing apparatus;
  The second information processing apparatus receives the random code, rearranges its constituent elements by a random first rearrangement method, and generates a rearrangement code;
  The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm, and generates an encryption code;
  The second information processing apparatus generates a rearranged encryption code by rearranging the constituent elements of the encryption code by a random second rearrangement method;
  The second information processing apparatus transmits rearrangement information indicating the second rearrangement method together with the rearrangement encryption code to the first information processing apparatus;
  The first information processing apparatus receives the rearrangement information together with the rearrangement encryption code, and performs the rearrangement process and the encryption algorithm based on the received rearrangement information for the received rearrangement encryption code. The result of the decryption operation and the random code are ignored, the order of arrangement is ignored, and whether or not the constituent elements are supported is verified. Confirming sex,
  An information processing apparatus authentication method comprising: In the authentication method of the information processing apparatus in any one of Claims 1-3 ,
An authentication method for an information processing apparatus, wherein transmission of rearrangement information from the second information processing apparatus to the first information processing apparatus is performed in an encrypted state. An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
The second information processing apparatus generates a first rearrangement table and a second rearrangement table using random numbers;
The second information processing apparatus generates a rearrangement code by rearranging the constituent elements of the random code based on the first rearrangement table;
The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The second information processing apparatus rearranges the constituent elements of the encryption code based on the second rearrangement table to generate a rearrangement encryption code generation step; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and the second rearrangement table, respectively, and generates a first encryption table and a second encryption table; ,
The second information processing apparatus transmits the first encryption table and the second encryption table together with the rearranged encryption code to the first information processing apparatus. ,
The first information processing device receives the first encryption table and the second encryption table together with the rearranged encryption code, and receives a rearranged encryption code reception step.
A table decryption step in which the first information processing apparatus decrypts the first encryption table and the second encryption table, respectively, and restores the first rearrangement table and the second rearrangement table. When,
The first information processing apparatus rearranges the components of the random code generated in the random code generation stage based on the first rearrangement table to generate a collation parallel code. Replacement code generation stage,
The first information processing apparatus encrypts the collation rearrangement code by an encryption operation based on the encryption algorithm to generate a collation encryption code generation step;
A collation rearrangement encryption code generation step in which the first information processing apparatus rearranges the constituent elements of the collation encryption code based on the second rearrangement table to generate a collation rearrangement encryption code; ,
Does the first information processing apparatus match the reordered encryption code received in the reordered encryption code receiving step and the reordered encryption code for verification generated in the verification reordered encryption code generation step? A collation determination step of determining whether the second information processing device is a device whose validity has been confirmed,
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
The second information processing apparatus generates a first rearrangement table and a second rearrangement table using random numbers;
The second information processing apparatus generates a rearrangement code by rearranging the constituent elements of the random code based on the first rearrangement table;
The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The second information processing apparatus rearranges the constituent elements of the encryption code based on the second rearrangement table to generate a rearrangement encryption code generation step; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and the second rearrangement table, respectively, and generates a first encryption table and a second encryption table; ,
The second information processing apparatus transmits the first encryption table and the second encryption table together with the rearranged encryption code to the first information processing apparatus. ,
The first information processing device receives the first encryption table and the second encryption table together with the rearranged encryption code, and receives a rearranged encryption code reception step.
A table decryption step in which the first information processing apparatus decrypts the first encryption table and the second encryption table, respectively, and restores the first rearrangement table and the second rearrangement table. When,
The first information processing apparatus rearranges the components of the random code generated in the random code generation stage based on the first rearrangement table to generate a collation parallel code. Replacement code generation stage,
The first information processing apparatus encrypts the collation rearrangement code by an encryption operation based on the encryption algorithm to generate a collation encryption code first generation step;
The first information processing apparatus rearranges the components of the reordered encryption code received in the reordered encryption code reception stage based on a table obtained by reversing the second reordering table, thereby verifying the encryption code A verification encryption code second generation stage for generating
Whether the first information processing apparatus matches the verification encryption code generated in the verification encryption code first generation stage with the verification encryption code generated in the verification encryption code second generation stage. A collation determination step of determining that the second information processing device is a device whose validity has been confirmed when they match.
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
The second information processing apparatus generates a first rearrangement table and a second rearrangement table using random numbers;
The second information processing apparatus generates a rearrangement code by rearranging the constituent elements of the random code based on the first rearrangement table;
The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The second information processing apparatus rearranges the constituent elements of the encryption code based on the second rearrangement table to generate a rearrangement encryption code generation step; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and the second rearrangement table, respectively, and generates a first encryption table and a second encryption table; ,
The second information processing apparatus transmits the first encryption table and the second encryption table together with the rearranged encryption code to the first information processing apparatus. ,
The first information processing device receives the first encryption table and the second encryption table together with the rearranged encryption code, and receives a rearranged encryption code reception step.
A table decryption step in which the first information processing apparatus decrypts the first encryption table and the second encryption table, respectively, and restores the first rearrangement table and the second rearrangement table. When,
The first information processing apparatus rearranges the components of the reordered encryption code received in the reordered encryption code reception stage based on a table obtained by reversing the second reordering table, thereby verifying the encryption code A verification encryption code generation stage for generating
The first information processing apparatus generates a collation rearrangement code by decrypting the collation cipher code by a decryption operation based on the cipher algorithm; and
Random code generation for collation in which the first information processing apparatus rearranges the constituent elements of the collation rearrangement code based on a table obtained by reversing the first rearrangement table to generate a random code for collation Stages,
The first information processing apparatus collates whether or not the random code generated in the random code generation stage matches the verification random code generated in the verification random code generation stage. A collation determination step for determining that the second information processing device is a device whose validity has been confirmed.
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
The second information processing apparatus generates a first rearrangement table and a second rearrangement table using random numbers;
The second information processing apparatus generates a rearrangement code by rearranging the constituent elements of the random code based on the first rearrangement table;
The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The second information processing apparatus rearranges the constituent elements of the encryption code based on the second rearrangement table to generate a rearrangement encryption code generation step; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and the second rearrangement table, respectively, and generates a first encryption table and a second encryption table; ,
The second information processing apparatus transmits the first encryption table and the second encryption table together with the rearranged encryption code to the first information processing apparatus. ,
The first information processing device receives the first encryption table and the second encryption table together with the rearranged encryption code, and receives a rearranged encryption code reception step.
A table decryption step in which the first information processing apparatus decrypts the first encryption table and the second encryption table, respectively, and restores the first rearrangement table and the second rearrangement table. When,
The first information processing apparatus rearranges the components of the reordered encryption code received in the reordered encryption code reception stage based on a table obtained by reversing the second reordering table, thereby verifying the encryption code A verification encryption code generation stage for generating
A collation rearrangement code first generation step in which the first information processing apparatus decrypts the collation cipher code and generates a collation rearrangement code by a decryption operation based on the encryption algorithm;
The collation rearrangement in which the first information processing apparatus rearranges the constituent elements of the random code generated in the random code generation stage based on the first rearrangement table to generate the collation rearrangement code. A second code generation stage;
The collation rearrangement code generated by the first information processing device in the collation rearrangement code first generation stage and the collation rearrangement code generated in the collation rearrangement code second generation stage. A collation determination step of collating whether or not they match, and determining that the second information processing device is a device whose validity has been confirmed if they match,
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
The second information processing apparatus generates a first rearrangement table and a second rearrangement table using random numbers;
The second information processing apparatus generates a rearrangement code by rearranging the constituent elements of the random code based on the first rearrangement table;
The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The second information processing apparatus rearranges the constituent elements of the encryption code based on the second rearrangement table to generate a rearrangement encryption code generation step; and
A table encryption stage in which the second information processing apparatus encrypts the first rearrangement table and generates a first encryption table;
The second information processing device transmits the first encryption table together with the rearranged encryption code to the first information processing device;
The first information processing apparatus receives the first encryption table together with the rearranged encryption code;
A table decrypting step in which the first information processing apparatus decrypts the first encryption table and restores the first rearrangement table;
The first information processing apparatus rearranges the components of the random code generated in the random code generation stage based on the first rearrangement table to generate a collation parallel code. Replacement code generation stage,
The first information processing apparatus encrypts the collation rearrangement code by an encryption operation based on the encryption algorithm to generate a collation encryption code generation step;
The first information processing apparatus is included in the constituent elements included in the rearrangement encryption code received in the rearrangement encryption code reception stage and the verification encryption code generated in the verification encryption code generation stage. A matching determination step of determining whether or not the second information processing apparatus is an apparatus for which the validity has been confirmed.
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
The second information processing apparatus generates a first rearrangement table and a second rearrangement table using random numbers;
The second information processing apparatus generates a rearrangement code by rearranging the constituent elements of the random code based on the first rearrangement table;
The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The second information processing apparatus rearranges the constituent elements of the encryption code based on the second rearrangement table to generate a rearrangement encryption code generation step; and
A table encryption stage in which the second information processing apparatus encrypts the second rearrangement table and generates a second encryption table;
The second information processing device transmits the second encryption table together with the rearranged encryption code to the first information processing device;
The first information processing apparatus receives the second encryption table together with the rearranged encryption code, and receives the rearranged encryption code reception step.
A table decrypting step in which the first information processing apparatus decrypts the second encryption table and restores the second rearrangement table;
The first information processing apparatus rearranges the components of the reordered encryption code received in the reordered encryption code reception stage based on a table obtained by reversing the second reordering table, thereby verifying the encryption code A verification encryption code generation stage for generating
The first information processing apparatus generates a collation rearrangement code by decrypting the collation cipher code by a decryption operation based on the cipher algorithm; and
The first information processing apparatus is included in a component included in a random code generated in the random code generation stage and a collation rearrangement code generated in the collation rearrangement code generation stage. A matching determination step of determining whether or not the second information processing device is a device whose validity has been confirmed.
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus uses a random number to generate a random code that enumerates characters or numbers as constituent elements;
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
The second information processing apparatus generates a rearrangement table using a random number;
The second information processing apparatus rearranges the components of the random code based on the rearrangement table to generate a rearrangement code, and generates a rearrangement code.
The second information processing apparatus encrypts the rearrangement code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The second information processing apparatus generates a predetermined function value by applying a one-way function to the encryption code; and
A table encryption stage in which the second information processing apparatus encrypts the rearrangement table and generates an encryption table;
A function value transmission stage in which the second information processing apparatus transmits the encryption table together with the function value to the first information processing apparatus;
A function value receiving stage in which the first information processing apparatus receives the encryption table together with the function value;
A table decrypting step in which the first information processing apparatus decrypts the encryption table and restores the rearrangement table;
The collation rearrangement code generation in which the first information processing apparatus rearranges the components of the random code generated in the random code generation stage based on the rearrangement table to generate a collation rearrangement code. Stages,
The first information processing apparatus encrypts the collation rearrangement code by an encryption operation based on the encryption algorithm to generate a collation encryption code generation step;
The first information processing apparatus generates a collation function value by causing the one-way function to act on the collation encryption code; and
The first information processing apparatus collates whether or not the function value received in the function value reception stage matches the collation function value generated in the collation one-way function value generation stage. A matching determination step of determining, when they match, that the second information processing apparatus is an apparatus whose validity has been confirmed;
An authentication method for an information processing apparatus, comprising: In the authentication method of the information processing apparatus in any one of Claims 5-10 ,
An authentication method for an information processing apparatus, wherein the same table is used as the first rearrangement table and the second rearrangement table. In the authentication method of the information processing apparatus in any one of Claims 5-12 ,
The second information processing apparatus encrypts the rearrangement table using one of a pair of keys used for the public key cryptosystem in the table encryption stage,
An authentication method for an information processing apparatus, wherein the first information processing apparatus decrypts the rearrangement table using the other key of the pair of keys in the table decryption stage. An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing device generates a random code enumerating numbers using random numbers and transmits the random code to the second information processing device;
The second information processing apparatus receives the random code, and performs a first correction operation using a first correction number generated at random on each of the constituent numbers, thereby correcting the code. Generating
The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm, and generates an encryption code;
The second information processing apparatus performs a second modification operation using a second modification number generated at random on each number that is a constituent element of the encryption code to generate a modified encryption code. Stages,
The second information processing apparatus transmits correction information indicating the first correction calculation and the second correction calculation together with the correction encryption code to the first information processing apparatus;
The first information processing apparatus receives the modification information together with the modified encryption code, and corrects the received modified encryption code based on the modification operation based on the received modification information and encryption based on the encryption algorithm. A step of checking by calculation or decoding operation;
An authentication method for an information processing apparatus, comprising:   An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
  The first information processing device generates a random code enumerating numbers using random numbers and transmits the random code to the second information processing device;
  The second information processing apparatus receives the random code, and performs a first correction operation using a first correction number generated at random on each of the constituent numbers, thereby correcting the code. Generating
  The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm, and generates an encryption code;
  The second information processing apparatus performs a second modification operation using a second modification number generated at random on each number that is a constituent element of the encryption code to generate a modified encryption code. Stages,
  The second information processing apparatus transmits correction information indicating the first correction calculation together with the corrected encryption code to the first information processing apparatus;
  The first information processing apparatus receives the modification information together with the modified encryption code, performs a modification operation based on the received modification information and an encryption operation based on the encryption algorithm for the random code, By determining whether or not the result of this encryption operation and the received modified encrypted code have a consistent relationship as numerical values before and after the second modified operation, the received modified encrypted code Verifying the legitimacy,
  An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
  The first information processing device generates a random code enumerating numbers using random numbers and transmits the random code to the second information processing device;
  The second information processing apparatus receives the random code, and performs a first correction operation using a first correction number generated at random on each of the constituent numbers, thereby correcting the code. Generating
  The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm, and generates an encryption code;
  The second information processing apparatus performs a second modification operation using a second modification number generated at random on each number that is a constituent element of the encryption code to generate a modified encryption code. Stages,
  The second information processing apparatus transmits correction information indicating the second correction calculation together with the corrected encryption code to the first information processing apparatus;
  The first information processing apparatus receives the modification information together with the modified encryption code, and performs a modification process based on the received modification information and a decryption operation based on the encryption algorithm for the received modified encryption code. The validity of the received modified encrypted code is determined by determining whether the result of the decryption operation and the random code have a consistent correspondence as numerical values before and after the first modified operation. The stage of checking
  An authentication method for an information processing apparatus, comprising: In the authentication method of the information processing apparatus in any one of Claims 14-16 ,
An authentication method for an information processing apparatus, wherein transmission of correction information from the second information processing apparatus to the first information processing apparatus is performed in an encrypted state. An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus generates a random code using a random number to generate a random code that enumerates numbers as constituent elements; and
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a component of the received random code. Generation stage,
The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The modified encryption code in which the second information processing apparatus generates a modified encryption code by performing a second modification operation using the second modification number on each number that is a component of the encryption code. Generation stage,
A modified number encryption stage in which the second information processing apparatus encrypts the first modified number and the second modified number, respectively, and generates a first encrypted modified number and a second encrypted modified number. When,
A modified encryption code transmission step in which the second information processing apparatus transmits the first encryption modification number and the second encryption modification number together with the modified encryption code to the first information processing apparatus; ,
A modified encrypted code receiving step in which the first information processing apparatus receives the first encrypted modification number and the second encrypted modification number together with the modified encrypted code;
Modification number decryption in which the first information processing apparatus decrypts the first encryption modification number and the second encryption modification number, respectively, and restores the first modification number and the second modification number. Stages,
The first information processing apparatus performs the first correction operation using the first correction number on individual numbers that are constituent elements of the random code generated in the random code generation stage. A verification correction code generation stage for generating a verification correction code,
The first information processing apparatus encrypts the verification correction code by an encryption operation based on the encryption algorithm to generate a verification encryption code; and
The first information processing apparatus performs the second correction operation using the second correction number on each number that is a constituent element of the verification encryption code to obtain a verification correction encryption code. A verification modified encryption code generation stage to be generated;
The first information processing apparatus collates whether or not the modified encryption code received in the modified encryption code reception stage matches the verification modified encryption code generated in the verification modified encryption code generation stage. And a collation determination step of determining, when they match, that the second information processing device is a device whose validity has been confirmed;
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus generates a random code using a random number to generate a random code that enumerates numbers as constituent elements; and
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a component of the received random code. Generation stage,
The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The modified encryption code in which the second information processing apparatus generates a modified encryption code by performing a second modification operation using the second modification number on each number that is a component of the encryption code. Generation stage,
A modified number encryption stage in which the second information processing apparatus encrypts the first modified number and the second modified number, respectively, and generates a first encrypted modified number and a second encrypted modified number. When,
A modified encryption code transmission step in which the second information processing apparatus transmits the first encryption modification number and the second encryption modification number together with the modified encryption code to the first information processing apparatus; ,
A modified encrypted code receiving step in which the first information processing apparatus receives the first encrypted modification number and the second encrypted modification number together with the modified encrypted code;
Modification number decryption in which the first information processing apparatus decrypts the first encryption modification number and the second encryption modification number, respectively, and restores the first modification number and the second modification number. Stages,
The first information processing apparatus performs the first correction operation using the first correction number on individual numbers that are constituent elements of the random code generated in the random code generation stage. A verification correction code generation stage for generating a verification correction code,
A first verification encryption code generation step in which the first information processing apparatus encrypts the verification correction code and generates a verification encryption code by an encryption operation based on the encryption algorithm;
The first information processing apparatus performs an operation opposite to the second correction operation using the second correction number on each number that is a component of the corrected encryption code for verification. A verification encryption code second generation stage for generating an encryption code;
Whether the first information processing apparatus matches the verification encryption code generated in the verification encryption code first generation stage with the verification encryption code generated in the verification encryption code second generation stage. A collation determination step of determining that the second information processing device is a device whose validity has been confirmed when they match.
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus generates a random code using a random number to generate a random code that enumerates numbers as constituent elements; and
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a component of the received random code. Generation stage,
The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The modified encryption code in which the second information processing apparatus generates a modified encryption code by performing a second modification operation using the second modification number on each number that is a component of the encryption code. Generation stage,
A modified number encryption stage in which the second information processing apparatus encrypts the first modified number and the second modified number, respectively, and generates a first encrypted modified number and a second encrypted modified number. When,
A modified encryption code transmission step in which the second information processing apparatus transmits the first encryption modification number and the second encryption modification number together with the modified encryption code to the first information processing apparatus; ,
A modified encrypted code receiving step in which the first information processing apparatus receives the first encrypted modification number and the second encrypted modification number together with the modified encrypted code;
Modification number decryption in which the first information processing apparatus decrypts the first encryption modification number and the second encryption modification number, respectively, and restores the first modification number and the second modification number. Stages,
What is the second correction operation using the second correction number for each number that is a component of the corrected encryption code received by the first information processing apparatus in the reception of the corrected encryption code? A verification encryption code generation stage for performing a reverse operation to generate a verification encryption code;
A verification correction code generation stage in which the first information processing apparatus generates a verification correction code by decrypting the verification encryption code by a decryption operation based on the encryption algorithm;
The first information processing apparatus collates each number that is a component of the collation correction code by performing a calculation opposite to the first correction calculation using the first correction number. A random code generation stage for generating a random code for verification,
The first information processing apparatus collates whether or not the random code generated in the random code generation stage matches the verification random code generated in the verification random code generation stage. A collation determination step for determining that the second information processing device is a device whose validity has been confirmed.
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus generates a random code using a random number to generate a random code that enumerates numbers as constituent elements; and
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a component of the received random code. Generation stage,
The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The modified encryption code in which the second information processing apparatus generates a modified encryption code by performing a second modification operation using the second modification number on each number that is a component of the encryption code. Generation stage,
A modified number encryption stage in which the second information processing apparatus encrypts the first modified number and the second modified number, respectively, and generates a first encrypted modified number and a second encrypted modified number. When,
A modified encryption code transmission step in which the second information processing apparatus transmits the first encryption modification number and the second encryption modification number together with the modified encryption code to the first information processing apparatus; ,
A modified encrypted code receiving step in which the first information processing apparatus receives the first encrypted modification number and the second encrypted modification number together with the modified encrypted code;
Modification number decryption in which the first information processing apparatus decrypts the first encryption modification number and the second encryption modification number, respectively, and restores the first modification number and the second modification number. Stages,
What is the second correction operation using the second correction number for each number that is a component of the corrected encryption code received by the first information processing apparatus in the reception of the corrected encryption code? A verification encryption code generation stage for performing a reverse operation to generate a verification encryption code;
A verification correction code first generation stage in which the first information processing apparatus generates a verification correction code by decrypting the verification encryption code by a decryption operation based on the encryption algorithm;
The first information processing apparatus performs the first correction operation using the first correction number on each number that is a constituent element of the random code generated in the random code generation stage. A verification correction code second generation stage for generating a verification correction code;
Whether the first information processing apparatus matches the verification correction code generated in the verification correction code first generation stage with the verification correction code generated in the verification correction code second generation stage. A collation determination step of determining that the second information processing device is a device whose validity has been confirmed when they match.
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus generates a random code using a random number to generate a random code that enumerates numbers as constituent elements; and
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a component of the received random code. Generation stage,
The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The modified encryption code in which the second information processing apparatus generates a modified encryption code by performing a second modification operation using the second modification number on each number that is a component of the encryption code. Generation stage,
A modified number encryption stage in which the second information processing apparatus encrypts the first modified number and generates a first encrypted modified number;
The second information processing apparatus transmits the first encryption modification number together with the modified encryption code to the first information processing apparatus,
The first information processing apparatus receives a modified encryption code reception stage for receiving the first encryption modification number together with the modified encryption code;
A modified number decryption step in which the first information processing apparatus decrypts the first encrypted modified number and restores the first modified number;
The first information processing apparatus performs the first correction operation using the first correction number on individual numbers that are constituent elements of the random code generated in the random code generation stage. A verification correction code generation stage for generating a verification correction code,
The first information processing apparatus encrypts the verification correction code by an encryption operation based on the encryption algorithm to generate a verification encryption code; and
The first information processing apparatus is included in the constituent elements included in the modified encryption code received in the modified encryption code reception stage and the verification encryption code generated in the verification encryption code generation stage. The component is compared with whether or not the numerical value before and after the calculation by the second correction calculation has a consistent correspondence, and if it has a consistent correspondence, the second information processing apparatus is validated. A collation determination stage for determining that the device has been confirmed,
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus generates a random code using a random number to generate a random code that enumerates numbers as constituent elements; and
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
A correction number generation stage in which the second information processing apparatus generates a first correction number and a second correction number using a random number;
A correction code in which the second information processing apparatus generates a correction code by performing a first correction operation using the first correction number on each number that is a component of the received random code. Generation stage,
The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The modified encryption code in which the second information processing apparatus generates a modified encryption code by performing a second modification operation using the second modification number on each number that is a component of the encryption code. Generation stage,
A modified number encryption step in which the second information processing apparatus encrypts the second modified number and generates a second encrypted modified number;
A modified encryption code transmission stage in which the second information processing apparatus transmits the second encrypted modification number together with the modified encryption code to the first information processing apparatus;
A modified encrypted code receiving stage in which the first information processing apparatus receives the second encrypted modification number together with the modified encrypted code;
A modified number decryption step in which the first information processing apparatus decrypts the second encrypted modified number and restores the second modified number;
What is the second correction operation using the second correction number for each number that is a component of the corrected encryption code received by the first information processing apparatus in the reception of the corrected encryption code? A verification encryption code generation stage for performing a reverse operation to generate a verification encryption code;
A verification correction code generation stage in which the first information processing apparatus generates a verification correction code by decrypting the verification encryption code by a decryption operation based on the encryption algorithm;
A configuration in which the first information processing apparatus is included in a component included in a random code generated in the random code generation stage and a verification correction code generated in the verification correction code generation stage. If the element has a consistent correspondence as a numerical value before and after the calculation by the first correction computation, and the correspondence is consistent, the second information processing apparatus is validated. A verification determination stage for determining that the device has been confirmed;
An authentication method for an information processing apparatus, comprising: An authentication method in which a first information processing device authenticates a second information processing device as a device whose validity has been confirmed,
The first information processing apparatus generates a random code using a random number to generate a random code that enumerates numbers as constituent elements; and
A random code transmission stage in which the first information processing apparatus transmits the random code to the second information processing apparatus;
A random code receiving stage in which the second information processing apparatus receives the random code;
The second information processing apparatus generates a correction number using a random number;
A correction code generation step in which the second information processing apparatus generates a correction code by performing a correction operation using the correction number on each number that is a component of the received random code;
The second information processing apparatus encrypts the correction code by an encryption operation based on a predetermined encryption algorithm to generate an encryption code; and
The second information processing apparatus generates a predetermined function value by applying a one-way function to the encryption code; and
A correction number encryption step in which the second information processing apparatus encrypts the correction number and generates an encrypted correction number;
A function value transmission stage in which the second information processing apparatus transmits the encryption correction number together with the function value to the first information processing apparatus;
A function value receiving step in which the first information processing apparatus receives the encryption correction number together with the function value;
A correction number decryption step in which the first information processing apparatus decrypts the encrypted correction number and restores the correction number;
The first information processing apparatus performs a correction operation using the correction number on each number that is a constituent element of the random code generated in the random code generation stage to obtain a correction code for verification. A verification correction code generation stage to be generated;
The first information processing apparatus encrypts the verification correction code by an encryption operation based on the encryption algorithm to generate a verification encryption code; and
The first information processing apparatus generates a collation function value by causing the one-way function to act on the collation encryption code; and
The first information processing apparatus collates whether or not the function value received in the function value reception stage matches the collation function value generated in the collation one-way function value generation stage. A matching determination step of determining, when they match, that the second information processing apparatus is an apparatus whose validity has been confirmed;
An authentication method for an information processing apparatus, comprising: In the authentication method of the information processing apparatus in any one of Claims 18-23 ,
An authentication method for an information processing apparatus, wherein the same correction number is used as the first correction number and the second correction number. In the authentication method of the information processing apparatus in any one of Claims 18-25 ,
The second information processing apparatus performs encryption of the correction number using one of the pair of keys used for the public key cryptosystem in the correction number encryption stage,
An authentication method for an information processing apparatus, wherein the first information processing apparatus performs decryption of the modification number using the other key of the pair of keys in the modification number decryption stage. In the authentication method of the information processing apparatus in any one of Claims 18-26 ,
Authentication of an information processing apparatus using a positive or negative number generated using a random number as a correction number, and performing an operation of adding or subtracting the correction number for each number as a correction operation Method. The authentication method of the information processing apparatus according to claim 27 ,
When performing the correction operation so that the individual numbers that are the constituent elements of the random code and the individual numbers that are the constituent elements of the encryption code are numerical values within the range of N to M (where N <M), When the calculated numerical value V is V <N, correction is performed by adding (M−N + 1), and when the calculated numerical value V is V> M, correction is performed by subtracting (M−N + 1). An authentication method for an information processing apparatus, wherein the numerical value after the correction calculation is a numerical value within a range of N to M. In the authentication method of the information processing apparatus according to any one of claims 18 to 28 ,
For a code including a plurality of n numbers as constituent elements, a correction number is separately generated for each of the n constituent elements, and a correction operation is performed using a sequence of n correction numbers. Processing device authentication method. 30. The authentication method for an information processing device according to claim 14 ,
As the first information processing device and the second information processing device, devices that handle characters associated with specific numbers are used to generate a code including characters as a random code or an encryption code. An authentication method for an information processing apparatus, characterized in that processing is performed as a corresponding number. In the authentication method of the information processing apparatus in any one of Claims 1-30 ,
By further performing a process in which each processing stage performed by the first information processing apparatus and each processing stage performed by the second information processing apparatus are interchanged, the first information processing apparatus changes the second information processing apparatus. An authentication method for an information processing apparatus, wherein authentication is performed as a device whose validity has been confirmed, and the second information processing apparatus performs processing for authenticating the first information processing apparatus as a device whose validity has been confirmed. . 31. An information processing apparatus having a function of executing each stage performed by the first information processing apparatus or the second information processing apparatus in the information processing apparatus authentication method according to claim 1. A program for causing a computer to execute each step performed by the first information processing apparatus or the second information processing apparatus in the authentication method for the information processing apparatus according to any one of claims 1 to 30 .

Images