JP6479724B2 - Secret key synchronization system, user terminal, and secret key synchronization method - Google Patents

Description

  The present invention relates to a secret key synchronization system, a user terminal, and a secret key synchronization method for user authentication between terminals using a WEB service for user authentication using public key cryptography.

Internet users use various web services such as online banking and online shopping using a plurality of terminals such as personal computers, smartphones, and tablet terminals. User authentication is required to use the WEB service. As a user authentication method, a user ID (identifier) and a password are generally used.
The browser has an automatic input function of a user ID and a password, but it is troublesome because it is necessary to set a user ID and a password for each of a plurality of terminals. In order to solve this problem, a password synchronization service that synchronizes an account, which is a set of a WEB service and a user ID and password of the WEB service, between terminals is widely used.

FIG. 24 is a diagram showing an overview of a service for synchronizing passwords between browsers on different terminals.
The password synchronization service is a service that automatically shares the user ID and password of the WEB service between the browsers on the terminal owned by the user via the password synchronization server. The password synchronization service itself also has a user ID and password, and the browser accesses the password synchronization server using the user ID and password. If there is an account that is not stored in the password synchronization server, the browser downloads it, and if there is an account that is not in the password synchronization server, uploads it. By doing so, the WEB service user ID and password are shared by all terminals owned by the user, and the WEB service user ID and password are automatically input from any terminal.

However, the password synchronization service has a problem that the password synchronization server is attacked and the account is stolen. When attacked, the user IDs and passwords of all WEB services of all users who use the password synchronization service are stolen and misused. This is because the user ID and the password are stored on the password synchronization server.
As one technique for solving this problem, there is a web service user authentication technique using public key cryptography called FIDO (Fast IDentity Online) described in Non-Patent Document 1.

FIG. 25 is a diagram showing an overview of FIDO, which is a user authentication technique using public key cryptography.
Description will be made by paying attention to the WEB service B in FIG. The user authentication in the FIDO is not performed by the WEB service B directly authenticating the user X but is performed through an authentication module on the terminal P. That is, the authentication module authenticates the user X, and the WEB service B authenticates the authentication module as the user's proxy. The authentication module confirms that the user X is the user using a password or biometric authentication. When this confirmation is successful, the private key XB of public key cryptography can be used in the authentication module. The authentication module signs the random number sent by the WEB service B using the secret key XB corresponding to the WEB service B and sends it to the WEB service B. The WEB service B verifies the signature using the user's public key XB. To do. By succeeding in this verification, the WEB service B authenticates the user X via the authentication module.

“FIDO Alliance”, [online], [searched on August 10, 2016], Internet <URL: https://fidoalliance.org/>

  In the user authentication of FIDO, the confidentiality of the secret key XB is important, and the secret key XB is confined in the authentication module and cannot be taken out to the outside. For this reason, even if an attempt is made to access the WEB service B from a terminal Q different from the terminal P that normally uses the WEB service B, the terminal Q does not have a secret key XB corresponding to the WEB service B. Can not.

  Some authentication modules can be taken out to the outside, but a password for protecting the taken out private key XB is required, which is troublesome. Further, when the secret key XB is updated, the operation is required for the number of terminals. Further, when there are a plurality of secret keys in the terminal P and these are to be copied to the terminal Q, an operation corresponding to the number of secret keys is required, which is troublesome.

  The present invention solves the above-described problem, and by connecting two user terminals that have been registered in advance, a secret key that can be duplicated without any user operation is provided. It is an object to provide a synchronization system, a user terminal, and a secret key synchronization method.

  As means for solving the above-mentioned problem, the invention according to claim 1 holds a user terminal holding a service secret key, which is a secret key used for authentication when using a service, and information related to the user terminal. A secret key synchronization system that is connected to a terminal management server via a communication network and replicates the service secret key between two user terminals, the user terminal authenticating the user terminal Generating a pair of a private key and a public key of the primary signature relationship information, and including a user terminal identifier of the device, a public key of the primary signature relationship information, and a signature using the secret key of the primary signature relationship information. The primary signature relation information is generated, the primary signature relation information is transmitted to the terminal management server, and the terminal initial registration unit is used as the primary user terminal. If not a terminal, a pair of a private key and public key of secondary signature relation information for authenticating the user terminal is generated, and its own user terminal identifier, a public key of the secondary signature relation information, and the second key The secondary signature relationship information including the signature using the secret key of the next signature relationship information is generated, and the secondary signature relationship information is transmitted to the primary user terminal by direct communication without going through the communication network. Then, when the terminal registration request unit is a secondary user terminal and the terminal registration request unit itself is the primary user terminal, the secondary signature relationship information is received from the secondary user terminal, and the secondary signature relationship is received. After successfully verifying the signature of the information, the user terminal identifier of the secondary signature relationship information that has been successfully verified, the public key of the secondary signature relationship information including the user terminal identifier, and the primary signature relationship Information user A signature generated with the private key of the primary signature relationship information is added to data including a terminal identifier and a public key of the primary signature relationship information, and new primary signature relationship information indicating new primary signature relationship information is generated. A terminal registration response unit that transmits information including the new primary signature relation information to the terminal management server and two user terminals that are the primary user terminal or the secondary user terminal that performs the duplication, Exchange the public key for encryption used for the duplication, the public key for signature used for the duplication, and the signature generated using the private key of the primary signature relation information or the secret key of the secondary signature relation information A pairing control unit that performs pairing, and a synchronization control unit that performs the duplication of the service secret key using the encryption public key and the signature public key exchanged in the pairing; The terminal management server receives and stores the primary signature relationship information from the primary user terminal via the communication network, and when receiving the new primary signature relationship information, the primary signature relationship A signature relation information management unit for storing the new primary signature relation information instead of the primary signature relation information after successful verification of the signature of the new primary signature relation information using a public key of the information, It is a secret key synchronization system.

  As means for solving the above-mentioned problems, the invention according to claim 6 holds a user terminal holding a service secret key, which is a secret key used for authentication when using a service, and information related to the user terminal. A user terminal of a secret key synchronization system connected to a terminal management server via a communication network and replicating the service secret key between the two user terminals, for authenticating the user terminal Generating a pair of a private key and a public key of the primary signature relationship information, including its own user terminal identifier, a public key of the primary signature relationship information, and a signature using the secret key of the primary signature relationship information A terminal initial registration unit that generates the primary signature relation information, transmits the primary signature relation information to the terminal management server, and makes itself a primary user terminal; If it is not the terminal, a pair of a private key and public key of secondary signature relation information for authenticating the user terminal is generated, and its own user terminal identifier, a public key of the secondary signature relation information, and the second key The secondary signature relationship information including the signature using the secret key of the next signature relationship information is generated, and the secondary signature relationship information is transmitted to the primary user terminal by direct communication without going through the communication network. Then, when the terminal registration request unit is a secondary user terminal and the terminal registration request unit itself is the primary user terminal, the secondary signature relationship information is received from the secondary user terminal, and the secondary signature relationship is received. After successfully verifying the signature of the information, the user terminal identifier of the secondary signature relationship information that has been successfully verified, the public key of the secondary signature relationship information including the user terminal identifier, and the primary signature relationship Information user A new primary signature relationship information indicating new primary signature relationship information is generated by adding a signature generated with a secret key of the primary signature relationship information to data including a terminal identifier and a public key of the primary signature relationship information A terminal registration response unit that transmits information including the new primary signature relation information to the terminal management server and two user terminals that are the primary user terminal or the secondary user terminal that performs the duplication, Exchange the public key for encryption used for the duplication, the public key for signature used for the duplication, and the signature generated using the private key of the primary signature relation information or the secret key of the secondary signature relation information A pairing control unit that performs pairing, and a synchronization control unit that performs the duplication of the service secret key using the encryption public key and the signature public key exchanged in the pairing; The It is a user terminal characterized by providing.

  As means for solving the above problem, the invention according to claim 7 holds a user terminal holding a service secret key, which is a secret key used for authentication when using a service, and information related to the user terminal. A secret key synchronization method of a secret key synchronization system, which is connected to a terminal management server via a communication network and duplicates the service secret key between two user terminals, wherein the user terminal is the user Generate a pair of a private key and public key of primary signature relationship information for authenticating a terminal, and use its own user terminal identifier, a public key of the primary signature relationship information, and a secret key of the primary signature relationship information Generating the primary signature relationship information including a signature, transmitting the primary signature relationship information to the terminal management server, and making itself a primary user terminal; If it is not the next user terminal, it generates a pair of the private key and public key of the secondary signature relation information for authenticating the user terminal, its own user terminal identifier, the public key of the secondary signature relation information, Generating the secondary signature relationship information including a signature using a secret key of the secondary signature relationship information, and directly communicating the secondary signature relationship information to the primary user terminal without passing through the communication network. And when the mobile terminal is a primary user terminal, the mobile terminal receives the secondary signature related information from the secondary user terminal when the mobile terminal is the primary user terminal. After successfully verifying the signature, the user terminal identifier of the secondary signature related information that has been successfully verified, the public key of the secondary signature related information including the user terminal identifier, and the primary signature related information You A signature generated with the private key of the primary signature relationship information is added to data including a terminal identifier and a public key of the primary signature relationship information, and new primary signature relationship information indicating new primary signature relationship information is generated. And transmitting the information including the new primary signature relation information to the terminal management server and the duplication between the two user terminals that are the primary user terminal or the secondary user terminal performing the duplication. Pairing for exchanging the encryption public key used, the signature public key used for the duplication, and the signature generated using the private key of the primary signature relation information or the secret key of the secondary signature relation information And executing the duplication of the service secret key using the encryption public key and the signature public key exchanged by the pairing, and The terminal management server receives and stores the primary signature related information from the primary user terminal via the communication network, and when receiving the new primary signature related information, the public key of the primary signature related information And a step of storing the new primary signature relationship information in place of the primary signature relationship information after a successful verification of the signature of the new primary signature relationship information using the secret key synchronization method .

  According to such a configuration, the first user terminal registered as the user terminal owned by the user (the target of the primary signature related information) or the second user owned by the user through direct communication with the primary user terminal The service secret key can be duplicated (synchronized) only between any of the secondary user terminals (subject to secondary signature related information) registered as subsequent user terminals. There is no synchronization with an unregistered unauthorized user terminal, and leakage of the service secret key can be prevented.

  As a means for solving the above-mentioned problem, in the invention according to claim 2, the terminal registration response unit performs user authentication before generating a signature of the new primary signature related information, and the pairing control unit includes: 2. The secret key synchronization system according to claim 1, wherein user authentication is performed before the pairing.

  According to such a configuration, it is possible to prevent registration, pairing, and synchronization of a user terminal using the user terminal by a user other than the owner of the user terminal.

  As means for solving the above-mentioned problem, the invention according to claim 3 is characterized in that the terminal management server stores, for each user terminal, whether or not the user terminal is in a suspended state, and the pairing control unit. Before the pairing, inquires to the terminal management server whether or not it is in the use suspension state, if the use suspension state, the pairing is stopped, the synchronization control unit Before the duplication, an inquiry is made to the terminal management server as to whether or not it is in the use suspension state, and if the use is in the use suspension state, the duplication is stopped. It is the private key synchronization system described.

  According to such a configuration, it is possible to prevent pairing and synchronization using the user terminal by keeping the lost user terminal in a use suspended state.

  As a means for solving the above-mentioned problems, the invention according to claim 4 is characterized in that the secret key synchronization system includes: a key protection capability, a user authentication method, a strength of user authentication, and a presence / absence of a secure area of the user terminal. A terminal verification server for storing terminal capability information including at least one of them and indicating a safety level, wherein the pairing control unit is a user terminal to be paired before the pairing The terminal capability information is obtained from the terminal verification server, and the pairing is stopped when the security level of the user terminal indicated by the terminal capability information does not satisfy a predetermined criterion. The secret key synchronization system according to claim 1.

  According to such a configuration, it is possible to prevent synchronization with a user terminal having a low level of security in which the user authentication method and the service secret key protection method (protection capability) do not satisfy the predetermined standard.

  As a means for solving the above-mentioned problem, the invention according to claim 5 is characterized in that the secret key synchronization system includes: a key protection capability, a user authentication method, a strength of user authentication, and a presence / absence of a secure area of the user terminal. A terminal verification server that stores terminal capability information indicating at least one of them and indicating a security level, wherein the service secret key is a secret key used for user authentication of a WEB service, and the WEB service The secret key used for user authentication of the WEB service can be copied, the user terminal key protection capability, the user terminal user authentication method, the user terminal user authentication strength, the user terminal secure area An authentication policy that defines at least one of presence / absence is stored, and the synchronization control unit performs user authentication of the WEB service. If the security level of the user terminal to which the copy is made does not meet the security level in the authentication policy of the WEB service before the secret key is copied, the copy is stopped. The secret key synchronization system according to claim 1, wherein:

  According to such a configuration, it is possible to prevent the service secret key from being copied to a user terminal having a low security level that does not match the level required by the WEB service for the secret key for user authentication of the WEB service such as FIDO.

  According to the present invention, a secret key synchronization system, a user terminal, and a secret key that can duplicate a secret key without user operation by connecting two user terminals that have been registered in advance. It is an object to provide a synchronization method.

It is a figure which illustrates the whole structure of the private key synchronization system which concerns on this embodiment. It is a functional block diagram which illustrates the composition of the user terminal concerning this embodiment. It is a figure which illustrates the structure of authentication credential DB memorize | stored in the secure memory | storage part of the user terminal which concerns on this embodiment. It is a figure which illustrates the structure of signature related key DB memorize | stored in the secure memory | storage part of the user terminal which concerns on this embodiment. It is a figure which illustrates the structure of key DB for a synchronization memorize | stored in the secure memory | storage part of the user terminal which concerns on this embodiment. It is a figure which illustrates the structure of WEB service key DB memorize | stored in the secure memory | storage part of the user terminal which concerns on this embodiment. It is a functional block diagram which illustrates the composition of the terminal management server concerning this embodiment. It is a figure which illustrates the composition of user information DB memorized by the storage part of the terminal management server concerning this embodiment. It is a figure which illustrates the structure of signature relation information DB memorize | stored in the memory | storage part of the terminal management server which concerns on this embodiment. It is a figure which illustrates the structure of terminal utilization condition DB memorize | stored in the memory | storage part of the terminal management server which concerns on this embodiment. It is a sequence diagram which illustrates the whole registration process of the primary user terminal which concerns on this embodiment. It is a sequence diagram which illustrates the new registration of the primary user terminal which concerns on this embodiment. It is a sequence diagram which illustrates the update registration process of the primary user terminal which concerns on this embodiment. It is a sequence diagram which illustrates the new registration of the secondary user terminal which concerns on this embodiment. It is a figure which shows the structural example of the signature related information of the double signature at the time of the new registration of the secondary user terminal which concerns on this embodiment. It is a sequence diagram which illustrates the update registration of the secondary user terminal which concerns on this embodiment. It is a figure which shows the structural example of the signature related information of the double signature at the time of the update registration of the secondary user terminal which concerns on this embodiment. It is a sequence diagram (1) which illustrates the pairing process between the registered user terminals concerning this embodiment. It is a sequence diagram (2) which illustrates the pairing process between the registered user terminals concerning this embodiment. It is a sequence diagram (3) which illustrates the pairing process between the registered user terminals concerning this embodiment. It is a sequence diagram (4) which illustrates the pairing process between the registered user terminals which concern on this embodiment. It is a sequence diagram (1) which illustrates the synchronization process between the user terminals already paired according to the present embodiment. It is a sequence diagram (2) which illustrates the synchronization process between the paired user terminals which concern on this embodiment. It is a figure which shows the outline | summary of the service which synchronizes the password between the browsers on a different terminal. It is a figure which shows the outline | summary of FIDO which is a user authentication technique using a public key encryption.

Hereinafter, a secret key synchronization system according to an embodiment of the present invention will be described with reference to the drawings.
≪Secret key synchronization system of this embodiment≫
FIG. 1 is a diagram illustrating the overall configuration of a secret key synchronization system 1 according to the present embodiment.
The secret key synchronization system 1 includes a user terminal 100 that stores the following secret key for user authentication of the WEB service 400 and performs user authentication of the WEB service, which is connected via a communication network (Internet), and the user terminal 100, a terminal management server 200 that stores information relating to 100, a terminal verification server 300 that stores information (terminal capability information 302) for confirming the safety level of the user terminal (verification of terminal capability), and access to itself. It consists of a WEB service 400 that stores an authentication policy 401 including the security level of the user terminal 100.

  There are two types of user terminals 100: primary user terminals 100-1 and secondary user terminals 100-2. The primary user terminal 100-1 is a user terminal 100 that each user first registers (see reference numeral 1 in FIG. 1). The second and subsequent user terminals 100 register using the primary user terminal as the secondary user terminal 100-2 (see reference numeral 2 in FIG. 1).

At the time of registration, the primary user terminal 100-1 and the secondary user terminal 100-2 communicate by being directly connected using a communication cable or the like, not via the Internet (hereinafter referred to as direct communication). Other direct communication methods include short-range wireless communication such as Bluetooth (registered trademark) and direct connection using an ad hoc mode wireless LAN (Local Area Network). By limiting the registration target to the user terminal 100 capable of direct communication, it is possible to prevent an unauthorized user terminal 100 from being remotely registered by an attacker who does not have the primary user terminal 100-1.
Hereinafter, the primary user terminal 100-1 and the secondary user terminal 100-2 are collectively referred to as a registered user terminal. If it is clear that the user has been registered, the registered user terminal is simply referred to as a user terminal.

  The two registered user terminals 100 are connected and paired so that direct communication is possible (see reference numeral 3 in FIG. 1), thereby exchanging public keys for encryption and signature. When synchronizing (duplicating) the private key of the WEB service 400 (see reference numeral 4 in FIG. 1), the user terminal 100 of the synchronization partner is authenticated using the public key for signature (for authentication) obtained by this pairing. Then, the private key is encrypted and copied using the public key for encryption. The two user terminals 100 once paired can be repeatedly synchronized thereafter.

  When the primary user terminal 100-1 is registered, the primary user terminal 100-1 generates signature relation information (D100 in FIG. 12 described later) indicating that the user owns the primary user terminal 100-1, and the terminal The data is transmitted to the management server 200, and the terminal management server 200 stores the signature relation information DB 232 (FIG. 9 described later). As will be described later, this signature related information (primary signature related information in claims) includes a public key used for authentication of the primary user terminal 100-1.

  When the secondary user terminal 100-2 is registered, signature related information (D170 in FIG. 15 to be described later) indicating that the user owns the primary user terminal 100-1 and the secondary user terminal 100-2 is transmitted to the primary user terminal. 100-1 is generated and transmitted to the terminal management server 200, and the terminal management server 200 stores the signature relation information DB 232 (FIG. 9 described later). As will be described later, this signature-related information (new primary signature-related information in the claims) includes public keys used for authentication of the primary user terminal 100-1 and the secondary user terminal 100-2. The user terminal 100 can obtain the latest registered user terminal 100 information by requesting the terminal management server 200 for signature-related information.

In pairing, the terminal management server 200 confirms the usage state of the partner user terminal 100 (see reference numeral 3a in FIG. 1) and the terminal verification server 300 performs capacity verification of the user terminal 100 (see reference numeral 3b in FIG. 1).
When the user terminal 100 is lost, the usage state of the user terminal 100 stored in the terminal management server 200 is kept stopped. By confirming the usage state of the partner user terminal 100 in the pairing process (see reference numeral 3a in FIG. 1), the lost user terminal 100 cannot perform pairing. The same applies to the case of confirmation in the synchronization process.

  In addition, the terminal capability information 302 of the partner user terminal 100 is obtained at the time of pairing, and capability verification is performed (see reference numeral 3b in FIG. 1), so that a countermeasure against an attack that attempts to steal the secret key (key Protection capability), certainty level of user authentication (user authentication method and its strength), presence / absence of a secure area, etc., and confirms whether the other user terminal 100 has a predetermined level of safety. If it cannot be confirmed, leakage of the private key from the user terminal 100 with a low security level can be prevented by canceling the private key synchronization (duplication) to the user terminal 100.

  When synchronizing the secret key used for user authentication of the WEB service 400, the security level indicated in the terminal capability information 302 of the partner user terminal 100 is compared with the authentication policy 401 of the WEB service 400 (FIG. 1). Reference 4a). As a result of the collation, if the authentication policy 401 of the WEB service 400 is not met, the synchronization is stopped. By prohibiting secret key synchronization (duplication) to the user terminal 100 with a low security level that does not meet the authentication policy 401, leakage of the secret key from the user terminal 100 with a low security level can be prevented.

  In the method of encrypting the secret key with the password shown in FIG. 25 and copying it between the user terminals 100, an operation proportional to the product of the number of user terminals 100 and the number of user authentication secret keys of the WEB service 400 is required. Met. In the synchronization process of the present embodiment, if two user terminals 100 are directly connected, no user operation is required.

Hereinafter, each device constituting the secret key synchronization system 1 will be described in detail with reference to the drawings.
<< User terminal configuration >>
FIG. 2 is a functional block diagram illustrating the configuration of the user terminal 100 according to this embodiment.
The user terminal 100 is realized by a general-purpose computer such as a workstation, a personal computer, or a smartphone, and includes a control unit 110, a storage unit 150, and an input / output unit 140. An arithmetic processing device such as a CPU (Central Processing Unit) inside the device functions as the control unit 110 by executing a control program stored in the memory. The control unit 110 includes a key management secure application 120 and a key management non-secure application 130.

In addition, the user terminal 100 includes a storage unit 150 realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and the storage unit 150 further includes a secure storage unit 160. Is provided. The secure storage unit 160 can be accessed only by the key management secure application 120 by the function of the OS (Operating System) of the user terminal 100. Regardless of the function of the OS, by encrypting with the key of the key management secure application 120, it is possible to prevent access to programs other than the key management secure application 120.
The secure storage unit 160 stores an authentication credential DB 161, a signature relation key DB 162, a WEB service key DB 163, a synchronization key DB 164, and a terminal verification secret key 165.

The input / output unit 140 inputs / outputs data to / from other devices such as the terminal management server 200 and other user terminals 100. The input / output unit 140 transmits / receives information via the network, the authentication device 141 used when the key management secure application 120 performs user authentication, the direct communication interface 142 that performs direct communication with other user terminals 100, and the network. It is composed of a communication interface (not shown) and an input / output interface (not shown) such as a keyboard and a monitor. Examples of the authentication device 141 include a device that reads biometric information such as a fingerprint and a vein, a camera that captures a face, and the like. The direct communication interface 142 is used for direct communication between the two user terminals 100 and includes a short-range wireless communication interface such as Bluetooth.
Hereinafter, configurations included in the control unit 110 and the secure storage unit 160 will be described.

  The key management secure application 120 provided in the control unit 110 receives an instruction from the key management non-secure application 130 and registers the user terminal 100 that enables private key synchronization. Further, the key management secure application 120 synchronizes secret keys stored in the WEB service key DB 163 (FIG. 6 described later) of the secure storage unit 160 between the registered user terminals 100. Further, the key management secure application 120 receives an instruction from a program that accesses the WEB service 400, and performs processing such as signature using a secret key necessary for user authentication of the WEB service 400.

  Also, the key management secure application 120 monitors the key management non-secure application 130, the authentication credential DB 161 (FIG. 3 described later), and the signature related key DB 162 (FIG. 4 described later), and detects tampering or deletion. The signature relation key DB 162, the WEB service key DB 163 (FIG. 6 described later), the synchronization key DB 164 (FIG. 5 described later), and the terminal verification secret key 165 are deleted. As a result, user authentication can be avoided, and attacks that illegally access the WEB service key can be prevented.

  By operating the key management secure application 120 in the privilege mode (secure area) of the OS, it is possible to prevent an attack from a general application. Further, the security of the authentication data stored in the authentication credential DB 161 and the security of the secret key stored in the signature relation key DB 162, the WEB service key DB 163, the synchronization key DB 164, and the terminal verification secret key 165 can be improved. Alternatively, by using the virtualization technology, the security can be improved by providing the key management secure application 120 and the secure storage unit 160 on an OS (secure area) different from the OS normally used by the user.

In addition to the operation in the privileged mode, the key management secure application 120 checks whether the software that the device or software (functional unit) that was activated first is activated after the user terminal 100 is activated is public key encryption. By verifying the signature using a technology and starting it when it is correct, the key management secure application 120 that has been tampered with can be prevented from starting.
Hereinafter, the key management secure application 120 includes a user authentication unit 121, a key management unit 122, a terminal initial registration unit 123, a terminal registration request unit 124, a terminal registration response unit 125, a pairing control unit 126, The synchronization control unit 127 will be described.

  The user authentication unit 121 receives a request from the terminal initial registration unit 123, the terminal registration request unit 124, and the like, and performs authentication (user authentication) of a user who uses the key management secure application 120. Data necessary for user authentication is stored in an authentication credential DB 161 (FIG. 3 described later) of the secure storage unit 160. One type of user authentication is authentication using biometric information such as a face or fingerprint. The user authentication unit 121 reads the biometric information by using an authentication device 141 such as a camera or a fingerprint scanner provided in the input / output unit 140 and performs user authentication.

FIG. 3 is a diagram illustrating a configuration of the authentication credential DB 161 stored in the secure storage unit 160 of the user terminal 100 according to the present embodiment.
The authentication credential DB 161 is, for example, data in a table format, and includes one or more rows (hereinafter referred to as records). Each record is data for one user authentication, and includes an authentication type, a device, and authentication data as attributes.

The authentication type is a user authentication method such as a method using biometric information such as a face or a fingerprint, a method using a password, or the like.
The device indicates an apparatus used for user authentication included in the input / output unit 140. In the authentication method using biometric information, the authentication device 141 is used to read the biometric information of the user. In the case of a password, a keyboard (not shown) provided in the input / output unit 140 is used.
The authentication data is verification data. That is, the user authentication unit 121 acquires biometric information and a password using an authentication device 141 and a keyboard (not shown), and collates the acquired data with authentication data. If the verification is successful, the user authentication is successful.

  Which method is used when there are a plurality of authentication methods depends on the authentication policy 401 of the WEB service 400 and the authentication policy of the key management secure application 120 itself. While there is a WEB service 400 that requires user authentication such as vein authentication that is difficult to be spoofed, there is also a WEB service 400 that may be a password. There is also a WEB service 400 that requires user authentication using a plurality of methods. As will be described later, the key management secure application 120 requires user authentication when registering or pairing with the user terminal 100, and can use different authentication methods.

The key management unit 122 generates a public key encryption key pair including the signature-related public key encryption key pair of the user terminal 100 (hereinafter also referred to as a signature related key), encryption using the public key, and secret Processing such as decryption using a key, signature generation using a private key, and signature verification using a public key is performed. These processes are performed in response to requests from the terminal initial registration unit 123, the pairing control unit 126, and the like.
The generated key pair is stored in the secure storage unit 160 in accordance with the use, such as a signature related key DB 162 (FIG. 4 to be described later), a WEB service key DB 163 (FIG. 6 to be described later), or a synchronization key DB 164 (a diagram to be described later). 5).

  The terminal initial registration unit 123 performs processing for registering the user terminal 100 owned by the user in the terminal management server 200 as the primary user terminal 100-1. In other words, the terminal initial registration unit 123 cooperates with the key management unit 122 to generate a key pair of the signature related key, and the terminal ID (Identifier) of the primary user terminal 100-1 and the public key of the signature related key (hereinafter, referred to as the key) Signature relation information (also referred to as a signature relation public key) is generated and transmitted to the terminal management server 200. A private key corresponding to the signature related public key is also referred to as a signature related private key. The generated key is stored in a signature related key DB 162 (see FIG. 4 described later) in the secure storage unit 160. Details will be described later with reference to FIG.

FIG. 4 is a diagram illustrating a configuration of the signature relation key DB 162 stored in the secure storage unit 160 of the user terminal 100 according to the present embodiment.
The signature related key DB 162 is, for example, data in a table format, and includes one or more records. Each record represents one user terminal 100 owned by the user, and includes a terminal ID, a starting point, a secret key, and a public key as attributes.

The terminal ID is identification information of the user terminal 100 represented by the record.
The starting point indicates whether or not the user terminal 100 represented by the record is the primary user terminal 100-1, that is, whether or not the user terminal 100 is registered first and is used for the subsequent registration of the user terminal 100. If it is the primary user terminal 100-1, “Y”, otherwise “N”.

  The secret key and the public key are a secret key and a public key of a public key encryption key pair of the user terminal 100, respectively. Since only the user terminal 100 that generated the key pair holds the secret key, the secret key is stored only in one record corresponding to itself, and the secret keys of other records corresponding to other user terminals 100 are stored. It is “−”.

  In the signature related key DB 162 of the primary user terminal 100-1, the public keys of all registered user terminals 100 are stored. This is because the secondary user terminal 100-2 is registered via the primary user terminal 100-1 for registration, and the terminal registration response unit 125 of the primary user terminal 100-1 registers during the registration process. This is because the signature related public key of the target secondary user terminal 100-2 is recorded.

  Returning to FIG. 2, the terminal registration request unit 124 and the terminal registration response unit 125 cooperate with each other as a secondary user terminal 100-2 as a user terminal 100 owned by a user in the following procedure. A process of registering in the terminal management server 200 is performed via 100-1.

  First, the terminal registration request unit 124 of the user terminal 100 registered as the secondary user terminal 100-2 (hereinafter referred to as the secondary user terminal 100-2 in the description of this process) In cooperation with the key management unit 122, a signature-related key pair is generated, signature-related information (secondary signature-related information in claims) is generated, and the terminal registration response unit 125 of the primary user terminal 100-1 receives Send. The generated key is stored in the signature relation key DB 162 (see FIG. 4) of the secure storage unit 160 of the secondary user terminal 100-2.

Subsequently, the terminal registration response unit 125 of the primary user terminal 100-1 collaborates with the key management unit 122 of the primary user terminal 100-1 to verify the received signature related information of the secondary user terminal 100-2. Then, it generates signature relationship information (new primary signature relationship information in claims) between the primary user terminal 100-1 and the secondary user terminal 100-2, and transmits them to the terminal management server 200. The signature related information includes the ID of the primary user terminal 100-1, the signature related public key, the ID of the secondary user terminal 100-2, and the signature related public key. Details will be described later with reference to FIG.
The terminal registration response unit 125 of the primary user terminal 100-1 stores the signature related public key of the secondary user terminal 100-2 included in the signature related information of the secondary user terminal 100-2 in the signature related key DB 162. .

  The registration of the new user terminal 100 after the secondary user terminal 100-2 is the same, and the terminal registration request unit 124 of the new user terminal 100 and the terminal registration response unit 125 of the primary user terminal 100-1 cooperate. The new user terminal 100 is registered as the secondary user terminal 100-2. The signature relation information transmitted to the terminal management server 200 by the terminal registration response unit 125 of the primary user terminal 100-1 includes the ID of the already registered user terminal 100 and its signature relation public key, including the new user terminal 100. included.

The pairing control unit 126 of the two registered user terminals (primary user terminal 100-1 and secondary user terminal 100-2) cooperates to perform pairing processing according to the following procedure. The two user terminals 100 are the primary user terminal 100-1 and the secondary user terminal 100-2, or the two secondary user terminals 100-2.
First, the pairing control unit 126 of each user terminal 100 performs user authentication using the user authentication unit 121. Next, the terminal management server 200 is inquired about its own usage status, and it is confirmed that the usage status is not stopped.

  Subsequently, the pairing control unit 126 of the two user terminals 100 shares a shared key for securing a secure communication path. As a sharing method, in addition to commonly used, for example, sharing using a Diffie-Hellman key exchange algorithm, the pairing control unit 126 of one user terminal 100 uses the signature-related public key of the other user terminal 100. The shared key can be encrypted and transmitted to the other user terminal 100, and the received user terminal 100 can decrypt and share the common key.

  Next, the pairing control unit 126 of each user terminal 100 verifies the capability of the partner key management secure application 120 using the terminal verification public key 301 obtained from the terminal verification server 300. Through this verification, the other party's key management secure application, such as the resistance to attacks that attempt to steal the secret key (key protection capability), the level of certainty of user authentication (user authentication method and its strength), the presence of a secure area, etc. It can be confirmed that 120 secures a predetermined level of safety.

Subsequently, the pairing control unit 126 of each user terminal 100 cooperates with its own key management unit 122 to use a key pair for encryption and a signature used for synchronization of a secret key for WEB service authentication. A key pair is generated and the public key is transmitted to the other user terminal 100. Hereinafter, the encryption key pair is the synchronization encryption key, the public key of the pair is the synchronization encryption public key (the encryption public key of the claims), and the private key of the pair is the synchronization encryption private key The signature key pair is also referred to as a synchronization signature key, the public key of the pair is also referred to as a synchronization signature public key (signature public key in claims), and the private key of the pair is also referred to as a synchronization signature private key. The encryption key for synchronization and the signature key for synchronization are stored in a synchronization key DB 164 (see FIG. 5 described later) of the secure storage unit 160.
Detailed processing of pairing will be described later with reference to FIGS.

FIG. 5 is a diagram illustrating a configuration of the synchronization key DB 164 stored in the secure storage unit 160 of the user terminal 100 according to the present embodiment.
The synchronization key DB 164 is, for example, data in a table format and includes one or more records. Each record includes a synchronization encryption key and a synchronization signature key that are used when synchronizing with the user terminal 100 of the synchronization partner, and as attributes, a terminal ID, a transmission public key, and a reception private key A reception public key, a signature private key, a signature public key, a verification public key, and a terminal capability.

The transmission public key is an encryption public key for synchronization of the user terminal 100 of the synchronization partner.
The reception private key is its own encryption private key for synchronization.
The reception public key is its own encryption public key for synchronization.
The signature private key is its own signature private key for synchronization.
The signature public key is its own signature public key for synchronization.
The verification public key is a synchronization signature public key of the synchronization partner user terminal 100.
The terminal capability is terminal capability information 302 (to be described later) of the user terminal 100 that is the synchronization partner. (Protective ability). User authentication types include passwords and fingerprints, and WEB service key DB 163 protection methods include hardware protection and encryption protection.

Returning to FIG. 2, the synchronization control unit 127 of the two registered user terminals (the primary user terminal 100-1 and the secondary user terminal 100-2) cooperates with the two user terminals 100 in the following procedure. WEB service secret key synchronization process is performed.
First, the synchronization control unit 127 of each user terminal 100 detects that direct communication is possible, and then inquires the terminal management server 200 about its own usage status and confirms that it is not in a usage suspension status. .

  Subsequently, each synchronization control unit 127 mutually authenticates the other party using the signature (authentication) key obtained through the pairing process. Next, it is confirmed whether or not the secret key of the WEB service can be synchronized with the authentication policy 401 of the WEB service 400.

Subsequently, each synchronization control unit 127 encrypts a key that the other party does not have with the secret key of the WEB service that can be synchronized, and transmits it to the other party using the encryption public key for synchronization.
Detailed processing of synchronization will be described later with reference to FIGS.

  The key management non-secure application 130 instructs the terminal management server 200 to stop using the user terminal 100 or release the use stop. When the user terminal 100 is lost, the user uses the key management non-secure application 130 of another user terminal 100 to put the lost user terminal 100 in a suspended state. By stopping the use, unauthorized use of the lost user terminal 100 can be prevented. When the lost user terminal 100 is found, the suspension of use can be canceled using the key management non-secure application 130.

FIG. 6 is a diagram illustrating a configuration of the WEB service key DB 163 stored in the secure storage unit 160 of the user terminal 100 according to the present embodiment.
The WEB service key DB 163 is, for example, data in a table format, and includes one or more records. Each record represents an account of one WEB service 400 held by the user, and includes a URL, a user ID, a secret key, and a public key as attributes.

The URL is the URL of the WEB service 400 indicated by the record.
The user ID is a user ID of a user account in the WEB service.
The secret key and the public key are a secret key and a public key of public key encryption used for user authentication of the user's WEB service, respectively. As the user authentication of the WEB service using public key cryptography, there is FIDO listed in Non-Patent Document 1, but a key pair of another user authentication method may be used.

  The terminal verification private key 165 is a key for generating a signature for authenticating the key management secure application 120 itself, and is used during the pairing process. The pairing partner verifies the signature generated using this key, so that the user terminal 100 of the pairing partner can confirm the identity of the key management secure application 120, and by inquiring the terminal verification server 300, the key management secure application 120 security levels (terminal capability information 302) can be confirmed.

  So far, the description has been made on the assumption that the user terminal 100 is a single user. In the case of a multi-user, each user includes an authentication credential DB 161, a signature relation key DB 162, a WEB service key DB 163, and a synchronization key DB 164.

≪Terminal management server configuration≫
FIG. 7 is a functional block diagram illustrating the configuration of the terminal management server 200 according to this embodiment.
The terminal management server 200 is realized by a general-purpose computer such as a workstation, and includes a control unit 210, an input / output unit 220, and a storage unit 230. An arithmetic processing unit such as a CPU inside the apparatus functions as the control unit 210 by executing a control program stored in the memory. The control unit 210 includes a user reception unit 211, a signature relationship information management unit 212, and a terminal usage status management unit 213.

The terminal management server 200 includes a storage unit 230 that is realized by a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk. The storage unit 230 stores a user information DB 231, a signature relation information DB 232, and a terminal usage status DB 233.
The input / output unit 220 inputs and outputs data with the user terminal 100 and other devices. The input / output unit 220 includes a communication interface (not shown) for transmitting and receiving information via a network, and an input / output interface (not shown) such as a keyboard and a monitor.
Hereinafter, configurations included in the control unit 210 and the storage unit 230 will be described.

  The user reception unit 211 included in the control unit 210 checks the communication connection request from the user terminal 100 with the information in the user information DB 231 (FIG. 8 described later) stored in the storage unit 230, and Authenticate.

FIG. 8 is a diagram illustrating a configuration of the user information DB 231 stored in the storage unit 230 of the terminal management server 200 according to the present embodiment.
The user information DB 231 is data in a table format, for example, and includes one or more records. Each record represents one user, and includes a user ID, a password, a name, and an affiliation as attributes.
The user ID is user identification information. The password is authentication information used when authenticating the user. The name is the name of the user, and the affiliation is the name of the organization to which the user belongs. These pieces of information are registered by the administrator of the terminal management server 200 prior to registration of the user terminal 100.

  Returning to FIG. 7, when receiving the user authentication request including the user ID and password transmitted from the user terminal 100, the user reception unit 211 is stored in the storage unit 230 including the user ID that matches the received user ID. The user information DB 231 is searched for, and if the password of the record matches the received password, the user authentication is successful. If the record does not exist or the passwords do not match as a result of the search, the user authentication is failed.

  The signature related information management unit 212 provided in the control unit 210 receives the signature related information transmitted by the user terminal 100, verifies the signature, and stores the signature related information DB 232 (FIG. 9 described later) stored in the storage unit 230. Update. The reception of the signature related information is performed via a communication path that has been authenticated by the user reception unit 211.

FIG. 9 is a diagram illustrating a configuration of the signature relation information DB 232 stored in the storage unit 230 of the terminal management server 200 according to the present embodiment.
The signature related information DB 232 is, for example, data in a table format and includes one or more records. Each record represents the signature relationship information of one user, and includes a user ID and signature relationship information as attributes.
The user ID is user identification information. The signature relation information is the signature relation information of this user.

Returning to FIG. 7, when the signature relationship information management unit 212 receives the signature relationship information from the user terminal 100 through the communication path where the user authentication is completed, the signature relationship information management unit 212 verifies the signature, and if the verification is successful, stores it in the storage unit 230. In the signature relation information DB 232, the signature relation information of the record whose user ID matches the user ID authenticated by the user reception unit 211 is updated to the received signature relation information. This signature related information includes the ID of the user terminal 100 held by the user indicated by the user ID and the signature related public key. Details of the processing contents will be described later with reference to FIGS.
In addition, the signature relationship information management unit 212 transmits signature relationship information based on a request from the user terminal 100. At this time, the signature information of the user authenticated by the user reception unit 211 is transmitted.

  The terminal usage status management unit 213 provided in the control unit 210 receives an inquiry or a change in the usage status of the user terminal 100 and updates the terminal usage status DB 233 in the storage unit 230. Further, when the user terminal 100 is registered, the user terminal 100 is recorded in the terminal usage status DB 233 as the user terminal 100 for the owned user.

FIG. 10 is a diagram illustrating a configuration of the terminal usage status DB 233 stored in the storage unit 230 of the terminal management server 200 according to the present embodiment.
The terminal usage status DB 233 is, for example, data in a table format and includes one or more records. Each record represents one user terminal 100 and includes a terminal ID, a user ID, and a usage status as attributes.
The terminal ID is identification information of the user terminal 100. The user ID is identification information of a user who owns this user terminal 100. The usage status is the usage status of the user terminal 100 and is “in use” indicating that the user terminal 100 is being used, or “stopped” indicating that the usage has been stopped due to the possibility of being lost.

  Returning to FIG. 7, after the user reception unit 211 performs user authentication, the terminal usage status management unit 213 receives a usage stop request for the user terminal 100 owned by the user and is stored in the storage unit 230. Search the DB 233 for records that satisfy the condition “user ID matches the user ID authenticated by the user reception unit 211 and the terminal ID matches the identification information of the user terminal 100 requested”. . If there is a matching record, the terminal usage status management unit 213 updates the usage status of the matched record to “stopped”, and if not, notifies the user terminal 100 of an error.

  Even when a request to change while using the user terminal 100 whose use is stopped is received, the terminal usage status management unit 213 performs the same processing and updates the corresponding record to “in use”. The same processing is performed for inquiring about the usage status of the user terminal 100, and “in use” or “stopped” is transmitted.

≪Terminal verification server≫
The terminal verification server 300 receives the identification information of the key management secure application 120 and transmits the terminal verification public key 301 and the terminal capability information 302 of the key management secure application 120. Since the terminal verification public key 301 and the terminal capability information 302 are public information, the terminal verification server 300 may not perform user authentication.

The terminal capability information 302 includes a key management secure application such as a countermeasure power (key protection capability) against an attempt to steal a secret key, a certainty level of user authentication (user authentication method and strength), and presence / absence of a secure area. 120 is information indicating the safety level. The terminal capability information 302 includes at least one of key protection capability, user authentication method, user authentication strength, and presence / absence of a secure area, and is referred to in the pairing process.
Also, during the synchronization process, the terminal capability information 302 includes whether the secret key used for user authentication of the WEB service can be copied, the key protection capability of the user terminal 100, the user authentication method, the strength of user authentication, and the presence / absence of a secure area The authentication policy 401 of the WEB service 400 that defines at least one of them is used to determine whether or not the secret key is copied to the user terminal 100. The authentication policy 401 can be obtained from the WEB service 400.

≪User terminal registration process≫
Returning to FIG. 1, the user terminal 100 that can synchronize the secret key for WEB service authentication is registered in the terminal management server 200 in advance. Registration is performed by first registering the primary user terminal 100-1 that is the starting point of registration, and then registering the first secondary user terminal 100-2 and the second secondary user terminal (not shown). Do. When registering the secondary user terminal 100-2, the user terminal 100 is registered by directly communicating with the primary user terminal 100-1 using the direct communication interface 142 of the input / output unit 140.

It is assumed that a user is registered in each registered user terminal 100 and terminal management server 200 before the user terminal 100 is registered. That is, the user is registered in the authentication credential DB 161 (see FIG. 3) of each user terminal 100 and the user information DB 231 (see FIG. 8) of the terminal management server 200.
The two registered user terminals 100 hold a key necessary for the synchronization process through the pairing process, and can synchronize the secret key for authentication of the WEB service through the synchronization process.
Hereinafter, the registration process of the primary user terminal 100-1 will be described with reference to FIGS. 11 to 13, and the registration process of the secondary user terminal 100-2 will be described with reference to FIGS. The pairing process will be described in detail with reference to FIG. 21, and the synchronization process will be described in detail with reference to FIGS. 22 and 23.

≪Primary user terminal registration process≫
FIG. 11 is a sequence diagram illustrating the entire registration process of the primary user terminal 100-1 according to the present embodiment.
In starting the registration process of the primary user terminal 100-1, the key management non-secure application 130 of the primary user terminal 100-1 connects to the terminal management server 200 by a secure communication method (step S101). As a secure connection method, a method in which communication data such as TLS (Transport Layer Security) is encrypted and a server as a communication partner can be authenticated is used. When connected to the terminal management server 200, the key management non-secure application 130 transmits the user ID and password to the terminal management server 200.

The user reception unit 211 of the terminal management server 200 collates with the user information DB 231 (FIG. 8) stored in the storage unit 230 (see FIG. 7), and if the collation fails, the user management failure is indicated as a key management non-secure application 130. The key management non-secure application 130 disconnects the connection and ends the registration process. Hereinafter, the description will be continued assuming that the verification is successful and the user authentication is successful.
Subsequently, the key management non-secure application 130 instructs the terminal initial registration unit 123 of the key management secure application 120 to start registration processing (step S102).

  Upon receiving an instruction to start registration processing from the key management non-secure application 130, the terminal initial registration unit 123 of the key management secure application 120 performs user authentication (step S103). That is, the terminal initial registration unit 123 requests the user authentication unit 121 to authenticate a user who is currently using the key management secure application 120. If the user authentication fails, the registration process is stopped. Hereinafter, the description will be continued assuming that the user authentication is successful.

  Subsequently, the terminal initial registration unit 123 determines whether its own signature relationship key exists in the signature relationship key DB 162 (see FIG. 4) (step S104). To make a determination, a search is made for a record including the secret key in the signature relation key DB 162.

  When branching to N in step S104, that is, when there is no record in the previous search, the process proceeds to new registration in step S105. The new registration process in step S105 will be described later with reference to FIG.

  When branching to Y in step S104, that is, when a record exists in the previous search, the terminal initial registration unit 123 inquires of the user whether or not the key can be updated, and determines the signature-related key according to the result. It is determined whether or not to update (step S106).

  If the process branches to Y in step S106, that is, if an existing signature-related key is updated, the process proceeds to update registration in step S107. The update registration process in step S107 will be described later with reference to FIG.

  When branching to N in step S106, that is, when the existing signature-related key is not updated, the terminal initial registration unit 123 inquires of the user whether the key can be deleted, and the signature-related key is determined according to the result. It is determined whether or not to delete (step S108).

When branching to N in step S108, that is, when the existing signature-related key is not deleted, the terminal initial registration unit 123 finishes the registration process and performs the process without registration via the key management non-secure application 130. Notify the user that it has finished.
When branching to Y in step S108, that is, when deleting an existing signature-related key, the terminal initial registration unit 123 instructs the key management unit 122 to delete the signature-related key (step S109).

Next, the key management unit 122 deletes all the records in the signature related key DB 162 (FIG. 4) (step S110).
Next, the key management unit 122 notifies the terminal initial registration unit 123 that the signature-related key has been deleted (step S111).
Subsequently, the terminal initial registration unit 123 proceeds to new registration in step S112. The new registration process in step S112 will be described later with reference to FIG.

≪Primary user terminal new registration process≫
FIG. 12 is a sequence diagram illustrating new registration of the primary user terminal 100-1 according to the present embodiment. This process corresponds to steps S105 and S112 in FIG.
The terminal initial registration unit 123 instructs the key management unit 122 to generate new signature related information (step S201).

  The key management unit 122 receives an instruction to generate new signature relationship information, and generates a signature relationship key (key pair) (step S202). Next, the key management unit 122 stores the generated key pair in the signature relation key DB 162 (FIG. 4). That is, the key management unit 122 adds a record to the signature relationship key DB 162, sets the terminal ID of the record as its own terminal ID, sets the starting point to “Y”, and generates the private key and the public key as signature relationships. A secret key and a signature-related public key are used.

  Subsequently, the key management unit 122 generates signature relation information D100 (step S203). That is, the key management unit 122 generates signature data for data including its own terminal ID “T01” and the signature related public key (public key T01) using the signature related secret key, and generates the terminal ID (D101) and the signature. Signature relation information D100 (primary signature relation information of claims) consisting of relation public key D102 and signature data D103 is generated.

Next, the key management unit 122 transmits the signature relation information D100 to the terminal initial registration unit 123 (step S204).
The terminal initial registration unit 123 receives the signature relation information D100 and transmits it to the terminal management server 200 (step S205). This transmission is performed using a secure communication path using TLS or the like described in step S101 in FIG.

  When receiving the signature relationship information D100, the signature relationship information management unit 212 of the terminal management server 200 verifies the signature relationship information D100 (step S206). That is, it is verified by using the signature relation public key D102 whether the signature data D103 is a signature for data consisting of the terminal ID (D101) and the signature relation public key D102. If the verification fails, the terminal initial registration unit 123 is notified of the verification failure, and the process ends. Hereinafter, the description will be continued assuming that the verification was successful.

  Subsequently, the signature relationship information management unit 212 stores the signature relationship information D100 in the signature relationship information DB 232 (see FIG. 9) (step S207). That is, the signature relation information management unit 212 searches the record in the signature relation information DB 232 for the signature relation information D100 for a record whose user ID matches the user ID authenticated in step S101. Stored in the signature relation information of the record. If the record does not exist, the record is added, the user ID authenticated in step S101 is stored in the user ID of the record, and the received signature relation information D100 is received in the signature relation information. Is stored.

Next, the signature related information management unit 212 of the terminal management server 200 notifies the registration completion to the terminal initial registration unit 123 of the primary user terminal 100-1 (step S208).
Next, the signature related information management unit 212 adds the primary user terminal 100-1 to the terminal usage status DB 233 (see FIG. 10). That is, a record is added, and the terminal ID of the record is updated to “T01” D101, the user ID is updated to the user ID authenticated in step S101, and the usage status is updated to “in use”.
Subsequently, the terminal initial registration unit 123 of the primary user terminal 100-1 receives the registration completion, and stores the signature related information D100 in the secure storage unit 160 (step S209).

≪Primary user terminal update registration process≫
FIG. 13 is a sequence diagram illustrating the update registration process of the primary user terminal 100-1 according to this embodiment. This process corresponds to the update registration in step S107 in FIG.
The terminal initial registration unit 123 instructs the key management unit 122 to update the signature related information (step S301).

  The key management unit 122 receives an instruction to update the signature related information, and newly generates a signature related key pair (step S302). Next, the key management unit 122 stores the generated key pair in the signature relation key DB 162 (FIG. 4). That is, the key management unit 122 searches the record of the signature relation key DB 162 for a record having a starting point of “Y”, stores the secret key of the record as the old signature relation secret key, and stores the secret key and the public key. Overwrite the generated signature-related private key and signature-related public key, respectively.

  Subsequently, the key management unit 122 generates signature relation information D120 (step S303). That is, the key management unit 122 generates signature data for data including its own terminal ID “T01” and the signature-related public key (new public key T01) using the signature-related secret key, and the terminal ID (D121). Signature relation information D120 including signature relation public key D122 and signature data D123 is generated.

  Next, the key management unit 122 generates signature data D111 for the signature relationship information D120 by using the old signature relationship secret key, adds the signature data D111 to the signature relationship information D120, and generates the signature relationship information D110 of the double signature. (Step S304). The signature related information D110 of the double signature is data that is double-signed by adding the signature data D111 with the old signature related secret key to the signature related information D120 with the signature D123.

Subsequently, the key management unit 122 transmits the signature relation information D110 of the double signature to the terminal initial registration unit 123 (Step S305).
The terminal initial registration unit 123 receives the signature relation information D110 of the double signature and transmits it to the terminal management server 200 (step S306). This transmission is performed using a secure communication path using TLS or the like described in step S101 in FIG.

  Upon receiving the signature relationship information D110 of the double signature, the signature relationship information management unit 212 of the terminal management server 200 verifies the signature data D111 using the old signature relationship secret key of the signature relationship information D110 (step S307). In other words, the signature relationship information management unit 212 verifies whether the signature data D111 is correct with respect to the signature relationship information D120, which is data to be signed, using the old signature relationship public key paired with the old signature relationship secret key. The old signature-related public key is acquired from the signature-related information DB 232 (see FIG. 9) in the storage unit 230. That is, the signature relation information management unit 212 obtains the public key corresponding to the terminal ID (D121) in the signature relation information of the record whose user ID matches the user ID authenticated in step S101 in the signature relation information DB 232. And verifying the signature data D111.

If the verification fails, the terminal initial registration unit 123 is notified of the verification failure, and the process ends. Hereinafter, the description will be continued assuming that the verification was successful.
Some of the signature relation information included in the signature relation information DB 232 includes a plurality of terminal IDs and signature relation public keys. The signature related information (D100 and D120) for primary user terminal registration includes only the signature related public key of the primary user terminal 100-1, but the signature related information for registration of the secondary user terminal 100-2 described later. This is because includes a plurality of terminal IDs and signature-related public keys.

  Subsequently, the signature relationship information management unit 212 verifies the signature of the signature relationship information D120 (step S308). This process is the same as step S206.

  Subsequently, the signature relationship information management unit 212 stores the signature relationship information D120 in the signature relationship information DB 232 (see FIG. 9) (step S309). In other words, the signature relationship information management unit 212 overwrites the signature relationship information D120 in the signature relationship information DB 232 with the signature relationship information of the record whose user ID matches the user ID authenticated in step S101.

Next, the signature related information management unit 212 notifies the registration completion to the terminal initial registration unit 123 of the primary user terminal 100-1 (step S310).
Subsequently, the terminal initial registration unit 123 of the primary user terminal 100-1 receives the registration completion, extracts the signature relationship information D120 of the signature relationship information D110 of the double signature, and stores it in the secure storage unit 160 (step). S311).

≪Secondary user terminal new registration process≫
FIG. 14 is a sequence diagram illustrating new registration of the secondary user terminal 100-2 according to this embodiment.
In starting the new registration, the primary user terminal 100-1 and the secondary user terminal 100-2 are directly connected using a communication cable, Bluetooth, or the like, and directly via the direct communication interface 142 of the input / output unit 140. Communicate. The primary user terminal 100-1 is connected to the terminal management server 200 through user authentication, as in step S101 of FIG. In addition, the user authentication unit 121 of the secondary user terminal 100-2 has been authenticated.
Similarly to the processing shown in FIG. 11, it is assumed that the secondary user terminal 100-2 does not have a signature related key, or the signature related key is deleted and newly registered as the secondary user terminal 100-2. ,explain.

The terminal registration response unit 125 of the primary user terminal 100-1 and the terminal registration request unit 124 of the secondary user terminal 100-2 confirm that they are directly communicable connections (step S401). If it cannot be confirmed, the process is interrupted. Hereinafter, the description will be continued assuming that it has been confirmed.
The processing from step S402 to step S405 of the terminal registration request unit 124 of the secondary user terminal 100-2 is substantially the same as step S201 to step S204 of the new registration processing of the primary user terminal 100-1 described in FIG. It is. The difference is that the starting point of the record is “N” in the signature relation key DB 162 (see FIG. 4). This is because it is a registration process of the secondary user terminal 100-2. The generated signature related information is exemplified in D140 (secondary signature related information in claims).

Subsequently, the terminal registration request unit 124 of the secondary user terminal 100-2 transmits its own signature relation information D140 to the primary user terminal 100-1 via direct communication and requests its registration (step). S406).
The terminal registration response unit 125 of the primary user terminal 100-1 receives the signature related information D140 of the secondary user terminal 100-2 and accepts a registration request. Next, user authentication is performed (step S407). That is, user authentication is performed by requesting the user authentication unit 121 (see FIG. 2) of the primary user terminal 100-1. Furthermore, the terminal registration response unit 125 confirms that the origin is “Y” in the signature relation key DB 162 and that there is a record including the secret key, and confirms that it is the primary user terminal 100-1. .

The terminal registration response unit 125 transmits the signature relationship information D140 of the secondary user terminal 100-2 to the key management unit 122, and requests generation of signature relationship information of a double signature (step S408).
Subsequently, the key management unit 122 verifies the signature data D143 of the signature relation information D140 (step S409). The verification method is the same as that in step S206, and the description will be continued below assuming that the verification is successful.

Next, the key management unit 122 generates the signature related information of the double signature illustrated in FIG. 15 (Step S410). Hereinafter, this process will be described. Data comprising its own terminal ID (D171), its own signature related public key D172, the terminal ID (D173) of the secondary user terminal 100-2, and the signature related public key D174 of the secondary user terminal 100-2 On the other hand, signature data D175 is generated with its own signature relationship secret key, and new signature relationship information D170 (new primary signature relationship information in claims) is generated. This new signature relation information D170 becomes new signature relation information of the owning user of the primary user terminal 100-1.
Subsequently, signature data D181 is generated by using its own signature relationship secret key for the data including the signature relationship information D140 and the new signature relationship information D170 of the secondary user terminal 100-2, and the signature relationship of the double signature is obtained. Information D180 is generated.

Next, the key management part 122 transmits to the terminal registration response part 125 (step S411).
The terminal registration response unit 125 receives the signature relation information D180 of the double signature and transmits the signature relation information D180 of the double signature (information including the new primary signature relation information in the claims) to the terminal management server 200. Registration is requested (step S412).

  The signature relationship information management unit 212 of the terminal management server 200 verifies the signature of the signature relationship information D180 of the double signature (Step S413). The signature data D143 is verified using the signature relation public key D142, and the signature data D175 and the signature data D181 are verified by the user receiving unit 211 authenticated by the user reception unit 211 stored in the signature relation information DB 232 (see FIG. 9). The signature related public key of the primary user terminal 100-1 included in the signature related information is used. Further, it is confirmed that the two IDs (D141 and D173) of the secondary user terminal 100-2 match and the two signature-related public keys (D142 and D174) match.

Subsequently, the signature relationship information management unit 212 extracts the new signature relationship information D170 and stores it in the signature relationship information DB 232 (step S414).
Next, the signature relation information management unit 212 adds the secondary user terminal 100-2 to the terminal usage status DB 233 (see FIG. 10), as in the case of the primary user terminal 100-1 shown in FIGS. To do.

Next, the signature related information management unit 212 notifies the primary user terminal 100-1 that registration has been completed (step S415).
Subsequently, the terminal registration response unit 125 of the primary user terminal 100-1 transmits the new signature relationship information D170 to the secondary user terminal 100-2 via direct communication (step S416), and secures the new signature relationship information D170. Store in the storage unit 160 (step S417), add the record of the secondary user terminal 100-2 to the signature relation key DB 162 of the secure storage unit 160, set the starting point of the record as “N”, the terminal ID and the public key Is stored.

  The terminal registration request unit 124 of the secondary user terminal 100-2 receives the new signature relation information D170 and stores it in the secure storage unit 160 (step S418). Further, a record is added to the signature relation key DB 162 (see FIG. 4), the starting point is “Y”, the terminal ID is the terminal ID (D171) of the primary user terminal 100-1, and the public key is the signature relation public key D172. The record is stored with the secret key as “−”.

≪Secondary user terminal update registration process≫
FIG. 16 is a sequence diagram illustrating update registration of the secondary user terminal 100-2 according to this embodiment.
In starting the update registration, the primary user terminal 100-1 and the secondary user terminal 100-2 are directly connected using a communication cable, Bluetooth, or the like, and directly communicate via the direct communication interface 142. The primary user terminal 100-1 is connected to the terminal management server 200 through user authentication, as in step S101 of FIG. In addition, the user authentication unit 121 of the secondary user terminal 100-2 has been authenticated.
In the same manner as the processing shown in FIG. 11, the secondary user terminal 100-2 will be described as having a signature relationship key, which is updated and registered as the secondary user terminal 100-2.

The terminal registration response unit 125 of the primary user terminal 100-1 and the terminal registration request unit 124 of the secondary user terminal 100-2 confirm that they are directly communicable connections (step S501). If it cannot be confirmed, the process is interrupted. Hereinafter, the description will be continued assuming that it has been confirmed.
The processing from step S502 to step S506 of the terminal registration request unit 124 of the secondary user terminal 100-2 is almost the same as step S301 to step S305 of the update registration processing of the primary user terminal 100-1 described in FIG. It is. The difference is that the starting point of the record is “N” in the signature relation key DB 162 (see FIG. 4). This is because it is a registration process of the secondary user terminal 100-2. The generated signature related information is exemplified in D150.

  The processing from step S507 of the terminal registration request unit 124 of the secondary user terminal 100-2 to step S513 of the terminal registration response unit 125 of the primary user terminal 100-1 is the secondary user terminal 100- described with reference to FIG. 2 is almost the same as the process from step S406 of the terminal registration request unit 124 to step S412 of the terminal registration response unit 125 of the primary user terminal 100-1. The difference is step S510 of signature verification. For verification of the old signature T02 (D151), the signature-related public key of the existing secondary user terminal 100-2 is used. This key can be obtained from the record of the secondary user terminal 100-2 in the signature relation key DB 162.

  FIG. 17 illustrates signature-related information of the generated double signature. The new signature relationship information D170a is the same as the new signature relationship information D170 shown in FIG. 14 except that the signature relationship public key D174a of the secondary user terminal 100-2 is an updated public key.

  The processing from step S514 of the signature relationship information management unit 212 of the terminal management server 200 to step S519 of the terminal registration request unit 124 of the secondary user terminal 100-2 is the signature relationship of the terminal management server 200 described in FIG. The processing from step S413 of the information management unit 212 to step S418 of the terminal registration request unit 124 of the secondary user terminal 100-2 is substantially the same. The difference is step S514 of signature verification. For verification of the old signature T02 (D151), the signature-related public key of the existing secondary user terminal 100-2 is used. As this key, the signature related public key of the secondary user terminal 100-2 included in the signature related information of the user authenticated by the user receiving unit 211 stored in the signature related information DB 232 (see FIG. 9) is used.

  The signature relation information described above includes the signature relation public keys of the primary user terminal 100-1 and one secondary user terminal 100-2. If the registration of the secondary user terminal 100-2 is repeated, the terminal ID and the signature related public key included in the signature related information increase, and the signature related public keys of all registered user terminals 100 are included. This is because, in the generation of the signature related information of the double signature (steps S410 and S511), the public key (signature related public key) stored in the signature related key DB 162 (see FIG. 4) is generated.

≪Pairing process≫
18 to 21 are sequence diagrams illustrating pairing processing between the registered user terminal 100-A and the user terminal 100-B according to the present embodiment.
In starting the pairing process, the user terminal 100 -A and the user terminal 100 -B are directly connected using a communication cable, Bluetooth, or the like, and directly communicate via the direct communication interface 142.
Hereinafter, the pairing process will be described with reference to FIG.

The key management non-secure application 130 of the user terminal 100-A instructs a pairing request to the key management secure application 120. When receiving the instruction of the pairing request, the pairing control unit 126 of the key management secure application 120 confirms whether or not it is directly connected to the user terminal 100-B that is the pairing partner (step S601-A). .
Subsequently, the pairing control unit 126 requests user authentication from the user authentication unit 121 (see FIG. 2) (step S602-A).

Next, the pairing control unit 126 makes an inquiry to the terminal management server 200 and confirms that the user terminal 100-A that is itself is not suspended (step S603-A).
Similar processing is also performed on the user terminal 100-B (from step S601-B to step S603-B).

Subsequently, the pairing control unit 126 of the user terminal 100-A transmits a key exchange request to the user terminal 100-B (step S604).
When the key exchange request is transmitted, next, the pairing control unit 126 of the user terminal 100-A instructs the key management unit 122 to start key exchange with the user terminal 100-B (S605-A). Similarly, when receiving the key exchange request, the pairing control unit 126 of the user terminal 100-B instructs the key management unit 122 to start key exchange with the user terminal 100-A (S605-B).

Subsequently, the key management unit 122 of the user terminal 100-A and the key management unit 122 of the user terminal 100-B perform key exchange (step S606).
As a typical key exchange method, there is a Diffie-Hellman algorithm. A common key is shared by using this algorithm, and a secure communication path between the user terminal 100-A and the user terminal 100-B is established. it can.

  Apart from this, it is possible to establish a secure communication path by using the signature-related information and obtaining a common key by the following procedure. That is, each user terminal (100-A and 100-B) (1) obtains the signature related information of the counterpart terminal, and (2) uses the signature related public key of the primary user terminal 100-1, (3) The newly generated random number is encrypted using the other party's signature related public key in the signature related information and transmitted to the other party, and (4) the received encryption The encrypted random number is decrypted with its own signature-related private key and the random number generated by the other party is extracted, and (5) the exclusive OR of the random number generated by itself is used as a common key.

  The other party's signature related information can be obtained by inquiring the terminal management server 200. Alternatively, before starting the key exchange (step S604), the signature relation information stored in the secure storage unit 160 can be transmitted between the two user terminals (100-A and 100-B). Is possible.

  After verifying the signature of the signature relation information received from the counterpart user terminal using the signature relation public key of the primary user terminal 100-1 stored in the signature relation key DB 162, the counterpart user terminal (100-A or 100 -B) The signature-related public key can be obtained. If it exists in the signature related key DB 162 (see FIG. 4) of the secure storage unit 160, it can be used. Note that the signature-related public key of the primary user terminal 100-1 is stored in the secure storage unit 160 and the signature-related key DB 162 in steps S418 and S519.

The key management unit 122 of the user terminal 100-A notifies the pairing control unit 126 that the key exchange with the user terminal 100-B has been completed (step S607-A). Similarly, the key management unit 122 of the user terminal 100-B notifies the pairing control unit 126 that the key exchange with the user terminal 100-A has been completed (step S607-B).
Hereinafter, communication between the two user terminals (100-A and 100-B) is performed through a secure communication path protected using this shared key.

The description of the pairing process will be continued with reference to FIG.
The pairing control unit 126 of the user terminal 100-A transmits a pairing certificate request to the user terminal 100-B (step S608). At this time, a newly generated random number can be additionally transmitted. In the following description, it is assumed that the random number (hereinafter referred to as random number T0A) is added.

The pairing control unit 126 of the user terminal 100-B transmits the random number T0A to the key management unit 122 and requests generation of a pairing certificate (step S609).
The key management unit 122 of the user terminal 100-B generates signature data for data that is a combination of its own terminal ID “T0B” and the random number T0A, using its own signature-related secret key. The generated data is exemplified in D210. That is, data D210 including its own terminal ID (D211), random number T0A (D212) and generated signature data D213 is generated. Note that the own signature-related secret key can be obtained from the secret key of the record whose terminal ID in the signature-related key DB 162 is “T0B”.

Next, the key management unit 122 uses the terminal verification secret key 165 (see FIG. 2) stored in the secure storage unit 160 to combine the data D210 and the ID (D201) of the key management secure application 120. Signature data D202 for the data is generated, and a pairing certificate D200 including the data D210, the ID (D201) of the key management secure application 120, and the signature data D202 is generated (step S610).
Subsequently, the pairing certificate D200 is transmitted to the pairing control unit 126 (step S611).
The pairing control unit 126 receives the pairing certificate D200 and transmits the pairing certificate D200 to the user terminal 100-A (step S612).

  The pairing control unit 126 of the user terminal 100-A receives the pairing certificate D200, extracts the key management application ID (D201) in the pairing certificate D200, transmits it to the terminal verification server 300, and sends the key The terminal verification public key 301 and the terminal capability information 302 corresponding to the management application ID (D201) are inquired (step S613).

  Next, the pairing control unit 126 obtains the terminal verification public key 301 and the terminal capability information 302 from the terminal verification server 300 and requests the key management unit 122 to verify the terminal verification signature T0B (D202). (Step S614). If the verification fails, the pairing process is stopped. Hereinafter, the description will be continued assuming that the verification was successful.

  Subsequently, the pairing control unit 126 refers to the terminal capability information 302 and confirms that the partner key management secure application 120 secures a predetermined safety level (step S615). That is, at least one of the user terminal 100-B, such as the key protection capability, the user authentication method, the strength of user authentication, and the presence or absence of a secure area, is confirmed. If it cannot be confirmed, the pairing process is stopped. Hereinafter, the description will be continued assuming that it has been confirmed.

  Next, the pairing control unit 126 confirms that the random number T0A (D212) in the pairing certificate D200 matches the random number transmitted by itself in step S608. Further, the pairing control unit 126 requests the key management unit 122 to verify the signature related signature T0B (D213) (step S616). If the confirmation of the random number or the verification of the signature data fails, the pairing process is stopped. In the following, the explanation will be continued assuming that it was successful.

  The pairing control unit 126 of the user terminal 100-A notifies the user terminal 100-B that the verification has been successful (step S617).

FIG. 20 is processing subsequent to FIG. 19 and is processing in which the user terminal 100-A and the user terminal 100-B are replaced. Therefore, detailed description is omitted.
The description of the pairing process will be continued with reference to FIG.
The pairing control unit 126 of the user terminal 100-A requests the key management unit 122 to generate a pairing certificate (step S628).

The key management unit 122 generates the pairing certificate D310 according to the following procedure (step S629). Hereinafter, step S629 will be described in detail.
An encryption key pair and a signature key pair used for synchronization are generated. The four generated keys are stored in the synchronization key DB 164 (see FIG. 5) of the secure storage unit 160. That is, the key management unit 122 adds a record to the synchronization key DB 164, sets the terminal ID of the record to “T0B” that is the ID of the partner user terminal 100-B, and sets the reception private key to the encryption key. Update the private key of the pair, the public key for reception to the public key of the key pair for encryption, the public key for signature to the public key of the key pair for signature, and the private key for signature to the private key of the key pair for signature . Since the transmission public key and the verification public key are undecided, both are set to “−”.

Subsequently, the key management unit 122 “T0A” (D311), which is its own terminal ID, the public key D312 (encryption public key of the claims) of the encryption key pair, and the disclosure of the signature key pair For the data combined with the key D313 (the signature public key in the claims), the signature data D314 is generated using the secret key of the signature key pair, and the pairing certificate D310 is generated.
Next, the key management unit 122 transmits the generated pairing certificate D310 to the pairing control unit 126 (step S630).
The pairing control unit 126 receives the pairing certificate D310 and transmits it to the partner user terminal 100-B (step S631).

  The subsequent processing from step S632 to step S635 in the user terminal 100-B is the same as the processing from step S628 to step S631 in the user terminal 100-A.

The pairing control unit 126 of the user terminal 100-B transmits the pairing certificate D310 of the user terminal 100-A to the key management unit 122 (step S636).
When receiving the pairing certificate D310, the key management unit 122 of the user terminal 100-B verifies this certificate (step S637). That is, it is verified by using the signature public key T0A (D313) whether the signature T0A (D314) is correct. If the verification fails, the pairing process is stopped. In the following, the explanation will be continued assuming that it was successful.

  Subsequently, the key management unit 122 of the user terminal 100-B sends the encryption public key T0A (D312) and the signature public key T0A (D313) to the synchronization key DB 164 of the secure storage unit 160 (see FIG. 5). (Step S638). That is, the key management unit 122 sets the transmission public key of the record whose terminal ID matches “T0A” that is the ID of the pairing partner in the synchronization key DB 164 to the encryption public key T0A (D312). The verification public key is updated to the signature public key T0A (D313). Further, the pairing control unit 126 adds the terminal capability described in the terminal capability information 302 confirmed in step S625 to the terminal capability of the record.

The subsequent processing from step S639 to step S641 in the user terminal 100-A is the same as the processing from step S636 to step S638 in the user terminal 100-B.
The signature data (D314 and D324) of the pairing certificate (D310 and D320) is generated using the private key of the signature key pair, but can also be generated using the signature-related private key. In this case, verification is performed using the signature-related public key.

<< Synchronization process >>
FIG. 22 and FIG. 23 are sequence diagrams illustrating a synchronization process between the paired user terminal 100-A and the user terminal 100-B according to the present embodiment.
In starting the synchronization process, the user terminal 100-A and the user terminal 100-B are directly connected using a communication cable, Bluetooth, or the like, and can directly communicate with each other. Further, the user terminal 100-A and the user terminal 100-B have been paired.
Hereinafter, the synchronization process will be described with reference to FIG.

The synchronization control unit 127 of the user terminal 100-A detects that it is connected to the user terminal 100-B by direct communication (step S701-A). By this detection, the following processing of the user terminal 100-A automatically starts.
Subsequently, the synchronization control unit 127 makes an inquiry to the terminal management server 200 and confirms that the user terminal 100-A that is itself is not suspended (step S702-A).
The user terminal 100-B also performs the same process (steps S701-B and S702-B).

  The synchronization control unit 127 of the user terminal 100-A and the synchronization control unit 127 of the user terminal 100-B exchange their terminal IDs with a newly created random number (step S703). That is, the synchronization control unit 127 of the user terminal 100-A transmits its own terminal ID “T0A” and the newly generated random number T0A to the user terminal 100-B, and similarly, the synchronization of the user terminal 100-B. The control unit 127 transmits “T0B”, which is its own terminal ID, and a newly generated random number T0B to the user terminal 100-A. The synchronization control unit 127 of the user terminal 100-A receives the terminal ID “T0B” and the random number T0B, and the synchronization control unit 127 of the user terminal 100-B receives the terminal ID “T0A” and the random number T0A.

The synchronization control unit 127 of the user terminal 100-A transmits the terminal ID “T0B” and the random number T0B received in step S703 to the key management unit 122, and requests generation of synchronization signature data (step S704).
The key management unit 122 receives the terminal ID “T0B” and the random number T0B, and generates synchronization signature data D410 (step S705). Hereinafter, this process will be described.

  The key management unit 122 searches the synchronization key DB 164 (see FIG. 5) of the secure storage unit 160 for a record that matches the received “T0B” with the terminal ID. Since it has already been paired with the partner user terminal 100-B, the record exists, and using the signature private key of the record, its own terminal ID “T0A” (D411) and the received random number T0B (D412) ) And signature data D413 is generated for the combined data, and synchronous signature data D410 is generated.

The key management unit 122 transmits the generated synchronization signature data D410 to the synchronization control unit 127 (step S706).
The synchronization control unit 127 receives the synchronization signature data D410 and transmits it to the user terminal 100-B (step S707).

The synchronization control unit 127 of the user terminal 100-B receives the synchronization signature data D410. Subsequently, the synchronization control unit 127 transmits the terminal ID “T0A” received in step S703, the random number T0B generated by itself, and the synchronization signature data D410 to the key management unit 122 to verify the synchronization signature data D410. Is requested (step S708).
The key management unit 122 verifies the synchronization signature data D410 (step S709). Hereinafter, this process will be described.

  First, the key management unit 122 confirms whether the random number T0B (D412) in the synchronization signature data D410 matches the random number T0B received in step S708. Next, the synchronization control unit 127 confirms whether the terminal ID “T0A” (D411) in the synchronization signature data D410 matches the terminal ID “T0A” received in step S708. If any of the confirmations fails, the synchronization process is stopped. In the following, the explanation will be continued assuming that it was successful.

Subsequently, the key management unit 122 searches the synchronization key DB 164 (see FIG. 5) of the secure storage unit 160 for a record that matches the received “T0A”. Since it is paired with the counterpart user terminal 100-A, the record exists, the verification public key of the record is taken out, and the signature data D413 is verified using this key. If the verification fails, the synchronization process is stopped. In the following, the explanation will be continued assuming that it was successful.
The key management unit 122 notifies the synchronization control unit 127 that the synchronization signature data D410 has been successfully verified (step S710).

The subsequent processing from step S711 to step S714 in the user terminal 100-B is the same as the processing from step S704 to step S707 in the user terminal 100-A.
The subsequent processing from step S715 to step S717 at the user terminal 100-A is the same as the processing from step S708 to step S710 at the user terminal 100-B.

The description of the synchronization process will be continued with reference to FIG.
The synchronization control unit 127 of the user terminal 100-A requests the key management unit 122 to create a URL list (step S718-A).
The key management unit 122 creates a URL list (step S719-A). That is, the key management unit 122 collects URLs of the WEB service key DB 163 (see FIG. 6) in the secure storage unit 160 and creates a list.
Next, the key management unit 122 transmits the list of URLs created in step S719 to the synchronization control unit 127 (step S720-A).

  Subsequently, the synchronization control unit 127 makes an inquiry about the authentication policy 401 of the WEB service 400 (step S721-A). That is, the individual web service 400 included in the received URL list is accessed to obtain the authentication policy 401. The authentication policy 401 includes a user authentication method such as password / fingerprint / vein / sign, its strength, a key protection method (key protection capability) such as software / hardware, and a processor different from the CPU / CPU of the user terminal 100. Hardware for performing user authentication, etc., whether or not keys can be copied, and whether or not there is a secure area.

  Next, the synchronization control unit 127 refers to the authentication policy 401 of the WEB service 400 and determines whether key synchronization is possible (step S722-A). That is, at least one of whether or not the key can be copied, the key protection capability of the other user terminal 100-B, the user authentication method, the strength of the user authentication, and the presence or absence of the secure area is confirmed, and the authentication policy 401 of the WEB service 400 is It is determined whether it is satisfied, and it is determined whether synchronization is possible. The user authentication method and secret key protection method (protection capability) of the partner user terminal 100-B can be obtained from the terminal capability of the record of the user terminal 100-B in the synchronization key DB 164 (see FIG. 5).

Subsequently, in step S722-A, a list of URLs of WEB services where key synchronization is possible is created and transmitted to the key management unit 122 to request creation of a synchronizable key list (step S723-A).
The key management unit 122 receives the URL list, creates a public key list corresponding to the URL stored in the WEB service key DB 163, and transmits the list to the synchronization control unit 127 as a synchronizable key list (step S724). -A).

Similarly to the user terminal 100-A, the user terminal 100-B performs the processing from step S718-B to step S724-B.
The synchronization control unit 127 of the user terminal 100-A and the synchronization control unit 127 of the user terminal 100-B receive the synchronizable key list from each key management unit 122 and transmit the received synchronizable key list to the other party. (Step S725).

  Subsequently, each of the synchronization control unit 127 of the user terminal 100-A and the synchronization control unit 127 of the user terminal 100-B transmits the received synchronizable key list to the key management unit 122 and instructs synchronization (step). S726).

Each key management unit 122 obtains a key that the key management unit 122 does not own from the received key list that can be synchronized from the partner key management unit 122, and performs synchronization (step S727). Hereinafter, the synchronization process will be described.
First, the key management unit 122 of the user terminal 100-A identifies a public key that does not exist in the WEB service key DB 163 (see FIG. 6) from the list of public keys received in step S726, and identifies the identified public key. The signed public key list is encrypted and transmitted to the key management unit 122 of the user terminal 100-B as the counterpart. In order to sign, the signature private key of the record corresponding to the user terminal 100-B of the other party in the synchronization key DB 164 (see FIG. 5) is used, and in order to encrypt, the transmission public key is used.

  The key management unit 122 of the user terminal 100-B receives the signed and encrypted list of public keys, decrypts it, and verifies the signature. For decryption, the reception private key of the record corresponding to the counterpart user terminal 100-A in the synchronization key DB 164 is used, and for verification, the verification public key is used. If the decryption or signature verification fails, the synchronization process is stopped. In the following, the explanation will be continued assuming that it was successful.

  The key management unit 122 of the user terminal 100-B stores the URL of the WEB service 400 corresponding to each public key, the user ID, the secret key, and the public key included in the public key list, and the secure storage unit 160. Is taken out from the WEB service key DB 163 (see FIG. 6) stored in the list, signed, encrypted. The signature and encryption method is the same as the signature and encryption method previously performed on the public key list by the key management unit 122 of the user terminal 100-A. The signed and encrypted list is transmitted to the key management unit 122 of the user terminal 100-A.

When the key management unit 122 of the user terminal 100-A receives the signed and encrypted list, it decrypts it, verifies the signature, and securely stores the obtained URL, user ID, private key, and public key. To the WEB service key DB 163 stored in the unit 160.
The above is the synchronization (duplication) of the URL, the user ID, the secret key, and the public key in the direction from the user terminal 100-B to the user terminal 100-A, but the reverse direction is the same. Is completed.
The key management units 122 of the user terminal 100-A and the user terminal 100-B respectively notify the synchronization control unit 127 of the completion of synchronization (step S728).

  The above synchronization processing is started by detecting that direct communication is possible (connection detection in step S701). That is, by directly connecting the user terminal 100-A and the user terminal 100-B, synchronization can be performed without any user operation thereafter.

As shown in step S719 and step S727, the URL and public key stored in the WEB service key DB 163 are used to identify the secret key to be synchronized. However, the present invention is not limited to this. A hash value may be used.
The secret key to be synchronized is not limited to the secret key for user authentication of the WEB service, and can be synchronized with a secret key of public key encryption other than for user authentication of the WEB service. If a hash value is used for identification of a secret key to be synchronized, it is not necessary to limit to a secret key for public key cryptography, and a key for common key cryptography is also possible.

≪Effect of secret key synchronization system≫
There is manual operation such as password encryption even if the user terminal 100 having the secret key of the WEB service that has been used so far cannot be duplicated or can be duplicated. There was a problem that it took time and effort proportional to the product of the number.

  In the present embodiment, after the user terminal 100 is registered in the terminal management server 200 and the two user terminals are paired, it is only necessary to connect the two user terminals 100 so that they can communicate directly, and no manual operation is required. Can synchronize (copy the secret key of the WEB service).

  Regarding registration of the user terminal 100, the primary user terminal 100-1 registered first is used as a starting point, and the second and subsequent user terminals 100 are registered as secondary user terminals 100-2 via the primary user terminal 100-1. Like to do. Furthermore, for the registration of the secondary user terminal 100-2, the primary user terminal 100-1 and the secondary user terminal 100-2 to be registered are registered through direct communication, such as cable or Bluetooth, instead of the Internet. In addition, user authentication is performed at the primary user terminal 100-1. By doing so, the secondary user terminal 100-2 can be safely registered without being subjected to fraud and attacks via the network. In addition, pairing and synchronization can be performed only between the user terminals 100 registered in this way. Furthermore, pairing and synchronization are also performed directly via communication, which is safe.

  In addition, assuming that the user terminal 100 is lost or stolen, the usage status of the user terminal 100 can be confirmed. When there is a possibility that the user terminal 100 is lost or stolen, pairing and synchronization can be prohibited by stopping the use of the user terminal 100.

  In addition, the security of the key management secure application 120, such as the resistance to attacks that attempt to steal the secret key (key protection capability), the level of certainty of user authentication (user authentication method and its strength), the presence of a secure area, etc. Is checked in the pairing process and the synchronization process. Thereby, it becomes impossible to perform pairing with the user terminal 100 having a low security level, and leakage of the secret key can be prevented. Also, since each WEB service secret key is compared with the authentication policy 401 of the WEB service and cannot be synchronized with the user terminal 100 with a low level of security, leakage of the secret key can be prevented.

  The signature-related secret key, the WEB service user authentication secret key, the synchronization encryption secret key, the synchronization authentication secret key, and the terminal verification secret key are all stored in the secure storage unit 160, and only the key management unit 122 It is accessed and is always encrypted outside the key management secure application 120 and is safe.

  The partner-related signature relationship information at the time of pairing is obtained by transmitting the signature relationship information stored in the secure storage unit 160 between the two user terminals (100-A and 100-B). Is possible. If the usage status of the user terminal is not checked, the terminal management server 200 can be eliminated. In addition, the terminal management server 200 can be inquired to obtain signature related information. In this case, the amount of direct communication between the user terminals 100 can be reduced.

  The key management secure application 120 monitors the key management non-secure application 130, the authentication credential DB 161 (see FIG. 3), and the signature related key DB 162 (see FIG. 4), and when detecting falsification or deletion, the key management secure application 120 Then, the WEB service key DB 163 (see FIG. 6), the synchronization key DB 164 (see FIG. 5), and the terminal verification secret key 165 (see FIG. 2) are deleted. As a result, user authentication can be avoided, and attacks that illegally access the WEB service key can be prevented.

DESCRIPTION OF SYMBOLS 1 Secret key synchronization system 100 User terminal 110 Control part 120 Key management secure application 121 User authentication part 122 Key management part 123 Terminal initial registration part 124 Terminal registration request part 125 Terminal registration response part 126 Pairing control part 127 Synchronization control part 130 Key Management non-secure application 140 Input / output unit 141 Authentication device 142 Direct communication interface 150 Storage unit 160 Secure storage unit 161 Authentication credential DB
162 Signature-related key DB
163 WEB service key DB
164 Key DB for synchronization
165 Terminal verification private key 200 Terminal management server 210 Control unit 211 User reception unit 212 Signature related information management unit 213 Terminal usage status management unit 220 Input / output unit 230 Storage unit 231 User information DB
232 Signature related information DB
233 Terminal usage status DB
300 terminal verification server 301 terminal verification public key 302 terminal capability information 400 WEB service 401 authentication policy

Claims (7)

A user terminal holding a service secret key, which is a secret key used for authentication when using a service, and a terminal management server holding information related to the user terminal are connected via a communication network, and the two users A secret key synchronization system for replicating the service secret key between terminals,
The user terminal is
Generating a pair of a private key and a public key of primary signature relation information for authenticating the user terminal, and having a user terminal identifier of the user, a public key of the primary signature relation information, and a secret key of the primary signature relation information A terminal initial registration unit that generates the primary signature relationship information including the used signature, transmits the primary signature relationship information to the terminal management server, and makes itself a primary user terminal;
When the mobile terminal itself is not the primary user terminal, it generates a pair of the private key and public key of the secondary signature relation information for authenticating the user terminal, and publishes the user terminal identifier and the secondary signature relation information Generating the secondary signature relationship information including a key and a signature using a secret key of the secondary signature relationship information, and sending the secondary signature relationship information to the primary user terminal without passing through the communication network. A terminal registration request unit, which is transmitted by direct communication to be a secondary user terminal,
When the terminal itself is the primary user terminal, the secondary signature relation information is received from the secondary user terminal, and after the signature verification of the secondary signature relation information is successfully verified, the second signature verification succeeds. Including a user terminal identifier of the next signature related information, a public key of the secondary signature related information including the user terminal identifier, a user terminal identifier of the primary signature related information, and a public key of the primary signature related information. A signature generated with the private key of the primary signature relationship information is added to the data, new primary signature relationship information indicating new primary signature relationship information is generated, and information including the new primary signature relationship information is stored in the terminal A terminal registration response unit to be transmitted to the management server;
The encryption public key used for the replication, the signature public key used for the replication, and the primary signature relationship information between the two user terminals that are the primary user terminal or the secondary user terminal that performs the replication A pairing control unit for performing pairing for exchanging a signature generated using the secret key of the secondary signature related information or the signature generated by using the secret key of the secondary signature relation information;
Using the encryption public key and the signature public key exchanged in the pairing, and a synchronization control unit that performs the duplication of the service secret key,
The terminal management server
The primary signature related information is received and stored from the primary user terminal via the communication network, and when the new primary signature related information is received, the public key of the primary signature related information is used. A secret key synchronization system comprising: a signature relationship information management unit that stores the new primary signature relationship information in place of the primary signature relationship information after successful verification of the signature of the new primary signature relationship information. The terminal registration response unit performs user authentication before generating a signature of the new primary signature related information,
The secret key synchronization system according to claim 1, wherein the pairing control unit performs user authentication before the pairing. The terminal management server stores, for each user terminal, whether or not the user terminal is in a suspended state,
Before the pairing, the pairing control unit inquires to the terminal management server whether or not it is in the use suspension state, and if it is in the use suspension state, stops the pairing,
The synchronization control unit inquires of the terminal management server whether or not it is in the use suspended state before the duplication, and stops the duplication if in the use suspended state. The secret key synchronization system according to claim 1. The secret key synchronization system stores terminal capability information indicating a level of security including at least one of a key protection capability, a user authentication method, a strength of user authentication, and presence / absence of a secure area of the user terminal. A terminal verification server that
The pairing control unit obtains the terminal capability information of the user terminal to be paired from the terminal verification server before the pairing, and the safety level of the user terminal indicated by the terminal capability information The secret key synchronization system according to claim 1, wherein the pairing is stopped when the key does not satisfy a predetermined criterion. The secret key synchronization system stores terminal capability information indicating a level of security including at least one of a key protection capability, a user authentication method, a strength of user authentication, and presence / absence of a secure area of the user terminal. A terminal verification server that
The service secret key is a secret key used for user authentication of the WEB service,
The WEB service includes: whether or not a secret key used for user authentication of the WEB service can be copied; key protection capability of the user terminal; user authentication method of the user terminal; strength of user authentication of the user terminal; Stores an authentication policy that defines at least one of the presence or absence of a secure area,
The synchronization control unit determines whether the security level of the user terminal to which the copy is made is in the authentication policy of the WEB service before copying the secret key used for user authentication of the WEB service. The secret key synchronization system according to claim 1, wherein the duplication is canceled when the level is not satisfied. A user terminal holding a service secret key, which is a secret key used for authentication when using a service, and a terminal management server holding information related to the user terminal are connected via a communication network, and the two users The user terminal of the secret key synchronization system for copying the service secret key between the terminals,
Generating a pair of a private key and a public key of primary signature relation information for authenticating the user terminal, and having a user terminal identifier of the user, a public key of the primary signature relation information, and a secret key of the primary signature relation information A terminal initial registration unit that generates the primary signature relationship information including the used signature, transmits the primary signature relationship information to the terminal management server, and makes itself a primary user terminal;
When the mobile terminal itself is not the primary user terminal, it generates a pair of the private key and public key of the secondary signature relation information for authenticating the user terminal, and publishes the user terminal identifier and the secondary signature relation information Generating the secondary signature relationship information including a key and a signature using a secret key of the secondary signature relationship information, and sending the secondary signature relationship information to the primary user terminal without passing through the communication network. A terminal registration request unit, which is transmitted by direct communication to be a secondary user terminal,
When the terminal itself is the primary user terminal, the secondary signature relation information is received from the secondary user terminal, and after the signature verification of the secondary signature relation information is successfully verified, the second signature verification succeeds. Including a user terminal identifier of the next signature related information, a public key of the secondary signature related information including the user terminal identifier, a user terminal identifier of the primary signature related information, and a public key of the primary signature related information. A signature generated with the private key of the primary signature relationship information is added to the data, new primary signature relationship information indicating new primary signature relationship information is generated, and information including the new primary signature relationship information is stored in the terminal A terminal registration response unit to be transmitted to the management server;
The encryption public key used for the replication, the signature public key used for the replication, and the primary signature relationship information between the two user terminals that are the primary user terminal or the secondary user terminal that performs the replication A pairing control unit for performing pairing for exchanging a signature generated using the secret key of the secondary signature related information or the signature generated by using the secret key of the secondary signature relation information;
A user terminal comprising: a synchronization control unit that performs the duplication of the service secret key using the encryption public key and the signature public key exchanged by the pairing. A user terminal holding a service secret key, which is a secret key used for authentication when using a service, and a terminal management server holding information related to the user terminal are connected via a communication network, and the two users A secret key synchronization method of a secret key synchronization system that duplicates the service secret key between terminals,
The user terminal is
Generating a pair of a private key and a public key of primary signature relation information for authenticating the user terminal, and having a user terminal identifier of the user, a public key of the primary signature relation information, and a secret key of the primary signature relation information Generating the primary signature relationship information including the used signature, transmitting the primary signature relationship information to the terminal management server, and making itself a primary user terminal;
When the mobile terminal itself is not the primary user terminal, it generates a pair of the private key and public key of the secondary signature relation information for authenticating the user terminal, and publishes the user terminal identifier and the secondary signature relation information Generating the secondary signature relationship information including a key and a signature using a secret key of the secondary signature relationship information, and sending the secondary signature relationship information to the primary user terminal without passing through the communication network. To the mobile phone as a secondary user terminal,
When the terminal itself is the primary user terminal, the secondary signature relation information is received from the secondary user terminal, and after the signature verification of the secondary signature relation information is successfully verified, the second signature verification succeeds. Including a user terminal identifier of the next signature related information, a public key of the secondary signature related information including the user terminal identifier, a user terminal identifier of the primary signature related information, and a public key of the primary signature related information. A signature generated with the private key of the primary signature relationship information is added to the data, new primary signature relationship information indicating new primary signature relationship information is generated, and information including the new primary signature relationship information is stored in the terminal Sending to the management server;
The encryption public key used for the replication, the signature public key used for the replication, and the primary signature relationship information between the two user terminals that are the primary user terminal or the secondary user terminal that performs the replication Performing a pairing for exchanging a signature generated using a secret key of the second signature-related information or a signature generated using the secret key of the secondary signature related information;
Performing the duplication of the service secret key using the encryption public key and the signature public key exchanged in the pairing;
The terminal management server
The primary signature related information is received and stored from the primary user terminal via the communication network, and when the new primary signature related information is received, the public key of the primary signature related information is used. A secret key synchronization method comprising: storing the new primary signature relationship information instead of the primary signature relationship information after successful verification of the signature of the new primary signature relationship information.

Images