JPH04347949A - Cipher communicating method and cipher communicating system - Google Patents

Abstract

PURPOSE:To make it possible to cope with the transfer of the electronic mail without complicating a communication system by decoding a ciphered simple sentence by the terminal station itself on a transmission side based on the key sharing information for unknown destinations even when a receiver of electronic mail is not present on a destination. CONSTITUTION:A terminal station (i) transmitting ciphers generates the key of the transmission side based on not only the open information prepared by a central station 201, the station secret information but also the random number information Yi generated by the terminal station (i) on the transmission side and generates the key sharing information Xiy by further adding time information t. A terminal station (j) on the reception side confirms at first the validity of the reception time information (t), regards the information as a normal cipher and generates the key on the reception side based on the open information prepared by the central station 201, the station secret information, the received key sharing information Xij and the time information t. Next, whether the generated key of the reception side and the key generated at the terminal station (i) on the transmission side coincide or not is certified based on the ciphering communication. When they coincide, the sharing of the key is formed.

Description

[Detailed description of the invention]

0001

[Industrial Application Field] The present invention relates to a cryptographic communication method and a cryptographic communication system, and in particular, it is easy to change keys shared between terminal stations, easy to share keys between three or more stations, and prevents impersonation. The present invention relates to a cryptographic communication method and cryptographic communication system that can effectively prevent retransmission attacks.

0002

[Prior Art] Conventionally, when data is exchanged via an unsecure communication channel where a third party may eavesdrop or falsify a message, various methods have been used to protect the data using encryption. researched and used.

[0003] The above cryptographic systems are classified into secret key cryptography (or conventional cryptography) and public key cryptography. Secret key cryptography is widely used because the key used for encryption and the key used for decryption are the same cryptographic system and high-speed processing is easy. However, in the case of this secret key encryption, prior to encrypted communication, the same key information must be shared safely between the sender and the receiver so that it is not known to a third party. In other words, key sharing is necessary. A primitive key sharing method involves a person going to the communication partner's location and then agreeing in advance about the key to be used. Although such a time-consuming method of key sharing is acceptable for military and diplomatic purposes, it is not suitable for commercial communications. On the other hand, in public-key cryptography, the encryption key and the decryption key are different; the encryption key is public information that anyone can know, and each person keeps only the decryption key secret. . In this method, the encryption key is made public, so there is no need for key sharing, and encrypted communication with a desired party is possible using the public key. One example of a public key management method is to list public keys for each user and register them in a database that can be referenced by anyone. In this case, in order to operate public key cryptography correctly, it must be ensured that the keys registered in the public key list have not been tampered with. In other words, a public key authentication function is required.

However, while public key cryptography has the advantage of easy key management, it has the disadvantage of relatively low processing speed. Therefore, there are several methods that use public key cryptography technology to share the same key information between the sender and receiver, and then use that key information to perform encrypted communication using private key cryptography. method is running. The first of these methods was the DH method (W.Dif
fie&M. E. Hellman, “New Dire”
tions in cryptography” I
EEE Trans. on Information
Theory, IT-22, 6, pp. 644-6
45 (June 1976)) is known. D.H.
This method is a key distribution method limited to two parties based on the difficulty of inverse transformation of exponentiation operations modulo a large prime number p. In other words, mathematically, when y=gx mod p (x and g are integers), it is easy to find the remainder y when gx is divided by p from x, but it is difficult to find the value x from the value y. Based on something. This method does not have a public key authentication function, and the key shared between the sender and receiver never changes. Since then, several methods have been proposed in which improvements have been made so that the shared key changes each time, and the key can be shared among three or more parties.

[0005] As one of the improved methods, the improvement by Tatsuaki Okamoto and others is positioned as an extension to key sharing between two or more parties (Okamoto, Shiraishi, "Shared key distribution method based on PKDS", 1982).
IEICE Telecommunications Division National Conference Proceedings No.
18).

However, since the above-mentioned improved method uses a power operation modulo the prime number p, it is necessary to assume that the list of public keys has not been tampered with by a third party. Alternatively, it was necessary to separately provide a mechanism to prevent tampering by a third party, such as an authentication function.

[0007] Therefore, Mr. Eiji Okamoto expressed the modulus as two prime numbers p,
We proposed a method that incorporates a mechanism for authenticating public information into the key sharing method by expanding it to the product of q ("Propo
sal foridentity-based key
distribution systems”, E
electronics Letters, Vol. 2
2, No. 24, pp. 1283-1284, 198
6). However, in this method, the shared key depends on the secret information of both transmitting station i and receiving station j, and is not suitable for key sharing among three or more parties.

[0008] Koyama-Ota method (Security o
f improved identity-based
conference key distribution
n systems”, Lecture Notes
in Computer Science Adva
nces incryptology - Eurocr
ypt'88-pp. 11-19, Spring
r-Verlag 1988) incorporates the advantages of the two Okamoto methods mentioned above, and sets the modulus to the product of three prime numbers. However, in this method, the number of digits in the modulus is approximately twice as large as that in the method in which the modulus is the product of two prime numbers, which is disadvantageous in terms of the amount of memory and the amount of calculation. For example, since the amount of calculation for exponentiation is approximately proportional to the third power of the number of digits of the modulus, the amount of calculation for one exponentiation calculation reaches about eight times.

[0009] Furthermore, Ito et al. proposed a method in which the key changes every time, group keys can be shared, and the amount of calculation is lower than the Koyama-Ota method (Ito, Hamono, Sasase, Mori:
“One-way key distribution method based on ID information that does not require public files,” Proceedings of the 1990 Spring National Conference of the Institute of Electronics, Information and Communication Engineers, No. A-283, p. 1-283, 199
0, March). However, when Ito et al.'s method is used for group key sharing, there are problems such as impersonation due to retransmission attacks by third parties within the group and sender secret information.

[0010] As described above, at the same time as the technology for improving the key distribution method has progressed, attempts are being made to transmit not only short text data but also long text data using the above-mentioned key distribution method. For example, e-mails are sent to users based on the key distribution method using group key sharing such as that of Ito et al.

[0011] A specific example of electronic mail is UNIX network mail. This mail system is widely used today and sends messages from a sending terminal to a receiving terminal in a bucket brigade manner over a network in which multiple UNIX machines are connected in a mesh pattern through communication circuits. Such electronic mail generally supports a broadcast communication function that sends the same message to multiple recipients. In addition, as an essential function of e-mail, if the e-mail cannot be delivered to the recipient specified by the sender due to an error in the destination address or the recipient's address has been changed, the e-mail will be returned to the sender and the sender will be notified. There is a function to notify. These functions are also supported in UNIX mail.

[0012] When exchanging important messages via e-mail as described above, it is desirable to encrypt the messages in order to protect their contents. Furthermore, the encrypted communication must be compatible with the broadcast communication function and the reply function for mail with unknown destination. FIG. 17 shows a conventional example of e-mail having the above function.

[0013] As shown in the figure, an e-mail has a sender's address ID1, a receiver's address ID2, and an ID.
3,..., key sharing information X12, X13,..., and ciphertext C=E(K,M).

[0014] In the conventional example described above, one sender can simultaneously transmit encrypted e-mail to a large number of recipients using a different code for each recipient. Furthermore, each recipient can decrypt the encrypted email using a different decryption key for each recipient.

[0015] However, when an encrypted e-mail is sent and the e-mail is returned to the sender because the addressee is unknown, the sender naturally wants to decrypt the code and check the contents. If the sender is unable to decrypt the encrypted e-mail that is returned to him/her, the sender must determine which of the e-mails that he/she sent was the e-mail that was returned based only on the recipient's name.

[0016] Therefore, in the unlikely event that the recipient of the e-mail does not exist at the destination, the recipient will not be able to decrypt the e-mail. In other words, in order to decrypt the returned e-mail, the recipient must somehow memorize the decryption key. Storing and managing decryption keys for all sent e-mails in this way complicates the communication system.

[0017]

[Problems to be Solved by the Invention] As mentioned above, in the DH method using the key distribution method, communication is only between two parties, there is no authentication function, and the public key does not change, so there is no risk of eavesdropping or eavesdropping by a third party. There was a problem in that messages could be falsified with a high probability.

[0018] Although the extended key sharing method proposed by Mr. Tatsuaki Okamoto et al. allows communication between three or more parties, there still remains the problem that messages are often tampered with by third parties.

[0019] Eiji Okamoto's method using two prime numbers incorporates an authentication function, which reduces the risk of eavesdropping or message tampering by a third party, but it is not suitable for key sharing between three or more parties. There was a problem.

Although the Koyama-Ota system allows communication between three or more parties and incorporates an authentication function, there is a problem in that it is not suitable for practical use because the amount of calculation increases significantly. Although Ito et al.'s method allows communication between three or more parties, incorporates an authentication function, and does not require a significant increase in the amount of calculation, there are problems such as retransmission attacks and leakage of secret information when used for group key sharing. did.

On the other hand, when sending and receiving encrypted e-mails, there is a problem in that the communication system becomes complicated when trying to deal with a situation where the recipient of the e-mail does not exist at the destination.

[0022] Therefore, the present invention is intended to solve the above-mentioned problems of the prior art, and its first purpose is to easily change the shared key and to facilitate key sharing among three or more parties. It is an object of the present invention to provide an encrypted communication method that is possible to effectively prevent retransmission attacks caused by impersonation.

[0023] A second object is to provide an encrypted communication method that can handle the transmission and reception of e-mail even when there is no recipient of the e-mail at the destination without complicating the communication system. Another object of the present invention is to provide a cryptographic communication system useful for implementing the cryptographic communication method described above.

[0024]

[Means for Solving the Problems] A cryptographic communication method of the present invention for solving the above problems issues a key to each of a plurality of terminal stations from a central station, and establishes a communication network between the two terminal stations. In an encrypted communication method for encrypted communication via
The central station creates the same public information to be disclosed to all terminal stations and different station secret information to be notified to each terminal station, and the central station transmits the public information and the station secret information to a cryptographically transmitting side. a step of generating random number information in the transmitting terminal station, outputting time information in the transmitting terminal station, and publishing the random number information and the public information. a step of generating a sender's key based on the information; a step of creating key sharing information based on the random number information, the time information, the public information and the station secret information; and receiving the time information and the key sharing information. a step of confirming whether or not the time information is false in the receiving terminal station; and if it is confirmed that the time information is not false in the receiving terminal station, the time information, the key sharing information, and the public a step of generating a key for the receiving side based on the information and the station secret information, and confirming that the key generated in the receiving terminal station matches the key generated in the receiving terminal station by comparing the two. and a step of authenticating that they match.

On the other hand, in the cryptographic communication system of the present invention, a key is issued from a central station to each of a plurality of terminal stations via a communication network, and the cryptographic communication system performs cryptographic communication between two terminal stations. station secret information creation means for creating the same public information that a station discloses to all terminal stations and different station secret information that is notified to each terminal station, and the central station encrypting the public information and the station secret information. Information issuing means for issuing to a terminal station on the transmitting side and a terminal station on the cryptographic receiving side; random number information generating means for generating random number information in the terminal station on the transmitting side; and time information for outputting time information in the terminal station on the transmitting side. means for generating a transmitting side key based on the random number information and the public information; and generating key sharing information based on the random number information, the time information, the public information and the station secret information. a key sharing information creation means; a time validity checking means for checking whether or not the time information is false in a terminal station that receives the time information and the key sharing information; If it is confirmed that the information is not false, a receiving side key generation unit generates a receiving side key based on the time information, the key sharing information, the public information and the station secret information, and and authentication means for authenticating that the key generated in the received terminal station matches the key generated within the receiving terminal station.

Furthermore, in the cryptographic communication system according to the present invention, in which group key sharing and broadcast cryptographic communication are performed between two or more of the terminal stations, the secret information of the stations is kept secret even from the users of the stations; By configuring the device so that the station secret information cannot be used outside the group key sharing process, leakage of the secret information, which would be a problem in the group key sharing scene, is prevented.

Depending on the selection, the key sharing information created by the key sharing information creation means includes key sharing information for unknown destinations that allows the sending terminal station itself to decrypt the encrypted plaintext, and the sending side key generation a plaintext encrypting means for encrypting plaintext using a sender's key generated by the means; the plaintext encrypted by the means; and key sharing information and time information created by the key sharing information creating means. A transmission message creation means for creating a transmission message from the time information output by the output means; a message content division means for receiving the message created by the means at a receiving terminal station and dividing the message content; and a message content division means for dividing the message by the means. decryption means for decrypting the encrypted plain text using the reception side key generated by the reception side key generation means; and further, when the destination of the reception side terminal station is unknown, the destination unknown key The transmitting terminal station itself may have a transmitting side decryption means for decoding the encrypted plaintext based on the shared information.

[0028]

[Operation] In the encrypted communication method of the present invention, the terminal station that transmits the encrypted code uses not only the public information and station secret information created by the central station, but also the random number information generated by the transmitting terminal station itself. , and further adds time information to generate key sharing information. This key sharing information and time information are transmitted to the terminal station that receives the encryption, and a key for the receiving side is generated. That is, the receiving terminal station first confirms the validity of the received time information. If the validity is confirmed, it is considered to be a legitimate cipher, and a key for the receiving side is generated based on the public information and office secret information created by the central office, as well as the received key sharing information and time information.

Next, authentication is performed based on encrypted communication to determine whether the generated key on the receiving side matches the key generated at the transmitting terminal station, and if they match, key sharing is established. . In other words, the receiving terminal station receives the cipher information assuming that the correct cipher has been sent. Therefore, since the transmitting terminal station generates random number information by itself, the key sharing information and the key to be shared can be easily changed each time encrypted communication is performed. Since the value of the shared key depends only on the random number information generated by the sender, in principle it is possible to distribute a common key to a large number of receiving terminal stations using the same random number. However, in such usage, if a plurality of receiving terminal stations collude and the secret information of those stations is applied to the key distribution information from the receiver, there is a possibility that the secret information of the transmitting station will be leaked. Therefore, in order to prevent such unauthorized operations in group key sharing and leakage of transmitting station secret information, in the present invention, the secret information of each station is not information that the station can freely use, but is Even if there is, I don't know its value,
Another feature is that the device is configured so that it cannot be used for anything other than legitimate key sharing procedures. By doing so, application to group key sharing becomes possible.

Furthermore, since the key sharing information passed through the communication network for key sharing depends on time, it is difficult to use the key sharing information created at a certain time again later. Therefore, message retransmission attacks based on impersonation become difficult even in group key sharing among three or more parties. Further, in the present invention, since the modulus is not one prime number but the product of two prime numbers, it is easy to realize the authentication function using station secret information for terminal station authentication. Note that the present invention saves memory and calculation amount compared to a method using the product of three or more prime numbers as a modulus.

[0031] Depending on the selection, the key sharing information for unknown destinations may be included in the key sharing information, and the key sharing information may be included in the encrypted plain text sent to the receiving terminal station. That is,
If the receiving terminal station does not exist, the encrypted plaintext is returned to the transmitting terminal station, and the transmitting terminal station itself decrypts the encrypted plaintext using the key sharing information for unknown destinations. By doing so, the transmitting terminal station can know the contents of the plaintext even if the receiving terminal station is not present, which is convenient for management.

[0032]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Examples of the present invention will be described below with reference to the drawings. FIG. 1 shows a block diagram of a cryptographic communication system according to a first embodiment of the present invention.

As shown in the figure, the cryptographic communication system includes a central station 201 that starts up the system, and terminal stations i, j, . . . connected to the central station 201 via a communication network. However, in FIG. 1, for convenience, terminal stations i, j
only shown.

The central office 201 calculates public information, central office secret information, and office secret information according to a procedure predetermined by a program, and stores these information in memory. Here, the public information is information that all the terminal stations i, j, ... can freely know through communication with the central station 201, and is a common method of the cryptographic communication system, a predetermined information predetermined within the program. The integer g of
, j, ... IDi, ID that digitizes the unique name
It consists of j,...

[0035] Since these public information are public information, there is a great deal of freedom in how they can be managed and operated. FIG. 1 shows a method of reading from a central office public information file. In reality, the public key e, modulus n, and integer g of the central station are constant regardless of the communication partner, so each terminal station uses the public key e, modulus n, and integer g only once when joining the system.
All you need to do is obtain the integer g and record it. Also name I
Di, IDj, . . . and public information Yi, Yj, . . . may be obtained from the communication partner in addition to being obtained from the central office.

Central station secret information is information that the central station 201 keeps secret from each terminal station, and includes two different large prime numbers p and q, a modulus L within the central station, and a secret key d unique to the central station.
, and the central station's private key ei for terminal stations i, j,...
, ej ,...

Station secret information is information that is kept secret for stations other than the central station 201 and a specific terminal station. When the specific terminal station is i, the private key di of terminal station i and the terminal It consists of secret information Si for station i authentication. In addition, the central station 20
1 does not need to record the station secret information after issuing the secret keys di, dj, . . . and secret information Si, Sj to each terminal station i, j, . These station secret information are completely and reliably passed to the corresponding terminal station. As a specific method, for example, there is a method in which the station secret information is stored in a storage medium such as a safely portable IC card and handed over to each station. In Figure 1,
The procedure by which the central station safely issues station secret information to each terminal station is shown as a ``secure communication channel.'' A method for generating each of the above information will be described later.

Each of the terminal stations i, j, . . . includes a transmitting section 202 and a receiving section 203 for encrypted information. For example, encrypted information is sent from the transmitter 202 of terminal station i to the receiver 20 of terminal station j.
3, a random number generator 204 that generates random number information ri, a clock 205 that outputs time information t, various public information and station secret information obtained from the central station 201,
and a key sharing information creation means 206 that creates key sharing information Xij using random number information ri and time information t, and a shared key K of terminal station i using public information g and random number information ri.
and transmitting side key generation means 207 that generates if.

[0039] Furthermore, the receiving section 203 of the terminal station j is connected to the terminal station i.
a time validity checking means 208 for checking whether the time information t obtained from the central station 201 is false; a private key memory 209 for acquiring and holding the private key dj from the central station 201;
01, the time information t that has been confirmed to be non-false, the private key dj, and the key sharing information Xij output from the key sharing information creation means 206 of the terminal station i to create the shared key Kji of the terminal station j. and receiving side key generation means 210 for generating. In the above configuration, first, a method of creating various information performed within the central office 201 will be explained.

The central office 201 first appropriately generates two different large prime numbers p and q, and creates their product n=p·q. Furthermore, L, which is the least common multiple of p-1 and q-1, is determined. Next, Galois field (Galois field) GF(p) and G
Select one integer g to be the generation source for both F(q). This condition is introduced to improve the security of the cryptographic communication system according to the first embodiment of the present invention. however,
Any integer value g in the range of 1<g≦n-1 may be used. In addition, the public key e of the central station 201 is selected from a group of integers that are coprime to L, and then the private key d of the central station 201 corresponding to the public key e is expressed as e・d=1 (mod L). Create to meet your needs. Here, the above equation shows that the value determined as the product of e and d minus 1 is divisible by L. Furthermore, let us define the public common base G as G=gf
It is determined to satisfy mod n. Here, f=dk and G
means the remainder when the value of gf is divided by n. k is a non-negative integer (zero or natural number) determined by the key sharing process.

Next, the central office 201 obtains the private key d of the terminal station i.
Select one from a group of integers that is different from the value of the secret key d and coprime to L. Here, each terminal station i, j,...
The secret keys di, dj, . . . are selected to be different from each other. Next, the secret key ei of the central office that satisfies the relationship ei·di −1 (mod L) is determined for di. In addition, the central station 20
1 is the secret information S for station authentication using the value of the above secret key d.
Define i according to Si=h1 (IDi)-d mod n. Here, h1 ( ) is a pseudorandom function. Finally, under the modulus n, using the base G, secret key ei, and secret information Si, public information Yi of terminal station i is determined by Yi
=Si·(Gei mod n). In this way, as shown in FIG. 2, the central station 201 creates various information related to the terminal station i, and also creates information related to each of the other terminal stations j, k, .

[0042] Furthermore, the central 201 also has terminal stations i, j,
In order to create a so-called timestamp T, which is information dependent on the time information t, a pseudo-random function h2 is used.
( ) is established. Next, a cryptographic communication method between terminal stations i and j in the cryptographic communication system shown in FIG. 1 will be explained according to the flowchart shown in FIG. Note that in this embodiment, k=2, that is, f=d2.

First, in step 301, terminal station i receives public information modulus n, integer g, public key e, pseudorandom functions h1 ( ) and h2 ( ), public information Yj, and numerical value IDj from the central station 201, and Obtain station secret information Si.

In step 302, the key sharing information creation means 206 uses the random number information ri generated by the random number generator 204 and the time information t obtained from the clock 205.
, and the time stamp T and key sharing information Xij based on the information obtained from the central office 201, T=h2 (t) Xij=SiT ・(Yje ・h1 (IDj)) r
i mod n. Step 303
Then, the shared key Kij is determined in the transmitting side key generation means 207 according to Kij=gri mod n. At the same time, in step 304,
The key sharing information Xij and time information t determined in step 302 are transmitted to the terminal station j.

In step 305, the terminal station j is connected to the central station 2.
01 to public information modulus n, public key e, pseudorandom functions h1 () and h2 (), and numerical IDj
, and secret information dj.

In step 306, the time validity checking means 308 checks the validity of the time information t. In this embodiment, it is checked whether the difference between the current time t', which is being processed by the terminal station j, and the time information t is equal to the transmission delay from the terminal station i to the terminal station j. That is, using an appropriate tolerance Δt, it is checked that t'-t<Δt. If the validity is confirmed, the process proceeds to step 307, and if the validity is not confirmed, it is assumed that a third party has impersonated the user and the process is stopped.

In step 307, the receiving side key generation means 2
10, based on the public information obtained from the central station 201, the station secret information, and the information transmitted from the terminal station i, the time stamp T and the shared key Kji of the terminal station j are determined as T=h2
(t) Kji=(Xife ・h1 (IDi)T)dj
defined according to mod n.

In step 308, the terminal station j determines that the value of the generated shared key Kji is equal to the shared key Kij generated by the terminal station i.
It is checked using cryptographic technology whether or not the value matches the value of . A specific method for confirming that terminal station i and terminal station j have the same key information through encrypted communication is as follows. [Protocol] 1. Terminal station i generates a random number R and sends it to terminal station i. 2. Terminal station j generates another random number R', encrypts the concatenation of random number R and random number R' using shared key Kji, and obtains V=E(Kji, R‖R'). Terminal station j sends V to terminal station i. 3. Terminal station i decrypts V using the shared key Kij and obtains W=E(K
ij, V) is obtained. The first half of W is the random number R initially generated by terminal station i.
If they match, the terminal station i knows that the terminal station j has the shared key Kij
Make sure you have the same key. Also, terminal station i
sends the second half of W to terminal station j. 4. If the information sent from terminal station i matches the random number R' generated by terminal station j, terminal station j confirms that terminal station i has the same key as its own key Kji.

This method is one implementation of a communication method called a peer authentication protocol based on secret key cryptography. According to the other party authentication protocol, K that you want to keep secret from a third party
It can be confirmed that the other station has the same key as the own station without directly transmitting ij or Kji to the communication line. Note that the method for confirming that Kij and Kji match is not limited to this method.

[0050] This is the public key authentication function. Kji=
If it is confirmed that the information is Kij, the terminal station j authenticates that the information is encrypted and transmitted from a legitimate transmitting station and is free from transmission errors. That is, terminal stations i and j share the same key. Next, impersonation by a third party will be explained.

[0051] Suppose that a third party other than the terminal station j accesses the central station 20
Even if public information such as Yj is obtained from 1 and the station secret information Si is stolen by some other method, a third party will not be able to estimate the value of the random number information ri as in the past, and furthermore, the value of the random number information ri It is not possible to know the value of time information t. So, K
The security of the transmitted message from terminal station i encrypted by ij is maintained.

Furthermore, even if a third party impersonates terminal station i and carries out a retransmission attack on terminal station j, the value of time information t0 at the time of the retransmission attack will be the same as the time information t0 at the time of regular transmission by terminal station i. Therefore, terminal station j stops generating the shared key Kji in response to a retransmission attack. Next, the difference between this embodiment and Eiji Okamoto's method will be explained.

In this embodiment, the shared key Kij (Kij=gr
i mod n) depends only on random number information determined by terminal station i and does not include parameters regarding terminal station j. Such a feature is a great advantage when keys are shared among three or more terminal stations. That is, terminal stations i, j. When three parties k share a key, terminal station i shares Kij with terminal station j using the above-described key sharing method. Similarly, terminal station i is
Using the same random number information and time information, terminal station k and Kik are shared at the same time. As a result, the three terminal stations i, j, and k share the gri mod n as a key. The same is true in the case of four or more parties.

Note that the key sharing procedure shown here includes time information t, and the key sharing information X created at a specific time
Since ij becomes invalid when there is a retransmission attack by a third party, the present invention using time information t can prevent retransmission attacks.

However, in this key sharing method, there is a possibility that secret information Si of transmitting station i may be leaked due to collusion between receiving stations j and k. An attack method based on collusion between receiving stations j and k will be explained below. Receiving station j calculates the next Zij from key distribution information Xij from transmitting station i and station secret information dj. Zij=Xijdj mod n=Si Tdj ・
Ger1 mod n Similarly, the receiving station k obtains the next Zik from the key distribution information Xik from the transmitting station and the station secret information dk.
Calculate. Zik=Xikdk mod n=Si Tdk ・G
eri mod n Due to collusion between receiving stations j and k, the following Z
Find i. Zi =Zij/Zik mod n=Si T(d
j −dk ) mod n

On the other hand, Sie
Since the information =h1 (IDi)-1mod n is public, GCD(e,T(dj-dk))=
If 1, an integer (a, b) that satisfies the following equation can be found by Euclidean's algorithm. a・e+b・T(dj −dk)=1 This integer (a・
By using b), Si can be obtained by calculating the following equation. (h1 (IDi)-1)a ・Zib = Si
mod n

The above attack is based on the premise that the receiving station can freely use the station secret information dj and dk. On the other hand, the station secret information dj, dk is data whose value is unknown even at the receiving station, and the device is designed so that the secret information can only be used for the limited purpose of obtaining the key from the key distribution information. In the configured situation, the above attack is not possible.

As described above, in order to make it applicable to group key sharing, it is necessary to adopt a special device configuration. FIG. 4 is an example of this. In the apparatus shown in FIG. 4, Kji=(Xije ·
h1 (IDi)T)dj mod n is calculated. 402, 403, and 404 are exponentiation remainder calculators, and 405 is a remainder multiplier. 406 is a memory that stores numerical values necessary for calculation;
Secret information dj and system public keys e and n are stored. 401 is a medium in which these element parts are sealed;
For example, an IC card corresponds to this. A user of this device can provide three data (Xij, h1 (IDi), h2 (t)) as input and obtain Kji as an output. However, even if the user
Read the station secret information dj from 06, or
It is not possible to change the signal flow within the device 401. Figure 4 shows three exponentiation remainder calculators and one remainder multiplier.
Although a device incorporating a number of units is shown, it is also possible to configure the device with one exponentiation remainder calculator and one remainder multiplier, or it is also possible to realize it by software. Also,
The device 401 has built-in arithmetic units for functions h1 and h2,
It is also possible to provide (Xij, IDi, t) as input. Furthermore, it may be configured such that the calculation result is obtained only when it is determined that the user is an authorized user by a method such as password verification.

As explained above, in the method of the present invention,
Since the transmitting terminal station i generates the random number information ri by itself,
The key sharing information Xij and the shared key kij can be easily changed each time encrypted communication is performed. In addition, since the key sharing information Xij that is sent to the communication network for key sharing depends on the time information t, the key sharing information Xi created at a certain time
It is difficult to use j again later. Furthermore, the key K
Since ij depends only on the sender's random number information ri, by individually sending key sharing information to many receiving terminal stations, 3
It is also possible to share keys among more than one person. In order to actually create a system that can be safely used by three or more parties, it is necessary to adopt a device configuration that makes it difficult for unauthorized use of the sender's secret information in order to prevent leakage of the sender's secret information.

Furthermore, in the present invention, since the modulus is not one prime number but the product of two prime numbers, the authentication function is realized using station secret information for terminal station authentication. Note that this method saves memory and calculation amount compared to a method using the product of three or more prime numbers as a modulus. Next, a block diagram of a cryptographic communication system according to a second embodiment of the present invention adapted for encrypting and decoding plaintext M is shown in FIG.

As shown in the figure, the cryptographic communication system of the present embodiment is the same as the cryptographic communication system of the first embodiment by creating a ciphertext C from a plaintext M based on the shared key Kij generated by the transmitting side key generation means 207. ciphertext generation means 212 and decryption means 213 that decrypts the ciphertext C based on the shared key Kji generated by the receiving side key generation means 210.

In the above configuration, an encrypted communication method for encrypting and decoding plaintext M between the transmitting terminal station i and the receiving terminal station j will be explained according to the flowchart shown in FIG. In this embodiment, as in the first embodiment described above, k=2, and in step 601, the terminal station i is connected to the central station 2.
Public information and secret information Si are obtained from 01.

In step 602, based on the random number information ri, time information t, public information, and station secret information Si, the key sharing information creation means 206 generates a timestamp T and key sharing information Xij as T=h2 (t ) Xij=Si T ・(Yj e ・h1 (IDj
)) Created according to ri mod n. In step 603, the first ciphertext C1 determined in step 602 and time information t are transmitted to terminal station j. At the same time, in step 604, the shared key Kij of the terminal station i is determined by the transmitting side key generation means 207 according to Kij=gri mod n. In step 605, the plaintext M is encrypted into the ciphertext C in the ciphertext generation means 212 using the shared key Kij according to C=E(Kij,M). Here, the symbol E(K
ij, M) represents a procedure for encrypting plaintext M based on shared key Kij. Typical examples include DES method and FEAL
One example is the method.

Next, in step 606, terminal station j receives public information modulus n, public key e, non-negative integer k, and pseudorandom functions h1 ( ) and h2 (
), numerical IDj, and secret information dj.

Next, in step 607, the validity of the time information t is verified by the time validity checking means 208. This confirmation procedure is the same as in the first embodiment. If the validity is confirmed, the process proceeds to step 608, and if the validity is not confirmed, it is assumed that a third party has impersonated the user and the process is stopped.

In step 608, the receiving side key generating means 2
10, based on the public information obtained from the central station 201, the station secret information dj, and the key sharing information Xij and time information t sent from the terminal station i, the timestamp T and the shared key Kji of the terminal station j are determined as follows. =h2 (t) Kji=(Xije ・h1 (IDi)T)dj
defined according to mod n. In step 609, the decryption means 213 converts the ciphertext C into the shared key Kji
It is decoded using: M′=D(Kji,C)

Here, the symbol D(Kji, C) is the ciphertext C
This represents the procedure for decrypting the file using the shared key Kji. Next step 6
At step 10, terminal station j checks the contents of decoded M'. If the decrypted text M' has meaningful content, it can be confirmed that the ciphertext C was encrypted with the correct key at the transmitting station and that no error or tampering occurred during the communication. Even if an unauthorized third party tries to impersonate someone, the fraud will be discovered because they do not know the correct key. Note that if the receiving side wants to automatically check whether the decrypted text M' is a correctly decoded and meaningful message, it is sufficient to add redundancy to the message M that has been agreed upon between the sender and the receiver in advance.

Note that if the confirmation function in step 610 is not necessarily required, it is also possible to set k=0, Si=Sj=1, and h1 (IDi)=h1 (IDj)=1. Therefore, the plaintext M is encrypted by the ciphertext generating means 212 and then sent to the receiving terminal station j, and is decrypted by the decrypting means 213 of the receiving terminal station j using the key sharing information Xij that depends on the time information t. Therefore, as in the first embodiment, there is no risk of message retransmission attacks due to impersonation.

Next, an encrypted communication method and an encrypted communication system according to a third embodiment for transmitting and receiving encrypted e-mail using the second embodiment will be described with reference to FIGS. 7 to 11. This embodiment also supports the broadcast communication function and the function of notifying the absence of a recipient as described in the conventional example, and FIG. 7 shows a conceptual diagram of the encrypted communication system.

As shown in the figure, users 1 to 5 are connected through transmission lines 6, 7, 8, 9, and 10 for bidirectional communication. Here, each of users 1 to 5 corresponds to each terminal station in the second embodiment.

[0071] Also, the transmission route 11 of the mail sent from user 1 to user 4 via user 2 and returned because the destination was unknown, and the transmission route 12 of the mail sent from user 1 to user 3 are indicated by broken lines. It is shown.

[0072] Each of users 1 to 5 is connected to the central station 201 via a communication network similarly to each terminal station in the second embodiment, and obtains public information and secret information from the central station 201. FIG. 8 shows a block diagram of a part of an encrypted communication system in which user 1 encrypts e-mail and then user 3 decrypts the encrypted e-mail.

As shown in the figure, the cryptographic communication system according to the present embodiment replaces the first ciphertext generating means 211 of the cryptographic communication system of the second embodiment with the key sharing information generating means 206, and furthermore, the transmitter 202 receives the transmitted message. It is configured by adding a creation unit 214 and a received message separation unit 215 to the reception unit 203.

The transmission message creation unit 214 generates the key sharing information Xij created by the key sharing information creating means 206, the ciphertext C=E(K,M) generated by the ciphertext generating means 212, and the clock 2.
Based on the time information t output from 05 and the number IDi (i=1, 2, . . . ) from the central office 201, a transmission message (e-mail) consisting of the bit string shown in FIG. 9 is created.

[0075] The received message separation unit 215 is the transmitted message creation unit 2.
14, from the message, the key sharing information Xij and number IDi related to the own station are sent to the receiving side key generation means 210, the time information t is sent to the time validity confirmation means 208, and the second ciphertext C is sent. =E(K,M) is sent to the decoding means 213. Here, the ciphertext C=E(K,M) means the ciphertext of the plaintext M of the broadcast communication transmitted from user i to user j.

[0076] In the case of transmitting the message shown in Fig. 7,
The transmitted message has the sender's address ID as shown in Figure 10.
1, recipient address ID3, ID4, key sharing information X11, X13, X14, time information t, and ciphertext C
=E(K,M). However, K is a random number r1
This is key information created by the transmitting side key generation means 207 from . If the receiving side keys for users 1, 3, and 4 are generated correctly, K=K11=K31=K41 holds true.

In the above configuration, the message created by the transmission message creation section 214 of the user 1 is transmitted to the user 3 through the transmission path 12, and the message created by the transmission message creation section 214 of the user 1 is transmitted to the user 3 through the transmission path 12.
, sender address ID1, key sharing information X13
, time information t, and ciphertext C=E(K,M) are selected. Based on this information, the ciphertext C=E(K,M) is decrypted to obtain the plaintext M in the same manner as in the second embodiment. The reason why user 3 can decrypt this ciphertext is that K=K31. Similarly, a message is simultaneously transmitted from user 1 to user 4.

[0078] Here, for example, if the destination of user 4 is unknown and the message is returned to user 1, user 1 selects the key sharing information
A shared key K11 for decrypting =E(K,M) is created. That is, T=h2 (ID1) K11=(X11e ・h1 (ID1)T)d1
mod n User 1 uses the key K11 created in the above procedure
Decode C=E(K,M) using That is, using the shared key K11, the ciphertext C=E(K,M) is decrypted into the decrypted text M' according to M'=D(K11,C). This decrypted text M' matches plaintext M.

[0079] Therefore, by using the encrypted communication system of this embodiment, it is possible to simultaneously send encrypted e-mails from one user to a large number of other users. Of course, there is no risk of eavesdropping by users other than the destination user. Further, since the key sharing information Xij is created from the random number information ri and the time information t, there is no risk of retransmission attacks by a third party impersonating the key sharing information Xij. Furthermore, the user receiving the e-mail can extract only the information related to his/her own station and decrypt the encrypted e-mail.

Furthermore, as shown in FIG. 11, even if the message is returned to the sender's user because the destination is unknown, the sender's user will not be able to receive the encrypted message because the shared key X11 is added to the sent message. E-mails can be easily decrypted. In other words, it is possible to check what content of the message did not reach the recipient.

In the above embodiment, all users may be connected in a mesh pattern through bidirectional transmission paths. Furthermore, depending on the selection, e-mail transmission can be performed via another user, so only the minimum necessary transmission path may be used depending on the usage situation. Furthermore, in this embodiment, e-mails are simultaneously transmitted to a large number of users, but the recipient may be a single user.

Further, additional information such as parity bits for correcting transmission errors may be added to the transmitted message shown in FIG. 9. Further, the arrangement order within the transmitted message may be changed as appropriate.

Next, an encrypted communication method and an encrypted communication system according to a fourth embodiment in which data encrypted using the second embodiment is stored in a file will be described with reference to FIGS. 12 to 16.

[0084] In this embodiment, as a method for ensuring the security of data handled by a computer, the user encrypts the data contents for each file and stores it in an appropriate memory, and then edits the data contents as necessary. This is an embodiment of a method for decoding and using it.

The configuration of the terminal station of the encrypted communication system of this embodiment is exactly the same as that of the third embodiment, but the destination of the encrypted data is different. In other words, as shown in FIG. 12 for comparison between this embodiment and the third embodiment, in the third embodiment, the created encrypted information was sent as a message to the other user via the transmission path, but in this embodiment In the example, the created cryptographic information is stored as a file in the storage device from the transmitter 202, and read out via the receiver 203 at another time.

FIG. 13 shows a conceptual diagram in the case where user 1 encrypts data M, stores it in memory, and reads it out from memory and decrypts it when necessary. The structure of the file stored in the memory in this case is shown in FIG. That is, the file has the file ID and user I in the file header.
D, key restoration information X11, time information t, and encrypted data C=E(K,M) in the file body. here,
The encryption key K is determined by K=gr1 mod n, and the key recovery information X11 is determined in the same manner as in the third embodiment. When restoring, the restoring key K is used similarly to the third embodiment.
11 is generated. In other words, if the key is correctly restored at this time, K=K11 holds true.

FIG. 15 shows a conceptual diagram when the number of users who can read data is expanded to a plurality of users. In other words, not only user 1, but also users 3 and 4 can read out the information in the same way. The structure of the file stored in the memory in this case is shown in FIG. That is, the file has file ID, file creator ID1, file user ID1, ID3, ID4, and key recovery information X11 in the file header.
, has time information t, and encrypted data C= in the file body.
has E(K,M).

In FIG. 16, the file creator ID1 and file user ID1 overlap, so the file user ID
The entry field ID1 is omitted. ID1
You can also write it explicitly in this field. Therefore,
The encrypted communication system of this embodiment can be applied to an encrypted communication method in which files are encrypted and stored in memory, and read and restored as necessary. The present invention is not limited to the above-described embodiments, but can be implemented in any appropriate manner by making appropriate design changes.

[0089]

As explained above, according to the encrypted communication method of the present invention, the central station creates the same public information that is disclosed to all terminal stations and different station secret information that is notified to each terminal station. a step of the central station issuing the public information and the station secret information to a cryptographic transmitting terminal station and a cryptographic receiving terminal station; generating random number information in the transmitting terminal station; a step of outputting time information within the transmitting side terminal station; a step of generating a transmitting side key based on the random number information and the public information; and the random number information;
A step of creating key sharing information based on the time information, the public information, and the station secret information, and confirming whether or not the time information is false within a terminal station that receives the time information and the key sharing information. and a step of generating a key on the receiving side based on the time information, the key sharing information, the public information and the station secret information, if the time information is confirmed in the receiving terminal station as not being false. , confirming that the key generated in the transmitting terminal station and the key generated in the receiving terminal station match by comparing the two, and if they match, authenticating the cipher as a legitimate cipher. With this, it is easy to change the shared key, it is possible to share the key among three or more parties, and it is possible to effectively prevent retransmission attacks due to impersonation.

Furthermore, the encrypted communication system of the present invention is useful for implementing the above encrypted communication method, since it is provided with means corresponding to each step in the encrypted communication method. Depending on the selection, the key sharing information created in the step of creating key sharing information includes key sharing information for unknown destinations that allows the transmitting terminal station itself to decrypt the encrypted plaintext, and the transmitting side key generation means plaintext encrypting means for encrypting plaintext using a transmitter's key generated by the means, the plaintext encrypted by the means, and key sharing information and time information created by the key sharing information creating means. a transmission message creation means for creating a transmission message from the time information output by the means; a message content division means for receiving the message created by the means at a receiving terminal station and dividing the message contents; decryption means for decrypting said encrypted plain text using a reception side key generated by reception side key generation means; and further, when the destination of the reception side terminal station is unknown, said destination unknown key sharing Since the sending terminal station itself has a sending side decryption means that decrypts the encrypted plain text based on the information, the communication system does not become complicated even when there is no recipient of the e-mail at the destination when sending and receiving e-mails. It is possible to deal with it without doing anything.

[Brief explanation of the drawing]

FIG. 1 is a block diagram of a cryptographic communication system according to a first embodiment of the present invention.

FIG. 2 is an explanatory diagram of information created at the central station and terminal stations.

FIG. 3 is a flowchart diagram illustrating a cryptographic communication method between terminal stations in the cryptographic communication system shown in FIG. 1;

FIG. 4 is a configuration diagram of an arithmetic unit used in a cryptographic system that shares keys among three or more parties.

FIG. 5 is a block diagram of a cryptographic communication system according to a second embodiment of the present invention.

6 is a flowchart diagram for explaining the cryptographic communication method of the cryptographic communication system shown in FIG. 5. FIG.

FIG. 7 is a conceptual diagram of a cryptographic communication method according to a third embodiment of the present invention.

FIG. 8 is a block diagram of a cryptographic communication system that implements the cryptographic communication method shown in FIG. 7.

FIG. 9 is a diagram of a transmitted message created by the cryptographic communication system shown in FIG. 8.

FIG. 10 is a diagram of a message sent from user 1 to user 3 and user 4.

FIG. 11 is an explanatory diagram of processing when a message is returned to a sending user because the destination is unknown.

FIG. 12 is a comparison diagram between the fourth and third embodiments of the present invention.

FIG. 13 is a conceptual diagram for explaining the encrypted communication method shown in FIG.

FIG. 14 is a configuration diagram of a filter stored in the memory shown in the figure.

FIG. 15 is a conceptual diagram when the encrypted communication method shown in FIG. 12 is extended to a plurality of users who can read data;

FIG. 16 is a configuration diagram of files stored in the memory shown in FIG. 15.

FIG. 17 is a diagram showing a conventional example.

[Explanation of symbols]

201...Central station, 202...Transmitter, 203...Receiver, 204...Random number generator, 205...Clock, 206...Key sharing information generation means, 207...Sender side key generation means, 208...Time validity confirmation means, 209 ...Secret key memory, 210...Receiving side key generation means, 212...Ciphertext generation means 213...Decryption means, 214...Transmission message creation section, 215...Transmission message separation section, 401...Arithmetic device, 402, 403, 404...Exponentiation Remainder calculator, 405...
Remainder multiplier, 406...data memory.

Claims (5)

[Claims] Claim 1. An encrypted communication method in which a central station issues keys to each of a plurality of terminal stations, and encrypted communication is performed between two of the terminal stations via a communication network, wherein the central station issues keys to each of a plurality of terminal stations. A step of creating the same public information to be released and different station secret information to be notified to each terminal station, and the central station transmitting the public information and the station secret information to the terminal station on the cryptographic transmitting side and the terminal on the cryptographic receiving side. a step of issuing random number information to a station; a step of generating random number information within the transmitting terminal station; and a step of outputting time information within the transmitting terminal station;
a step of generating a transmitting side key based on the random number information and the public information; a step of creating key sharing information based on the random number information, the time information, the public information and the station secret information; a step of confirming whether or not the time information is false in the terminal station receiving the key sharing information, and when it is confirmed that the time information is not false in the receiving terminal station, the time information and the a step of generating a receiving side key based on the key sharing information, the public information, and the station secret information; and the key generated in the transmitting terminal station and the key generated in the receiving terminal station match. An encrypted communication method characterized by comprising a step of authenticating. 2. An encrypted communication system in which a key is issued from a central station to each of a plurality of terminal stations via a communication network, and encrypted communication is performed between two of the terminal stations, wherein the central station issues keys to each of a plurality of terminal stations via a communication network. station secret information creation means for creating the same public information to be made public and different station secret information to be notified to each terminal station; Information issuing means for issuing to a terminal station on the receiving side; random number information generating means for generating random number information in the terminal station on the transmitting side; time information outputting means for outputting time information in the terminal station on the transmitting side;
a transmitting-side key generation unit that generates a transmitting-side key based on the random number information and the public information; and key sharing information that creates key sharing information based on the random number information, the time information, the public information, and the station secret information. a generation means; a time validity checking means for checking whether the time information is false in a terminal station that receives the time information and the key sharing information; and a time validity checking means for checking whether the time information is false in the receiving terminal station; a receiving side key generation means for generating a receiving side key based on the time information, the key sharing information, the public information and the station secret information; and a key generated in the sending terminal station. and an authentication means for authenticating that the key generated in the receiving terminal station matches the received terminal station. 3. An encrypted communication system in which a central station issues a private key unique to each terminal station to each of a plurality of terminal stations, and encrypted communication is performed between two or more of the terminal stations via a communication network, 3. The encrypted communication system according to claim 2, wherein the private key unique to the terminal station is sealed, and the encrypted communication process cannot be changed. 4. The key sharing information created by the key sharing information creation means includes key sharing information for an unknown destination that allows the sending terminal station itself to decrypt the encrypted plaintext, and the sending terminal station itself decrypts the encrypted plain text. Plaintext encrypting means for encrypting plaintext using the generated sender's key, the plaintext encrypted by the means, and key sharing information and time information output means created by the key sharing information creating means. a transmission message creation means for creating a transmission message from the time information output by the means; a message content division means for receiving the message created by the means at a receiving terminal station and dividing the message contents; decryption means for decrypting the encrypted plaintext using a reception side key generated by the reception side key generation means, and further comprising: when the destination of the reception side terminal station is unknown, the said destination unknown key sharing information. 3. The cryptographic communication system according to claim 2, wherein the transmitting terminal station itself has a transmitting side decryption means for decoding the encrypted plaintext based on the above. [Claim 5] The key sharing information created by the key sharing information creating means includes key recovery information for decoding the encrypted plaintext by the sending terminal station itself, and the key sharing information created by the sending end key generating means Plaintext encrypting means for encrypting plaintext using a key on the sending side, the plaintext encrypted by the means, and key sharing information and time information created by the key sharing information creating means. a transmission message creation means for creating a transmission message from time information output by the means; a storage means for storing the message created by the means in a file; and a storage means for storing the encrypted plaintext stored by the means under the key. 3. The encrypted communication system according to claim 2, further comprising a transmitting side decryption means for decoding by the transmitting terminal station itself based on the restoration information.