JPH05347616A - Group ciphering communication method and group ciphering communication system - Google Patents

Abstract

PURPOSE:To attain group ciphering communication from one optional terminal to lots of optional terminals among plural terminals while the security is ensured. CONSTITUTION:Plural secret numerals called as a master key in common to a prescribed partial set in an IC card 101 are stored in a memory 103 of the IC card, the IC card is inserted to a terminal to which communication is started at first to generate communication destination information is generated and sent to other terminal via a communication network 117. Moreover, based on communication destination information, one is selected from plural master keys and a group key is generated by using the selected master key and a communication message is ciphered or decoded by using the generated group key. A terminal being a communication destination receives communication destination information and selects one from the plural master keys based on the communication destination information and the group key is generated by using the selected master key and ciphering/decoding of the communication message is implemented by using the generated group key.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a communication method and system for transmitting and receiving encrypted communication messages.

[0002]

2. Description of the Related Art In recent years, advances in information and communication technologies have made it possible to exchange various kinds of information at high speed and at low cost using a communication network. When using a communication satellite or a local area network, if one piece of information is transmitted, many terminals can receive it at the same time. That is, there is a feature that the broadcast communication can be easily realized.

By the way, when performing broadcast communication using a communication satellite or a local area network, the transmitted electric or radio wave signal can be received by any terminal, and as it is, only information to be kept secret is limited to a limited party. There is no limited communication that can be conveyed.

In the case of performing broadcast communication using a communication satellite or a local area network, one method for transmitting information to limited parties and keeping the information secret to other parties is, for example, treasure. Thu, Fukuzawa, Nakamura, "Security by Card", Symposium on Safety and Reliability of Communication Networks in Information Society, IEICE, August 1991
It is shown on the 9th.

The method disclosed in the above conventional example will be described with reference to FIG.

FIG. 9 shows a workstation (WS) 902 on the receiving side and an IC card 901 in the conventional communication system.

First, the WS 902 receives communication destination information via the communication network 917. The communication destination information includes the following information.

[0008] Communication destination information = establishment number 1 ‖ distribution list 1 ‖ random number 1 ‖ key information 1 ‖ establishment number 2 ‖ distribution list 2 ‖ random number 2 ‖ key information 2 ‖ ..... Indicates a match.

After that, the WS 902 selects its own WS as the communication destination based on the numerical value “2” of the business identification number 925 and the numerical value “3” of the personal identification number 926 that have been read in advance from the memory 903 of the IC card. Check for inclusion. For example, in the above communication destination information, it is assumed that the office number 1 is the numerical value “2” and the distribution list 1 is the bit string “00 ... 0101”. In this example, WS
The numerical value of the business office identification number 925 stored in the memory 914 in the 902 is "2", which is the same as the business office number 1 of the communication destination information. In addition, the memory 91 in the WS 902
The numerical value of the personal identification number 926 stored in 4 is “3”
Therefore, referring to the third bit from the bottom of the distribution list 1 pointed to by the numerical value “3”, it is “1”. Therefore, business establishment identification number 925
It is determined that (the numerical value is “2”) and the personal identification number 926 (the numerical value is “3”) are included in the communication destination information.

Next, the WS 902 applies the corresponding communication destination information "establishment number 1 ‖ distribution list 1 ‖ random number 1 ‖ key information 1".
Is transmitted to the IC card 901. And IC card 9
Even in 01, the same inspection is performed using the business establishment identification number 918 (numerical value is “2”) and the personal identification number 919 (numerical value is “3”). If the inspection result is “included”, the following calculation is performed using the master key for single office 920.

Work key ← H (master key for single establishment, establishment number 1 ‖ distribution list 1 ‖ random number 1) group key ← D (work key, key information 1) where H (I, M) is initial It is an output (hash total) by a hash function H in which the value is I and the input data is M. Further, D (K, M) is an output by the decryption function D in which the key is K and the input data is M.

The IC card 901 transfers the group key calculated as described above to the WS 902. WS902 is
Using this group key (stored in the group key storage area 927 in the memory 914), the encrypted message transmitted from the communication network 917 is decrypted.

As described above, the WS 902 in which the IC card 901 is inserted can determine that its own WS is included in the communication destination information, generate a key, and decrypt the encrypted message.

Similarly, in another WS, if an IC card having a business identification number and a personal identification number included in the communication destination information is inserted, a process of generating a group key is performed, and as a result, a communication network is generated. The encrypted message transmitted from 917 is ready to be decrypted.

In this way, one-to-many encrypted communication can be performed from one transmission source to many reception destinations.

[0016]

By the way, in the above-mentioned conventional example, one of the many sides of the one-to-many communication cannot be the transmitting side. That is, the IC card and WS on the receiving side could not create the communication destination information. This is because the IC card on the receiving side has only one master key for a single office that is valid only for the office to which the IC card belongs.

In view of the above-mentioned problems in the conventional example, an object of the present invention is to enable group cryptographic communication from any one terminal to any number of terminals among a plurality of terminals while ensuring security in security. To do so.

[0018]

In order to solve the above problems, the present invention provides a plurality of IC cards, a plurality of communication terminals having input / output interfaces of the IC cards, and a communication network connecting these communication terminals. A group encryption communication method and system applied to a communication system provided with the IC card, wherein each of the IC cards has an individual numerical value that identifies each IC card, and a secret called a master key that is common to a predetermined subset of the IC cards. A terminal that stores a plurality of numerical values and starts communication first generates communication destination information that identifies the other party with which communication is to be performed, and sends the communication destination information to another terminal, and based on the communication destination information. Select one of the plurality of master keys stored in the IC card inserted in its own terminal, and generate a group key using the selected master key. And performs encryption and Fukugoka communication message using the generated group key to exchange communication messages, in the terminal which is the communication destination,
The communication destination information is received, one is selected from the plurality of master keys stored in the IC card inserted in the terminal based on the communication destination information, and the group key is selected using the selected master key. The generated and generated group key is used to encrypt and decrypt the communication message so as to exchange the communication message.

The individual numerical value for each IC card may be used as a pointer for designating an inspection position for inspecting a specific position of a data string called communication destination information input to the IC card. By this inspection, it is possible to know whether the terminal into which the IC card is inserted is the communication destination. When it is a communication destination, one of the plurality of master keys is selected from the communication destination information. It is preferable that the master key of the IC card can be read only when it is properly accessed by the terminal in this communication system.

The group key may be obtained by performing a calculation using a hash function with the master key, which is the selected secret value, and the data including the communication destination information as input.

Further, the IC card holds a cryptographic function and a secret numerical value called an individual key which does not appear outside the IC card and is different for each IC card. By using the individual key and the encryption function to perform the decryption calculation, and by overwriting the calculation result on the area where the master key was written,
The master key may be updated.

[0022]

The terminal that first initiates communication generates communication destination information that identifies the other party with which communication is to be performed, and sends it to another terminal. Then, based on the communication destination information, one is selected from the plurality of master keys stored in the IC card inserted in the terminal, a group key is generated using the selected master key, and the generated group key is generated. The communication message is sent and received by encrypting and decrypting the communication message using the key. On the other hand, the terminal which is the communication destination receives the communication destination information, selects one from the plurality of master keys stored in the IC card inserted in the self-terminal based on the communication destination information, and selects the master key. The generated master key is used to generate a group key, the generated group key is used to encrypt and decrypt the communication message, and the communication message is exchanged. After all, the group key is generated using the same master key in each terminal. Therefore, it is possible to share a group key for performing group encrypted communication by designating a plurality of favorite communication partners across a plurality of business establishments.

ICs belonging to business establishments other than those in communication
Even if the contents of the card are leaked, since a unique master key is used between the business offices, the security of communication is not affected between the business offices. When attempting to share a key across a plurality of establishments, if an appropriate partial area master key is not present in the IC card, a master key valid for the entire area may be used. in this case,
It is safe if the contents of all IC cards are not leaked.

If the method of updating the master key by inputting the master key ciphertext encrypted using the individual key is used,
When it becomes necessary to update the master key due to circumstances such as master key leakage, the master key can be updated by a relatively secure means such as individual cryptographic communication after telephone confirmation.

In the method of inputting the master key division ciphertext encrypted using a plurality of individual keys and updating the master key, the master key is generated by the joint work of a plurality of key centers. Therefore, unless a plurality of key centers collude, the master key is not known by the independent work of the key centers. Therefore, it is possible to protect the privacy between communication parties even for the key center.

[0026]

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 10 shows a cryptographic communication system to which the group cryptographic method and apparatus of the present invention are applied. This cryptographic communication system includes five communication terminals 1002, 1004, 1006 having IC card input / output interfaces.
1008, 1010, and a communication network 100 connecting them
1 is provided. Communication terminals 1002, 1004, 1006,
IC cards 100 are shown in 1008 and 1010, respectively.
3,1005,1007,1009,1011 are inserted.

Each IC card has individual numerical values 1012, 1016, 1019, 1023, 102 for each IC card.
6 is stored. In this individual numerical value (x, y), x represents a business office number and y represents an individual number within the business office. Here, it is assumed that the office number “1” represents the head office and “2” represents the A office. Since the individual numerical value 1012 of the IC card 1003 is (1,1), this card is for Mr. a at the head office, I
Since the individual numerical value 1016 of the C card 1005 is (1, 2), this card is for Mr. b of the head office, IC card 100
Since the individual number 1019 of 7 is (2,1), this card is for Mr. c of A office, and the individual number 1023 of the IC card 1009 is (2,2). Individual value of IC card 1011 1026
Since it is (2,3), this card is for Mr. e of business A.

Further, each IC card stores a secret numerical value called a master key whose reading from the IC card is prohibited. Of these, the master key for the headquarters
1013 and 1017 are cards 1003 and b for Mr. a at the head office.
It is common to the third card 1005. Further, the master keys 1020, 1024, and 1027 for the A office are common to the card 1007 for Mr. c, the card 1009 for Mr. d, and the card 1011 for Mr. e at the A office. Master key for whole area 1
015, 1018, 1022, 1025, 1029 are five IC cards 1003, 1005, 1007, 100
It is common to all 9,1011.

FIG. 1 shows the details of the e-card 1011 and the communication terminal 1010 of the A office in FIG. Figure 1
In, the IC card 101 (1011 in FIG. 10) is
Data is exchanged with the workstation (WS) 102 via the IC card side interface 105 and the WS side interface 109. WS102
Exchanges data with the communication network 117 via the communication board 108.

In the IC card 101, the CPU 106 according to the group key generation program 1 in the memory 104
Works. Business office identification number 118 in the memory 103
The numerical value (first of the individual numerical values 1026 in FIG. 10) is “2”, and the personal identification number 119 (the individual numerical value 1026 in FIG.
The second numerical value of 26 stores “3”, and the owner of the IC card 101 is the individual with the number “3” who belongs to the business office with the business office number “2” (A business office). Indicates that. More specifically, the IC card 10 is identified by the identification number-identification name correspondence table 124 stored in the memory 113.
It can be seen that the owner of No. 1 is Mr. E of the A office. The single business office master key 120 (1017 in FIG. 10), the entire area master key 121 (1029 in FIG. 10), the partial area master keys 122, 123 (1028 in FIG. 10), ...
It is 4-bit random data.

In the WS 102, the CPU 110 operates according to the group key generation program 2 in the memory 115. Identification number-identification name correspondence table 124 in the memory 113
Indicates that the office number “1” is the head office, the individual number “1” in the head office is Mr. a, the individual number “2” is Mr. b,
... is shown. Similarly, the establishment number “2” indicates that it is the establishment A. The individual number “1” in the establishment A is c, the individual number “2” is d, the individual number “3” is e, ... is shown. The memory 114 is the WS1
It has areas 125 and 126 for reading out and storing the business office identification number 118 and the personal identification number 119 of the IC card 101 inserted in 02. Here is the business identification number 1
Since 18 is “2” and the personal identification number 119 is “3”, the business establishment identification number 125 is “2” and the personal identification number 12
6 is "3". Further, the memory 114 has an area 127 for storing the group key generation result.

In addition, the WS 102 is equipped with a display 111 for providing input / output means to the operator of the WS and a keyboard 112.

As described above, each IC card has a business identification number and a personal identification number unique to its owner (see FIG. 10).
It is called an individual numerical value). By inserting the IC card into any of the terminals in the communication network 117, the owner of the IC card can communicate with other people via the communication network 117.

A method will be described below in which, when someone in the communication network arbitrarily designates a plurality of communication partners to perform encrypted communication, the encryption keys are shared with those communication partners.

FIG. 2 is a flow chart for explaining the operation of the group key generation program 2 stored in the memory 115. First, in step 201, the process is started, and in step 202, the operator inputs a command indicating that key generation is to be performed first from the keyboard 112 or a command indicating that key generation is to be performed after another communication partner. In step 203, if it is the former command, it branches to step 204, and if it is the latter command, it branches to step 211. To generate a key first means to start communication from this terminal to another terminal first, and for that purpose, a key is generated first. To generate a key after another communication partner means that the other communication partner first generates a key and starts communication, and performs key generation to receive a message etc. from the communication partner. That is.

When the key is generated for the first time, first in step 204, the identification number / identification name correspondence table 124 is displayed on the display 111. Next, in step 205, the operator selects a communication partner by looking at the display on the display 111, and inputs the communication partner and his / her affiliation and name from the keyboard 112. Here, it is assumed that the operator is Mr. e of the A office, and Mr. e selects Mr. a of the head office and Mr. c of the A office as communication partners, and inputs those office identification numbers and individual identification numbers. And Further, the business office identification number and the personal identification number for identifying e of the business office A, which is his / her affiliation and name, are also input.

Next, in step 206, the communication destination information as shown in FIG. 4 is generated by referring to the input information and the identification number-identification name correspondence table 124. The communication destination information is composed of an office number, a distribution list, and a random number. The establishment number is binary numerical data, and the distribution list is bit data in which each bit corresponds to each individual in the establishment.

In FIG. 4, since the business office number (business office identification number) 401 is binary numerical data "1", the business office number is "1", that is, the head office is the communication destination 1
Indicates that it is one. In the distribution list 402, since the second bit from the bottom of the bit string is bit “1”,
The personal identification number of the head office (the office number is "1") is "2", that is, Mr. a is one of the communication destinations. Similarly, the business office number 403 has a value of "2" and the business office A is one of the communication destinations, and the distribution list 404 thereof has individual identification numbers of "1" and "3", that is, c and e, respectively. Indicates one of the communication destinations. The random number 405 is a new random number generated at the time of carrying out this step 206. By generating such communication destination information, the IC card 1
Send to 01.

Next, in step 207, the IC card 101
Operation shown in Fig. 3 (generation of group key described later)
Is carried out. Meanwhile, the WS 102 side waits. IC
When the generation of the group key in the card 101 is completed, the group key that is the value returned from the IC card 101 is received in step 208 and written in the group key storage area 127 in the memory 114. Then, in step 209, the communication destination information (FIG. 4) is transferred to the communication network 1 via the communication board 108.
17 and the process ends in step 210. Thereafter, this terminal encrypts the communication message using the generated group key and sends it out. The communication message sent from the other party is decrypted using the generated group key.

Next, when the key is not first generated, first in step 211, the business identification number 118 and the personal identification number 119, which are the data in the IC card 101, are set to W.
The data is written in the areas 125 and 126 of the memory 114 in S102. Next, in step 212, it waits for the communication destination information to come from the communication network 117. When the communication destination information comes, proceed to the next step. In this example, the communication destination information of FIG. 4 is received.

In step 213, the communication destination information is the business office identification number 125 and the personal identification number 12 in the memory 114.
Check whether the destination indicated by 6 is included. If it is included, the process proceeds to step 214, and if not, the process proceeds to step 218 and ends the processing.

At step 214, the communication destination information is set to I
Send to C card 101. Then, in step 215, the operation shown in FIG. 3 (generation of a group key described later) is executed in the IC card 101. Meanwhile, the WS 102 side waits. When the generation of the group key in the IC card 101 is completed, the group key which is the value returned from the IC card 101 is received in step 216 and written in the group key storage area 127 in the memory 114. Then, in step 217, the process ends. Thereafter, this terminal uses the generated group key to decrypt the received communication message. Also, when sending a communication message to the other party,
Encrypt using the generated group key and send.

FIG. 3 shows a flow chart for explaining the operation of the group key generation program 1 stored in the memory 104. First, in step 301, the processing is started, and in step 302, the IC card side interface 1
The communication destination information (FIG. 4) is received via 05. Next, in step 303, it is checked whether or not the communication destination information includes the business office identification number 118 and the personal identification number 119 at the same time. If it is included, the process proceeds to step 304. Otherwise, go to step 308.

When the IC card on which the processing of FIG. 3 is being executed is the IC card 101 of FIG. 1 (of Mr. e of A office) and the received communication destination information is the numerical example shown in FIG. Is the number "2" in the field of office number 403,
Since the bit “1” is set as the third bit in the subsequent distribution list 404 column, the establishment identification number 118
It is determined that (the numerical value is “2”) and the personal identification number 119 (the numerical value is “3”) are included at the same time.

Next, in step 304, the type of master key to be used is selected by the procedure shown in FIG. 6 (described later). Then, in step 305, a hash total is calculated using the destination communication information and the master key. That is, hash total ← H (master key, destination communication information). Here, H (K, M) is a hash function, and for example, one defined in the document: Takaragi, “Cryptography and Applications”, Journal of Information Processing Society of Japan, June 1991, etc. is used.
Next, in step 306, the hash total is output to the WS 102 via the IC card side interface 105, and in step 307, the process ends. This hash total is used as a group key.

On the other hand, when the communication destination information does not include the business office identification number 118 and the personal identification number 119 at the same time in step 303, a "rejection" notification is issued in step 308.
The data is output to the WS 102 via the C-card side interface 105, and the processing ends in step 309.

FIG. 6 shows a step 30 of the processing shown in FIG.
4 is a flowchart for explaining the detailed operation of No. 4. First, when the processing is started in step 601, it is checked in step 602 whether or not there is only one data of the office number in the communication destination information (FIG. 4). If there is only one, communication is only with that business establishment, so the flow proceeds to step 608, returns the single business establishment master key 120 to the main routine, and proceeds to step 609. If there is more than one business office number data in the communication destination information (FIG. 4) in step 602, the process proceeds to step 603. In the numerical example of FIG. 4, there are two or more establishment number columns.

Next, in step 603, it is determined whether all the partial area master keys 122, 123, ... Recorded in the memory 103 have been inspected. If all are inspected, go to step 607. Otherwise,
Go to step 604. FIG. 5 shows a format example of the master key for the partial area. The partial area master key includes a business office list 501 and master key information 502 for the business office list 501. The business establishment list 501 is bit data in which bits corresponding to each business establishment are arranged. In the example of FIG. 5, the least significant bit (first bit) of the business establishment list 501 is “1”, and the second
Since the bit is "1" and the other bits are "0", this master key information 502 is the master key for the partial area of the group of the offices having the office identification numbers "1" and "2". Becomes

Next, in step 604, it is checked whether the column of the business establishment list 501 of the master key for partial area (FIG. 5) includes all the business establishments shown in the communication destination information (FIG. 4). If included, go to step 606. Otherwise, go to step 605. In the numerical example of FIG. 5, the business establishment list 501 has business establishment identification numbers “1” and “2”. In the numerical example of FIG. 4, the office number 401 indicates the office “1”, and the office number 403 indicates the office “2”. In FIG. 4, if the other portions are blank, the business area list (50) of the master key for the partial area (FIG. 5)
The section 1) includes all the business offices shown in the communication destination information (FIG. 4).

If it is determined in step 604 that the field of the business area list 501 of the partial area master key does not include all business offices indicated in the communication destination information, the memory 1 is stored in step 605.
Set the master key for the next partial area on 03. Then, the process returns to step 603.

In step 604, if the column of the business area list 501 of the sub domain master key includes all business sites indicated in the communication destination information, in step 606 the sub domain master key (the sub domain master key in FIG. 1). (One of the keys 122, 123, ...) Is passed to the main routine. And step 6
Go to 09.

If all the partial-area master keys are checked in step 603, the whole-area master key 12 is searched in step 607.
Pass 1 to the main routine. Then, the process proceeds to step 609. The process ends in step 609.

As described above, the master key 1 for a single office
The same value is written in all 20 in the IC cards belonging to the same office. For example, the master keys 120 for single offices of the IC cards of Mr. c, Mr. d, and Mr. e of the office A all have the same value. Also, the master key for all areas 1
21 are all I regardless of whether the establishment is the same or not.
Same value for C card. Partial area master key 122, 1
23 ... have the same value for all the IC cards belonging to the business office designated by the business office list (501 in FIG. 5). For example, the example 501 of FIG. 5 is recorded in the office numbers “1” and “2”, that is, the IC cards belonging to the head office and the A office.

As described above, according to the present embodiment, by looking at the identification list 124 by business place displayed on the display 112, the communication partner is selected and the keyboard is input,
The IC card 101 generates a group key commonly held by itself and the communication partner, and the group key stored in the memory 114 of the WS 102 is generated.
Is set to the group key. That is, it is possible to share a group key for performing group encrypted communication by designating a plurality of favorite communication partners across a plurality of business establishments.

In calculating the group key, the master key used in the formula of group key ← H (master key, communication destination information) (where H is a hash function) is input to the IC card 101. It depends on the numerical data of the communication destination information (FIG. 4). For example, in the case of the numerical example entered in FIG. 4, if the portion of ... Is blank in the figure, the master key for the partial area as shown in the numerical example of FIG. 5 is used. This partial area master key is numerical data stored only in the office numbers “1” and “2”, that is, the IC cards belonging to the head office and the A office. As a result, even if the contents of IC cards belonging to other business establishments are leaked, this master key will not be included, which may affect the security of communication between the business establishment numbers “1” and “2”. Never give.

It is assumed that when an attempt is made to share a key across a plurality of business establishments, an appropriate master key for the partial area is not present in the IC card. At this time, the master key for all areas is used to generate the group key. Each IC card contains a master key for a single office and several master keys for partial areas in addition to the master key for all areas. So, for example, 1
If the contents of one IC card are leaked, the master key for all areas will be known, so the security in that case will be reduced, but unless the contents of all IC cards are leaked,
High security in communication between groups. This is because the group key is not generated by any IC card other than the designated communication partner IC card.

(Modification 1 of Embodiment) In the above embodiment,
Master keys 120, 121, 12 in the IC card 101
2, 123, ... Are assumed to be set in advance. Instead, as shown in FIG. 7, a personal key 701 for each IC card is set in advance in the memory 103 in the IC card 101, and the master key 1 is transferred from the key center that centrally manages each personal key.
, 121, 122, 123, ... Are encrypted by the IC card by the private key 701 and transmitted as a master key ciphertext, and the master key ciphertext is decrypted by the encryption function 702 in the IC card on the receiving side and stored in the memory 103 It may be set to.

According to the first modification, when it is necessary to update the master key due to a master key leakage or the like, it is possible to update the master key by a relatively safe means such as individual cryptographic communication after telephone confirmation. become.

(Modification 2 of Embodiment) In the above embodiment,
Master keys 120, 121, 12 in the IC card 101
2, 123, ... Are assumed to be set in advance. Instead, as shown in FIG. 8, the individual key 801 registered in the first center, the individual key 802 registered in the second center, ... Are set in advance for each IC card. Each center centrally manages the IC card key. At the time of updating the master key, the first center encrypts the first master key registration information used for generating the master key information with the private key 801 and transmits it as the master key division ciphertext. IC on the receiving side
In the card, the master key division ciphertext is decrypted by the cryptographic function 702 to obtain the first master key registration information. Similarly,
The second master key registration information is sent from the second center to the private key 8
Then, the second master key registration information is obtained by decrypting with the encryption function 702 in the IC card on the receiving side. If there is another center, the master key registration information is similarly obtained. Then, in the IC card 101, the master key is calculated by the following formula: master key ← first master key registration information + second master key registration information + (where “+” is an exclusive OR for each bit) May be calculated and set in the memory 103.

According to the second modification, the master key is generated by the joint work of a plurality of key centers. Therefore, the master key will not be known to the center unless a plurality of key centers collude.

(Modification 3 of Embodiment) In the above embodiment,
Although the last column 405 of the communication destination information is a random number as shown in FIG. 4, it may be a random number instead of a random number, such as time information or a sequence number.

[0063]

As described above, according to the present invention,
It is possible to share a group key for group encrypted communication by designating a plurality of favorite communication partners across a plurality of business establishments. Further, even if the contents of an IC card belonging to a business office other than the business office in communication is leaked, it does not affect the safety of communication between the business offices.

Further, when trying to share a key across a plurality of business offices, if the appropriate master key for the partial area is not present in the IC card, the master key for the entire area is used,
A group key is generated. Even in this case, all ICs
It is safe if the contents of the card are not leaked.

If a personal key or the like is used, and if it becomes necessary to update the master key due to circumstances such as master key leakage, the master key can be updated by a relatively secure means such as individual cryptographic communication after telephone confirmation. It will be possible. Further, the master key can be generated by the joint work of a plurality of key centers so that the master key cannot be known by a single work of the key center unless the plurality of key centers collude.
Therefore, the privacy between communicating parties can be protected for the key center.

[Brief description of drawings]

FIG. 1 shows a block diagram of a terminal in a communication system which is a first embodiment of the present invention.

FIG. 2 shows an operation flowchart of a group key generation program 2 in FIG.

FIG. 3 shows an operation flowchart of a group key generation program 1 in FIG.

4 is a diagram showing a format of communication destination information input to the IC card 101 in FIG. 1 and an example of numerical data.

FIG. 5 is a diagram illustrating a partial area master key 122, 12 in FIG.
It is a figure which shows the format of 3, ..., and an example of numerical data.

FIG. 6 shows a detailed operation flowchart of step 304 in the processing of FIG.

FIG. 7 shows a system configuration diagram of a first modification of the embodiment.

FIG. 8 shows a system configuration diagram of a second modification of the embodiment.

FIG. 9 shows a system configuration diagram of a conventional example.

FIG. 10 shows a configuration diagram of a communication system which is a first exemplary embodiment of the present invention.

[Explanation of Codes] 1001 ... Communication network, 1002, 1004, 1006, 1
008, 1010 ... communication terminal, 1003, 1005, 1
007, 1009, 1011 ... IC card, 1012
1016, 1019, 1023, 1026 ... Individual numerical values,
1013, 1017 ... Headquarters master key, 1020, 10
24, 1027 ... A office master key, 1015, 10
18, 1022, 1025, 1029 ... Master key for whole area, 101 ... IC card, 102 ... Workstation (WS), 103, 104, 113, 114, 115 ...
Memory, 106, 110 ... CPU, 117 ... Communication network.

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Inventor Hiroshi Matsumoto 3-10-22 Sakae, Naka-ku, Nagoya-shi, Aichi Pref.Nitrate Chubu Software Co., Ltd. Hitachi, Ltd. System Development Laboratory

Claims (14)

[Claims] 1. A group encryption communication method applied to a communication system comprising a plurality of IC cards, a plurality of communication terminals having input / output interfaces of the IC cards, and a communication network connecting the communication terminals, The IC card stores individual numerical values that specify each IC card and a plurality of secret numerical values called a master key that are common to a predetermined subset of IC cards. Generates the communication destination information that identifies the other party with which the communication is to be performed, sends the communication destination information to another terminal, and stores the plurality of the plurality of information stored in the IC card inserted in the own terminal based on the communication destination information. One of the master keys of the above is selected, the group key is generated by using the selected master key, and the communication message is encrypted and recovered by using the generated group key. In the terminal which is the communication destination, the communication message is transmitted and received, the communication destination information is received, and the plurality of the IC cards stored in the IC card inserted in the own terminal based on the communication destination information are transmitted. One of the master keys is selected, a group key is generated using the selected master key, the communication message is encrypted and decrypted using the generated group key, and the communication message is transmitted and received. Group encryption communication method. 2. The communication destination information is composed of information for specifying a destination to communicate with and numerical information arbitrarily selected, and the group key includes the selected master key and the communication destination information. The group encryption communication method according to claim 1, which is generated by using the method. 3. The group cryptographic communication method according to claim 1, wherein the group key is generated by calculation using a hash function. 4. The communication destination information is inspected by using the individual numerical value stored in the IC card, thereby determining whether the communication destination information specifies the individual numerical value of the IC card. 4. The group cryptographic communication method according to claim 1. 5. The process of selecting one from the plurality of master keys based on the communication destination information and generating a group key using the selected master key is executed inside the IC card. Group encryption communication method described in. 6. The IC card further stores a cryptographic function and a secret numerical value called an individual key, which is different for each IC card. When updating the master key of the IC card, the master key is encrypted with the individual key. By inputting the master key ciphertext from the outside into the IC card, decrypting the master key ciphertext using an individual key and an encryption function, and by overwriting the result on the storage area in which the master key is written. The group encryption communication method according to claim 1, which is performed. 7. The IC card further stores a plurality of secret numerical values called cryptographic functions and first, second, ... Individual keys that differ for each IC card, and updates the master key of the IC card. Is a master key division ciphertext obtained by encrypting a master key with a first individual key from an external source, and a master key division ciphertext obtained by encrypting a master key with a second individual key is inputted from an external IC card. , ..., and the plurality of master key division ciphertexts thus input to the IC card are respectively decrypted using the first, second, ... Individual keys and the cryptographic function, and a predetermined operation is performed on the result. 6. The group encryption communication method according to claim 1, wherein the result of performing the above is overwritten on a storage area in which the master key is written. 8. A group encryption communication system comprising a plurality of IC cards, a plurality of communication terminals having IC card input / output interfaces, and a communication network connecting the communication terminals, wherein the IC card comprises , An individual numerical value that identifies each IC card, and a plurality of secret numerical values called a master key that are common in a predetermined subset of IC cards are stored, and the terminal into which the IC card is inserted communicates with each other. Means for generating and outputting communication destination information for specifying a destination to be performed, and the means stored in an IC card inserted in the own terminal based on the communication destination information generated by the own terminal or generated by an external terminal. Means for selecting one from a plurality of master keys, means for generating a group key using the selected master key, and communication using the generated group key Group encryption communication system comprising: a means for encrypting and Fukugoka the message. 9. The communication destination information is composed of information for specifying a destination to communicate with and numerical information arbitrarily selected, and the means for generating the group key includes the selected master key and the selected master key. The group encryption communication system according to claim 8, wherein a group key is generated using communication destination information. 10. The group encryption communication system according to claim 8, wherein the means for generating the group key generates the group key by calculation using a hash function. 11. The communication destination information is inspected by using the individual numerical value stored in the IC card, thereby determining whether the communication destination information specifies the individual numerical value of the IC card. The group encryption communication system according to any one of claims 8 to 10. 12. A means for selecting one of a plurality of master keys based on the communication destination information and a means for generating a group key using the selected master key are provided inside the IC card. The group encryption communication system according to claim 8. 13. The IC card further stores a cryptographic function and a secret numerical value called an individual key, which is different for each IC card, and the IC card has a master key ciphertext obtained by encrypting a master key with the individual key. Means for updating the master key by externally inputting, decrypting the master key ciphertext using an individual key and an encryption function, and overwriting the result on the storage area in which the master key is written. The group encryption method according to claim 8, further comprising: 14. The IC card further stores a plurality of secret numerical values called encryption keys and first, second, ... Individual keys that are different for each IC card, and the IC card stores a master key. The master key division ciphertext encrypted with the first individual key is input from the outside, and the master key is
The master key division ciphertext encrypted with the individual key of
Input into the C card, ..., the plurality of master key division ciphertexts thus input into the IC card are respectively decrypted by using the first, second, ... Individual keys and the encryption function, and the predetermined result is determined. 13. The group encryption method according to claim 8, further comprising means for updating the master key by overwriting a result obtained by performing the operation of 1) on a storage area in which the master key is written.