JPH10210023A - Authentication method, cipher key sharing method, and communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a new method which makes a second station authenticate a first station in a communication system including first and second stations which desire communication. SOLUTION: Secret information Ka (K'a ) common to a first station 11 and a second station 41 is stored in storage parts 13 and 43 of respective stations. The first station 11 transmits user information Ia identifying the first station to the second station 41. One of first and second stations generates random numbers (r) and transmits them to the other. The first station 11 uses random numbers, secret information, and a prescribed algorithm to generate first authentication information and transmits it to the second station 41. The second station 41 uses random numbers, secret information and a prescribed algorithm to generate second authentication information. The second station 41 compares first and second authentication information with each other and discriminates whether they coincide with each other or not to authenticate the validity of the first station.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for authenticating a communication partner between a pair of communicating parties, and a shared encryption key (an encryption key and a decryption key) for performing encrypted communication. And a communication system suitable for implementing the method.

[0002]

2. Description of the Related Art When performing cryptographic communication, one of the important issues is how to share a shared encryption key between communicating parties. For example, Document I (IEEE Trans. On Inform. Theory), IT-22, No. 6, pp. 644
-654 (1976)) and Document II ("Encryption and Information Security", edited by Shigeo Tsujii and Masao Kasahara, Shokodo, pp.72-73, (1990)) citing Document I A method for generating a shared encryption key without sharing a key is disclosed. Specifically, it is assumed that correspondents A and B want to exchange encryption keys. A large prime number n (about 512 bits) and an integer g which is a primitive element of a finite field GF (n) having n elements are disclosed, and a shared encryption key for the communication parties A and B is generated as follows. doing.

(1) A generates a random number x, and X = g
Send ^x mod n to B. Note that g ^x mod n represents a remainder obtained by dividing g ^x by n (the following g ^y mod n
And so on. ).

(2) B generates a random number y, and Y = g
Send ^y mod n to A.

(3) A generates an encryption key as K _A = Y ^x mod n.

(4) B generates an encryption key as K _B = X ^y mod n.

[0007] By simple _{calculation, K A = K B = g} xy mo
dn can be obtained. This value is used as the shared encryption key of the communication parties A and B. On the other hand, when a third party decrypts this encryption key, it is difficult to find a solution in a realistic time because this is a discrete logarithm problem. Therefore, sharing of the encryption key between the communication parties A and B can be ensured.

[0008]

However, the above-mentioned conventional method does not show a method of authenticating a communication partner.

Therefore, the encryption key is generated without the authentication of the communication partner. Therefore, for example, even if the communication information is intercepted and tampered with by a third party (unauthorized communicator) during communication, the encryption key is calculated based on the falsified information, and the encryption key cannot be shared. In some cases.

Therefore, a new method for authenticating a communication partner is desired.

In addition, even if a new method for authenticating a communication partner is developed, information communication for sharing an encryption key between the communication parties is separately performed after the authentication work is completed by the new authentication method. Then, there is a danger that a third party may eavesdrop or attack during the communication work.

Therefore, it is desired to realize an encryption key sharing method capable of not only authenticating a communication partner but also sharing an encryption key between the communication parties.

Further, it is desired to realize a communication system suitable for implementing the above-mentioned authentication method and encryption key sharing method.

[0014]

[Means for Solving the Problems]

(1). Therefore, according to the first invention of the authentication method of this application, in a communication system including a first station and a second station storing common secret information in respective storage means, the second station is In authenticating the first station,
It is characterized by including the following processes.

(A) A process in which the first station transmits user information indicating that it is the first station to the second station. (b) A process in which the first station or the second station generates a random number and transmits it to the other station. (c) The first station generates first authentication information by a predetermined algorithm that receives the random number and the secret information stored in the storage means in the own station, and generates the first authentication information by the second algorithm. The process of transmitting to the station. (d) a process in which the second station generates second authentication information by a predetermined algorithm that receives the random number and the secret information stored in the storage means in the own station. (e) A process in which the second station authenticates the validity of the first station by comparing the first authentication information with the second authentication information.

Here, the secret information is any predetermined secret information that can be shared between the first station and the second station (the same applies to the following inventions). The user information is arbitrary information unique to the first station, and is, for example, a user ID, a name (anything other than a person's name), a mail address, and the like (the same applies to the following inventions).

According to the first aspect of the authentication method, the first method
When the station transmits user information to the second station, the authentication operation starts. Authentication is performed by determining whether the first and second authentication information generated by each station matches or does not match, using secret information, a random number, and a predetermined algorithm common to the first station and the second station. .

In order to implement the first invention of this authentication method, it is preferable to configure a communication system (first communication system invention) including the following means (1) to (7).

(1) From the first station to the second station, a first
User information transmitting means for transmitting user information indicating that the station is the station. (2) A random number generating means provided in the first station or the second station for generating a random number. (3) Random number transmitting means for transmitting the generated random number to the other station. (4) a first algorithm provided in the first station for generating the first authentication information by a predetermined algorithm that receives the random number and the secret information stored in the storage means in the own station as an input; Authentication information generation means. (5) Authentication information transmitting means for transmitting the first authentication information to the second station.
(6) A second algorithm for generating second authentication information by a predetermined algorithm provided in the second station and inputting the random number and the secret information stored in the storage means in the own station. Authentication information generation means. (7) An authentication means provided in the second station for authenticating the validity of the first station by comparing the first authentication information with the second authentication information.

(2). Also, the second of the authentication methods of this application
According to the invention, in a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, , Including the following processes.

(A) A process in which the first station transmits user information indicating that it is the first station to the second station. (b) The first station generates a random number. (c) The first station:
Transmitting the random number to a second station; (d) The first station generates first authentication information by a predetermined algorithm which receives the random number and the secret information stored in the storage means in the own station, and generates the first authentication information by the second algorithm. The process of transmitting to the station. (e) A process in which the second station authenticates the transmitted random number. (f) a process executed when the random number is determined not to be valid in the process of authenticating the random number, wherein the second station determines that the first station is not valid. (g) executed when the random number is determined to be valid in the process of authenticating the random number, wherein the second station is configured to execute the random number and the secret information stored in the storage means in the local station; The second authentication information is generated by a predetermined algorithm that receives
A process of authenticating the validity of the first station by comparing the first authentication information with the second authentication information.

According to the second aspect of the authentication method, the first method
When the station transmits user information and a random number to the second station, the authentication operation starts. Authentication can be performed first on a random number transmitted from the first station. Authentication of the random number can be performed, for example, by checking whether or not the random number transmitted this time from the first station is included in the history of random numbers transmitted in the past from the first station.

The authentication of random numbers has the following role. Even if a third party eavesdrops on the communication information and repeatedly attacks the second station using the communication information, this is an attack using the already used random numbers. Then, since this random number exists in the random number history, the second station can determine that this attack is caused by a third party. As a result, an unjust repetitive attack by a third party can be found, and further intrusion into the communication system by a third party can be prevented. In addition, when the second station determines that the first station is not valid in the random number authentication, the authentication information creation processing on the side of the second station can be omitted. Therefore, the degree to which the second station is occupied by the attack by the third party can be reduced.

When the random number is determined to be valid, the second station generates the second authentication information and compares the first and second authentication information. Can be performed exactly as in the first invention.

In the second aspect of the authentication method, each process of transmitting information does not necessarily require that each process be performed separately. From the viewpoint of reducing the number of times of communication, several transmission processes may be simultaneously performed as long as the information processing is not hindered. For example, user information,
The random number and the authentication information can be transmitted simultaneously.

In order to implement the second invention of the authentication method, it is preferable to configure a communication system (second communication system invention) including the following means (1) to (8).

(1) The first station sends a first message from the first station to the second station.
User information transmitting means for transmitting user information indicating that the station is the station. (2) Random number generation means provided in the first station for generating a random number. (3) random number transmitting means for transmitting the generated random number to the second station. (4) a first algorithm provided in the first station for generating the first authentication information by a predetermined algorithm that receives the random number and the secret information stored in the storage means in the own station as an input; Authentication information generation means. (5) Authentication information transmitting means for transmitting the first authentication information to the second station. (6) A random number authenticating means provided in the second station for authenticating the transmitted random number. (7) To generate second authentication information by a predetermined algorithm provided in the second station and inputting the transmitted random number and the secret information stored in the storage means in the own station. Second authentication information generating means. (8) The first station is provided in the second station, and compares the first authentication information with the second authentication information to obtain the first authentication information.
Authentication means to authenticate the validity of the station.

(3). In addition, the third method of the authentication method of this application
According to the invention, in a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, , Including the following processes.

(A) A process in which the first station transmits user information indicating that it is the first station to the second station. (b) A process in which the first station or the second station generates a random number and transmits it to the other station. (c) a process of counting the number of times the first station has accessed the second station and transmitting the number of accesses to the second station. (d) The first station generates first authentication information by a predetermined algorithm that receives the random number, the access count, and the secret information stored in the storage unit in the first station, and generates the first authentication information. Transmitting to the second station; (e) a process in which the second station authenticates the transmitted access count. (f) A process executed when the number of accesses is determined to be invalid in the process of authenticating the number of accesses, and the second station determines that the first station is not valid. (g) executed when the access count is determined to be valid in the process of authenticating the access count, and the second station stores the random number, the access count, and the storage means in its own station. The second authentication information is generated by a predetermined algorithm that receives the secret information as input, and the first authentication information and the second authentication information are compared by comparing the first authentication information with the second authentication information. Processing to authenticate validity.

According to the third aspect of the authentication method, the first method
When the station transmits the user information, the random number, and the access count to the second station, the authentication operation starts. Authentication is also the first
Can be performed first for the number of accesses transmitted from the other station. Authentication of access count is, for example, a first transmitted from the station came and the number of accesses n _'a when the previous transmission, the first being transmitted this time from the station to the access number has n _a, a communication Miss When the number considered is ε, n ' <sub>a
+ Ε> n a> n '</sub> a that can be performed by checking whether the inequality is satisfied relationship.

Authentication of the number of accesses has the following role. Even if a third party eavesdrops on the communication information and repeatedly attacks the second station using the same, the number of accesses transmitted by this attack is the same as the value already transmitted. Then, since the above inequality relation is not satisfied, the second station can determine that this attack is caused by a third party.
As a result, an unjust repetitive attack by a third party can be found, and further intrusion into the communication system by a third party can be prevented. In addition, when the second station determines that the first station is not valid in the authentication of the number of times of access, the authentication information creating process on the second station side can be omitted. For this reason, the degree to which the second station is occupied by a third party attack can be reduced.

In the second invention, it is necessary to store the random numbers used in the past. On the other hand, in the third invention, it is only necessary to store the number of accesses. Can be saved.

If the number of accesses is determined to be valid, the second station generates the second authentication information and compares the first and second authentication information. Authentication can be performed accurately.

Further, in the case of the third invention, since the authentication information is generated by using a random number, the number of times of access, secret information and a predetermined algorithm, more detailed authentication can be performed as compared with the first invention.

In implementing the third invention of this authentication method, it is preferable that the first station generates a random number and transmits it to the second station. In this case, when transmitting the user information, a random number can be transmitted together. On the other hand, if the second station has a procedure for generating random numbers, the first station needs to separately transmit a random number that is indispensable for generating authentication information from the second station to the first station. The first
The number of communications increases as compared with the case where the station generates a random number.

In order to implement the third invention of this authentication method, it is preferable to configure a communication system (third invention of the communication system) including the following means (1) to (10).

(1) From the first station to the second station, a first
User information transmitting means for transmitting user information indicating that the station is the station. (2) A random number generating means provided in the first station or the second station for generating a random number. (3) Random number transmitting means for transmitting the generated random number to the other station. (4) An access number counting means provided in the first station for counting the number of times the first station has accessed the second station. (5) An access count transmitting means for transmitting the access count to the second station. (6)
A first algorithm for generating first authentication information by a predetermined algorithm which is provided in the first station and receives the access count, the random number, and the secret information stored in the storage means in the own station; Authentication information generating means. (7) The first
Authentication information transmitting means for transmitting the authentication information to the second station. (8) Access number authentication means provided in the second station for authenticating the transmitted access number. (9) The second authentication information is provided in the second station by a predetermined algorithm that receives the transmitted access count, the random number, and the secret information stored in the storage means in the own station, and Second authentication information generating means for generating. (10) Authentication means provided in the second station for authenticating the validity of the first station by comparing the first authentication information with the second authentication information.

(4). In addition, the fourth method of the authentication method of this application
According to the invention, in a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, , Including the following processes.

(A) A process in which the first station transmits user information indicating that it is the first station to the second station. (b) The first station generates a random number. (c) the first station generates authentication information by encrypting the random number and the user information using the secret information stored in the storage means in the own station as a key, and generates the authentication information by the second station. The process of transmitting to the station. (d) a process in which the second station decrypts the transmitted authentication information using the secret information stored in the storage unit in the second station as a key. (e) the second station compares the user information obtained in the decryption with the transmitted user information, and authenticates the random number obtained in the decryption to obtain the first information. The process of verifying the validity of a station.

According to the fourth aspect of the authentication method, the first method
When the station transmits user information to the second station, the authentication operation starts. Moreover, the first station encrypts the user information and the random number and sends them to the second station, which decrypts them and thereby authenticates the first station. Since encryption and decryption are included, it is considered that the authentication method itself is less likely to be decrypted.

Also in the case of the fourth invention, a random number is generated each time the first station accesses the second station. This random number is transmitted to the second station in an encrypted state, and is decrypted at the second station. The decrypted random number is authenticated. The authentication of the random number can be performed, for example, by checking whether or not the currently decoded random number is included in the history of the random number decoded in the past communication. Even if a third party eavesdrops on the communication information and uses it to attack the second station, the random number decoded from the communication information is the already used random number. Then, the second station can determine that this attack is caused by a third party. In other words, if the authentication is only for the decrypted user information, the third party is legitimate when the third party eavesdrops on the communication information and sends it.
According to the fourth aspect, the decrypted random number is also authenticated, so that an attack by a third party can be prevented.

In the fourth aspect of the authentication method, each process of transmitting information does not mean that it is essential to perform each process separately. From the viewpoint of reducing the number of times of communication, several transmission processes may be simultaneously performed as long as the information processing is not hindered. For example, user information,
The random number and the authentication information can be transmitted simultaneously.

In order to implement the fourth invention of this authentication method, it is preferable to configure a communication system (fourth invention of a communication system) comprising the following means (1) to (6).

(1) From the first station to the second station, a first
User information transmitting means for transmitting user information indicating that the station is the station. (2) Random number generation means provided in the first station for generating a random number. (3) Authentication for generating authentication information by encrypting the random number and the user information using the secret information stored in the storage unit in the first station as a key and provided in the first station. Information generation means.
(4) Authentication information transmitting means for transmitting the authentication information to the second station. (5) Authentication information decryption means provided in the second station for decrypting the transmitted authentication information using the secret information stored in the storage means in the own station as a key. (6) provided in the second station, by comparing the user information obtained by the decoding with the transmitted user information, and by authenticating the random number obtained by the decoding Authentication means for authenticating the validity of the first station.

(5). In addition, the fifth of the authentication method of this application
According to the invention, in a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, , Including the following processes.

(A) A process in which the first station transmits user information indicating that it is the first station to the second station. (b) a process in which the first station generates a first random number and a second random number. (c) the first station transmits the first random number to the second
The process of transmitting to the station. (d) a process in which the first station encrypts the user information using the second random number as a key to generate a first ciphertext. (e) a key of an encryption algorithm for the first station to generate authentication information by a predetermined algorithm which receives the secret information and the first random number stored in the storage means in the first station; Processing to generate.
(f) the first station further encrypts the second random number and the first ciphertext using the key of the encryption algorithm to generate a second ciphertext, and the second ciphertext is used as authentication information. Processing for transmitting to the second station. (g) A process in which the second station authenticates the transmitted first random number. (h) a process executed when the first random number is determined to be invalid in the process of authenticating the first random number, and the second station invalidating the first station. (i) executed when the first random number is determined to be valid in the process of authenticating the first random number, wherein the second station is stored in the storage means in its own station. A key for decrypting authentication information is generated by a predetermined algorithm that receives the secret information and the first random number as input, and the transmitted authentication information is decrypted using the key, and the key is decrypted. Authenticating the first station by comparing the received user information with the transmitted user information.

According to the fifth aspect of the authentication method, the first random number can be authenticated in the authentication operation. The authentication of the first random number can be performed by, for example, a method of referring to the random number history as described in the description of the second invention. Then, the advantage of authenticating the random numbers described in the second invention can be obtained in the fifth invention as well.

In the fifth aspect of the authentication method, the original authentication operation is performed as follows. The first station generates a first ciphertext, encrypts the first ciphertext, and generates authentication information. The second station decrypts the authentication information and the second station authenticates the first station with the information obtained from the decryption.
Since the double encryption is used, it is considered that the authentication method itself is more difficult to be deciphered than in the fourth aspect of the invention.
Also, since the first and second random numbers used to generate the authentication information are the first and second random numbers, it is considered that the authentication method itself is less likely to be deciphered than when only one random number is used to generate the authentication information.

In the fifth aspect of the authentication method, each process of transmitting information does not necessarily mean that each process is performed separately. From the viewpoint of reducing the number of times of communication, several transmission processes may be simultaneously performed as long as the information processing is not hindered.

In order to carry out the fifth invention of this authentication method, it is preferable to constitute a communication system (fifth invention of a communication system) comprising the following means (1) to (11).

(1) User information transmitting means for transmitting user information indicating the first station from the first station to the second station. (2) The first station is provided in the first station.
Random number generating means for generating a random number and a second random number. (3) Random number transmitting means for transmitting the generated first random number to the second station. (4) Ciphertext generation means provided in the first station for encrypting the user information using the second random number as a key to generate a first ciphertext.
(5) An encryption algorithm for generating authentication information by a predetermined algorithm provided in the first station and inputting the first random number and the secret information stored in the storage means in the own station. Encryption key generation means for generating a key for the key. (6) The second station is provided in the first station, and further encrypts the second random number and the first cipher text using the key of the encryption algorithm to generate a second cipher text as authentication information. Authentication information generating means. (7) Authentication information transmitting means for transmitting the authentication information to the second station. (8) A random number authenticating means provided in the second station for authenticating the transmitted first random number. (9) The authentication information is decrypted by a predetermined algorithm provided in the second station and inputting the transmitted first random number and the secret information stored in the storage means in the own station. Key generating means for generating a key for decryption. (10) An authentication information decrypting means provided in the second station for decrypting the authentication information using the decryption key. (11) Authentication means provided in the second station for authenticating the validity of the first station by comparing the user information obtained by the decoding with the transmitted user information. .

(6). In addition, the sixth method of the authentication method of this application
According to the invention, in a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, , Including the following processes.

(A) A process in which the first station transmits user information indicating that it is the first station to the second station. (b) The first station generates a random number. (c) a process of counting the number of times the first station has accessed the second station.
(d) a process in which the first station encrypts the user information and the access count using the random number as a key. (e) the first station further encrypts the encrypted user information and the access count using the secret information stored in the storage means in the own station as a key, and uses the encrypted information as authentication information. Processing for transmitting to the second station. (f) A process in which the second station decrypts the transmitted authentication information using the secret information stored in the storage unit in the second station as a key.
(g) the second station compares the user information obtained in the decryption with the transmitted user information, and authenticates the number of accesses obtained in the decryption to obtain the first information. Process to authenticate the validity of the station.

According to the sixth aspect of the authentication method, the first method
Station generates authentication information by a first encryption using a random number as a key and a second encryption using a secret information as a key.
To the station. On the other hand, the second station has the secret information in its own storage means in advance. Therefore, the second station can decrypt the authentication information transmitted from the first station using the secret information and the random number as keys. Then, the authenticity of the first station is authenticated based on the decrypted information. Moreover, both user information and the number of accesses are encrypted,
In addition, since double encryption is performed, it is considered that the authentication method itself is difficult to be decrypted.

Further, in the sixth aspect of the authentication method, the number of times of decryption access is authenticated. Authentication of access count is, for example, as described _{above, n 'a + ε> n} a>n' a that can be performed by checking whether the inequality is satisfied relationship. Even if a third party eavesdrops on the communication information and repeatedly attacks the second station using the same, this is an attack based on the communication information including the same value as the number of accesses already used. Then, since the above inequality relation is not satisfied, the second station can determine that this attack is caused by a third party.

It should be noted that in the sixth aspect of the authentication method, it is not essential that each processing for transmitting information be performed separately. From the viewpoint of reducing the number of times of communication, several transmission processes may be simultaneously performed as long as the information processing is not hindered.

In order to implement the sixth invention of this authentication method, it is preferable to configure a communication system (sixth invention of a communication system) including the following means (1) to (8).

(1) User information transmitting means for transmitting user information indicating that the station is the first station from the first station to the second station. (2) Random number generation means provided in the first station for generating a random number. (3) Access number counting means provided in the first station for counting the number of times the first station has accessed the second station.
(4) Encryption means provided in the first station for encrypting the user information and the number of accesses using the random number as a key. (5) The authentication information is provided by further encrypting the encrypted user information and the access count using the secret information stored in the storage unit in the first station as a key and provided in the first station. Authentication information generation means for generating. (6) Authentication information transmitting means for transmitting the authentication information to the second station. (7) Authentication information decryption means provided in the second station for decrypting the transmitted authentication information using the secret information stored in the storage means in the own station as a key. (8) provided in the second station, by comparing the user information obtained by the decoding and the transmitted user information, and by authenticating the number of access obtained by the decoding, First
Authentication means to authenticate the validity of the station.

(7). In addition, the seventh method of the authentication method of this application
According to the invention, in a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, , Including the following processes.

(A) A process in which the first station transmits user information indicating that it is the first station to the second station. (b) a process in which the first station generates a first random number and a second random number. (c) a process in which the first station transmits the first random number to the second station. (d) a process of counting the number of times the first station has accessed the second station. (e) a process in which the first station encrypts the user information and the number of accesses using the second random number as a key to generate a first ciphertext. (f) a key of an encryption algorithm for the first station to generate authentication information by a predetermined algorithm that receives the secret information and the first random number stored in the storage means in the first station; Processing to generate. (g) the first station further encrypts the second random number and the first ciphertext using the key of the encryption algorithm to generate a second ciphertext, and the second ciphertext is used as authentication information. Processing for transmitting to the second station. (h) a key for the second station to decrypt the authentication information by a predetermined algorithm which receives the secret information and the first random number stored in the storage means in the own station; The process to generate. (i) a process in which the second station decrypts the transmitted authentication information using the decryption key. (J) authenticating the first station by comparing the user information obtained in the decryption with the transmitted user information, and authenticating the number of accesses obtained in the decryption; Processing to do.

According to the seventh aspect of the authentication method, the first method
Station generates a first cipher text using the second random number as a key.
Further, the first station generates a key of an encryption algorithm using secret information, a first random number and a predetermined algorithm, and further encrypts the first ciphertext using the key to generate a second ciphertext. Is transmitted to the second station as authentication information. On the other hand, a first random number is transmitted from the first station to the second station, and the second station has the secret information itself and the predetermined algorithm itself in advance. Therefore, the second station can generate a key for decryption using the first random number, the secret information, and a predetermined algorithm. When the authentication information is decrypted using the generated decryption key, the second
, That is, the key used to generate the first ciphertext. When the authentication information is decrypted using the second random number as a key, the user information and the access count can be decrypted.

In the case of the seventh invention of this authentication method, both: user information and the number of times of access are encrypted,: double encryption is performed, and: encryption key for generating authentication information and authentication are also used. Since each of the decryption keys for information decryption is generated using secret information, a first random number, and a predetermined algorithm, it is considered that the authentication method itself is more difficult to decrypt than in the sixth aspect of the invention.

Further, in the seventh invention of this authentication method, the number of times of access that has been decrypted is authenticated. Authentication of access count is, for example, as described _{above, n 'a + ε> n} a>n' a that can be performed by checking whether the inequality is satisfied relationship. Even if a third party eavesdrops on the communication information and repeatedly attacks the second station using the same, this is an attack using the number of accesses already used. Then, since the above inequality relation is not satisfied, the second station can determine that this attack is caused by a third party.

In the seventh aspect of the authentication method, each process of transmitting information does not necessarily mean that each process is performed separately. From the viewpoint of reducing the number of times of communication, several transmission processes may be simultaneously performed as long as the information processing is not hindered.

In order to implement the seventh invention of this authentication method, it is preferable to configure a communication system (seventh invention of a communication system) including the following means (1) to (11).

(1) User information transmitting means for transmitting user information indicating the first station from the first station to the second station. (2) The first station is provided in the first station.
Random number generating means for generating a random number and a second random number. (3) Random number transmitting means for transmitting the generated first random number to the second station. (4) An access number counting means provided in the first station for counting the number of times the first station has accessed the second station. (5) Ciphertext generation means provided in the first station for encrypting the user information and the number of accesses using the second random number as a key to generate a first ciphertext. (6) An encryption algorithm for generating authentication information by a predetermined algorithm provided in the first station and inputting the first random number and the secret information stored in the storage means in the own station. Encryption key generation means for generating a key for the key. (7) The second station is provided in the first station, and further encrypts the second random number and the first cipher text using the key of the encryption algorithm to generate a second cipher text as authentication information. Authentication information generating means. (8) Authentication information transmitting means for transmitting the authentication information to the second station. (9) The authentication information is decrypted by a predetermined algorithm provided in the second station and inputting the transmitted first random number and the secret information stored in the storage means in the own station. Key generating means for generating a key for decryption. (10) An authentication information decrypting means provided in the second station for decrypting the transmitted authentication information using the decryption key. (11) provided in the second station, by comparing the user information obtained by the decoding and the transmitted user information, and by authenticating the number of accesses obtained by the decoding Authentication means for authenticating the validity of the first station.

The first to seventh inventions of the above-mentioned authentication method are as follows:
In this example, authentication is performed by directly communicating between the first station and the second station. However, in a communication system, a reliable third station that authenticates the first station on behalf of the second station is inserted between the first station and the second station that want to communicate, or an intermediate station. Bureaus often enter. This is for the purpose of, for example, distributing the load of the first station or the second station that desires communication.
The eighth to tenth inventions of the authentication method are examples.

(8). According to the eighth invention of the authentication method of this application, the first station and the second station that desire to communicate,
A third trusted station that authenticates on behalf of the second station, wherein the first and third stations store common secret information in respective storage means; When the third station actually authenticates the first station, the third station includes the following processes.

(A) A process in which the first station generates a random number and transmits the random number and user information indicating that the station is the first station to the second station. (b) a process in which the first station generates authentication information using the random number and the secret information stored in the storage means in the own station, and transmits the authentication information to the second station. (c) a process in which the second station transmits user information, a random number, and authentication information transmitted from the first station to the third station. (d) the third station authenticates the authentication information transmitted from the second station using the random number and the secret information stored in the storage means in the own station, thereby performing the first Process to authenticate the validity of the station. (e) a process in which the third station transmits an authentication result to the second station.

According to the eighth aspect of the authentication method, the second method
Transmitting the user information, the random number, and the authentication information transmitted from the first station to the third station, causing the third station to authenticate the first station, and receiving the result. Can be done. Even if the second station does not have common secret information with respect to the first station, the second station trusts whether the first station is a legitimate communicator. Authentication can be performed with the help of a third station. Therefore, the second station can communicate with the first station with confidence. Since the second station does not perform the authentication operation, the load on the second station is reduced.

In the case of the eighth invention of the authentication method, since the first station generates a random number, the random number can be transmitted to the second station together with the user information. When a random number is generated in the second station (a ninth invention of the authentication method described later), the first station transmits a random number necessary for generating authentication information to the first station by the second station. Since processing is required, the number of times of communication increases. Considering this point, it is preferable that the first station generates a random number.

In the eighth aspect of the authentication method, the method of generating the authentication information and the authentication of the authentication information are arbitrary. This is because information exchange between the first to third stations is devised so that the third station can authenticate the first station in place of the second station when the third station is included. (This is the same in the ninth invention of the following authentication method.) However, it is preferable to use any one of the authentication information generation procedure and the authentication information authentication procedure claimed in the second to seventh aspects of the authentication method (the following authentication method). The same applies to the ninth invention.). This is because even if a third station is added, the above-described effect of preventing a repeated attack by a third party (an unauthorized communication party) can be obtained.

In order to implement the eighth invention of this authentication method, it is preferable to constitute a communication system (eighth invention of a communication system) including the following means (1) to (8).

(1) First communication from the first station to the second station
User information transmitting means for transmitting user information indicating that the station is the station. (2) Random number generation means provided in the first station for generating a random number. (3) random number transmitting means for transmitting the generated random number to the second station. (4) Authentication information generation means provided in the first station for generating authentication information using the random number and the secret information stored in the storage means in the own station. (5) The authentication information is stored in the second
Authentication information transmitting means for transmitting to an office. (6) Transmission means for transmitting the user information, the random number, and the authentication information transmitted from the first station to the second station to the third station. (7) The first station is provided by authenticating the authentication information transmitted from the second station using the secret information stored in the storage means in the own station. Authentication means to authenticate the validity of the station. (8) Means provided in the third station for transmitting the authentication result to the second station.

(9). According to the ninth invention of the authentication method of this application, the first station and the second station that desire communication and the reliable third station that performs authentication in place of the second station are included. In a communication system in which the first station and the third station store common secret information in their respective storage units, the following processing is performed when the third station authenticates the first station. It is characterized by including.

(A) A process in which the first station transmits user information indicating that it is the first station to the second station. (b) When the second station receives the user information, generates a random number and transmits the random number to the first station. (c) the first
Station generates authentication information using the random number transmitted from the second station and the secret information stored in the storage means in the own station, and transmits the authentication information to the second station. .
(d) a process in which the second station transmits the random number, and user information and authentication information transmitted from the first station to the third station. (e) the third station authenticates the user information and the authentication information transmitted from the second station using the secret information stored in the storage means in the own station, and Processing to authenticate the validity of one station. (f)
A process in which the third station transmits an authentication result to the second station.

In the ninth aspect of the authentication method, as in the eighth aspect, even if the second station does not have the common secret information with respect to the first station, the second station will Whether or not one station is a valid communicator can be authenticated with the help of a third station trusted by the second station. Therefore, the second station can communicate with the first station with confidence.

Further, in this case, since the second station generates a random number, it is possible to prevent a repeated attack (illegal communication) on the second station.

In order to implement the ninth invention of this authentication method, it is preferable to configure a communication system (a ninth invention of a communication system) including the following means (1) to (8).

(1) First communication from the first station to the second station
User information transmitting means for transmitting user information indicating that the station is the station. (2) Random number generation means provided in the second station for generating a random number when receiving the user information. (3) random number transmitting means for transmitting the generated random number to the first station. (4) Authentication information generation means provided in the first station for generating authentication information using the random number and the secret information stored in the storage means in the own station. (5) Authentication information transmitting means for transmitting the authentication information to the second station. (6) Transmission means for transmitting the random number and the user information and the authentication information transmitted from the first station to the second station to the third station.
(7) The first station is provided by authenticating the authentication information transmitted from the second station using the secret information stored in the storage means in the own station. Authentication means to authenticate the validity of the station. (8) Means provided in the third station for transmitting an authentication result to the second station.

(10). The first of the authentication methods of this application
According to the first invention, the first station and the second
, And an intermediate station interposed between the stations, wherein the first station and the second station perform the following processes in a communication system in which common secret information is stored in respective storage means. It is characterized by including.

(A) A process in which the first station transmits user information indicating that it is the first station to the intermediate station. (b) a process in which the intermediate station generates a random number upon receiving the user information and transmits the random number to the first station. (c) the first station generates authentication information using the random number transmitted from the intermediate station and the secret information stored in the storage means in the own station, and transmits the authentication information to the intermediate station. Processing to do. (d) a process in which the intermediate station transmits the random number, and user information and authentication information transmitted from the first station to the second station. (e) the second station authenticates the authentication information transmitted from the intermediate station using the secret information stored in the storage means in the own station, thereby validating the first station. Authentication process.

According to the tenth aspect of the authentication method, the intermediate station performs a relay process between the first station and the second station. Even when an intermediate station that does not share secret information intervenes between the first station and the second station, the second station can authenticate whether the first station is a legitimate communicator. it can. Therefore, the second station can communicate with the first station with confidence. Moreover, since the intermediate station performs the random number generation processing, the load on the first station and the second station can be reduced correspondingly.

In the tenth aspect of the authentication method, it is optional how to generate the authentication information or authenticate the authentication information. The reason for this is that information transmission and reception of the first, second, and intermediate stations are devised so that the second station can authenticate the first station even when the intermediate station is included. However, preferably, it is preferable to use any one of the authentication information generation procedure and the authentication information authentication procedure claimed in the second to seventh aspects of the above authentication method. This is because even if added, the above-described effect of preventing a replay attack by a third party (unauthorized communicator) can be obtained.

In order to implement the tenth invention of this authentication method, it is preferable to configure a communication system (a tenth invention of a communication system) including the following means (1) to (7).

(1) User information transmitting means for transmitting user information indicating the first station from the first station to the intermediate station. (2) Random number generation means provided in the intermediate station for generating a random number when receiving the user information.
(3) random number transmitting means for transmitting the generated random number to the first station. (4) Authentication information generation means provided in the first station for generating authentication information using the transmitted random number and the secret information stored in the storage means in the own station. (5) Authentication information transmitting means for transmitting the authentication information to the intermediate station. (6) The random number and the first
Transmitting means for transmitting the user information and the authentication information transmitted from the station to the intermediate station to the second station. (7) The authenticity of the first station is authenticated by authenticating the transmitted authentication information provided in the second station using the secret information stored in the storage means in the own station. Authentication means to do.

(A). In carrying out each of the first to third inventions of the authentication method, each of the first station and the second station uses a plurality of types of algorithms that can be used as the predetermined algorithm and similarly (the same type). (Purpose) It is preferable to prepare in advance. In addition, one of the first and second stations generates a selection signal, and the first and second stations select one of the plurality of algorithms in response to the selection signal. Preferably, the first station generates the first authentication information and the second station generates the second authentication information according to the algorithm. In this case, the number of algorithms for generating authentication information increases as much as the algorithm can be changed, so that the authentication method is difficult to be decrypted. Therefore, a communication system having excellent security protection capability can be realized.

Note that the plurality of types of algorithms prepared for each of the first and second stations are preferably, for example, algorithms stored in a state where numbers are commonly assigned to both stations. When the number is specified, it is preferable that the same algorithm is selected in both stations. ((B) below,
The same applies to (D). ).

(B). Further, in carrying out the fifth and seventh inventions of the authentication method, each of the first station and the second station has a plurality of algorithms that can be used as the predetermined algorithm and similarly (the same type). (Purpose) It is preferable to prepare in advance. In addition, one of the first and second stations generates a selection signal, and in response thereto, the first and second stations select one of the plurality of algorithms, and the selected Preferably, the first station generates an encryption algorithm key according to an algorithm, and the second station generates a key for decrypting the authentication information. In this case, the number of types of keys increases because the algorithm can be changed, and the number of algorithms for generating authentication information increases. Therefore, a communication system having excellent security protection capability can be realized.

(C). It is preferable to use a one-way function as a predetermined algorithm used when creating authentication information. Specifically, a predetermined algorithm for creating the first and second authentication information in the first to third inventions of the authentication method, respectively, and a key of the encryption algorithm and decryption in the fifth and seventh inventions It is preferable to use a one-way function as a predetermined algorithm for generating each key for use. One-way functions are also called one-way hash functions, or simply hash functions. This is a function f (x) that is easy to calculate f (x) from x, but very difficult to find x from f (x). Using a one-way function,
It is possible to reduce the risk that secret information and random numbers are decrypted from the authentication information.

(D). In carrying out each of the fourth to seventh inventions of the authentication method, the first station and the second station each have an algorithm for generating the authentication information and an algorithm for decoding the authentication information. It is preferable to prepare a plurality of types of encryption algorithms that can be used as the same (the same type) in advance. In addition, one of the first and second stations generates a selection signal, and in response thereto, the first and second stations select one from the plurality of encryption algorithms, and It is preferable that the first station performs encryption for generating the authentication information and the second station decrypts the authentication information using the encryption algorithm. In this case, since the number of algorithms for generating authentication information increases as much as the encryption algorithm can be changed, the authentication method is difficult to be decrypted. Therefore, a communication system having excellent security protection capability can be realized.

(I). According to a first aspect of the encryption key sharing method of this application, the first station is authenticated by any one of the first to third aspects of the authentication method:
If the authentication is valid, the first station and the second station respectively generate a shared encryption key using a predetermined encryption key generation algorithm that receives the random number and the secret information, and It is a shared encryption key for the first and second stations.

According to the first aspect of the encryption key sharing method, when the first station is authorized, the shared encryption key is continuously generated, so that the authentication of the first station and the generation of the shared encryption key are performed. Can be performed continuously. Of course, an encryption key can be generated using random numbers and secret information that are information used in the authentication method.

To implement the first invention of the encryption key sharing method, a communication system (first communication system) will be described as follows.
(Invention 1) is preferable. That is, in addition to any one of the first to third aspects of the communication system,
An encryption key generation algorithm that is provided in each of the first and second stations and that operates when the authentication unit determines that the first station is legitimate and receives the random number and the secret information as input; A communication system further comprising a shared encryption key generation means for generating a shared encryption key by using the method.

(II). Further, according to the second invention of the encryption key sharing method of this application, the first station is authenticated by the fourth or sixth invention of the authentication method, and: Each of the first station and the second station generates a shared encryption key by a predetermined encryption key generation algorithm that receives the random number as an input, and uses this as the shared encryption key of the first and second stations. Features.

According to the second aspect of the encryption key sharing method, when the first station is authorized, the shared encryption key is continuously generated, so that the authentication of the first station and the generation of the shared encryption key are performed. Can be performed continuously. Of course, an encryption key can be generated using the random number used in the authentication method.

In order to carry out the invention of the second invention of this encryption key sharing method, it is preferable to configure a communication system (a twelfth invention of the communication system) as follows. That is, in addition to the configuration of the communication system according to the fourth or sixth aspect, the communication system is provided in each of the first station and the second station,
A communication system further comprising a shared encryption key generation unit that operates when the authentication unit determines that the first station is valid, and generates a shared encryption key by an encryption key generation algorithm that receives the random number as an input.

(III). Further, according to the third invention of the encryption key sharing method of the present application: the fifth or seventh authentication method;
Authenticating the first station according to the invention of the above, and: if the authentication is valid, a predetermined encryption key generation algorithm in which each of the first station and the second station inputs the second random number Generates a shared encryption key by
: This is used as a shared encryption key for the first and second stations.

According to the third aspect of the encryption key sharing method, when the first station is authorized, the shared encryption key is continuously generated, so that the authentication of the first station and the generation of the shared encryption key are performed. Can be performed continuously. Of course, the encryption key can be generated using the second random number that is the information used in the authentication method.

In order to implement the third invention of the encryption key sharing method, it is preferable to configure a communication system (a thirteenth invention of a communication system) as follows. That is, in addition to the configuration of the fifth or seventh invention of the communication system, the communication system is provided in each of the first station and the second station,
A shared encryption key generation unit that operates when the authentication unit determines that the first station is legitimate and generates a shared encryption key by using an encryption key generation algorithm that receives the second random number as input; Communications system.

In implementing the first to third inventions of the encryption key sharing method, each of the first and second stations has a plurality of algorithms that can be used as the predetermined encryption key generation algorithm. It is prepared in advance of the same kind (the same kind). And the first
And the second station generates a selection signal. In response, the first and second stations select one of the plurality of encryption key generation algorithms, and select the selected encryption key. The first station and the second station
It is preferable that each station generates a shared encryption key.
In this case, since the number of encryption key generation algorithms increases, it becomes difficult to decrypt the encryption key. Therefore, a communication system having excellent security protection capability can be realized.

(IV). According to a fourth aspect of the encryption key sharing method of the present application, the first station is authenticated by the eighth or ninth aspect of the authentication method, and: Generating a shared encryption key in each of the first station and the third station;
The second station transmits the shared encryption key to the second station, and the second station uses the same as the shared encryption key.

According to the fourth aspect of the encryption key sharing method, if the first station is authorized, the shared encryption key is continuously generated, so that the authentication of the first station and the generation of the shared encryption key are performed. Can be performed continuously.

In order to implement the invention of the fourth invention of this encryption key sharing method, it is preferable to configure a communication system (a fourteenth invention of the communication system) as follows. That is, in addition to the configuration of the communication system according to the eighth or ninth aspect of the present invention, in the case where the first station and the third station are provided in each of the first and third stations and the first station is determined to be valid by the authentication means. And a shared encryption key transmitting means for transmitting the shared encryption key generated by the third station to the second station.

(V). According to the fifth aspect of the encryption key sharing method of the present application, the first station is authenticated by the tenth invention of the authentication method, and: if the authentication is valid, the first station is authenticated. A shared encryption key is generated by each of the station and the second station, and this is used as the shared encryption key of the first and second stations.

According to the fifth aspect of the encryption key sharing method, if the first station is authorized, the shared encryption key is continuously generated, so that the authentication of the first station and the generation of the shared encryption key are performed. Can be performed continuously.

In order to carry out the fifth invention of the encryption key sharing method, it is preferable to configure a communication system (a fifteenth invention of the communication system) as follows. That is, in addition to the configuration of the communication system according to the tenth aspect, the communication system is provided in each of the first and second stations and operates when the authentication unit determines that the first station is valid. A communication system further comprising a shared encryption key generation unit.

In practicing the invention of the communication system, it is particularly preferable to configure as follows.

(I) In practicing the second invention of the communication system, the random number authenticating means may be means for determining that the first station is not valid when the random number is judged to be invalid. It is suitable. Moreover, it is preferable that each of the second authentication information generation unit and the authentication unit is a unit that operates when the random number authentication unit determines that the random number is valid. This can prevent the second authentication information generation unit and the authentication unit from operating more than necessary, so that the processing capacity of the communication system can be improved, congestion can be reduced, and the like.

(Ii) In practicing the third invention of the communication system, the access number authentication means is means for determining that the first station is invalid if the access number is judged to be invalid. Is preferred. Moreover,
It is preferable that each of the second authentication information generation unit and the authentication unit is a unit that operates when the access count authentication unit determines that the access count is valid. This can prevent the second authentication information generation unit and the authentication unit from operating more than necessary, so that the processing capacity of the communication system can be improved, congestion can be reduced, and the like.

(Iii) In implementing the fifth aspect of the communication system, when the first random number authenticating means determines that the first random number is not valid, it determines that the first station is not valid. It is preferable to use a means for performing this. In addition, it is preferable that each of the decryption key generation unit, the authentication information decryption unit, and the authentication unit is a unit that operates when the first random number authentication unit determines that the first random number is valid. is there. This can prevent the decryption key generation unit, the authentication information decryption unit, and the authentication unit from operating more than necessary, so that the processing capacity of the communication system can be improved and congestion can be alleviated.

[0112]

Embodiments of the present invention will be described below with reference to the drawings. However,
Each drawing used in the description is schematically illustrated to an extent that these inventions can be understood. Also, in each of the drawings, the same components are denoted by the same reference numerals, and duplicate description thereof may be omitted.

The first station, the second station, the third station, and the intermediate station referred to in this application can be constituted by a computer. In addition, each station forms a communication system by being connected by a communication line. The communication protocol can be any protocol. In addition, each unit such as an authentication information generation unit and an authentication unit referred to in the present invention includes a CPU, a memory,
It can be configured by combining an interface circuit and the like and a communication line connecting the computers.

1. First Embodiment First, embodiments of a first invention of an authentication method, a first invention of an encryption key sharing method, and first and eleventh inventions of a communication system will be described together.

1-1. Description of Configuration of Communication System FIG. 1 is a diagram for explaining a configuration of a communication system according to the first embodiment.

The first station 11 has a secret information storage unit 13 and
User information storage unit 15 and transmission / reception interface 17
Means for storing a plurality of predetermined algorithms (referred to as function f table 19);
1 (also referred to as a f _i operation unit 21)
Means for storing a plurality of encryption key generation algorithms
(Referred to as a function g table 25) and a shared key storage unit 27.

[0117] Here, the secret information storage unit 13 is a storage unit for storing a common secret information K _a in the first station and the second station. The secret information storage unit 13 is connected to the authentication information generation unit 21 and the shared key generation unit 23.
The authentication information generation unit 21 and the shared key generation unit 23 can read the secret information from the secret information storage unit 13 as needed.

[0118] The user information storage unit 15 is storage means for storing user information I _a for the first station 11. The user information storage unit 15 is connected to the transmission / reception interface 17, and can transmit user information to another station (here, the first station) as needed.

The transmission / reception interface 17 cooperates with the communication line (100 in FIG. 1) and the transmission / reception interface 45 of the second station 41 to constitute various transmission means according to the present invention.

The function f table 19 is a storage means for storing a plurality of predetermined algorithms used when the first authentication information generation means 21 generates the first authentication information, as will be described later in detail. The function f table 19 includes the first authentication information generation unit 21 and the transmission / reception interface 1.
7 is connected.

The first authentication information generating means 21 is a means for generating the first authentication information, which will be described later in detail. The first authentication information generation unit 21 receives the secret information from the secret information storage unit 13 and outputs the authentication information to the transmission / reception interface 17.
17 is connected.

As will be described later in detail, the shared key generation means 23 is a means for generating a shared encryption key when the first station is authorized in the authentication processing.

The function g table 25 is a storage means for storing a plurality of encryption key generation algorithms used when the shared encryption key generation means 23 generates an encryption key, as will be described in detail later. This function g table 25 is connected to the shared encryption key generation means 23 and the transmission / reception interface 17.

The shared key storage unit 27 is a unit for storing the shared encryption key generated by the shared generation unit 23.

On the other hand, the second station 41 includes a user information / secret information storage unit 43, a transmission / reception interface 45, a unit 47 for storing a plurality of predetermined algorithms (function f table 47), a random number generation unit 49, A second authentication information generation unit 51 (also referred to as a f _i operation unit 51), a shared key generation unit 53, a unit 55 for storing a plurality of encryption key generation algorithms (called a function g table 55), and a shared key storage unit 5
7 and an authentication means 59.

Here, the user information / secret information storage unit 43
, For each legitimate correspondent, a storage means for storing the user information I _a and secret information K _'a. The user information / secret information storage unit 43 is connected to the transmission / reception interface 45, the second authentication information generation unit 51, and the shared key generation unit 53, respectively. The second station 41 is the first station 11
When the user information I _a is transmitted from, this user information I _a, it is possible to detect the secret information K _'a corresponding user information and the secret information storage unit 43.

The secret information K _a and K ′ _a are the same, but in order to distinguish which station side secret information, K a
_a, shows a K _'a.

The transmitting / receiving interface 45 is connected to the first station 1
Like the transmission / reception interface on one side, it is one of the components of various transmission means referred to in the present invention.

The function f table 47 is storage means for storing a plurality of predetermined algorithms used when the second authentication information generating means 51 generates the second authentication information, as will be described later in detail. This function f table 51 is defined by the second
Authentication information generating means 51 and transmission / reception interface 45
Connected to

[0130] number generating means 49 receives the user information I _a from a first station 11, a means for generating a random number r. The random number generation unit 49 is connected to the transmission / reception interface 45, the second authentication information generation unit 51, and the shared key generation unit 53, respectively. Moreover, the generated random number r is also transmitted to the first authentication information generating means 21 and the shared key generating means 23 on the first station 11 side. The random number generating means 49 is provided on the first station 11 side, and the second station 41
Alternatively, the random number r may be transmitted from the first station 11.

The second authentication information generation means 51 is a means for generating the second authentication information, which will be described later in detail. The output of the second authentication information generation unit 51 is connected to the authentication unit 59.

As will be described later in detail, the shared key generation means 53 is a means for generating a shared encryption key when the first station is authorized in the authentication processing.

The function g table 55 is storage means for storing a plurality of encryption key generation algorithms used when the shared encryption key generation means 53 generates an encryption key, as will be described in detail later. This function g table 55 is connected to the shared encryption key generation means 53 and the transmission / reception interface 45.

The shared key storage unit 57 is a unit for storing the shared encryption key generated by the shared generation unit 23.

The authentication means 59 is means for comparing the first authentication information with the second authentication information and authenticating whether or not the first station is valid according to the result. Here, authentication means 5
9 comprises a comparing section for comparing the first authentication information with the second authentication information.

Next, components which have been simply described in the above description will be described in detail.

[0137] First, a first authentication information generating means 21 generates the first authentication information from the secret information K _a and the random number r with a predetermined algorithm. The second authentication information generation unit 51 includes:
The second authentication information is generated from the secret information K ′ _a (= K _a ), the random number r, and a predetermined algorithm.

In this embodiment, a one-way function f _i is used as a predetermined algorithm used when generating the first and second authentication information. Accordingly, a first authentication information generating means 21, a one-way function f _i, the random number r
When the first authentication information using the secret information K _a f _i (r, K
_a ) is generated. On the other hand, the second authentication information generation means 51
Generates a one-way function f _i, the random number r, the secret information K _'a and the reference second authentication information _{f i (r, K' a} ).

[0139] Moreover in this embodiment, one-way function f _i, for the first authentication information generating means 21 function f
From the table 19, the second authentication information generation means 51
Are configured to be input from the function f table 47, respectively.

Note that the one-way function is also called a one-way hash function or simply a hash function. In simple terms, it is easy to calculate f (x) from x, but it is easy to calculate f (x) from x
Is an extremely difficult function f (x).

As a specific example of the one-way function, MD5 (R.
Rivest: The MD5 Message-Digest Algorithm, Networking
Group, RFC 1321, 1992) and SHA (National Institute)
ofStandards and Technology: Secure Hash Standard, F
IPS PUB 180-1, 1995).

In each of the function f tables 19 and 47, the same type of a plurality of one-way functions f _i are stored. In addition, a common number is assigned to each function stored in both stations. By inputting the same number i (for example, i = 1, 2, 3,...) To each of the function f tables 19 and 47, the same one-way function is obtained from each of the function f tables 19 and 47. You can choose.

The one-way function selection number i is prepared by the first station 11 or the second station 41 using, for example, a random number or prepared in advance in accordance with the communication start signal of the first station 11, for example. Generate according to the program. Whether the first station 11 or the second station 41 generates the number i may be determined according to the design of the communication system. In the case of the first embodiment, the number i is generated on the second station 41 side.

When the one-way function is the above MD5 or the like, each of the function f tables 19 and 47 is
1. f ₁ : MD5 2. f ₂ : SHA 3. f ₃ : HM
AC-MD5 4. f ₄ HMAC-SHA 5. ...
You can do as follows.

Incidentally, without using the function f table,
One one-way function common to the first station 11 and the second station 41 may be a predetermined algorithm for generating authentication information.

In each of the function g tables 25 and 55, an encryption key generation algorithm g _j (not necessarily a one-way function) that can be used for generating a shared encryption key is stored.
Each type is stored. In addition, a common number is assigned to each function stored in both stations. For each function g table 25, 55, the same number j (for example, j = 1, 2, 2,
,...), The same encryption key generation algorithm can be selected from each of the function g tables 25 and 55.

The selection number j for selecting a function from the function g tables 25 and 55 is, for example, the first station 11 or the second station 41 according to the communication start signal of the first station 11.
For example, a CPU (not shown) included in the program generates the data using a random number or according to a prepared program. In the first embodiment, the second station 41 generates the selection number j.

Here, the function g _j stored in each of the function g tables 25 and 55 can be any suitable one determined between the communication stations. For example, g (x) = X or g (x) = S ⁿ
(X) (left n-cyclic shift). In that case, as the function g table, 1. g ₁ (x)
= X2. g ₂ (x) = S ⁿ (x) (left n-cyclic shift) ... and so on.

Incidentally, without using the function g table,
One algorithm common to the first station 11 and the second station 41 may be a predetermined algorithm for generating a shared encryption key.

Also, the shared key generation means 23 is provided for the first station 11
Is valid, a shared encryption key is generated using one or more of the information used in the authentication method and the function g _j selected from the function g table 25. In the first embodiment, a shared encryption key g _j (r, K _a ) is generated from _a random number r, secret information Ka, and a function g _j selected from the function g table 25. The shared key storage unit 27 stores the generated shared encryption key g _j (r, K _a ) therein.

Also, the shared key generation means 53
If 1 is valid, a shared encryption key is generated using one or more of the information used in the authentication method and the function g _j selected from the function g table 55. In the first embodiment, a shared encryption key g _j (r, K ′ _a ) is generated from the random number r, the secret information K ′ _a, and the function g _j selected from the function g table 55. The shared key storage unit 57 stores the generated shared encryption key g _j (r, K ′ _a ) therein.

[0152] In the following another embodiment, information used for the generation of the shared encryption key, the random number r and the secret information K _a
Instead of only the random number r, or only the second random number r ₂ . However, in each explanatory diagram of the following embodiments, numbers 23 and 53 are commonly assigned to the shared key generation means.

1-2. Description of Operation Next, the operation of the communication system according to the first embodiment will be described. Thus, the processing procedure of the authentication method and the method of generating the shared encryption key will be described. This description will be made with reference to FIG. 2 in addition to FIG. FIG. 2 is a diagram showing a processing flow.

The first station 11 transmits the user information _Ia to the second station 41 (communication 101 in FIG. 2).

[0155] The second station 41 that has received the user information I _a
Generates a random number r using the random number generation means 49 and returns it to the first station (communication 102 in FIG. 2). In the case of specifying the one-way function f _i used to generate the authentication information, the second station 41, the station function number i be first with random number r 11
Send to When the one-way function is not designated, both stations 11 and 41 use a predetermined function.

[0156] Next, the first station 11, use the secret information K _a with the random number r and myself, and, by using a one-way function f _i that is determined to have been specified, or pre-second The first authentication information f _i (r, K _a ) is calculated (process 111 in FIG. 2) and transmitted to the authentication means 59 of the second station 41 (communication 103 in FIG. 2).

The second station 41 having received the first authentication information f _i (r, K _a ) then stores the secret information K ′ _a corresponding to the user information I _a in the user information / secret information storage section. Find out from 43. Further, the second station 41, using the random number r and the private information K _'a, and correspond to the number i one-way function f
_{Using i} , the second authentication information f _i (r, K ′ _a ) is calculated (process 112 in FIG. 2), and this is used as authentication means (comparing unit) 59.
To enter.

Next, the authentication means 59 outputs the first authentication information f
_i (r, K _a ) is compared with the second authentication information f _i (r, K ′ _a ) (process 113 in FIG. 2). If the two stations are equal in this comparison, the second station 41 recognizes the legitimacy of the first station 11 and sends the communication permission signal “OK” and the number j of the function g _i for generating the shared encryption key to the second station. 1 to the station 11 (communication 104 in FIG. 2). Further, the shared key generation means 53 of the second station 41 generates a shared encryption key as K ₁₂ = g _j (r, K ′ _a ) (process 114 in FIG. 2).

[0159] On the other hand, a first station 11 which has received the communication enable signal "OK" is the common encryption key _{K 12 = g j (r,} K a) generated as by using the shared key generation unit 23 ( Processing 115 in FIG. 2).

According to the first embodiment, the second information is used by using user information and secret information unknown to a third party.
Can authenticate the validity of the first station. In addition, the encryption key is shared between the first station and the second station by using the random number and the secret information, which are the information used at the time of authentication, as they are. Moreover, the authentication processing of the first station,
The process of generating a shared encryption key between the first station and the second station can be performed continuously.

[0161] 2. Second Embodiment Next, the second embodiment of the authentication method, the first invention of the encryption key sharing method, and the second and eleventh embodiments of the communication system will be described together.

2-1. Description of Configuration of Communication System FIG. 3 is a diagram illustrating a configuration of a communication system according to the second embodiment.

The main difference between the second embodiment and the first embodiment is that the random number generation means 49 provided on the second station 41 side is omitted, and the first station is replaced by the first station. The point that the random number generation means 29 is provided on the station 11 side: the point that the random number authentication means 61 is provided in the second station 41; and the user information / random number history information / secret information storage section in the second station 41 63 is provided.

Here, the random number generation means 29 is connected to the first authentication information generation means 21, the shared key generation means 23, and the transmission / reception interphase 17. Further, the generated random number r is stored in the second authentication information generating means 5 on the second station 41 side.
1 and also transmitted to the shared key generation means 53.

[0165] The user information-random number history information, the secret information storage unit 63, together with the stores user information I _a and secret information K _'a, communication random number r used in communication for each legitimate correspondent This is a storage unit that stores each time (stores a random number history). The user information / random number history information / secret information storage unit 63 is connected to the transmission / reception interface 17, the random number authentication unit 61, and the first authentication information generation unit 51.

Each time communication is performed, the random number authenticating means 61 checks whether the random number r transmitted from the first station is a random number transmitted in the past or not. This is a means for searching and determining the information / confidential information storage unit 63. This random number authentication means 61 is referred to as a comparison unit 61 here.
It consists of. The random number authentication means 61 is connected to the transmission / reception interface 45 and the user information / random number history information / secret information storage unit 63.

In the communication system according to the second embodiment, the configuration other than the random number generation unit 29, the random number authentication unit 61, and the user information / random number history information / secret information storage unit 63 is the same as that of the first embodiment. There is.

2-2. Description of Operation Next, the operation of the communication system according to the second embodiment will be described. Thus, the processing procedure of the authentication method and the method of generating the shared encryption key will be described. This description will be made with reference to FIG. 4 in addition to FIG. FIG. 4 is a diagram showing a processing flow.

The random number generation means 29 of the first station 11 generates a different random number r for each communication. The first authentication information generation unit 21 of the first station 11 uses the random number r and the secret information K _a
And the one-way function f _i , the first authentication information f _i
(R, K _a ) is calculated (process 211 in FIG. 4).

Next, the first station 11 transmits to the second station 41
User information _Ia , random number r, one-way function number i,
The first authentication information f _i (r, K _a ) is transmitted (communication 201 in FIG. 4).

Next, the second station 41 uses the user information _Ia to store the random number history and the secret information K ′ _a for the first station 11 in the user information / random number history information / secret information storage section. Find out from 63. Next, first, the random number authentication means 61 of the second station 41 checks the random number history (step 21 in FIG. 4).
2) If the received random number r is in the random number history, the validity of the first station 11 is not recognized.

As a result of checking the random number history, if the validity of the first station 11 is not recognized, the second station 41 stops the authentication operation. Then, the second station 41 takes any suitable action such as terminating the communication or issuing an error message to the first station 11.

[0173] On the other hand, if the random number that has been transmitted this time is not included in the random number history, a second authentication information generating means 51 of the second station 41, and the random number r and the private information K _'a one second authentication credential f _i by using the directional function f _i
(R, K ′ _a ) is calculated (process 213 in FIG. 4). Also,
The second station 41 adds the random number r transmitted this time to the user information / random number history information / secret information storage unit 63 as random number history information.

Next, the authentication means 59 of the second station 41 transmits the first authentication information f _i (r, K _a ) and the second authentication information f _i.
(R, K ′ _a ) (step 214 in FIG. 4). If the two are equal in this comparison, the second station 41
The station 11 recognizes the validity of the station 11 and transmits the communication permission signal “OK” and the number j of the function g _j for generating the shared encryption key to the first station 1
1 (communication 202 in FIG. 4). Also, the second station 4
The first shared key generation unit 53 generates a shared encryption key as K ₁₂ = g _j (r, K ′ _a ) (process 215 in FIG. 4).

On the other hand, the first station 11 that has received the communication permission signal “OK” generates a shared encryption key using the shared key generation means 23 as K ₁₂ = g _j (r, K _a ) (FIG. 4 processing 216).

According to the second embodiment, the user information and the secret information unknown to the third party are
Can authenticate the validity of the first station. In addition, the encryption key is shared between the first station and the second station by using the random number and the secret information, which are the information used at the time of authentication, as they are. Moreover, the authentication processing of the first station,
The process of generating a shared encryption key between the first station and the second station can be performed continuously.

The validity of the first station can be determined based on whether the transmitted random number is included in the random number history. Therefore, it is possible to stop repeated attacks by an unauthorized communication person.

Further, since the authentication of the validity of the first station can be performed in the same manner as in the first embodiment, security can be ensured.

Further, in the second embodiment, the number of times of communication can be reduced as compared with the case of the first embodiment.

3. Third Embodiment Next, the third embodiment of the authentication method, the first invention of the encryption key sharing method, and the third and eleventh embodiments of the communication system will be described together.

3-1. Description of Configuration of Communication System FIG. 5 is a diagram illustrating a configuration of a communication system according to the third embodiment.

The main difference between the third embodiment and the first embodiment is that the random number generating means 49 provided on the second station 41 side is omitted and the second embodiment is omitted. Similarly, the first station 11 is provided with a random number generating means 29, the second station 41 is provided with an access number authentication means 65, and the second station 41 is provided with user information and the number of accesses. The provision of a secret information storage unit 67 and the provision of an access frequency counting means 31 for counting the number of accesses to the first station 11 each time the first station 11 accesses the second station 41 is there.

The random number generating means may be provided on the second station 41 side. However, if the first station 11 is provided with a random number generating means, the random number and the user information can be transmitted to the second station 41 together, so that the number of times of communication can be reduced.

Here, the access number counting means 31
Means for counting the number of accesses each time the second station 41 accesses the second station 41. This access frequency counting means 3
1 is connected to the transmission / reception interface 17 and the first authentication information generation unit 21.

The number-of-accesses counting means 31 can be constituted by, for example, a counter which monotonically increases each time the first station 11 accesses the second station 41. In addition,
Access frequency n counted by access frequency counting means 31
_a is the transmission / reception interfaces 17 and 45 and the communication line 10
0, the access number authentication means 6 of the second station 41
5 is sent.

[0186] The access number authentication means 65 determines the number of accesses n _a transmitted from the first station 11, whether to past access number from the first station is in reasonable scope This is a means for authenticating the number of accesses. The access count authentication unit 65 is connected to the user information / access count / secret information storage unit 63 and the transmission / reception interface 45.

In this embodiment, the number-of-times-of-access authentication means 65 stores the number of times of access transmitted this time from the first station 11 as n _a and the user information / access number / secret information storage section 67. last access times n until the communication of the first station _'a, when the allowable value to allow communication misses the epsilon (e.g. about 5), for n _a n' _a +
inequality relationship ε> n _a> n _'a is as a comparison unit for checking whether or not satisfied.

[0188] The user information access number, the secret information storage unit 63, together with the stores user information I _a and secret information K _'a, the number of accesses n _a number of accesses authentication unit 65 authenticates the legitimacy Access count n ' _a each time
Storage means for updating and storing as This user information
The access count / secret information storage unit 63 is connected to the transmission / reception interface 45, the second authentication information generation unit 51, the shared key generation unit 53, and the access count authentication unit 65.

In the communication system according to the third embodiment, the configuration other than the random number generation means 29, the access number counting means 31, the access number authentication means 65, and the user information / access number / secret information storage section 67 is the same as that of the first embodiment. It is the same as that of the embodiment. However, in this case, the first authentication information generation unit 21 and the second authentication information generation unit 51 use the random number r, the number of accesses n _a (n ′ _a ), and the secret information K _a
And (K _'a), by a one-way function f _i, is configured so as to generate first and second authentication information.

3-2. Description of Operation Next, the operation of the communication system according to the third embodiment will be described. Thus, the processing procedure of the authentication method and the method of generating the shared encryption key will be described. This description will be made with reference to FIG. 6 in addition to FIG. FIG. 6 is a diagram showing a processing flow.

The random number generation means 29 of the first station 11 generates a random number r at the time of communication. Access number counting unit 31 of the first station 11, the count value ie is 1 increases the number of accesses n _a, and n _a = n _a +1. The first authentication information generating unit 21 of the first station 11, using the random number r, and the secret information K _a, and a number of accesses n _a, and, using a one-way function f _i, the first authentication information _{f i (r, n a,} K a) to calculate the (process 311 of FIG. 6).

Next, the first station 11 sends to the second station 41
User information _Ia , random number r, one-way function number i,
And the number of accesses n _a, the first authentication information f _i (r, n _a,
K _a ) (communication 301 in FIG. 6).

Next, the second station 41 uses the user information _Ia to store the user information / access count / secret information storage unit 6.
7, the number of accesses n ′ _a and the secret information K ′ _a for the first station 11 are found. Next First, access number authentication means 65 of the second station 41, the currently received access count _{n a, n 'a + ε} > n a>n' inequality relation _a investigate whether established (FIG. 6 processing 312).
If not, the first station 11 is not recognized as legitimate.

When the validity of the first station 11 is not recognized, the second station 41 stops the authentication operation. In addition, the second station 41 takes any suitable action such as terminating the communication or issuing an error message to the first station 11.

[0195] On the other hand, if the above inequality relationships are satisfied, changing the number of accesses n _a of the number of accesses n _'a which is stored in the user information access number, the secret information storage unit 67 has been transmitted this time ( Processing 313 in FIG. 6). The third authentication information generating means 51 of the second station 41, the random number r, 'and _a (= n _a), the secret information K' access count n _a
And the one-way function f _i , the second authentication information f _{i
(R, n 'a, K} ' a) calculating a (process 314 of FIG. 6).

[0196] Next, the authentication unit 59 of the second station 41, the first authentication information _{f i (r, n a,} K a) and the second authentication information _{f i (r, n 'a} , K' _a ) (processing 31 in FIG. 6).
5). If the two are equal in this comparison, the second station 4
1 recognizes the legitimacy of the first station 11 and outputs a communication permission signal “O
K ”and the number j of the function g _j for generating a shared encryption key,
It transmits to the first station 11 (communication 302 in FIG. 6). Also,
The shared key generation means 53 of the second station 41 generates a shared encryption key as K ₁₂ = g _j (r, K ′ _a ) (process 316 in FIG. 6).

On the other hand, the first station 11 that has received the communication permission signal “OK” generates a shared encryption key using the shared key generation means 23 as K ₁₂ = g _j (r, K _a ) (FIG. 6 processing 317).

According to the third embodiment, the second information is obtained by using the user information and the secret information unknown to a third party.
Can authenticate the validity of the first station. In addition, the encryption key is shared between the first station and the second station by using the random number and the secret information, which are the information used at the time of authentication, as they are. Moreover, the authentication processing of the first station,
The process of generating a shared encryption key between the first station and the second station can be performed continuously.

The validity of the first station can be determined based on whether or not the transmitted access count satisfies a predetermined inequality relationship. Therefore, it is possible to prevent an attack by an unauthorized communication person.

Further, since the authentication of the validity of the first station can be performed in the same manner as in the first embodiment, security can be ensured.

Further, in the second embodiment, the number of times of communication can be reduced as compared with the case of the first embodiment.

Further, in the third embodiment, since the second station 41 stores the number of times of access, the memory in the second station 41 can be saved as compared with the case where the random number history is stored.

4. Fourth Embodiment Next, the fourth embodiment of the authentication method, the second invention of the encryption key sharing method, and the fourth and twelfth embodiments of the communication system will be described together.

4-1. Description of Configuration of Communication System FIG. 7 is a diagram illustrating a configuration of a communication system according to the fourth embodiment.

In the first to third embodiments, the generation of the authentication information is performed using the one-way function. In the fourth embodiment, when generating authentication information, an encryption algorithm is used instead of the one-way function.

The main difference between the fourth embodiment and the first embodiment is that the random number generation means 49 provided on the second station 41 side is omitted and the second embodiment is omitted. The first station 11 is provided with a random number generation means 29 in the same way as in the first embodiment. The first station 11 generates authentication information by generating authentication information by encrypting a random number and user information using secret information as a key. A means 33 (also referred to as an encryption unit 33);
The first station 11 is provided with a storage means 35 (also referred to as an algorithm E table 35) for storing a plurality of algorithms for the above encryption. The authentication information for decrypting the authentication information to the second station. The point that a decoding means 69 (also referred to as a decoding unit 69) is provided;
And that the second station 41 is provided with the user information / random number history / secret information storage unit 63 in the same manner as in the second embodiment. Instead of the authentication means 59 provided in the form described above, an authentication means 73 for authenticating the validity of the first station based on the random number history and the user information is provided.

Here, the algorithm E tables 35 and 7
In each of the stations 1, a plurality of stored encryption algorithms are assigned a common number between the stations 11 and 41. By for each algorithm E table 35,71 enter the same number q, it can be from each algorithm E table 35,71, selects the same encryption algorithm E _q. The algorithm E table 35 is connected to the transmission / reception interface 17 and the encryption unit 33 as authentication information generation means. The algorithm E table 71 is
It is connected to a transmission / reception interphase 45 and a decryption section 69 as authentication information decryption means.

The encryption algorithm selection number q
For example, the first station 11 or the second station 41 uses, for example, a random number in response to a communication start signal of the first station 11,
Generated according to a program prepared in advance. Whether the first station 11 or the second station 41 generates the number q may be determined according to the design.

Here, specific examples of the encryption algorithm include, for example, DES-CBC, MISTY, and Tri.
ple DES-EDE-CBC and the like. In that case, the algorithm E tables 35 and 71 respectively include: E ₁ : DES-CBC 2. E ₂ : MI
STY 3. E ₃ : TripleDES-EDE-CB
C4. ...

The algorithm E tables 35 and 71
May be used, and one encryption algorithm common to the first station 11 and the second station 41 may be a predetermined algorithm for generating authentication information.

[0211] Also, the encryption unit 33 as an authentication information generating unit 33, using an encryption algorithm E _q selected from the algorithm E Table 35, the random number r and the user information I _a, the key secret information K _a To generate E _q {K _a , (r | E _q {r, I _a })} as authentication information (details will be described later). The output of the authentication information generation means 33 is connected to the transmission / reception interface 17.

The decryption unit 69 as the authentication information decrypting means 69 transmits E _q ＥK _a , (r | E) as the authentication information transmitted from the authentication information generating means 33 of the first station 11.
_q {r, _Ia })} means for decoding _a random number r and user information Ia (details will be described later). The output of the authentication information decrypting means 69 is connected to the authentication means 73.

The authentication means 73 compares the user information decoded by the authentication information decoding means 69 with the user information transmitted from the first station, and the authentication information decoding means 69 decodes the user information. The comparison unit 73b compares the random number with the random number history. This authentication means 73
This is a means for authenticating the first station as legitimate when each of the comparison units 73a and 73b passes the comparison result.

In the communication system according to the fourth embodiment, the random number generating means 29, the authentication information generating means 33, the algorithm E tables 35 and 71, the authentication information decoding means 69,
The configuration other than the user information / random number history / secret information storage unit 63 and the authentication unit 73 is the same as that of the first embodiment.

4-2. Description of Operation Next, the operation of the communication system according to the third embodiment will be described. Thus, the processing procedure of the authentication method and the method of generating the shared encryption key will be described. This description will be made with reference to FIG. 8 in addition to FIG. FIG. 8 is a diagram showing a processing flow.

The random number generating means 29 of the first station 11 generates a random number r at the time of communication. The authentication information generation means 33 of the first station 11 generates authentication information by encrypting the random number r and the user information using the secret information Ka as _a key. In this case, encryption is performed as follows. First, the user information I is set using the random number r as a key.
By encrypting _a , an encrypted text _Eq {r, _Ia } is obtained.
Here, E _q is the q-th encryption algorithm selected from the algorithm E table 35. Next, using the secret information Ka as _a key, a random number r and the ciphertext _Eq {r, _Ia }
Is further encrypted, and E _q ｛K _a ,
(R | E _q {r, I _a })} (process 41 in FIG. 8)
1). Here, the symbol “|” means concatenation, and E ｛K,
The notation X｝ means that X is encrypted using the encryption key K.

Next, the first station 11 communicates with the second station 41,
User information _Ia , encryption algorithm selection number q,
E _q ｛K _a , (r | E _q ｛r, I
_a {)} is transmitted (communication 401 in FIG. 8).

[0218] E _q {K _a as an authentication information, (r | E _q
The second station 41 that has received {r, I _a }) stores the user information I from the user information / random number history / secret information storage unit 63.
_{Using a} , secret information K ′ _a (K _a ) and random number history about the first station are found. Furthermore the second station 41 by using the authentication information decoding unit 69, as the key secret information K _'a, the authentication information ciphertext _{E q {K a, (r} | E q {r, I
_a {)} is decoded or decrypted to obtain a random number r.
Further, _Eq {r, _Ia } is decrypted or decrypted using r as a key to obtain _Ia (process 412 in FIG. 8).

Next, the comparing section 73a of the authentication means 73 checks whether or not the decrypted r is included in the random number history. The decrypted user information is compared with the user information transmitted from the first station 11 by using the comparing unit 73b (processing 413 in FIG. 8). If at least one of the case where the decoded random number r is included in the random number history and the case where the decoded _Ia is different from the received _Ia occur, the authentication unit 73 does not recognize the validity of the first station 11.

[0220] If the validity of the first station 11 is not recognized, the second station 41 stops the authentication operation. In addition, the second station 41 takes any suitable action such as terminating the communication or issuing an error message to the first station 11.

On the other hand, if the decrypted random number r is not in the random number history,
If the decrypted user information is equal to the transmitted user information, the authentication unit 73 recognizes the validity of the first station 11. When the first station 11 is recognized as valid (process 414 in FIG. 8), the second station 41 transmits the communication permission signal “OK”.
And the number j of the function g _j for generating the shared encryption key
(The communication 402 in FIG. 8). Also, the second
The shared key generation means 53 of the station 41 generates a shared encryption key as K ₁₂ = g _j (r) (process 415 in FIG. 8).

On the other hand, the first station 11 that has received the communication permission signal “OK” generates a shared encryption key as K ₁₂ = g _j (r) by using the shared key generation means 23 (the processing in FIG. 8). 416).

According to the fourth embodiment, the user information and the secret information unknown to the third party are
Can authenticate the validity of the first station. In addition, the encryption key is shared between the first station and the second station by using the random number, which is the information used at the time of authentication, as it is. Moreover, the authentication processing of the first station and the generation processing of the shared encryption key between the first station and the second station can be performed continuously.

When user authentication is performed, the decrypted random number is compared with the random number history. The random number is different for each communication.
Even if a third party eavesdrops on the communication information and uses it to repeatedly attack the second station, a random number decoded from the communication information exists in the random number history. Then, the second station does not recognize this communication information as valid. Therefore, a repeated attack by a third party can be prevented.

[0225] 5. Fifth Embodiment Next, a fifth embodiment of the authentication method, a third invention of the encryption key sharing method, and fifth and thirteenth embodiments of the communication system will be described together.

5-1. Description of Configuration of Communication System FIG. 9 is a diagram illustrating a configuration of a communication system according to a fifth embodiment.

The communication system according to the fifth embodiment is a modification of the communication system according to the fourth embodiment (FIG. 7) as follows. : The first station 11 has a first random number r ₁ and a second random number r ₂ instead of the random number generating means 29.
Is provided. : Instead of providing the authentication information generating means 33 in the first station 11,
, An encryption key generation unit 125, and an authentication information generation unit 127 that further encrypts the first ciphertext using an encryption key to generate authentication information.
Are provided. The authentication information decrypting means 6 is provided to the second station 41.
9 and an authentication unit 73, instead of a decryption key generation unit 75, an authentication information decryption unit 77 that decrypts authentication information using a decryption key, and an authentication unit that authenticates the first station based on the decrypted user information. Means 79 and a random number authenticating means 81 for authenticating the first random number r ₁ are provided.

Here, the random number generation means 121 outputs the second random number r ₂ of the generated random numbers to the shared key generation means 23,
These components 23, 123, and 12 are output so that they can be output to the ciphertext generation unit 123 and the authentication information generation unit 127.
7 is connected. Further, it is connected to these components 125 and 17 so that the first random number r ₁ can be output to the encryption key generation means 125 and the transmission / reception interface 17.

The ciphertext generating means 123 is a
21, the user information storage unit 15, the algorithm E table 35, and the authentication information generation unit 127. The ciphertext generating unit 123, the user information I _a to generate a first cipher text by encrypting the random number r ₂ as a key, is a means for outputting it to the authentication information generating means 127 (details will be described later) . The encryption algorithm for encryption is input from the algorithm E table 35 here.

[0230] The encryption key generation means 125
21, a secret information storage unit 13, and a function f table 19
And the authentication information generating means 127. The encryption key generation unit 125, the key for generating the authentication information, with means for generating by the first random number r ₁ and the secret information K _a with a predetermined algorithm, and outputs it to the authentication information generating means 127 (Details will be described later). Here, a one-way function f _i as a predetermined algorithm. One-way function f _i is inputted from the function f table 19.

The authentication information generation means 127 uses the encryption key generated by the encryption key generation means 125 to generate a second random number r ₂
And the first cipher text to generate authentication information (details will be described later). The encryption algorithm for this encryption is input from the algorithm E table 35. The output of the authentication information generation means 127 is connected to the transmission / reception interface 17.

[0232] decryption key generating means 75 of the second station 41, the first random number r ₁ and the transmitted secret information K _'a and a predetermined algorithm, the key (decryption key for decrypting the authentication information ) Is generated (details will be described later). Here, a one-way function f _i as a predetermined algorithm. One-way function f _i is inputted from the function f table 47. The output of the decryption key generation means 75 is connected to the authentication information decryption means 77.

The authentication information decrypting means 77 is means for decrypting the authentication information using the decryption key generated by the decryption key generating means 75 (details will be described later). The algorithm for decoding is input from the algorithm E table 71 here. The output of the authentication information decrypting means 77 is connected to the authentication means 79.

In this case, the authentication means 79 authenticates the validity of the first station 11 by comparing the decrypted user information with the transmitted user information (details will be described later). .

The means 81 for authenticating the first random number checks whether the first random number r ₁ transmitted this time is included in the history of the random numbers transmitted in the past, and checks the first station. This is a means for authenticating the validity of this (details will be described later).

Except for the means described above, the configuration is the same as that of the fourth embodiment.

5-2. Description of Operation Next, the operation of the communication system according to the fifth embodiment will be described. Thus, the processing procedure of the authentication method and the method of generating the shared encryption key will be described. This description is added to FIG.
Refer to. FIG. 10 is a diagram showing a processing flow.

The random number generating means 121 of the first station 11 generates first random numbers r ₁ and r ₂ for each communication. Ciphertext generating unit 123 of the first station 11, a second random number r ₂ as a key, and, using a cryptographic algorithm E _q, encrypts the user information I _a, in this case the first ciphertext E _q ｛R
₂ , generate a ciphertext I _a }. Also the first station 11
Here, the encryption key generation means 125 uses f _i (r ₁ , K) as a key of an encryption algorithm for generating authentication information.
_a ) is generated. Then, the authentication information generating means 127
Using the encryption key f _i (r ₁ , K _a ) and the encryption algorithm E _q , the random number r ₂ and the first cipher text E _q ｛r
₂ , I _a } is further encrypted and E _q
｛F _i (r ₁ , K _a ), (r ₂ | E _q ｛r ₂ , I
_a {)} is generated (process 511 in FIG. 10).

Next, the first station 11 transmits the user information I _a ,
First random number r _1, one-way function number i, the encryption algorithm number q and authentication information _{E q {f i (r 1} , K a),
(R ₂ | E _q {r ₂ , I _a })} to the second station 41 (communication 501 in FIG. 10).

Next, the second station 41 uses the user information _Ia to store the random number history and the secret information K ′ _a for the first station 11 in the user information / random number history information / secret information storage section. Find out from 63. Next, first, the random number authentication means 81 of the second station 41 checks the random number history (step 51 in FIG. 10).
2), the first random number r ₁ does not recognize the validity of the first station 11 If you are entered into the random number history received if.

If the validity of the first station 11 is not recognized as a result of checking the random number history, the second station 41 stops the authentication operation. Then, the second station 41 takes any suitable action such as terminating the communication or issuing an error message to the first station 11.

On the other hand, the first random number r ₁ transmitted this time
Is not included in the random number history, the second station 41
The decryption key generating means 75 of f _i (r ₁ ,
K ′ _a ). Next, the authentication information decrypting means 77 of the second station 41 uses the decryption key f _i (r ₁ , K ′ _a )
Authentication information _{E q {f i (r 1} , K a), (r 2 | E q {r
₂ , _Ia {)} is decoded or decoded to obtain a _second random number r ₂ . Furthermore, the authentication information decrypting means 77 of the second station 41
Using the decrypted second random number r ₂ as a key, the first cipher text E _q {r ₂ , I _a } is decrypted or decrypted to obtain user information I _a (process 513 in FIG. 10).

Further, the second station 41 adds the first random number r ₁ transmitted this time to the user information / random number history information / secret information storage unit 63 as random number history information.

Next, the authentication means 79 of the second station 41 compares the decrypted user information with the transmitted user information (process 514 in FIG. 10). If the two are equal in this comparison (process 515 in FIG. 10), the second station 41
The validity of the first station 11 is recognized, and the communication permission signal “OK” and the number j of the function g _j for generating the shared encryption key are transmitted to the first station 11 (communication 202 in FIG. 10). Also, the second
The shared key generation means 53 of the station 41 generates a shared encryption key as K ₁₂ = g _j (r ₂ ) (process 516 in FIG. 10).

On the other hand, the first station 11 which has received the communication permission signal “OK” generates a shared encryption key using the shared key generation means 23 as K ₁₂ = g _j (r ₂ ) (FIG. 10). Process 517).

According to the fifth embodiment, the user information and the secret information unknown to the third party are used for the second
Can authenticate the validity of the first station. Moreover realizes a shared encryption key between the first station and the second station using the second random number r ₂ is information used during authentication it is. In addition, the authentication processing of the first station and the first station
And a process of generating a shared encryption key between the second station and the second station.

The validity of the first station can be determined based on whether or not the transmitted first random number r ₁ is included in the random number history. Therefore, it is possible to prevent a replay attack by an unauthorized communication person.

Also, since the secret information is encrypted using a predetermined algorithm without using the secret information as it is as the encryption key, it can be said that the secret protection capability is higher than in the fourth embodiment.

Further, since two types of random numbers r ₁ and r ₂ are used, it can be said that the secret protection capability is high.

[0250] 6. Sixth Embodiment Next, the respective embodiments of the sixth invention of the authentication method, the second invention of the encryption key sharing method, and the sixth and twelfth inventions of the communication system will be described together.

6-1. Description of Configuration of Communication System FIG. 11 is a diagram illustrating a configuration of a communication system according to the sixth embodiment.

The main difference between the sixth embodiment and the fourth embodiment (FIG. 7) is that:
The first embodiment is that the first station 11 has an encryption unit 129 for encrypting the user information and the number of accesses instead of providing the authentication information generation unit 33. And an authentication information generating means 131 for further encrypting the encryption encrypted by the encryption means 129 and generating authentication information.
Providing authentication means 83 for authenticating the first station based on the decrypted user information and the number of accesses in place of the authentication means 73; Instead of the information / secret information storage unit 63,
As in the third embodiment, a user information / access count / secret information storage unit 67 (in this case, the decrypted access count is stored) is provided.

[0253] Here, the encryption unit 129 is means for encrypting the user information I _a and the number of accesses n _a random number r as a key (details below). The encryption algorithm for encryption is algorithm E table 3 here.
5 is input. The output of the encryption means 129 is connected to the authentication information generation means 131.

[0254] authentication information generating means 131, the encrypted user information I _a and the number of accesses n _a random number and encrypting means 129, means for generating authentication information by further encrypted as a key secret information K _a (Details will be described later). The encryption algorithm for this encryption is input from the algorithm E table 35. The output of the authentication information generation means 131 is connected to the transmission / reception interface 17.

The authentication unit 83 of the second station 41 compares the user information decrypted by the authentication information decryption unit 69 with the user information transmitted from the first station.
A comparing unit 83 for comparing whether or not a predetermined inequality relationship holds between the number of accesses n _a decrypted by the authentication information decrypting means 69 and the number of accesses n ′ _a stored in the storage unit 67;
b. The predetermined inequality is, for example, n ′ _a + ε
> It can be a n _a> n _'a. Here, ε is a number that allows a communication error or the like, and is, for example, about 5. The authentication unit 83 authenticates the first station when the two comparison units 83a and 83b pass the comparison result.

The configuration other than the above is the same as that of the fourth embodiment.

6-2. Description of Operation Next, the operation of the communication system according to the sixth embodiment will be described. Thus, the processing procedure of the authentication method and the method of generating the shared encryption key will be described. This explanation is added to FIG.
2 is performed. FIG. 12 is a diagram showing a processing flow.

The random number generation means 29 of the first station 11 generates a random number r at the time of communication. Access number counting unit 31 of the first station 11, the count value ie is 1 increases the number of accesses n _a, and n _a = n _a +1. The encryption means 129 of the first station uses the random number r as a key and the encryption algorithm E _q
Using, in this case encrypts the user information I _a and the number of accesses _{n a E q {r, I} a | n a} to generate a cipher sentence. Then, the authentication information generating means 131 of the first station 11
Is _calculated by using the secret information Ka as _a key and using the encryption algorithm _Eq to generate a random number and the ciphertext _Eq qr, _Ia | n.
_a ｝ is further encrypted, and E _q ｛K _a ,
(R | E _q {r, I _a | n _a })} is generated (FIG. 12).
Processing 611).

Next, the first station 11 transmits the user information I _a ,
The encryption algorithm number q and the authentication information E _q ｛K _a ,
(R | E _q {r, I _a | n _a })} is transmitted to the second station 41 (communication 601 in FIG. 12).

Next, the second station 41 uses the user information _Ia to determine the secret information K ′ _a for the first station 11 and the number of accesses n _a ′ so far. It is found out from the count / secret information storage unit 63.

Next, the second station 41 sends the authentication information decrypting means 6
9, using the secret information K ′ _a as a key, the ciphertext E _q {K _a , (r | E _q {r, I _a | n _a })}, which is authentication information.
Is decrypted, that is, decrypted to obtain a random number r. further,
_{E q {r, I a |} n a} a r a key by decrypting i.e. decrypt to give a I _a and n _a (process 612 in FIG. 12).

Next, the decrypted user information and the user information transmitted from the first station 11 are compared with the authentication means 83.
Are compared using the comparison unit 83a. Further, whether the number of accesses n _a as described above decrypt satisfies _{n 'a + ε> n a} >n' a, examined using a comparison unit 83 b (the process of FIG. 12 61
3). And if decrypted access number n _a does not meet the above inequality, when at least one of the case and I _a with the received I _a of decoding are not equal occurs, authentication means 83
Does not recognize the legitimacy of the first station 11.

If the validity of the first station 11 is not recognized, the second station 41 stops the authentication operation. In addition, the second station 41 takes any suitable action such as terminating the communication or issuing an error message to the first station 11.

On the other hand, if the number of decrypted accesses n _a satisfies the above inequality and the decrypted user information is equal to the transmitted user information, the authentication means 83 sets the first
Admits the validity of the bureau 11. When the first station 11 is recognized as valid (process 614 in FIG. 12), the second station 41 transmits the communication permission signal “OK” and the number j of the function g _j for generating the shared encryption key to the 1 to the station 11 (communication 6 in FIG. 12).
02). Moreover, changing the are stored in the storage unit 67 the number of accesses n _'a to n _a (process 615 in FIG. 12). The shared key generation means 53 of the second station 41 generates a shared encryption key as K ₁₂ = g _j (r) (process 616 in FIG. 12).

On the other hand, the first station 11 that has received the communication permission signal “OK” generates a shared encryption key using the shared key generation means 23 as K ₁₂ = g _j (r) (the processing in FIG. 12). 617).

According to the sixth embodiment, the user information and the secret information unknown to the third party are used for the second
Can authenticate the validity of the first station. Moreover, the first station and the second station share the encryption key by using the random number r, which is the information used at the time of authentication, as it is. Moreover, the authentication processing of the first station and the generation processing of the shared encryption key between the first station and the second station can be performed continuously.

Further, when performing authentication of the first station, since both the user information and the access count are used, the reliability of authentication can be improved.

Furthermore, in the sixth embodiment, the number of accesses (the number of accesses decrypted from the authentication information) whose value changes for each communication is authenticated. If a third party eavesdrops on the communication information and repeatedly attacks the second station using the same, the number of accesses is always the same as that of the attack, so that the communication is not valid. Therefore, it is possible to prevent a third party from repeatedly attacking.

[0269] 7. Seventh Embodiment Next, the seventh embodiment of the authentication method, the third invention of the encryption key sharing method, and the seventh and thirteenth embodiments of the communication system will be described together.

7-1. Description of Configuration of Communication System FIG. 13 is a diagram illustrating a configuration of a communication system according to the seventh embodiment.

The communication system according to the seventh embodiment comprises:
This corresponds to a system in which the communication system of the fifth embodiment (FIG. 9) is modified as follows. : In the first station 11,
An access frequency counting means 31 is provided as in the third embodiment. : Instead of the ciphertext generating unit 123 which has been used in the fifth embodiment, generating a first ciphertext by encrypting the user information I _a and the number of accesses n _a second random number r ₂ as a key And a ciphertext generating means 133 for performing the above. :
The random number authentication means 81 provided in the second station 41 in the fifth embodiment is omitted. : Instead of the authentication means 79 provided in the fifth embodiment, an authentication means 83 for authenticating the first station based on the decrypted user information and the number of accesses is provided in the same manner as in the sixth embodiment.

The other configuration is the same as that of the fifth embodiment.

7-2. Description of Operation Next, the operation of the communication system according to the seventh embodiment will be described. Thus, the processing procedure of the authentication method and the method of generating the shared encryption key will be described. This explanation is added to FIG.
4 is performed. FIG. 14 is a diagram showing a processing flow.

The random number generating means 121 of the first station 11 generates first random numbers r ₁ and r ₂ for each communication. Access number counting unit 31 of the first station 11, the count value ie is 1 increases the number of accesses n _a, and n _a = n _a +1. Ciphertext generating unit 133 of the first station 11, a second random number r ₂ as a key, and, using an encryption algorithm E _q, a encrypts the user information I _a and the number of accesses n _a 1 in ciphertext here _{E q {r 2, I a} | n a} to generate a cipher sentence. In addition, the encryption key generation means 125 of the first station 11 generates f _i (r ₁ , K _a ) as a key of an encryption algorithm for generating authentication information.
Then, the authentication information generation means 127 outputs the encryption key f _i (r
₁ , K _a ) and using the encryption algorithm E _q , the random number r ₂ and the first ciphertext E _q ｛r ₂ , I _a | n
further encrypting _a}, E _q {f _i as authentication information
(R ₁ , K _a ), (r ₂ | E _q ｛r ₂ , I _a | n
_a {)} is generated (process 711 in FIG. 14).

Next, the first station 11 transmits the user information I _a ,
First random number r _1, one-way function number i, the encryption algorithm number q and authentication information _{E q {f i (r 1} , K a),
(R ₂ | E _q {r ₂ , I _a | n _a })} to the second station 4
1 (communication 701 in FIG. 14).

Next, the second station 41 uses the user information _Ia to divide the secret information K ′ _a and the number of accesses n _a ′ about the first station 11 into user information and access times. -Find out from the secret information storage section 67.

Next, the second station 41 establishes the authentication information decrypting means 6.
9 using, f _i a (r _1, K _'a) as a key, the ciphertext is authentication information _{E q {f i (r 1} , K a), (r 2 | E q
{R ₂ , I _a | n _a }) is decrypted or decrypted to obtain a _second random number r ₂ . Further, the second random number r ₂ in the key _{E q {r 2, I a} | n a} decodes ie decrypts to obtain a I _a and n _a (process 712 of FIG. 14).

Next, the decrypted user information and the user information transmitted from the first station 11 are transmitted to the authentication means 83.
Are compared using the comparison unit 83a. Further, whether the number of accesses n _a as described above decrypt satisfies _{n 'a + ε> n a} >n' a, examined using a comparison unit 83 b (the process of FIG. 14 71
3). And if decrypted access number n _a does not meet the above inequality, when at least one of the case and I _a with the received I _a of decoding are not equal occurs, authentication means 83
Does not recognize the legitimacy of the first station 11.

If the first station 11 does not recognize the validity, the second station 41 stops the authentication operation. In addition, the second station 41 takes any suitable action such as terminating the communication or issuing an error message to the first station 11.

On the other hand, if the number of decrypted accesses n _a satisfies the above inequality and the decrypted user information is equal to the transmitted user information, the authentication means 83 sets the first
Admits the validity of the bureau 11. When the first station 11 is recognized as valid (process 714 in FIG. 14), the second station 41 transmits the communication permission signal “OK” and the number j of the function g _i for generating the shared encryption key to the 1 to the station 11 (communication 7 in FIG. 14).
02). Moreover, changing the are stored in the storage unit 67 the number of accesses n _'a to n _a (process 715 of FIG. 14). Further, the shared key generation means 53 of the second station 41 generates a shared encryption key as K ₁₂ = g _j (r ₂ ) (process 716 in FIG. 14).

On the other hand, the first station 11 which has received the communication permission signal “OK” generates a shared encryption key using the shared key generation means 23 as K ₁₂ = g _j (r ₂ ) (FIG. 14). Process 717).

According to the seventh embodiment, the user information and the secret information unknown to the third party are used for the second
Can authenticate the validity of the first station. Moreover realizes a shared encryption key between the first station and the second station using the second random number r ₂ is information used during authentication it is. In addition, the authentication processing of the first station and the first station
And a process of generating a shared encryption key between the second station and the second station.

When the first station is authenticated, both the user information and the number of accesses are used, so that the reliability of the authentication can be improved.

When generating authentication information, a random number r ₂
Is used for the first encryption, and the value of the one-way function is used for the second encryption, so that the security performance is improved as compared with the sixth embodiment.

Further, in the seventh embodiment, the number of accesses (the number of accesses decrypted from the authentication information) whose value changes for each communication is authenticated. If a third party eavesdrops on the communication information and repeatedly attacks the second station using the same, the number of accesses is always the same as that of the attack, so that the communication is not valid. Therefore, it is possible to prevent a third party from repeatedly attacking.

[0286] 8. Eighth Embodiment Next, an eighth embodiment of the authentication method, a fourth invention of the encryption key sharing method, and embodiments of the eighth and fourteenth inventions of the communication system will be described together. FIG.
FIG. 3 is a diagram illustrating a configuration of a communication system according to an embodiment.

In the eighth embodiment, a communication includes a first station 11 and a second station 41 desiring to communicate, and a reliable third station 151 that performs authentication on behalf of the second station. In this system, the third station authenticates the validity of the first station 11 on behalf of the second station 11 and shares the encryption key between the first and second stations. However, as a precondition, the first station 11 and the third station 151 share secret information. Moreover, the second station 41 and the third station 151
Assume that the communication path between is secure.

According to the eighth embodiment, for example, the first station 11 is a large number of external personal terminals, and the third station 151
Is a large number of terminals in a company, and can be applied to a communication system in which the second station 41 is a firewall of a third station. In this example, the load on the second station 41 can be distributed, and the secret protection capability of the communication system can be further increased. The details will be described below.

8-1. Configuration Description first station 11 of the communication system includes a secret information storage unit 13 for storing the secret information K _a, the user information storage unit 15 for storing user information I _a, transceiver interface for transmitting and receiving with other station 17, random number generation means 141, authentication information generation means 1
43, a shared key generation unit 23, and a shared key storage unit 27. The connection relation of these components is the same as the connection relation in the second embodiment (see FIG. 3) (function f table,
The same except for the function g table).

The second station 41 has a transmission / reception interface 45 for transmission / reception to / from another station, and a shared key storage unit 91 connected thereto. Note that the first station 11 and the second station 11
Are connected by a communication line 100a.

[0291] The third station 151 includes a user information and the secret information storage unit 153 stores at least user information I _a and secret information K _'a per authorized correspondents, a transceiver interface 155, an authentication unit 157, Shared key generation means 159. Second station 41 and third station 151
Are connected by the communication line 100b.

The user information / secret information storage unit 153 is connected to the transmission / reception interface 155, the authentication unit 157, and the shared key generation unit 159. The authentication means 157 is connected to the transmission / reception interface 155. The shared key generation means 159 is connected to the transmission / reception interface 155.

The user information / secret information storage section 153
At least user information I _a and secret information K ′ _a
The fact that is stored means that the random number history, the number of accesses, the decrypted random number history, or the decrypted access number may be stored depending on the authentication method. The secret information K _a and K ′ _a are the same,
First, to distinguish whether the secret information of the third either the station side, is called a K _a, K _'a.

[0294] Here, the authentication information generating means 143 of the first station 11, generates the authentication information using the secret information K _a, which are stored in the random number and the confidential information storage unit 13 that is generated by the random number generation unit 141 Any suitable one can be used. For example, the authentication information can be generated using a one-way function f _i or using an encryption algorithm. Specifically, the means 21 described in the first embodiment, the means 33 described in the fourth embodiment,
: Means including means 123, 125 and 127 described in the fifth embodiment;: means including means 129 and 131 described in the sixth embodiment; or: described in the seventh embodiment. Means 125, 127 and 1
The authentication information generating unit can be configured by the unit including 33. Of course, when the authentication information generating means 143 is configured by any of the above-mentioned, the configuration in the first station is changed according to the teaching of any of the first to seventh embodiments described above.

The random number generating means 141 is a means for generating a random number r for each communication, for example. This random number generating means 14
1 is an authentication information generation unit 143 and a shared key generation unit 23
And the transmission / reception interface 17. The random number generating means 141 may be a means for generating the first random number r ₁ and the second random number r ₂ depending on the configuration of the authentication information generating means 143.

The authentication means 157 of the third station 151
Authentication information from the first station 11 is a means for authenticating using the secret information K _'a. The configuration of the authentication unit 157 is determined depending on how the authentication information generation unit 143 of the first station 11 is configured. The authentication information generation unit 143 is configured as described above.
(1)
A means including the means 51 and 59 described in the first embodiment, (2) a means including the means 69 and 73 described in the fourth embodiment, and (3) a means described in the fifth embodiment. Means including 75, 77 and 79, (4) means including means 69 and 83 described in the sixth embodiment, or
(5) The means including the means 75, 77 and 83 described in the seventh embodiment can constitute the authentication means 157. Of course, the authentication means 143 is used for the above (1) to
(5), the third embodiment is used in accordance with the teachings of any of the first to seventh embodiments described above.
Change the configuration in the station.

The shared key generation means 23 of the first station 11
The shared key storage unit 27 can be composed of the units 23 and 27 described in the first to seventh embodiments, respectively. The shared key generation means 159 of the third station 151
7 is means for generating a shared encryption key using one or more of the information used for authentication when the first station is determined to be valid. Further, the shared key storage unit 91 of the second station 41
Is means for storing a shared key generated by the third station and transmitted from the third station.

8-2. Description of Operation Next, the operation of the communication system according to the eighth embodiment will be described. Thus, the processing procedure of the authentication method and the method of generating the shared encryption key will be described. This explanation is added to FIG.
Refer to No. 6. FIG. 16 is a diagram showing a processing flow.

The random number generating means 141 of the first station 11 generates a random number r upon communication. Authentication information generating means 143 of the first station by using the random number r and the private information K _a credential A
_a is generated (process 811 in FIG. 16). This authentication information A
_a is the authentication information generation unit 143 as described above.
Is optional depending on the configuration of

Next, the first station 11 transmits the random number r, the user information _Ia, and the authentication information _Aa to the second station 41 (communication 801 in FIG. 16).

[0301] The second station 41, so does not have the authentication function and the secret information, and transfers the random number r sent from the first station 11 and the user information I _a and the authentication information A _a to the third station 151 (Communication 802 in FIG. 16).

[0302] The third station 151 finds the secret information K _'a for the first station 11 from the user information and the secret information storage unit 153 using the user information I _a, which has been transferred from the second station 41. Then, the third station 151 authenticates the authentication information A _a transferred from the second station 41 using the secret information K ′ _a (process 813 in FIG. 16). This authentication can be performed, for example, as follows. Authentication information A _a Since those using the random number r and the private information K _a, third station 15
1 may be from the authentication information A _a obtain a random number r using the secret information K _'a. Further, the random number r is separately transmitted.
Therefore, the validity of the first station can be authenticated by comparing the random number obtained from the authentication information with the transmitted random number. Of course, a specific method of authentication using the secret information K _'a has been already described, the authentication information generation 14
3 and the authentication means 157 can be changed depending on the configuration.

[0303] If the above authentication is the first station is a valid (process 814 in FIG. 16), the shared key generating unit 159 of the third station 151 generates a shared secret K ₁₂ (FIG. 16
Processing 815). Further, the third station 151 transmits the generated shared encryption key K ₁₂ and the communication permission signal “OK” to the second station 4.
1 (communication 803 in FIG. 16). Note that the shared encryption key K
_{The twelve} generation algorithms can be any algorithm determined between the first and third stations. For example g _j (r, K _a) using a random number and the secret information K _a may be prepared as. Of course, a method using a function g table may be used.

[0304] The second station 41 that has received the communication enable signal "OK" and the shared encryption key K ₁₂ stores a common encryption key K ₁₂ in the shared key storage unit 91, also, the communication permission signal "OK" First
(Station 804 in FIG. 16).

The communication permission signal “OK” has been received. The first station 11 generates a common encryption key K ₁₂ (processing of FIG. 16 81
6) This is stored in the shared key storage unit 27.

According to the eighth embodiment, the first embodiment which shares secret information and has authentication information and a means for generating a shared key is provided.
Even if a second station having no secret information intervenes between the third station and the third station, authentication of the first station can be realized, and the first station and the second station can be realized. It is possible to realize the sharing of the encryption key between the two. In addition, since the third reliable station authenticates the validity of the first station on behalf of the second station, the load on the second station can be reduced. In particular, in the case where each of the first station and the third station is a group including a large number of terminals, load distribution of the second station is realized.

Also in the case of the eighth embodiment, sharing of an encryption key between the first station and the second station is realized by using information used for authentication. Moreover, the authentication processing of the first station and the generation processing of the shared encryption key between the first station and the second station can be performed continuously.

9. Ninth Embodiment Next, the ninth invention of the authentication method, the fourth invention of the encryption key sharing method, and the ninth and fourteenth inventions of the communication system will be described together.

FIG. 17 is a diagram for explaining the configuration of the communication system according to the ninth embodiment. In the eighth embodiment, the example in which the random number generation means is provided in the first station 11 has been described. On the other hand, the ninth embodiment is an example in which the second station 41 is provided with a random number generating means 93. Other configurations are the same as in the eighth embodiment.

[0310] Random number generation means 93 provided in the second station 41
Are connected to the transmission / reception interface 45. Moreover, the random number generated by the random number generation means 93 is transmitted to the first station 11
Authentication information generating means 143 and shared key generating means 23
Is transmitted to the authentication unit 157 and the shared key generation unit 159 of the third station 151. Note that the configuration of the authentication information generation unit 143 and the authentication unit 157 is the fifth configuration.
When the random number r ₁ and the random number r ₂ are used as in the embodiment and the like, the random number generation means 93 also performs the random number r ₁ and the random number r
₂ is generated.

Next, the operation of the communication system according to the ninth embodiment will be described with reference to FIG. 18 in addition to FIG. FIG. 18 is a diagram showing a processing flow.

[0312] The first station 11 transmits the user information _Ia to the second station 41 (communication 901 in Fig. 18).

[0313] The second station 41 is user information I _a generates a random number r using the random number generation unit 93 receives this first
(The communication 902 in FIG. 18).

The authentication information generating means 143 of the first station 11
Generates the authentication information A _a using the random number r and the private information K _a (processing of FIG. 18 911), and transmits it to the second station 41 (communication 903 in FIG. 18) receives the authentication information A _a The second station 41 performs authentication information _Aa , random number r, and user information _Ia.
To the third station 151 (communication 90 in FIG. 18).
4).

[0315] The third station 151 finds the secret information K _'a for the first station 11 from the user information and the secret information storage unit 153 using the user information I _a, which has been transmitted from the second station 41. Then, the authentication information A _a which has been transferred from the second station 41, the third station 151 authenticates by using the secret information K _'a (process 912 of FIG. 18). This authentication can be performed, for example, as described in the eighth embodiment.

[0316] If the above authentication is the first station is a valid (process 913 in FIG. 18), the shared key generating unit 159 of the third station 151 generates a shared secret K ₁₂ (FIG. 18
Processing 914). Further, the third station 151 transmits the generated shared encryption key K ₁₂ and the communication permission signal “OK” to the second station 4.
1 (communication 905 in FIG. 18).

[0317] The second station 41 that has received the communication enable signal "OK" and the shared encryption key K ₁₂ stores a common encryption key K ₁₂ in the shared key storage unit 91, also, the communication permission signal "OK" First
(Station 906 in FIG. 18).

The first station 11 that has received the communication permission signal “OK” uses the shared encryption key generation means 23 and uses the shared encryption key K ₁₂
Is generated (step 915 in FIG. 18), and this is stored in the shared key storage unit 27.

[0319] According to the ninth embodiment, the first embodiment shares secret information and has authentication information and a shared key generation means.
Even if a second station having no secret information intervenes between the third station and the third station, authentication of the first station can be realized, and the first station and the second station can be realized. It is possible to realize the sharing of the encryption key between the two. In addition, since the third reliable station authenticates the validity of the first station on behalf of the second station, the load on the second station can be reduced. In particular, in the case where each of the first station and the third station is a group including a large number of terminals, load distribution of the second station is realized.

Also in the case of the ninth embodiment, sharing of an encryption key between the first station and the second station is realized using the information used at the time of authentication. Moreover, the authentication processing of the first station and the generation processing of the shared encryption key between the first station and the second station can be performed continuously.

In the case of the ninth embodiment, since the second station generates a random number, the first station itself cannot obtain an appropriate random number. Therefore, even if a third party repeatedly attacks the second station, it can be prevented.

[0322] 10. Tenth Embodiment Next, a tenth invention of an authentication method and a fifth invention of an encryption key sharing method will be described.
The embodiments of the present invention and the tenth and fifteenth aspects of the communication system will be described together.

FIG. 19 is a diagram for explaining the configuration of the communication system according to the tenth embodiment.

The tenth embodiment includes a first station 11 and a second station 41 that want to communicate with each other,
In the communication system including the intermediate station 161 interposed between the first station 11 and the second station, the second station authenticates the validity of the first station 11 and shares the encryption key between the first station and the second station. It is. However, as a precondition, the first station 11 and the third station
Is sharing secret information. Moreover, the intermediate station 161 has random number generation means. In addition, the communication path between the intermediate station 161 and the first station 11,
It does not matter whether the communication path between the second station 41 and the second station 41 is secure.

10-1. Description of Configuration of Communication System The first station 11 has the same configuration as the first station in the case of the eighth embodiment except that the random number generation means is omitted.

[0326] The second station 41, the user information and the secret information storage unit for storing transmission and reception interface 45, at least the user information I _a and secret information K _'a per legitimate correspondent for transmission and reception to and from other stations 95, authentication means 97,
It includes a shared key generation unit 99 and a shared key storage unit 57.
The user information / secret information storage unit 95 is connected to the transmission / reception interface 45, the authentication unit 97, and the shared key generation unit 99. The authentication means 97 is a transmission / reception interface
5 is connected. The shared key generation means 99 is connected to the transmission / reception interface 45.

[0327] Incidentally, said storing at least user information I _a and secret information K _'a for the user information and the secret information storage unit 95, depending on the authentication method, random number history,
This means that the number of accesses, the history of decoded random numbers or the combined number of accesses may be stored.

The authentication means 97 stores the authentication information A _a transmitted from the first station 11 via the intermediate station 161 in the storage section 9.
5 is a means for performing authentication using the secret information K ′ _a stored in the storage unit 5. The authentication unit 97 has a configuration corresponding to the configuration of the authentication information generation unit 143 of the first station 11.

The intermediate station 161 includes a transmission / reception interface 163 for transmission / reception to / from another station, and random number generation means 165 connected thereto. The random number generated by the random number generation unit 165 is stored in the authentication information generation unit 143 of the first station 11.
And the shared key generation means 23 and the authentication means 97 and the shared key generation means 99 of the second station 41.

The first station 11 and the intermediate station 161 are connected by a communication line 101c, and the second station 41 and the intermediate station 1
61 is connected by a communication line 101d.

10-2. Description of Operation Next, the operation of the communication system according to the tenth embodiment will be described with reference to FIG. 20 in addition to FIG. FIG.
Is a diagram showing the flow of processing.

The first station 11 transmits the user information _Ia to the intermediate station 161 (communication 1001 in FIG. 20).

[0333] Intermediate station 161 returns this generates a random number r using the random number generation unit 165 receives the user information I _a to the first station 11 (communication 1002 in FIG. 20).

The authentication information generating means 143 of the first station 11
Generates the authentication information A _a using the random number r and the private information K _a (process 911 in FIG. 20), and transmits it to the intermediate station 161 (communication 1003 in FIG. 20) intermediate that has received the authentication information A _a station 161, the authentication information a _a random number r and the user information I _a, and transmits to the second station 41 (communication 1004 in FIG. 20).

[0335] The second station 41 finds the user information and the secret information storage unit 95 using the user information I _a, which has been transmitted from the intermediate station 161 the secret information K _'a for the first station 11. Then, the second station 41 authenticates the authentication information A _a transferred from the intermediate station 161 using the secret information K ′ _a (process 1012 in FIG. 20). This authentication is, for example, the eighth
This can be performed as described in the embodiment.

[0336] If the first station in the above authentication is justified (in FIG. 20 process 1013), the shared key generating unit 99 of the second station 41 generates a common encryption key K ₁₂ (processing of FIG. 20 1014). Further, the second station 41 transmits a communication permission signal “OK” to the intermediate station 161 (FIG. 20: communication 10).
05).

Intermediate station 1 having received the communication permission signal “OK”
61 transmits a communication permission signal “OK” to the first station 11 (communication 1006 in FIG. 20).

The first station 11 that has received the communication permission signal “OK” uses the shared encryption key generation means 23 and uses the shared encryption key K ₁₂
Is generated (process 1015 in FIG. 20), and this is stored in the shared key storage unit 27.

According to the tenth embodiment, an intermediate station having no secret information is provided between the first station and the second station which share the secret information and have the authentication information and the shared key generating means. Even if a station is interposed, the authentication of the first station can be realized, and the encryption key can be shared between the first station and the second station.

Also in the case of the tenth embodiment, sharing of the encryption key between the first station and the second station is realized using the information used at the time of authentication. Moreover, the authentication processing of the first station and the generation processing of the shared encryption key between the first station and the second station can be performed continuously.

Also, since the job of generating random numbers is assigned to the intermediate station, the load on the first and second stations can be reduced.

The embodiments of each invention of this application have been described above. However, these inventions are not limited to the above-described embodiments, and many modifications or changes can be made.

For example, f _i (x | y), f _i (xAND) are used as the variable utilization form of the one-way function f _i (x, y).
Forms such as y) and f _i (xXORy) may be used.

Can be used. However, x | y means connection.

In each of the fourth to seventh embodiments, when generating a shared encryption key, the random number r (or r ₂ ) is transmitted in ciphertext, and therefore g _j ( r)
(Or g _j (r ₂ )) as a shared encryption key,
If the secret information K _a (K ′ _a ) is added to the variable when generating the shared encryption key, the security is further improved.

[0346] In addition, in the fourth embodiment of the present invention to use the secret information K _a as the encryption key of the encryption algorithm, also, fifth
In the seventh to seventh embodiments, f _i (r ₁ , K _a ) is used as the encryption key of the encryption algorithm. However, the key length may not match depending on the encryption algorithm. For example, when the one-way function is MD5, the key f _i (r ₁ , K _a ) has 128 bits. At this time, if DES-CBC is used as the encryption algorithm, this key is too long. As a method for dealing with such a case, there is a method of cutting off the upper bits when the key is longer than necessary, or putting 0 in the upper bits when the key is short. E _q {r ₂ , I _a }, E _q {r ₂ , I _a | n _a }
Is the encryption algorithm E _q
If it is longer or shorter, it can be treated the same as above.

[0347]

As is apparent from the above description, according to the inventions of the authentication method of this application, the first station is changed to the second station (or the third station) using the user information and the secret information. ) Can be authenticated. For this reason, a legitimate communication partner can be confirmed in the encrypted communication.

In particular, the invention includes a process of checking whether or not the random number transmitted from the first station is included in the random number history. Invention including a process of checking: an invention including a process of checking whether or not a random number decoded from the authentication information transmitted from the first station is included in the random number history; decoding from the authentication information transmitted from the first station In each of the inventions including a process of checking whether or not the number of times of access satisfies the inequality relation, it is possible to eliminate the use of the information used in the communication once again for the communication. Therefore, even if a third party eavesdrops on the communication information and attempts to attack the communication system using the same, it can be prevented.

Further, according to each invention of the encryption key sharing method of this application, one or more pieces of information used in the authentication method can be used as it is to generate a shared encryption key. To generate a shared encryption key. If the communication for generating the shared encryption key is separately performed after the authentication processing is completed, there is a danger of eavesdropping on this separate communication, but the encryption key sharing method of the present invention is to prevent this. Can be.

Further, according to each invention of the communication system of the present application, the invention of the corresponding authentication method and the invention of the corresponding generation method of the shared encryption key can be easily implemented.

[Brief description of the drawings]

FIG. 1 is an explanatory diagram illustrating a configuration of a communication system according to a first embodiment.

FIG. 2 is an operation explanatory diagram of the communication system according to the first embodiment;

FIG. 3 is an explanatory diagram of a configuration of a communication system according to a second embodiment.

FIG. 4 is an explanatory diagram illustrating an operation of the communication system according to the second embodiment;

FIG. 5 is a diagram illustrating a configuration of a communication system according to a third embodiment;

FIG. 6 is a diagram illustrating an operation of the communication system according to the third embodiment.

FIG. 7 is a diagram illustrating a configuration of a communication system according to a fourth embodiment;

FIG. 8 is a diagram illustrating an operation of the communication system according to the fourth embodiment.

FIG. 9 is an explanatory diagram of a configuration of a communication system according to a fifth embodiment.

FIG. 10 is an explanatory diagram of an operation of the communication system according to the fifth embodiment.

FIG. 11 is an explanatory diagram illustrating a configuration of a communication system according to a sixth embodiment.

FIG. 12 is an explanatory diagram illustrating an operation of the communication system according to the sixth embodiment;

FIG. 13 is an explanatory diagram illustrating a configuration of a communication system according to a seventh embodiment.

FIG. 14 is an explanatory diagram of an operation of the communication system according to the seventh embodiment.

FIG. 15 is a diagram illustrating a configuration of a communication system according to an eighth embodiment;

FIG. 16 is an operation explanatory diagram of the communication system according to the eighth embodiment;

FIG. 17 is a diagram illustrating the configuration of a communication system according to a ninth embodiment.

FIG. 18 is an explanatory diagram of the operation of the communication system according to the ninth embodiment.

FIG. 19 is an explanatory diagram of a configuration of a communication system according to a tenth embodiment.

FIG. 20 is an explanatory diagram illustrating the operation of the communication system according to the tenth embodiment.

[Explanation of symbols]

11: first station 13: secret information storage unit 15: user information storage unit 19, 47: function f table (means for storing a plurality of predetermined algorithms) 21: first authentication information generation unit 23: shared key generation unit 25, 55: Function g table (means for storing a plurality of encryption key generation algorithms) 29: Random number generation means 31: Access count counting means 33: Authentication information generation means (encryption unit) 35, 71: Algorithm E table (encryption) 41: second station 43: user information / secret information storage unit 49: random number generation unit 51: second authentication information generation unit 53: shared key generation unit 61: random number authentication unit 63: user Information / random number history information / secret information storage unit 65: Access count authentication unit 67: User information / access count / secret information storage unit 69: Authentication information Decryption means 73: Authentication means 75: Decryption key generation means 77: Authentication information decryption means 79: Authentication means 81: Means for authenticating the first random number 83: Authentication means 100, 100a to 100d: Communication line 121: Random number generation Means 123: Ciphertext generation means 125: Encryption key generation means 127: Authentication information generation means 129: Encryption means 131: Authentication information generation means 133: Ciphertext generation means 151: Third station 161: Intermediate station

 ────────────────────────────────────────────────── ─── Continued on the front page (72) Inventor Shoji Torii 1-7-12 Toranomon, Minato-ku, Tokyo Oki Electric Industry Co., Ltd.

Claims (53)

[Claims] 1. In a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, A process in which the first station transmits user information indicating that it is the first station to the second station; and one of the first and second stations generates a random number. A process of transmitting to the other station, the first station generates first authentication information by a predetermined algorithm which receives the random number and the secret information stored in the storage means in the own station as input. A process of transmitting the random number and the secret information stored in the storage means in the local station as a second algorithm; Processing for generating information; and the second station is configured to execute the first authentication information. Authentication method characterized by including a process of authenticating the validity of the first station by the comparing the second authentication information. 2. In a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, A process in which the first station transmits user information indicating that the first station is a first station to a second station; a process in which the first station generates a random number; A process of transmitting the random number to the second station; and a first algorithm wherein the first station receives the random number and the secret information stored in the storage means in the local station as a first algorithm. A process in which authentication information is generated and transmitted to the second station; a process in which the second station authenticates the transmitted random number; and a process in which the random number is authenticated, the random number is not valid. The second station is not valid for the first station. The process is executed when the random number is determined to be valid in the process of authenticating the random number, and the second station is configured to execute the random number and the secret information stored in the storage unit in the own station. A process of generating second authentication information by a predetermined algorithm which receives the first authentication information, and comparing the first authentication information with the second authentication information to authenticate the validity of the first station. An authentication method comprising: 3. In a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, A process in which the first station transmits user information indicating that the first station is a first station to the second station; and one of the first and second stations generates a random number and transmits the random number to the other station. A process of transmitting to the second station, a process of counting the number of times the first station has accessed the second station, and transmitting the number of accesses to the second station; and A process of generating first authentication information by a predetermined algorithm that receives the random number, the access count, and the secret information stored in the storage unit in the own station, and transmitting the generated first authentication information to the second station; The second station recognizes the transmitted access count. A process performed when the number of accesses is determined to be invalid in the process of authenticating the number of accesses, and a process in which the second station determines that the first station is not valid; The process is executed when the number of accesses is determined to be valid in the authentication process, and the second station stores the random number, the number of accesses, and the secret information stored in the storage unit in the own station. A process of generating second authentication information by a predetermined algorithm to be input, and authenticating the validity of the first station by comparing the first authentication information with the second authentication information; An authentication method comprising: 4. In a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, A process in which the first station transmits user information indicating that it is the first station to the second station; a process in which the first station generates a random number; Generating authentication information by encrypting the random number and the user information using the secret information stored in the storage means in the local station as a key,
The second station, the second station decrypts the transmitted authentication information using the secret information stored in the storage means in the own station as a key, and the second station A station authenticates the validity of the first station by comparing the user information obtained in the decoding with the transmitted user information, and authenticating a random number obtained in the decoding. And an authentication method. 5. In a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, A process in which the first station transmits user information indicating that it is the first station to the second station; a process in which the first station generates a first random number and a second random number; A process in which the first station transmits a first random number to the second station; and the first station encrypts the user information using the second random number as a key to perform a first encryption. A process for generating a sentence, wherein the first station generates authentication information by a predetermined algorithm that receives the first random number and the secret information stored in the storage unit in the first station. A process for generating a key for a cryptographic algorithm; Further encrypting the second random number and the first ciphertext using the key of (i), generating a second ciphertext, and transmitting this as authentication information to the second station; Is executed when the first random number is not valid in the process of authenticating the transmitted first random number and the process of authenticating the first random number, and the second A process in which a station determines that the first station is not valid, and a process in which the first random number is determined to be valid in the process of authenticating the first random number, wherein the second station includes: A key for decrypting authentication information is generated by a predetermined algorithm that receives the first random number and the secret information stored in the storage unit in the local station as input, and the key is transmitted using the key. Decrypted authentication information, and user information obtained by the decryption and the transmitted user Authentication method characterized by including a process of authenticating the validity of the first station by comparing the distribution. 6. In a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, A process in which the first station transmits user information indicating that it is the first station to the second station; a process in which the first station generates a random number; A process of counting the number of times the second station has been accessed; a process of the first station encrypting the user information and the number of times of access using the random number as a key; A process of further encrypting the encrypted user information and the number of accesses using the secret information stored in the storage unit in the own station as a key and transmitting the encrypted user information as authentication information to the second station; The second station is stored in the storage means in its own station Decrypting the transmitted authentication information using the secret information as a key; and the second station comparing the transmitted user information with the transmitted user information obtained by the decryption, and Authenticating the first station by authenticating the number of accesses obtained by the decryption. 7. In a communication system including a first station and a second station storing common secret information in respective storage means, when the second station authenticates the first station, A process in which the first station transmits user information indicating that it is the first station to the second station; and a process in which the first station generates a first random number and a second random number A process in which the first station transmits the first random number to the second station; a process in which the first station counts the number of times the second station has been accessed; A first station encrypting the user information and the number of accesses by using the second random number as a key to generate a first ciphertext; and Authentication information by a predetermined algorithm which receives the secret information stored in the storage means in the station as an input. A process of generating a key of a cryptographic algorithm for generating, the first station further encrypts the second random number and the first ciphertext using the key of the cryptographic algorithm to generate a second cryptographic key. A process of generating a ciphertext and transmitting it to the second station as authentication information, wherein the second station uses the first random number and the secret information stored in the storage means in the own station. A process of generating a key for decrypting the authentication information by a predetermined algorithm as an input; and the second station decrypts the transmitted authentication information using the key for decryption. Processing, comparing the user information obtained in the decryption with the transmitted user information, and authenticating the validity of the first station by authenticating the number of accesses obtained in the decryption And processing to perform Authentication method. 8. A communication system comprising a first station and a second station wishing to communicate, and a trusted third station authenticating on behalf of said second station, said first station and said third station. In a communication system in which the stations store common secret information in respective storage means, when the third station authenticates the first station, the fact that the first station is the first station. A process of transmitting user information indicating the following to the second station; a process of the first station generating a random number; a process of the first station transmitting a random number to the second station; A process in which the first station generates authentication information using the random number and the secret information stored in the storage means in the own station, and transmits the authentication information to the second station; A station transmitting user information, a random number, and authentication information transmitted from the first station to the third station; The third station authenticates the random number and the authentication information transmitted from the second station by using the secret information stored in the storage means in the own station, thereby enabling the first station to perform authentication. An authentication method, comprising: a process of authenticating validity; and a process of the third station transmitting an authentication result to the second station. 9. A communication system comprising a first station and a second station wishing to communicate, and a trusted third station that authenticates on behalf of the second station, the first station and the third station. In a communication system in which the stations store common secret information in respective storage means, when the third station authenticates the first station, the fact that the first station is the first station. A process of transmitting user information indicating the following to the second station: a process of generating a random number when the second station receives the user information and transmitting the random number to the first station; Station generates authentication information using the random number transmitted from the second station and the secret information stored in the storage means in the own station, and transmits the authentication information to the second station. The second station, the random number, and user information and authentication information transmitted from the first station. To the third station, and the third station authenticates the authentication information transmitted from the second station using the secret information stored in the storage means in the own station. Performing a process of authenticating the validity of the first station and a process of transmitting the authentication result to the second station by the third station. 10. The first station including a first station and a second station that desire to communicate, and an intermediate station interposed between the first and second stations.
In the communication system in which the second station and the second station store common secret information in their respective storage means, when the second station authenticates the first station, the first station A process of transmitting user information indicating that it is one station to the intermediate station; a process of generating a random number when the intermediate station receives the user information and transmitting the random number to the first station; A process in which the first station generates authentication information using the random number transmitted from the intermediate station and the secret information stored in the storage unit in the own station, and transmits the authentication information to the intermediate station; A process in which the intermediate station transmits the random number, and user information and authentication information transmitted from the first station to the second station; and wherein the second station is transmitted from the intermediate station. Stored in the storage means in the own station. Authentication method characterized by including a process of authenticating the validity of the first station by authentication using the information. 11. The authentication method according to claim 1, wherein each of said first station and said second station has a plurality of types of algorithms that can be used as said predetermined algorithm. The first or second station generates a selection signal, and the first and second stations respectively select one of the plurality of algorithms according to the selection signal. The authentication method, wherein the first station generates the first authentication information according to the set algorithm, and the second station generates the second authentication information. 12. The authentication method according to claim 2, wherein the processing of authenticating the transmitted random number includes: storing a history of the random numbers transmitted from the first station;
And an authentication method for checking whether a random number transmitted from the first station in the current communication is included in a random number history up to the previous communication. 13. The authentication method according to claim 4, wherein the process of authenticating the random number obtained by the decryption includes storing a history of the random number obtained by the decryption and decrypting the current communication. An authentication method characterized in that it is a process of checking whether or not the random number obtained in (1) is included in the random number history up to the previous communication. 14. The authentication method according to claim 5, wherein the processing of authenticating the transmitted first random number includes storing a history of the first random number transmitted from the first station. And an authentication method for checking whether or not the first random number transmitted from the first station in the current communication is included in the random number history up to the previous communication. 15. The authentication method according to claim 3, wherein the processing of authenticating the transmitted access count includes: storing the access count transmitted from the first station; And a process of checking whether the number of accesses transmitted from the first station satisfies a predetermined inequality relation with respect to the number of accesses up to the previous communication. 16. The authentication method according to claim 6, wherein the process of authenticating the number of accesses obtained by the decryption includes: storing the number of accesses obtained by the second station by the decryption; and An authentication method for checking whether or not the number of accesses obtained by decoding in the current communication satisfies a predetermined inequality relation with the number of accesses obtained in decoding in the previous communication. 17. The authentication method according to claim 5, wherein a plurality of types of algorithms that can be used as the predetermined algorithm are prepared for each of the first station and the second station in a similar manner. The first or second station generates a selection signal, and in response thereto, each of the first and second stations selects one of the plurality of algorithms, and according to the selected algorithm, The authentication method, wherein the first station generates a key for the encryption algorithm, and the second station generates a key for decrypting the authentication information. 18. The authentication method according to claim 1, 2, 3, 5, 5, 7, 11, or 17, wherein the predetermined algorithm is a one-way function. 19. The authentication method according to claim 4, wherein each of the first station and the second station decodes an algorithm for generating the authentication information and the authentication information. Similarly, a plurality of types of encryption algorithms that can be used as algorithms when preparing are prepared in advance, and the first or second station generates a selection signal, and the first and second stations respectively respond accordingly. Selects one of the plurality of encryption algorithms, the first station performs encryption for generating the authentication information, and the second station performs encryption based on the selected encryption algorithm. An authentication method characterized by decrypting a password. 20. The first station is authenticated by the authentication method according to any one of claims 1 to 3, and the first station and the second station are validated by the authentication. A cryptographic key generated by a predetermined cryptographic key generation algorithm that inputs the random number and the secret information, respectively, and using this as a shared cryptographic key of the first and second stations. Sharing method. 21. The first station is authenticated by the authentication method according to claim 4 or 6, and if the authentication is valid, the first station and the second station respectively transmit the random number. An encryption key sharing method, wherein a shared encryption key is generated by a predetermined encryption key generation algorithm to be input, and the shared encryption key is used as a shared encryption key for the first and second stations. 22. The first station is authenticated by the authentication method according to claim 5 or 7, and if the authentication is valid, the first station and the second station respectively execute the second station. A shared encryption key is generated by a predetermined encryption key generation algorithm to which the random number is input, and this is used as a shared encryption key for the first and second stations. 23. The encryption key sharing method according to claim 20, wherein each of the first and second stations can be used as the predetermined encryption key generation algorithm. Are prepared in advance in a similar manner, and the first or second station generates a selection signal, and the first and second stations respectively respond to the selection signal from among the plurality of types of encryption key generation algorithms. Selecting one, and selecting the first by the selected encryption key generation algorithm.
The second station and the second station each generate a shared encryption key. 24. The first station is authenticated by the authentication method according to claim 8 or 9, and if the authentication is valid, the first station and the third station respectively use a shared encryption key. Respectively, and the third station transmits the shared encryption key to the second station, and the second station uses the shared encryption key as a shared encryption key. 25. The authentication method according to claim 10, wherein the first station is authenticated, and if the authentication is justified, the first station and the second station respectively exchange a shared encryption key. An encryption key sharing method, wherein each of them is generated and used as a shared encryption key for the first and second stations. 26. A communication system including a first station and a second station storing common secret information in respective storage means, wherein: (1) the first station transmits a second secret information to the second station; User information transmitting means for transmitting user information indicating that the station is a first station; (2) random number generating means provided in the first station or the second station for generating a random number; (3) random number transmitting means for transmitting the generated random number to the other station; (4) the secret information provided in the first station, the random number and the secret information stored in the storage means in its own station A first authentication information generating means for generating first authentication information by a predetermined algorithm having the following as input: (5) authentication information for transmitting the first authentication information to the second station Transmitting means, (6) provided in the second station, the random number and the storage means in its own station A second authentication information generating means for generating second authentication information by a predetermined algorithm which receives the stored secret information as input, (7) provided in the second station, A communication system comprising: authentication means for authenticating the first station by comparing authentication information with the second authentication information. 27. A communication system including a first station and a second station storing common secret information in respective storage means, wherein: (1) the first station transmits a second secret information to the second station; User information transmitting means for transmitting user information indicating that the station is a first station; (2) random number generating means provided in the first station for generating a random number; A random number transmitting means for transmitting the random number to the second station; (4) inputting the random number and the secret information stored in the storage means in the first station provided in the first station; First authentication information generating means for generating first authentication information by a predetermined algorithm, and (5) authentication information transmitting means for transmitting the first authentication information to the second station; (6) Random number authentication provided in the second station for authenticating the transmitted random number Means, (7) provided in the second station, the second authentication information by a predetermined algorithm that receives the transmitted random number and the secret information stored in the storage means in its own station, A second authentication information generating means for generating, (8) provided in the second station, wherein the first authentication information and the second authentication information are compared by comparing the first authentication information with the second authentication information. A communication system comprising: authentication means for authenticating the validity. 28. A communication system including a first station and a second station storing common secret information in respective storage means, wherein: (1) the first station transmits a second secret information to the second station; User information transmitting means for transmitting user information indicating that the station is a first station; (2) random number generating means provided in the first station or the second station for generating a random number; (3) random number transmitting means for transmitting the generated random number to the other station; (4) provided in the first station, wherein the first station is the second station
(5) an access count transmitting means for transmitting the access count to the second station; and (6) an access count transmitting means for transmitting the access count to the second station. A first authentication information generating means for generating first authentication information by a predetermined algorithm which receives the number of accesses, the random number, and the secret information stored in the storage means in its own station; (7) authentication information transmitting means for transmitting the first authentication information to the second station; and (8) provided in the second station to authenticate the transmitted access count. And (9) a predetermined number provided in the second station, which receives the transmitted access number, the random number, and the secret information stored in the storage means in its own station. Second authentication by algorithm Second authentication information generating means for generating information; (10) provided in the second station, wherein the first authentication information and the second authentication information are compared by comparing the first authentication information with the second authentication information. A communication system comprising an authentication unit for authenticating a station. 29. A communication system including a first station and a second station storing common secret information in respective storage means, wherein: (1) the first station transmits a second secret information to the second station; User information transmitting means for transmitting user information indicating that the station is a first station; (2) random number generating means provided in the first station for generating a random number; (3) the first station An authentication information generating means for generating authentication information by encrypting the random number and the user information with the secret information stored in the storage means in the own station as a key, 4) authentication information transmitting means for transmitting the authentication information to the second station; and (5) a secret key provided in the second station and stored in the storage means in its own station as a key. Authentication information decoding means for decoding the transmitted authentication information (6) provided in the second station, comparing the user information obtained by the decryption with the transmitted user information, and authenticating a random number obtained by the decryption And a means for authenticating the validity of the first station. 30. A communication system including a first station and a second station storing common secret information in respective storage means, wherein: (1) the first station transmits the second station to the second station; User information transmitting means for transmitting user information indicating that the station is a first station; and (2) random number generation provided in the first station for generating a first random number and a second random number. Means, (3) random number transmitting means for transmitting the generated first random number to the second station, (4) provided in the first station, using the second random number as a key Ciphertext generating means for encrypting the user information to generate a first ciphertext; (5) provided in the first station, storing the first random number and the storage means in the own station; Cryptographic algorithm for generating authentication information by a predetermined algorithm which receives the secret information (6) provided in the first station, further encrypting the second random number and the first ciphertext using a key of the encryption algorithm. Authentication information generating means for converting the authentication information to the second station, and (8) the authentication information transmitting means for transmitting the authentication information to the second station. 2 station, and the transmitted first
(9) provided in the second station, wherein the transmitted first
Decryption key generating means for generating a key for decrypting the authentication information by a predetermined algorithm which receives the random number of the authentication information and the secret information stored in the storage means in its own station, (10) Authentication information decrypting means provided in the second station, for decrypting the authentication information using the decryption key; (11) provided in the second station, obtained by the decryption A communication system comprising: authentication means for authenticating the validity of the first station by comparing user information with the transmitted user information. 31. A communication system including a first station and a second station storing common secret information in respective storage means, wherein: (1) the first station transmits the second station to the second station; User information transmitting means for transmitting user information indicating that the station is a first station; (2) a random number generating means provided in the first station for generating a random number; 1 station and the first station is the second station.
An access number counting means for counting the number of times of access to the station, and (4) an encryption provided in the first station for encrypting the user information and the number of accesses with the random number as a key. (5) further encrypting the encrypted user information and the number of accesses using the secret information stored in the storage unit in the first station as a key, provided in the first station. (6) authentication information transmitting means for transmitting the authentication information to the second station, (7) provided in the second station, Authentication information decrypting means for decrypting the transmitted authentication information using the secret information stored in the storage means in the station as a key, (8) provided in the second station, User information obtained by Authentication means for comparing the received user information and authenticating the first station by authenticating the number of accesses obtained by the decryption. Communications system. 32. A communication system including a first station and a second station storing common secret information in respective storage means, wherein: (1) the first station transmits the second station to the second station; User information transmitting means for transmitting user information indicating that the station is a first station; and (2) random number generation provided in the first station for generating a first random number and a second random number. Means, (3) random number transmitting means for transmitting the generated first random number to the second station, (4) provided in the first station, wherein the first station is the first station 2
And (5) provided in the first station, encrypting the user information and the number of accesses using the second random number as a key. Ciphertext generating means for generating a first ciphertext; (6) the secret information provided in the first station, the first random number and the secret information stored in the storage means in the own station. An encryption key generation means for generating a key of an encryption algorithm for generating authentication information by a predetermined algorithm as an input; (7) provided in the first station, using the key of the encryption algorithm, Authentication information generating means for further encrypting a second random number and the first ciphertext to generate a second ciphertext as authentication information; (8) sending the authentication information to the second station; Authentication information transmitting means for transmitting; (9) The second station is provided with the first
Decryption key generating means for generating a key for decrypting the authentication information by a predetermined algorithm which receives the random number of the authentication information and the secret information stored in the storage means in its own station, (10) Authentication information decrypting means provided in the second station, for decrypting the transmitted authentication information using the decryption key; (11) provided in the second station, Comparing the obtained user information with the transmitted user information, and authenticating means for authenticating the validity of the first station by authenticating the number of accesses obtained by the decryption. A communication system, comprising: 33. A first station and a second station wishing to communicate, and a trusted third station that authenticates on behalf of said second station.
In the communication system, wherein the first station and the third station store common secret information in respective storage means, (1) the first station and the third station User information transmitting means for transmitting user information indicating that the station is a first station; (2) random number generating means provided in the first station for generating a random number; A random number transmitting means for transmitting the random number to the second station; (4) using the random number and the secret information stored in the storage means in the first station provided in the first station; Authentication information generating means for generating authentication information; (5) authentication information transmitting means for transmitting the authentication information to the second station; (6) the first station to the second station Transmitting the user information, the random number, and the authentication information transmitted to the third station. (7) The authentication information provided in the third station and transmitted from the second station using the secret information stored in the storage means in the own station. (8) provided in the third station, wherein the authentication result is provided in the second station.
A communication system comprising: an authentication result transmitting unit for transmitting to an office. 34. A first station and a second station wishing to communicate, and a trusted third station that authenticates on behalf of the second station.
In the communication system, wherein the first station and the third station store common secret information in respective storage means, (1) the first station and the third station User information transmitting means for transmitting user information indicating that the station is the first station; and (2) random number generating means provided in the second station for generating a random number when receiving the user information. (3) random number transmitting means for transmitting the generated random number to the first station; (4) provided in the first station, the random number and stored in the storage means in its own station Authentication information generating means for generating authentication information using the secret information, (5) authentication information transmitting means for transmitting the authentication information to the second station, (6) the random number and the The user information and the authentication information transmitted from the first station to the second station are 3
And (7) the secret provided in the third station, wherein the authentication information transmitted from the second station is stored in the storage means in the own station. Authentication means for authenticating the validity of the first station by authenticating using information; (8) provided in the third station, wherein the authentication result
A communication system comprising: an authentication result transmitting unit for transmitting to an office. 35. A communication system comprising a first station and a second station desiring to communicate, and an intermediate station interposed between the first and second stations.
In the communication system in which the first station and the second station store common secret information in respective storage means, (1) user information indicating that the first station is the first station from the first station to the intermediate station (2) a random number generating means provided in the intermediate station, for generating a random number when receiving the user information; and (3) transmitting the generated random number to the first station. And (4) authentication using the transmitted random number and the secret information stored in the storage means in the own station, which is provided in the first station. Authentication information generating means for generating information; (5) authentication information transmitting means for transmitting the authentication information to the intermediate station; (6) transmitted from the random number and the first station to the intermediate station. And transmitting the user information and the authentication information to the second station. And (7) the first station by authenticating the transmitted authentication information provided in the second station using the secret information stored in the storage means in the own station. A communication system comprising an authentication unit for authenticating a station. 36. The communication system according to claim 26, wherein a plurality of algorithms provided in each of the first station and the second station and usable as the predetermined algorithm are stored. Storage means, and an algorithm selection signal generated in one of the first station and the second station and transmitted to the other station, and the first station and the second station One common algorithm is selected from the storage means storing the plurality of algorithms of each of the stations, and this is selected by the first or second authentication information generation means provided in each station as the predetermined algorithm. A communication system, comprising: an algorithm selecting means for outputting. 37. The communication system according to claim 27, wherein the random number authentication means is provided in the second station, and stores a history of random numbers transmitted from the first station. Comparing means provided in the second station for checking whether or not the random number transmitted from the first station in the current communication is included in the random number history up to the previous communication. Communication system. 38. The communication system according to claim 29, wherein the means for authenticating the random number obtained by the decoding is provided in the second station, and stores the history of the random number obtained by the decoding. Means, and comparing means provided in the second station for checking whether a random number obtained by decoding in the current communication is included in a random number history up to the previous communication. A communication system characterized by the following. 39. The communication system according to claim 30, wherein said means for authenticating said first random number is a first random number provided in said second station and transmitted from said first station. Means for storing the history of the first station, and whether or not the first random number provided in the second station and transmitted from the first station in the current communication is included in the random number history up to the previous communication And a comparing means for checking whether or not the communication system is in the communication system. 40. The communication system according to claim 28, wherein the access count authentication unit is provided in the second station, and stores the access count transmitted from the first station. Comparing means provided in the second station for checking whether the number of accesses transmitted from the first station in the current communication satisfies a predetermined inequality relation with respect to the number of accesses up to the previous communication; A communication system comprising: 41. The communication system according to claim 31, wherein the means for authenticating the number of accesses obtained by the decoding is provided in the second station, and the number of accesses obtained by the decoding is provided. Means for storing whether or not a random number provided in the second station and obtained by decoding in the current communication satisfies a predetermined inequality relationship with respect to the number of accesses obtained in decoding in the previous communication And a comparing means for checking whether or not the communication system is in the communication system. 42. The communication system according to claim 30 or 32, wherein the first station and the second station each have a plurality of algorithms that are provided in each of the stations and that can be used as the predetermined algorithm. An algorithm selection signal is generated in one of the first station and the second station and transmitted to the other station, and the selection signal is used to transmit the algorithm selection signal to each of the first and second stations. An algorithm selecting means for selecting one common algorithm from storage means storing a plurality of algorithms and outputting the same as the predetermined algorithm to the encryption key generation means or decryption key generation means provided in each station; A communication system comprising: 43. The method according to claim 26,27,28,30,3.
43. The communication system according to 2, 36 or 42, wherein the predetermined algorithm is a one-way function. 44. The communication system according to claim 27, wherein said random number authenticating means determines that said first station is not valid when said random number is not valid, and generates said second authentication information. A communication system, wherein each of the means and the authentication means is a means that operates when the random number authentication means determines that the random number is valid. 45. The communication system according to claim 28, wherein said access count authentication means determines that said first station is not valid when said access count is not valid, and said second authentication A communication system, wherein each of the information generation unit and the authentication unit is a unit that operates when the access count authentication unit determines that the access count is valid. 46. The communication system according to claim 30, wherein said first random number authenticating means determines that said first station is not valid when said first random number is not valid, A communication system, wherein each of a decryption key generation unit, the authentication information decryption unit, and the authentication unit is a unit that operates when the first random number authentication unit determines that the first random number is valid. . 47. The communication system according to any one of claims 29 to 32, wherein the authentication information generating means and the authentication information decoding means are provided in the first station and the second station, respectively. Storage means for storing a plurality of usable encryption algorithms; generating an algorithm selection signal in one of the first station and the second station and transmitting it to the other station; Selects one common algorithm from storage means storing the plurality of encryption algorithms of each of the first station and the second station, and stores the same in the authentication information generation means or the authentication information provided in each station. A communication system comprising: an algorithm selecting unit that outputs to an information decoding unit. 48. The communication system according to any one of claims 26 to 28, wherein the communication system is provided in each of the first station and the second station, and the authentication unit validates the first station. And a shared encryption key generating means for generating a shared encryption key by an encryption key generation algorithm that receives the random number and the secret information as input. 49. The communication system according to claim 29, wherein the communication unit is provided in each of the first station and the second station, and the authentication unit determines that the first station is valid. A communication system, further comprising: a shared encryption key generation unit that operates and generates a shared encryption key by an encryption key generation algorithm that receives the random number. 50. The communication system according to claim 30 or 32, provided in each of the first station and the second station, when the authentication unit determines that the first station is valid. A communication system, further comprising: a shared encryption key generation unit that operates and generates a shared encryption key by an encryption key generation algorithm that receives the second random number as an input. 51. The communication system according to claim 48, wherein a plurality of algorithms provided in each of said first station and said second station and which can be used as said encryption key generation algorithm are provided. A storage means for storing an algorithm selection signal in one of the first station and the second station, and transmitting the algorithm selection signal to the other station; Algorithm selecting means for selecting one common algorithm from storage means storing the plurality of encryption algorithms of each of the second stations and outputting the same to a shared encryption key generating means provided in each station. A communication system comprising: 52. The communication system according to claim 33, wherein the communication device is provided in each of the first station and the third station, and the authentication unit determines that the first station is valid. A communication system comprising: a shared encryption key generation unit that operates; and a shared encryption key transmission unit that transmits a shared encryption key generated by the third station to the second station. 53. The communication system according to claim 35, wherein the communication unit is provided in each of the first station and the second station, and operates when the authentication unit determines that the first station is valid. A communication system comprising a shared encryption key generation unit.