JPH10276184A - Key management method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To attain decoding of an encrypted text and copy of a session key within a range decided by a certification agency only. SOLUTION: The management method divides system secret information Rs into (Rs1 , rs1 ), (Rs2 , rs2 ) (Rs =Rs1 +Rs2 =rs1 .rs2 ) and the result is stored in an agency 3, secret information Si of a user (i) is divided into Si1 , Si2 , which are stored in the agency 3, and user public information Pi =g<si> mod p is open to the public. A user 1 sets a key KS to generate a key Kab =Pb <sa> and uses date time information D to generate a key Kd =Kab .g<kab> .D, encrypts the KS and sends it to user 2. The user 2 obtains the Kab , Kd , decodes the encrypted KS to obtain the KS. When an agency 5 decodes an encrypted text, the agency c5 submits a certificate to the agency 3, and when the certificate is valid, the agency 3 generates K1 (K2 )=Pb S<a1> /rs1 mod p and sends it to the agency 5, the agency 5 obtains K'=K1 .K2 and sends it to the agency 3. The agency 3 calculates K1 ' (K2 ')=Pb S<a1> .g<k> '.D.R<g1> (mod p) and sends it to the agency 5, and the agency 5 obtains the KS from Kd =K1 '.K2 '.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a cryptographic communication system, which is capable of decrypting a cipher text stored in a database or the like during communication or a session key for decrypting a cipher text based on a law or a contract. Ensure that the authorized enforcement authority can decrypt the ciphertext or duplicate the session key only to the extent of its provisions, and at the same time deviate from the provisions and illegally decrypt the ciphertext, Alternatively, the present invention relates to a key management method for preventing a user's privacy from being violated by duplicating a session key.

[0002]

2. Description of the Related Art In recent years, encryption technology has been widely studied as a fundamental technology for the information society, and while extremely strong encryption technology has been developed, as strong encryption technology has been developed, There is growing concern that encryption technology itself may be used for antisocial behavior. However, the current encryption technology aims to prevent anyone from eavesdropping on communications, so even if it is used for antisocial acts, it can not be recognized or caught .

[0003] Also, from the viewpoint of corporate defense, some companies have taken measures such as encrypting and storing important files in the company, but on the other hand, accidents, disasters, and other reasons have occurred. Even if a situation occurs in which an encrypted file cannot be decrypted, there is no longer any means for decrypting the file with the current encryption technology, and the file is permanently unavailable.

[0004] For this reason, technologies for enabling enforcement agencies to decrypt ciphertexts under certain conditions under laws or contracts have been studied mainly in Europe and the United States. These technologies are called key recovery or key escrow. being called. These technologies generally use LEA after encrypting a session key used when using encrypted communication.
F (Law Enhancement Access)
Field) is added to the ciphertext and added to the ciphertext. When permission to decrypt the ciphertext is issued by a court order or a contract, the enforcement agency restores the session key from the additional data and encrypts the ciphertext. Can be decrypted. A typical example is Escrowed Encrypt, which is proposed by the US government.
ionStandard (Federal Information
motion Processing Standard
ds Publication (FIPS) 185
U. S. Dept. of Commercial).

FIG. 6 shows an Escrolled Encrypt.
It is an operation summary of ion Standard. According to this method, the user performs cipher communication using a clipper chip that is a tamper-resistant (tampering) chip. This clipper chip has SKI
LEAF, a secret encryption algorithm called PJACK
A plurality of algorithms such as a secret generation algorithm and a verification algorithm, and a plurality of device-specific or system-common data such as a device number, a unit key, and a family key are enclosed. Because this chip is a mechanism that is allowed to be manufactured only at manufacturing plants that have been approved by the US government due to confidentiality policies aimed at securing the communication interception function, the specific configuration is not disclosed, only the operation summary is published Have been.

According to the outline of the operation, a manufacturing factory first encloses an algorithm, data, and the like in each clipper chip and distributes the same, and divides a unit key into two pieces of data to specify two data specified by the law together with a device number. Deposit with the escrow agency. Next, when the user performs the cryptographic communication under a situation where the session key is shared in advance by some method, the sender A inputs the session key and the message to the clipper chip A. Clipper chip A sends the message using the session key
At the same time as encrypting with the KIPJACK algorithm, the session key is encrypted with the secret key generation algorithm using the unit key and the family key together with the device number and some private data to generate the LEAF. The ciphertext and LEAF generated in this way are transmitted to the communication partner.

[0007] The receiver B inputs the session key, the ciphertext, and the LEAF to the clipper chip B. The clipper chip B first verifies the legitimacy of the LEAF using the family key and the secret data, and decrypts the cipher text using the session key using the SKIPJACK algorithm only when the verification passes. If the verification fails, decryption is not performed.

Further, when a law enforcement agency obtains a verification warrant from a court and intercepts the communication, the law enforcement agency presents the verification warrant to the two escrow agencies so that the law enforcement agency can obtain the data of the divided unit key of the clipper chip A. The unit key of the clipper chip A received from each escrow agency is reconstructed. Later, L
The EAF is decrypted using the family key and the reconstructed unit key to obtain a session key. By using the session key thus obtained, the cipher text can be decrypted and the message can be intercepted.

[0009] However, it has been pointed out that this method has some problems. Among them, (1) it is almost kept secret because the basic part of the configuration secures a communication interception function. (2) If a law enforcement agency obtains a court's warrant and intercepts communications at least once, it will obtain a unit key for the device. Regardless of whether it is within the range permitted by the court, past, present, and future, the device can unconditionally intercept the communication that is the sender, (3) the device is the receiver Sometimes, it is impossible to intercept communication unless a unit key for the transmitting device is obtained, and if an attempt is made to forcibly intercept communication, a unit for a user's device that is not included in the verification warrant There like so that the thus disclosed is a major problem. In other words, it is a scheme that places more emphasis on the interests of law enforcement agencies and does not dispel concerns that the risk of privacy infringements by enforcement agencies is extremely high. In addition, it cannot be ignored that legal control by law enforcement agencies is not effective against illegal interception of communications by law enforcement agencies.

[0010]

SUMMARY OF THE INVENTION An object of the present invention is to protect the user's privacy as much as possible from cipher decryption or session key duplication performed based on a law or a contract. 1) Use public protocols and algorithms. (2) If an enforcement authority performs ciphertext decryption or session key duplication based on laws or contracts, ensure that ciphertexts are used only within the specified range. (3) that the enforcement authority cannot decrypt the ciphertext and duplicate the session key, even if the enforcement authority attempts to decrypt the ciphertext or duplicate the session key illegally beyond the provisions;
(4) A person who does not have authority according to a law or a contract is to provide a key management method for realizing that decryption of a ciphertext and duplication of a session key cannot be performed.

[0011]

According to the present invention, as a method for achieving the above object, a system secret random number and a user secret information generated by a key management authority device, a key registration authority device, or a user device, or a communication party are specified. The key management institution device registers and manages the master key to be encrypted, and, when performing cryptographic communication, the originating user device uses the data including the master key and date and time information as a session encryption key, and encrypts the actual message. Generating additional data by encrypting the data including the session key used in the session with the session encryption key, and using the session encryption key generated by the receiving user apparatus in the same manner as the originating user apparatus. A process of obtaining a session key by decrypting additional data, and performing ciphertext decryption or session key duplication. Sometimes the key management authority device provides a pseudo master key generated using data including the master key, date and time information, and system secret random number to the enforcement authority device, and the enforcement authority device uses the pseudo master key to perform pseudo session encryption. After the key is generated, it is sent to the key management authority device, which prepares to erase the system secret random number from the pseudo session encryption key and returns it to the enforcement authority device. After reconstructing, decrypting the additional data using the session encryption key to obtain a session key, and if necessary, decrypting the ciphertext using the session key. .
Since the date and time information only needs to include information for determining whether or not the time is within a permitted range based on a law or a contract, the transmission number may be used instead of the actual date and time information. Any information may be used as long as the information is temporally distinguishable, such as a message number. Furthermore, a plurality of types of such information may be included, and other information, for example, additional data such as a user name of a transmitter / receiver and random number data may be further added.

[0012]

According to the present invention, in order to obtain a session key and decrypt a ciphertext, it is necessary to obtain a session encryption key, and the session encryption key includes a master key and date and time information. Since it is obtained using data, it is necessary to obtain a master key in order to generate an arbitrary session encryption key.

However, in order to extract the data including the master key and the date and time information from the session encryption key, it is necessary to solve a discrete logarithm problem, which is extremely difficult to solve mathematically. Is thought to be as difficult as decrypting Therefore,
Even if the session encryption key is obtained, the enforcement device and unauthorized parties cannot decrypt the session encryption key and extract the master key.

On the other hand, when decrypting a ciphertext or duplicating a session key, it is possible to obtain a pseudo session encryption key from the pseudo master key that can be obtained from the key management institution by the enforcement agency. However, in order to obtain the session encryption key or the master key from the pseudo session encryption key, the system secret random number needs to be erased, and only the key management authority device is ready to erase the system secret random number. Hence, the key management authority device can pass only the session encryption key to the enforcement device by preparing to erase the system secret random number from the pseudo session encryption key without revealing the master key itself to the enforcement device. .

Further, the pseudo master key provided by the key management organization device can be generated without using only the user secret information of one user or the master key specifying the communication party regardless of the originating side or the receiving side. No user secrets or master keys of outside users are used. Also, since the user sends the session key using the additional data, if the additional data is improper, the users themselves cannot share the session key. This means that additional data is used. Therefore, when ciphertext decryption or session key duplication is performed based on laws or contracts, etc., it is necessary to confirm whether the key management institution equipment is within the prescribed range, and only if it is deemed to be within the range, the session Will pass the encryption key to the enforcement unit,
In addition, when the session encryption key is obtained, the session key is always obtained because the additional data is valid, and the cipher text can be decrypted.

Further, since the date and time information differs for each communication or each session key update, the session encryption key also differs for each communication or each session key update. Therefore, the session encryption key obtained by the enforcement agency device is also effective only for the duplication of the session key or the decryption of the ciphertext in the case where the session encryption key is available, and is useless in other cases.

[0017] Therefore, the master key itself cannot be obtained under any circumstance, not only those without authority but also the enforcement authority device, so that any session encryption key cannot be generated illegally. Impossible, and consequently, it is not possible for an enforcement authority to decipher the ciphertext or duplicate the session key without departing from its scope. In the present invention, a system can be configured using a common key cryptosystem in which an algorithm is disclosed.

[0018]

DESCRIPTION OF THE PREFERRED EMBODIMENTS One embodiment of the present invention will be described below with reference to the drawings. FIG. 1 is a configuration diagram of a key management system showing one embodiment of the present invention. In FIG. 1, an originating user device 1 includes a user information generating unit 10 for generating user public information and user secret information, a session key generating unit 11 for setting a session key KS by a user operation,
Master key generation means 12 for generating a master key for specifying a communication party; date and time management means 13 for managing information indicating communication date and time; session encryption for generating a session encryption key for encrypting a session key Key generating means 14, additional data generating means 1 for generating additional data
5. It has a common key encryption means 16 for performing encrypted communication.

The receiving-side user device 2 has user information generating means 20 for generating user public information and user secret information, master key generating means 21 for generating a master key for specifying a communication party, and for encrypting a session key. A session encryption key generation unit 22 for generating a session encryption key, a verification unit 23 for verifying whether the additional data is valid data, a session key acquisition unit 24 for extracting a session key from the additional data, and for performing cryptographic communication. The common key encryption means 25 is provided.

The first and second key management institution devices 3 and 4 respectively store system secret random number management databases 30 and 40 for storing and managing system secret random numbers, and a user secret information management database 31 for storing and managing user secret information. , 4
1. pseudo master key generation means 32, 42 for generating a pseudo master key; random number erasure preparation means 33, 43 for preparing to delete the system secret random number from the pseudo session encryption key.
It has.

The enforcement agency device 5 includes a storage unit 50 for storing the intercepted cipher text and additional data, and a pseudo session encryption key generation unit 5 for generating a pseudo session encryption key.
1. Session encryption key reconstructing means 52 for reconstructing a session encryption key, analyzing means 5 for acquiring a session key
3. It has a common key encryption means 54 for decrypting encrypted communication. The user devices 1 and 2 are connected by a communication line 6,
The key registration authority device 7 includes information generating means 70 for generating system public information and system secret random numbers.

Next, the operation method of the above embodiment will be described with reference to the drawings. First, an operation method at the time of system construction is shown in FIG. Step A1: The key registrar 7 prepares the following information in the information generating means 70. (1) large prime p, (2)
p primitive element g, (3) random number R _s Step A2: The key registrar 7 publishes p, g as system public information to all subscribing users and subscribing organizations.

Step A3: R _s is divided into two (R _s1 , r _s1 ) and (R _s2 , r _s2 ) as a system secret random number,
(R _s1 , r _s1 ) is _stored in the first key management authority device 3 by (R _s2 , r _s1 ).
_s2 ) to the second key management authority device 2 securely and secretly. Here meet the _{R s = R s1 + R s2} = r s1 · r s2. Step A4: The first key management institution device 3 (the second key management institution device 4) transmits (R) in the system secret random number management database 30 (system secret random number management database 40).
( _s1 , _rs1 ) (( _Rs2 , _rs2 )) is kept strictly. Note that R
_s , R _s1 , R _s2 , r _s1 , and _rs2 are extremely important confidential information in the system, and must be stored strictly so as not to leak out in any case.

Although the description has been made here assuming that the key registration authority device 7 generates system public information and a random number, the present invention is not limited to this, and the key management authority device alone or cooperates with the system to release the system. Information and system secret random numbers may be generated. Next, FIG. 3 shows the operation when the user subscribes to the system.

Step B1: User i generates user information
In the means 10 (20), the user secret information S_iPassing
And user public information P_i= G^Si(Mod p) is set. Step B2: User secret information S_iS_i1, S_i2Two
And securely and confidentially
And S_i1And S to the second key management authority device 4._i2To
Send it. Where S_i= S_i1+ S_i2Meet. Also, Yu
Public information P _iIs registered in the key registration authority device 7 and made public.
You.

Step B3: The first key management institution device 3 (second key management institution device 4) transmits the information S _i1 (S _i2 ) sent from the user device to the user secret information management database 31.
Store securely in (41). Here, it has been described that the user device itself generates the user public information P _i and the user secret information S _i , but the present invention is not limited to this, and instead of the user device, a key management authority device or a key The registration authority device 7 may generate the necessary information and securely and confidentially transmit necessary information to the user device, the first key management authority device, the second key management authority device, and the key registration authority device.

Next, FIG. 4 shows a case where user A and user B perform encrypted communication. Here, the calling side is A and the receiving side is B
In the following steps C1 to C5, A corresponds to step C6.
B is to be performed by C9. Step C1: The session key KS is freely set using the session key generation means 11.

Step C2: The master key generation means 12
Using A's user secret information S_aAnd public information P of B
_bFrom the master keys K of users A and B_ab= P_b ^Sa= G
^SaSb(Mod p). Step C3: Master key K_abAnd from the date and time management means 13
Generating a session encryption key using the obtained date and time information D
In the means 14, the session encryption key K_d= K _ab・ G
^{Kab / D}(Mod p).

Step C4: The additional data generating means 15 uses the session encryption key _Kd to generate the session key K
Additional data LEAF regarding S = ｛f (KS, K _d ) |
D | checksum} is generated. Here, f (M, K) is an arbitrary common key cryptosystem f, and represents that M is encrypted with the key K. Also, | indicates concatenation, and checksum is checksum data indicating the validity of the additional data LEAF.

Step C5: Add additional data LEAF to B
It is sent through the communication line 6. Step C6: Using the master key generation means 21,
User secret information S_bPublic information P of A and A_bAnd from A to
B's master key K_ab= P_a ^Sa= G^SaSb(Mod p)
You. Step C7: The date and time information D is obtained from the additional data LEAF.
Out, master key K _abAnd session using date and time information D
The session encryption key K
_d= K_ab・ G^{Kab / D}(Mod p).

Step C8: In the verification means 23, check
The validity of the additional data LEAF is verified using the ksum.
If the verification fails, disconnect the communication. Step C9: The session key
Encryption key K_dFrom the additional data LEAF using
Key KS = f^-1(F (KS, K_d), K _d)
Confuse. Where f^-1(C, K) is the common key cryptosystem f
And decrypting C with the key K.

Step C10: A and B are session keys K
Using S, encrypted communication is performed through the communication line 6 using the common key encryption means 16 and 25, respectively. Step C11: One of A and B is the session key KS
Is changed, the operation from step C1 is repeated with the user who tried to change the session key KS as the originating side.

Finally, FIG. 5 shows a case where the enforcement agency device 5 executes ciphertext decryption or session key duplication based on a law or a contract. Here, it is assumed that the enforcement agency has obtained a permit (for example, a communication interception verification warrant, an inquiry letter, etc.) necessary to execute ciphertext decryption or session key duplication, and The stored communication data is stored in the storage device 5 in the executive agency device 5.
It is assumed that it is stored in 0. It is also assumed that the user who is the target of the permit is A, and the communication partner at this time is B.

Step D1: The enforcement authority device 5 sends the first key management institution device 3 and the second key management institution device 4 a permit and additional data stating that ciphertext decryption or session key duplication is properly executed. The date and time information D obtained from the LEAF is presented. The exchange of data between the key management institution devices 3 and 4 and the enforcement institution device 5 may use a communication line, or may use a communication line other than the communication line.

Step D2: The first key management institution device 3 (second key management institution device 4) checks whether the permit is valid, and the enforcement institution performs ciphertext decryption or session key duplication. Make sure that the object you are trying to reach is within the scope of your permit, law, contract, etc. If it is determined that it is out of the range, the request is rejected.

Step D3: If the first key management institution device 3 (second key management institution device 4) is determined to be within an appropriate range, the divided A user secret information S _a1 (S _a2 ), B
The user public information P _b (P _a) and divided system secret random number r _s1, (r _s2) using a quasi-master key generating unit 32 pseudo-In (42) the master key ^{_{K 1 = P b Sa1 / r}} s1 (Mod p), (K ₂ = P _b ^Sa2 / r
_s2 (mod p)).

Step D4: The first key management institution apparatus 3 (second key management institution apparatus 4) sends the pseudo master key K ₁ (K ₂ ) to the executive institution apparatus 5. Step D5: The enforcement agency device 5 uses the pseudo session encryption key generation means 51 to convert the pseudo session encryption key K '= K ₁ · K ₂ = P _b ^{Sa1 + Sa2} / r from the pseudo master key K ₁ (K ₂ ). _s1 · r _s2 = P _b ^Sa
/ R _s = K _ab / R _s (mod p) is calculated.

Step D6: The enforcement authority device 5 sends the pseudo session encryption key K 'to the first key management authority device 3 and the second key management authority device 4. Step D7: first key management center apparatus 3 (second key management center apparatus 4) is a random number erased preparing means 33 in order to clear the system secret random number R _s from the pseudo session encryption key K '(4
The system secret random number R _s1 divided using 3),
From (R _s2 ) and date and time information D, P _b , S _a1 (S _a2 ), K ₁ ′ = P _b ^Sa1 · g ^{k ′ · D · Rs1} (mod p), (K ₂ ′ =
^{_{P b Sa2 · g K '·}} D · Rs2 (mod p)) is calculated.

Step D8: The first key management organization device 3 (the
2 key management organization device 4) is K₁'(K _Two′)
To the device 5. Step D9: The enforcement agency device 5 re-enters the session encryption key.
K using the constituent means 52₁'(K_Two') From session
Encryption key K_d= K₁'K_Two '= P_b ^{Sa1 + Sa2}・ G
^{k '・ D (Rs1 + Rs2)} = P_b ^Sa・ G^{k '・ D ・ Rs}= K_ab・ G^{Kab / D}Reconstruct (mod p).

Step D10: The enforcement agency device 5 is
In step 53, the session encryption key K _dAdditional data using
From the LEAF to the session key KS = f^-1(F (KS, K
_d), K_d). Step D11: The enforcement agency device 5 uses the common key encryption unit 54
In the storage means 50 using the session key KS.
Decrypt the ciphertext between A and B that have been accumulated.

Incidentally, it is assumed that the user who is the target of the permit is B, and if the communication partner at this time is A, steps D3 and D7 are simply replaced as follows. Step D3 ^* : If the first key management institution device 3 (the second key management institution device 4) is determined to be within an appropriate range, the divided B user secret information S _b (S _b2 ) and the A user public information P _a and split system secret random number r _s1, (r
_s2) using a quasi-master key ^{_{K 1 = P a Sb1 / r}} s1 (mod p in quasi-master key generation unit 32 (42)), (K 2 = P a Sb2 / r
_s2 (mod p)).

Step D7 ^* : First key management organization device 3
(Second key management center apparatus 4) is pseudo-session encryption key K 'from the system secret random number R _s random erase preparing means to erase the 33 (43) system secret random number R _s1 divided using, (R _s2 ) and date and time information D, _Pb , S
_b1 (S _b2) from the ^{_{K 1 '= P a Sb1 ·}} g K' · D · Rs1 (mod p), (K 2 '=
_{^{P a Sb2 · g K '·}} D · Rs2 (mod p)) is calculated.

Such processing is performed by K _ab = P _b ^Sa = P _a ^Sb =
This is possible because g ^{Sa · Sb} (mod p) always holds.
Therefore, it indicates that the same method can be used regardless of whether the user who is the target of the license is the sender or the receiver, and the user who is used by the key management organization The confidential information is that of the user who is the target of the permit, and only the user public information is used for the communication partner user. Therefore, the user secret information of the user who is not the target of the permit is not used.

In the above description, there are two key management institutions.
User confidential information and system
By changing the number of divided secret random numbers,
Build as a system with more than one key management authority
It is possible. For example, if it is alone, the key management organization
All user secret information and system secret random numbers must be owned.
In this case, steps D3 to D6 are omitted.
Yes, directly to enforcement agencies_d= K_ab・ G^{Kab / D}(m
od p) can be provided. Also, if the key management organization
(K>2) If there are R_s= Σ_{j = 1} ^kR_sj= Π_{j = 1} ^k
r_sj, S_i= Σ _{j = 1} ^kS_ijMeet the system secret
The random number and the user secret information may be divided and owned. This
, K ′ = in step D5_{j = 1} ^kK_j(Mod
p), K at step D9_d'= Π_{j = 1} ^kK_j′ (Mod p) and
It can be realized by exactly the same processing except for the following.

In the above description, the master keys _Kab of the users A and B are generated using the user public information P _i and the user secret information S _i , and these P _i and S _i (= S _i1 +
Instead of using the S _i2), the user A, may be registered in the first, second key management center apparatus 3, 4 K _ab1, K _ab2 by dividing the unique master key K _ab to B. That is, it is assumed that a unique master key _Kab has been set between users A and B. In this case, by dividing the K _ab to satisfy K _ab = K _ab1 · K _ab2 two K _ab1, K _ab2, first key management center apparatus 3 (second key management center apparatus 4), K _ab1 ( K _ab2 ) is stored respectively. In Step _{D3 K 1 = K ab1 / r} s1 (mod p), (K 2 = K ab2 / r s2 (m
od p)), and at step D7, K ₁ '= K _ab1 · g ^{K' · D · Rs1} (mod p), (K ₂ '= K
_ab2 · g ^{K '· D · Rs2} (mod p)). Other steps are the same as those described above. If there are k (k > 2) key management institutions, the master key may be divided and owned so as to satisfy K _ab = Π _{j = 1} ^k K _abj .

The additional data LEAF may be linked with various additional information such as a sender name and a receiver name in addition to the data described above.

[0047]

As described above, according to the present invention,
The following effects can be obtained. (1) The system can be realized using only a public algorithm. (2) When decryption of a ciphertext or duplication of a session key is performed based on a law or a contract, etc., the ciphertext can be deciphered or the session key can be reliably reproduced only within a prescribed range. (3) Even if an attempt is made to decipher the ciphertext or duplicate the session key unduly, the ciphertext cannot be decrypted and the session key cannot be duplicated. (4) A person who does not have authority according to law or contract cannot decrypt ciphertexts or duplicate session keys at all.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a functional configuration of a key management system to which an embodiment of the present invention is applied.

FIG. 2 is a flowchart showing an operation procedure (at the time of system construction) in the embodiment of the present invention.

FIG. 3 is a flowchart showing an operation procedure (when a user joins the system) in the embodiment of the present invention.

FIG. 4 is a flowchart showing an operation procedure (at the time of encrypted communication) in the embodiment of the present invention.

FIG. 5 is a flowchart showing an operation procedure (when executing ciphertext decryption or session key duplication) in the embodiment of the present invention.

FIG. 6 is a diagram showing an operation outline in the clipper chip.

Claims (8)

[Claims] 1. A key management method for managing a session key used for encrypting a message in a cryptographic communication system, wherein a key management institution device or a key registration institution device sets system public information and a system secret random number when a system is constructed.
And, when the user device or the key registration authority device or the key management authority device generates the user public information and the user secret information, or generates the master key for specifying the communication party when the user joins the system, the system public information and the user public information On the system, and registering and managing the system secret random number and the user secret information or the master key in one or more key management organizations. When performing cryptographic communication, the originating user device identifies the communicating party. A session encryption key is generated using data including a master key and data indicating a time element such as date and time information, and additional data is generated by encrypting the data including the session key using the session encryption key. Transmitting the additional data to the receiving user equipment after generating the Generates a session encryption key using data including a master key specifying a communication party and data indicating a time element such as date and time information, and decrypts the received additional data using the session encryption key. Obtaining a session key by performing a key management method. 2. When the enforcement authority device decrypts a ciphertext or duplicates a session key, the key management authority device uses a master key for identifying a communication party, data indicating time elements such as date and time information, and a system secret. A pseudo master key is generated using data including a random number and provided to the enforcement authority device, and after the enforcement authority device generates the pseudo session encryption key using the pseudo master key, the pseudo session key is returned to the key management authority device,
The key management authority device prepares to erase the system secret random number from the pseudo session encryption key and returns it to the enforcement authority device,
The key management method according to claim 1, further comprising a step of, after the enforcement apparatus reconstructs the session encryption key, decrypting the additional data using the session encryption key to obtain the session key. 3. The key according to claim 1, wherein a master key for specifying the communication party is generated from one user secret information of the communication party and user public information of the communication partner. Management method. 4. In a process of registering and managing a system secret random number and a user secret information or a master key in a plurality of key management authority devices, the secret information is divided and each key management authority device divides the divided secret information. 4. The key management method according to claim 1, wherein the key management is performed. 5. The division of the system secret random number R _s and the user secret information S _{i is performed} as follows: R _s = Σ _{j = 1} ^k R _sj = Π _{j = 1}
^k r _sj , S _i = Σ _{j = 1} ^k S _ij The number of key management authority devices is divided into k (k > 2) so as to satisfy ^k S _ij , and the system secret random number R _sj , _5. The key management method according to claim 4, wherein r _sj and the divided user secret information S _ij are managed. 6. The system secret random number R _s and users A, B
_Are divided into R _s = Σ
_{j = 1} ^k R _sj = Π _{j = 1} ^k r _sj , K _ab = Σ _{j = 1} ^k K _abj is divided into the number k (k > 2) of key management authority devices so as to satisfy:
_5. The key management method according to claim 4, wherein the j-th key management institution manages the divided system secret random numbers R _sj , r _sj and the divided master key K _abj . 7. When generating additional data, generating additional data by encrypting data including a session key with a common key cryptosystem using a session encryption key, and obtaining the session key. 7. The key management method according to claim 1, wherein a session key is obtained by decrypting the additional data by a common key encryption method using the session encryption key. 8. The method according to claim 1, wherein a checksum indicating the validity of the additional data is added to the additional data, and whether the received additional data is correct information is verified using the checksum. Item 9. The key management method according to any one of Items 7 to 7.