JPWO2010024379A1 - COMMUNICATION SYSTEM, TRANSMITTER AND RECEPTION OR TRANSFER COMMUNICATION DEVICE, DATA COMMUNICATION METHOD, DATA COMMUNICATION PROGRAM - Google Patents

Abstract

The communication device on the transmission side uses a key chain in order with respect to the data image to be transmitted in order to store a key chain in which a series of keys is formed by repeating a hash value for each key, and The keyed hash value is calculated from the part and the key, and is added to the packet transmitted immediately before. Thereafter, the data part and key in the previous packet, the keyed hash value calculated earlier, A means for generating an authenticator for each packet by repeatedly calculating a hash value with a key from and assigning it to the packet transmitted immediately before, and a means for transmitting the generated packet to the network. The receiving or forwarding communication device comprises means for receiving a packet from the network, means for storing a key for confirming the validity of the packet, and Calculates that the key included in the received packet is a continuous hash value based on, calculates the keyed hash value for the entire packet including the next authenticator, and is already included in the next packet Means for verifying the authenticator by comparing whether or not the hash value with the key is the same.

Description

  The present invention relates to a communication system for verifying the integrity of a program image mainly for updating a program image via a network, a communication device on a transmission side and a reception or transfer side, a data communication method, and a data communication program.

  In recent years, in response to the rapid development of the wireless sensor network (Wireless Sensor Network, hereinafter referred to as WSN) field using wireless communication protocols represented by IEEE 802.15.4 and ZigBee, the program image of the sensor node once deployed The importance of updating through the Internet has increased. In such a program image update via a network, it is important to verify the integrity to ensure that the program image has not been changed from the original because the program image may be altered on the network path. It becomes.

  Updating the program image starts with the program image being set in a device called a base station that distributes the program image to the sensor nodes, where the program image is divided into sizes suitable for deployment on the network. After dividing into the appropriate size, each is expanded to the sensor node. When the sensor node is configured by a multi-hop such as a tree structure, the sensor node is delivered by transferring the sensor image to the next-hop sensor node.

  At this time, if the sensor node in the middle alters the program image, it cannot be expected that the subsequent sensor nodes that have received the altered program image will operate correctly, and thus the integrity of the program image cannot be verified. It is an important issue.

  As this type of detection method, for example, as shown in Non-Patent Document 1, a method based on a public key cryptosystem is shown. In this method, the base station is realized by processing as follows at the stage of dividing the program image.

  First, when each divided program image is expressed as a packet, the hash value of the last packet is calculated and attached to the previous packet. Similarly, the hash value of the packet is calculated and added to the previous packet. Thereafter, the same process is repeated until the first packet is reached (hash chain). Finally, the top packet is signed with a secret key held by the base station. In this way, the receiver verifies the likelihood of the packet by verifying the leading packet with the public key, and verifies the validity of the subsequent packet by verifying the hash chain (see Non-Patent Document 1). ).

  However, the WSN is composed of a CPU (central processing unit) whose processing speed is not sufficient compared with a PC and a device having a limited memory. For example, they are 8-bit microcomputers equipped with 128 Kbytes of flash memory, 4 Kbytes of SRAM, EEPROM, and the like. When public key cryptosystems are used on these devices, there are problems of requiring calculation time and consuming a lot of memory for storing keys.

  On the other hand, as shown in Non-Patent Document 2, there is shown a method using a common key cryptosystem assuming the resource limitation of devices constituting the WSN. In this method, the base station is realized by processing as follows at the stage of dividing the program image.

  First, a one-way key chain is generated. In this key chain, a hash value of a key is calculated based on the first determined key, and this is the next key. By repeating this process, a key chain can be generated. This key chain is used from the last generated key and is used when calculating the hash value of the divided packet. The calculated hash value and the key used for the calculation are assigned to each packet, and the packet is expanded to the sensor node.

  The sensor node receiving this packet calculates a hash value using the assigned key, and verifies the probability of the packet. At the same time, it is possible to verify the certainty of the key itself by calculating the hash value of the key itself and verifying whether the hash value is the same as the previous key.

Prabal K. Dutta and Jonathan W. Hui and David C. Chu and David E. Culler, "Securing the Deluge network programming system", In Proceedings of the Fifth International Conference on Information Processing in Sensor Networks (IPSN}, 2006, pages 326 -333, ACM Hailun Tan, Sanjay Jha, Diethelm Ostry, John Zic, and Vijay Sivaraman, "Secure multi-hop network programming with multiple one-way hash chains", In WiSec '08: ACM Conference on Wireless Network Security, 2008, ACM

  In order to realize an efficient verification method in a device with limited resources, it is necessary to guarantee safety while using a method with the least amount of calculation as shown in Non-Patent Document 2. However, in the method shown in Non-Patent Document 2, before a sensor node receives a specific packet, a key is first obtained from the same packet received by another sensor node, and the obtained legitimate key is used for falsification. When a hash value is assigned to a packet that has been tampered with, the sensor node that has received the tampered packet has a problem of accepting the tampered packet as correct because a valid key is used.

  The first problem is that when a packet is received, a falsified packet can be immediately generated using a valid key. The reason is that the same packet includes packet data, a key for calculating a hash value, and a calculated hash value.

  Therefore, an object of the present invention is to provide a communication system that verifies the accuracy of a program image using a shared key cryptosystem without using a public key cryptosystem that requires more computation processing, a transmission side, and a reception or transfer side. Communication device, data communication method, and data communication program.

  Another object of the present invention is to adopt a mechanism capable of sequentially verifying received packets, so that even if a tampered packet is inserted, a communication system that immediately detects, a communication device on the transmission side and the reception or transfer side, A data communication method and a data communication program are provided.

  The present invention includes a communication device on the transmission side, a communication device on the reception or transfer side, and a network connecting between the communication device on the transmission side and the communication device on the reception or transfer side, and guarantees integrity. The transmission side communication device is configured to store a key chain in which a series of keys is formed by repeating hash values for each key, and a divided data image to be transmitted. Using the key chain in order, a hash value with a key is calculated from the data part and the key and attached to the packet transmitted one before, and thereafter the data part in the previous packet and Generate an authenticator for each packet by repeatedly calculating the keyed hash value from the key and the previously calculated keyed hash value and assigning it to the previous packet sent Means for transmitting the generated packet to the network, and the communication device on the receiving or transferring side has means for receiving the packet from the network and a key for confirming the validity of the packet. Based on the stored means and the stored key, it is calculated that the key included in the received packet is a continuous hash value, and a keyed hash value for the entire packet including the next authenticator is calculated. A communication system comprising: means for verifying an authenticator by comparing whether or not the calculated keyed hash value included in the next packet is the same.

The present invention also provides means for storing a key chain in which a series of keys is formed by repeating hash values for each key, and using the key chains in order for the divided data images to be transmitted. The keyed hash value is calculated from the key and attached to the previous packet to be transmitted, and thereafter the data part, key, and keyed hash value calculated in the previous packet are used. Means for generating an authenticator for each packet by repeatedly calculating a keyed hash value and assigning it to the packet transmitted one before;
A communication apparatus comprising means for transmitting a generated packet to a network.

  The present invention also provides a means for receiving a packet from a network, a means for storing a key for confirming the validity of the packet, and a hash in which a key included in the received packet is based on the stored key. Is calculated, calculates a keyed hash value for the entire packet including the next authenticator, and compares it with the calculated keyed hash value included in the next packet And a means for verifying the authenticator.

  Further, according to the present invention, on the transmission side, a key chain in which a series of keys is formed by repeating hash values for each key is stored, and the key chains are sequentially arranged with respect to the divided data images to be transmitted. Using the data part and the key to calculate the keyed hash value and assigning it to the previous packet to be sent, and then the data part and key in the previous packet and the key with the previously calculated key Generate an authenticator for each packet by repeatedly calculating a hash value with a key from the hash value and assigning it to the packet sent one before, and sending the generated packet to the network and receiving it On the side, a key for confirming the validity of the packet is stored, the packet from the network is received, and included in the packet received based on the stored key. And the keyed hash value for the entire packet including the next authenticator is calculated and is the same as the calculated keyed hash value included in the next packet. It is a data communication method characterized by verifying an authenticator by comparing whether or not.

  The present invention also provides a process for storing a key chain in which a series of keys is composed of repeated hash values for each key, and a data portion using the key chain in order for the divided data images to be transmitted. The keyed hash value is calculated from the key and attached to the previous packet to be transmitted, and thereafter the data part, key, and keyed hash value calculated in the previous packet are used. Communicating the process of generating an authenticator for each packet by repeatedly calculating the keyed hash value and assigning it to the previous packet sent, and the process of sending the generated packet to the network A program that is executed by an apparatus.

  Further, the present invention provides a process for receiving a packet from the network, a process for storing a key for confirming the validity of the packet, and a hash in which the keys included in the received packet are based on the stored key. Is calculated, calculates a keyed hash value for the entire packet including the next authenticator, and compares it with the calculated keyed hash value included in the next packet Thus, the communication device is caused to execute processing for verifying the authenticator.

  According to the present invention, in addition to the key chain, the hash value of the next packet is included in the previous packet and sent, making it difficult to forge the packet. Therefore, it is possible to verify the integrity of the data image even when a method based on the common key encryption method is used. Thereby, efficient verification can be performed even in an apparatus with limited resources. In addition, since the hash value of the next packet is included in the previous packet and sent, the relevance between successive packets is increased, so even if a packet is spoofed, the spoofing can be quickly and reliably ensured. Can be detected.

It is a block diagram which shows the structure of the communication system of the 1st Embodiment of this invention. It is a block diagram which shows the structure of the communication apparatus by the side of the transmission of the 1st Embodiment of this invention. It is the block diagram which showed the detail of the key chain which the key chain storage part of the 1st Embodiment of this invention hold | maintains. It is a block diagram which shows the structure of the communication apparatus by the side of reception or transfer of the 1st Embodiment of this invention. It is the block diagram which showed the detail of the packet exchanged between the communication apparatus of the transmission side of the 1st Embodiment of this invention, and a reception or transfer side. It is a flowchart which shows operation | movement of the communication apparatus by the side of reception or transfer of the 1st Embodiment of this invention. It is a block diagram which shows the structure of the communication apparatus by the side of the transmission of the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the communication apparatus by the side of reception or transfer of the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the communication system of the 3rd Embodiment of this invention. It is a block diagram which shows the structure of the communication apparatus by the side of the transmission of the 3rd Embodiment of this invention. It is a block diagram which shows the structure of the communication apparatus by the side of reception or transfer of the 3rd Embodiment of this invention. It is the block diagram which showed the packet exchanged between the communication apparatus of the transmission side of the 3rd Embodiment of this invention, and the communication apparatus 2 of the reception or transfer side.

  Next, embodiments of the present invention will be described in detail with reference to the drawings. Note that the embodiment shown here is merely an example, and is not necessarily limited to this embodiment.

<First Embodiment>
FIG. 1 is a diagram showing a configuration of a communication system according to a first embodiment for carrying out the present invention.

  Referring to FIG. 1, a communication system according to a first embodiment of the present invention includes communication apparatuses 1 to 7 and a network 10 that connects LAN (Local Area Network) lines or WAN (Wide Area Network) lines. It is composed of The network 10 may be wired or wireless.

  The communication devices 1 to 7 are devices that perform communication using wired or wireless communication, and are generally terminal devices such as notebook PCs and mobile terminals. In particular, the communication devices 2 to 7 may be small devices configured with limited processing capability, memory, and communication capability such as sensor devices.

  The communication devices 2 to 7 may be configured to transfer the received packet to the next communication device. For example, when receiving a packet from the communication device 1, the communication device 2 transfers the same packet to the communication device 4 and the communication device 5. Similarly, the communication device 3 transfers to the communication device 6 and the communication device 7. It can be easily assumed that the data is transferred to a communication device (not shown).

  FIG. 2 shows a configuration of the communication device 1 on the transmission side in the first embodiment of the present invention. The communication apparatus 1 includes a key chain storage unit 11, a data image input unit 12, a transmission packet generation unit 13, a trust anchor generation unit 14, a network communication unit 15, a hash calculation unit 16, and a cryptographic calculation unit 17.

  The key chain storage unit 11 stores a series of keys, and each key is a hash value of the previous key. For example, FIG. 3 shows a series of (n + 1) key K relationships. The key K (1) is a hash value of K (0) with respect to the master key K (0). Similarly, the key K (2) is a hash value of K (1). Hereinafter, similarly, K (n) is a hash value of K (n−1).

  The data image input unit 12 is an input unit in the communication device 1 for a data image that the communication device 1 transmits to the communication devices 2 to 7. This data image is, for example, an application or a program image, and is a program code that operates on the communication devices 2 to 7.

  The transmission packet generator 13 has a function of dividing a data image into a size suitable for transmission via the network 10. Further, by calculating a keyed hash value using the key chain stored in the key chain storage unit 11 in order from the subsequent data for the divided data image, the transmission data, the keyed hash value, and the hash A function for generating a transmission packet including a key used for calculating a value is provided.

  The trust anchor generation unit 14 has a function of generating a trust anchor packet serving as a trust anchor at the head of the series of packets generated by the transmission packet generation unit 13. Specifically, it has a function of encrypting a key used at the beginning of a series of packets generated by the transmission packet generation unit 13 and a hash value of the leading packet with the key.

  The network communication unit 15 has a function of communicating with other communication devices using wired or wireless communication. In the present embodiment, the network communication unit 15 is an IEEE 802.15.4 transceiver.

  The hash calculation unit 16 is a function that calculates a keyed hash value based on a secure hash algorithm. Using the data input value from the transmission packet generation unit 13 and the key as inputs, a hash value with a key is calculated. Specifically, the hash calculation unit 16 is SHA-1, MD5, HMAC, or the like.

  The cryptographic calculation unit 17 has a function of performing cryptographic processing based on the common key cryptosystem. Encryption is performed using the data input value from the trust anchor generation unit 14 and the key as inputs. Specifically, the cryptographic calculation unit 17 is DES, 3DES, RC5, or the like.

  FIG. 4 shows a configuration of the communication device 2 on the reception or transfer side in the present invention. The communication device 2 includes a key storage unit 21, a data image reconstruction unit 22, a hash chain verification unit 23, a key chain verification unit 24, a trust anchor verification unit 25, a network communication unit 26, a hash calculation unit 27, and a cryptographic calculation unit 28. Including. The configuration of the communication device 2 is similarly applied to the other communication devices 3 to 7.

  The key storage unit 21 stores a key to be used for verifying the validity of the received packet. When the validity of the received packet is confirmed, it is updated with a new key.

  The data image reconstruction unit 22 is a function that collects the received packets whose validity has been confirmed and reconstructs them as a data image. The reconstructed data image is installed in the communication device 2 as an application or program image.

  The hash chain verification unit 23 has a function of verifying the hash value of the received packet. When the validity of the received packet can be confirmed, the hash value of the next packet included in the packet is held. The held hash value is used for verifying the hash value of the next received packet.

  The key chain verification unit 24 has a function of verifying the validity of the key included in the received packet. The key chain verification unit 24 confirms that the key included in the received packet is a hash value for the current key stored in the key storage unit 21.

  The trust anchor verification unit 25 has a function of verifying the trust anchor packet transmitted first, which becomes the trust anchor. Specifically, the trust anchor packet is stored, and when the key is obtained with the next packet, the trust anchor packet is decrypted using the key, and the decrypted key is the same as the key used for decryption. By confirming this, the validity of the trust anchor packet is confirmed. The hash value of the next packet included in the trust anchor packet is used by the hash chain verification unit 23.

  Similar to the network communication unit 15 in the communication device 1, the network communication unit 26 has a function of communicating with other communication devices using wired or wireless communication. In the present embodiment, this is the transmission / reception of IEEE 802.15.4. Machine.

  The hash calculation unit 27 is a function that calculates a keyed hash value based on the secure hash algorithm, similarly to the hash calculation unit 16 in the communication device 1. Using the data input value from the hash chain verification unit 23 and the key as inputs, a hash value with a key is calculated. Specifically, the hash calculation unit 27 is SHA-1, MD5, HMAC, or the like.

  The cryptographic calculation unit 28 is a function that performs cryptographic processing based on the common key cryptosystem, similarly to the cryptographic calculation unit 17 in the communication device 1. Encryption is performed using the data input value from the trust anchor generation unit 14 and the key as inputs. Specifically, the cryptographic calculation unit 17 is DES, 3DES, RC5, or the like.

  Next, the operation of the first embodiment for carrying out the present invention will be described in detail.

  FIG. 5 illustrates the flow of packetization of the data image in the communication apparatus 1 and FIG. 6 illustrates the flow when the communication apparatus 2 receives a packet.

  In FIG. 5, keys K (0) to K (L) indicate (L + 1) key chains, where the key K (1) is the hash value of the key K (0) and the key K (2) is the key. The hash value of K (1),..., Key K (L) is related to the hash value of key K (L−1). The data portions divided into (L) pieces are respectively indicated by D (1) to D (L) in order. (L + 1) key chains are used for (L) divided data images. The previous packet includes a keyed hash value calculated from the divided data portion and the hash value of the next packet using the key of the key chain. For example, in the case of a packet including the data part D (1), the keyed hash value H (1) is obtained by changing the keyed hash value H (2) for the data part D (1) and the data part D (2) to the key K. The value calculated as the keyed hash value in (L-1). Further, only the last key K (L) of the key chain is shared in advance by the communication devices 2 to 7. The key pre-distribution method is out of scope here.

  First, the transmission packet generation unit 13 of the communication device 1 divides the data image input from the data image input unit 12 for each packet to be transmitted to the communication devices 2 to 7. In the example of this embodiment, the data image D is divided into L data portions D (1) to D (L) in the order of transmission.

  The transmission packet generation unit 13 processes the data image from the back and uses the hash calculation unit 16 to process the keyed hash value H (L) and the key K stored in the data part D (L) and the key chain storage unit 11. Calculate from (0). The calculated keyed hash value H (L) is configured as a packet transmitted together with the key K (1) and the data portion D (L-1) of the previous packet. Subsequently, the keyed hash value H (L-1) is calculated from the data portion D (L-1), the previously calculated keyed hash value H (L), and the key K (1). Thereafter, the same processing is performed.

  When the transmission packet generator 13 finishes calculating the keyed hash value for the first data portion D (1) of the data image, the trust anchor generator 14 generates a trust anchor packet.

  The trust anchor generation unit 14 uses the key K (L-1) stored in the key chain storage unit 11 and uses a key hash value H for the key K (L-1) and the top data D (1). (1) is subjected to cryptographic processing using the cryptographic calculation unit 17.

  Each packet generated in this way is sequentially transmitted to the communication devices 2 to 7 connected to the network 10 via the network communication unit 15.

  The first transmitted packet is the encrypted trust anchor packet EncK (L-1), and then the key K (L-1), the data portion D (1), and the keyed hash value H (2) are one. Sent as one packet. Thereafter, it is similarly transmitted. Finally, the key K (0) and the data part D (L) are transmitted as one packet.

  Next, a flow of receiving and verifying a packet transmitted from the communication device 1 in the communication device 2 will be described with reference to FIG.

  When the communication device 2 receives a packet from the communication device 1 connected to the network at the network communication unit 26 (step A1), the communication device 2 determines whether this packet is a trust anchor packet (step A2). If it is a trust anchor packet, it is cached by the trust anchor verification unit 25 (step A3).

  If the packet is not a trust anchor packet in step A2, the key chain verification unit 24 extracts the key from the packet (step A4) and compares it with the key stored in the key storage unit 21 to determine whether the key chain is present. Verification is performed (step A5). More specifically, the key chain verification unit 24 calculates a hash value of the extracted key, and verifies that the calculated hash value is the same as the value stored in the key storage unit 21. If these values are not the same, it is determined that the packet is an illegal packet from a communication device that does not have the correct key (step A15).

  For example, if the key K (L) is stored in advance in the key storage unit 21 of the communication apparatus 2 and a packet including the key K (L-1) is received, the key chain verification unit 24 uses the key K from the packet. (L-1) is taken out. Next, a hash value of the key K (L−1) is calculated, and it is confirmed that the value is the same as the key K (L) stored in the key storage unit 21. If the key K (L-1) is a different key K, the calculated hash value does not become the key K (L), and the key fraud can be detected.

  Next, when the key verification is successfully completed, if the packet is the second packet, that is, the packet next to the trust anchor packet, the trust anchor packet stored in the trust anchor verification unit 25 is verified. Implement (Step A7 to Step A9). More specifically, the cryptographic calculation unit 28 performs the decryption process of the trust anchor packet using the key K (L-1) that has been verified from the second packet and has been verified (step A7). The trust anchor verification unit 25 confirms that the key obtained by decryption is the same as the key used for decryption (step A8), and if different, determines that the trust anchor packet is an illegal packet (step A15). ). If they are the same, it is determined that the trust anchor packet is correct, and the hash chain verification unit 23 holds the hash value H (1) of the next packet included in the trust anchor packet (step A9).

  When the verification of the trust anchor packet is completed successfully, the process returns to the verification of the second packet. The hash calculator 27 uses the keyed hash value of the second packet as the data part D (1) using the key K (L-1) included in the second packet, and the hash value H (2 of the next packet). ) (Step A10). Based on the result of the hash calculation unit 27, the hash chain verification unit 23 checks whether the previously stored hash value H (1) is the same as the keyed hash value calculated here (step A11). If they are different, it is determined that the second packet is an illegal packet (step A15). If they are the same, it is determined that the second packet is correct, the key stored in the key storage unit 21 is updated with the key K (L−1) (step A12), and the verification hash value of the next packet is further updated. The hash chain verification unit 23 holds H (2) (step A13).

  In this way, the data portion D (1) included in the packet determined to be correct is passed to the data image reconstruction unit 22.

  When subsequent packets are received, the same processing is performed (step A4 to step A6, step A10) except that the trust anchor packet verification processing (step A7 to step A9) when the second packet is received is not performed. To Step A13).

  Furthermore, even when the last packet is received, from the verification of the key chain (step A4, step A5) to the calculation of the keyed hash value (step A10), the verification (step A11), and the key update (step A12) The same is done. Further, since it is the last packet, the hash value of the next packet is not included. In this way, all the data portions are transferred to the data image reconstruction unit 22, and the communication device 2 can acquire the data image.

  Note that the network 10 may be wired, but in the present embodiment, wireless communication, in particular, use of a wireless communication protocol represented by IEEE 802.15.4 or ZigBee is suitable.

  The communication devices 3 to 7 are the same as the communication device 2 in that it is possible to verify whether or not the data image has been tampered with by performing the same operation as the communication device 2.

  Next, effects of the first exemplary embodiment of the present invention will be described. The first effect of the present embodiment is that the integrity of the data image can be verified even when a method based on the common key encryption method is used. This is because the hash value of the next packet is included in the previous packet in addition to the key chain, thereby making it difficult to forge the packet.

  The second effect of the present embodiment is that even if a packet is forged, it can be immediately detected. This is because the hash value of the next packet is included in the previous packet and sent to increase the relevance between successive packets.

<Second Embodiment>
Next, a second embodiment of the present invention will be described with reference to FIGS.

  As shown in FIG. 7, the communication device 101 on the transmission side in this embodiment includes a key chain storage unit 111, a data image input unit 112, a transmission packet generation unit 113, a trust anchor generation unit 114, a network communication unit 115, a hash calculation. Unit 116, encryption calculation unit 117, and transmission key encryption unit 118.

  As shown in FIG. 8, the communication device 102 on the reception or transfer side in this embodiment includes a key storage unit 121, a data image reconstruction unit 122, a hash chain verification unit 123, a key chain verification unit 124, a trust anchor verification. Section 125, network communication section 126, hash calculation section 127, encryption calculation section 128, and key decryption section 129.

  This embodiment is almost the same as the first embodiment, except that the key K included in each packet is encrypted.

  Referring to FIG. 7, the communication apparatus 101 has the same configuration as that of the first embodiment except that the communication apparatus 101 includes a transmission key encryption unit 118.

  The transmission key encryption unit 118 has a function of encrypting the key K included in each packet. More specifically, the key included in each packet has a function of encrypting with the key included in the previous packet.

  Referring to FIG. 8, the communication device 102 has the same configuration as that of the first embodiment except that the communication device 102 includes a key decryption unit 129.

  The key decryption unit 129 has a function of decrypting the key K included in each packet. More specifically, it has a function of decrypting an encrypted key included in each packet with a key included in a previous packet stored in the key storage unit 121.

  The difference in operation from the first embodiment will be described. Compared to the operation in the first embodiment shown in FIG. 6, communication is performed to extract a key in the step of extracting a key from a received packet (step A4). The key decryption unit 129 of the device 102 is different in that the encrypted key is extracted by decrypting. Other operations are the same as those in the first embodiment.

  Next, effects of the second embodiment will be described. The effect of this embodiment is that it is possible to make it more difficult to disguise packets than in the first embodiment. This is because the key included in the packet is encrypted using the key of the previous packet, and in order to obtain the key necessary to impersonate the packet, it is necessary to intercept the exchange of packets for a longer period of time. Because there is. Further, in order to acquire the first key shared in advance that is not exchanged on the network, it is necessary to require another means such as acquiring the key by physical attack.

<Third Embodiment>
Next, a mode for carrying out the third aspect of the present invention will be described with reference to FIGS.

  This embodiment is almost the same as the first embodiment, but in the first embodiment, all the communication devices 2 to 7 share the same common key in advance. Different shared keys are shared in advance.

  Referring to FIG. 9, among communication devices 201 to 207, communication device 201 is a communication device on the transmission side, and communication devices 202 to 207 are communication devices on the reception side (including transfer). The communication devices 201 to 207 are connected via the network 210. The communication device 202 and the communication device 203 belong to the same group G1. Similarly, the communication devices 204 to 207 belong to the same group G2. Here, a multi-hop network configuration is used, and the same number of hops from the communication device 201 belong to the same group. Note that these are not limited to groups for each number of hops, and other group configurations may be used.

  As shown in FIG. 10, the communication device 201 on the transmission side in this embodiment includes a plurality of key chain storage units 211a to 211b, a data image input unit 212, a transmission packet generation unit 213, a trust anchor generation unit 214, and a network communication unit. 215, a hash calculation unit 216, and a cryptographic calculation unit 217.

  As shown in FIG. 11, the communication device 202 on the reception or transfer side in the present embodiment includes a key storage unit 221, a data image reconstruction unit 222, a hash chain verification unit 223, a key chain verification unit 224, trust anchor verification. Section 225, network communication section 226, and hash calculation section 227.

  The communication device 201 of the present embodiment is different from the configuration of the first embodiment shown in FIG. 2 in that a plurality of key chain storage units 211a to 211b are held. The plurality of key chain storage units 211a to 211b maintain the number of key chains corresponding to the group shown in FIG. For example, assuming that there are two groups, group G1 and group G2, shown in FIG. 9, the communication apparatus 201 of this embodiment has a configuration having two key chains: a key chain for group G1 and a key chain for group G2. Become.

  The communication device 202 and the communication device 203 have a shared key for the group G1 set in advance, and the communication devices 204 to 207 have the shared key for the group G2 set in advance. It is a different configuration.

  Referring to FIG. 12, the packet configuration generated from the data image by the communication device 201 is shown, and the group to which the communication device belongs to each of the trust anchor packet, the key included in each packet, and the keyed hash value for the next packet. It is different from the first embodiment in that it is included in an amount equal to the number of.

  Explaining the difference in operation from the first embodiment, the communication apparatus 201 of this embodiment calculates a hash value with a key using a single key chain in the first embodiment when generating a packet. In this embodiment, key-attached hash values are calculated using the same number of keys as the number of key chains to be maintained. Furthermore, the calculated keyed hash value and the key pair used for the calculation are included in the packet. However, at this time, this pair is also included in the packet by the number of key chains.

  This will be described more specifically with reference to FIG. Here, in order to simplify the description, the trust anchor packet that is transmitted first will be described in order, but in reality, it is recursively generated from the packet that is transmitted last as in the first embodiment.

  The communication device 1 calculates a trust anchor packet T for each group as a trust anchor packet. The calculation itself is the same as in the first embodiment. If there are n groups, n trust anchor packets T (1) to T (n) (indicated by symbols B1 and B2) are generated. The communication device 1 collectively sends each trust anchor packet as the first packet (indicated by reference numeral B11).

  Next, the communication apparatus 1 similarly calculates a keyed hash value for each group, and includes a keyed hash value for each group and a key pair used for the calculation in the packet (indicated by symbols B3 to B7). At this time, the data portion D is common to all the groups, so only one data portion may be used. That is, as the second packet, the data portion D (1) (indicated by the symbol B3), the key K (1_1) (indicated by the symbol B4) used for the calculation for the group G1, and the keyed hash value H (1_1) The key K (n_1) (denoted by reference B6) and the keyed hash value H (n_1) (denoted by reference B7) used for calculation for the group Gn are collectively transmitted as a packet (denoted by reference B5). (Indicated by B12).

  Thereafter, packet generation and transmission are performed in the same manner. For the last packet, based on the same processing as in the first embodiment, the keys K (1_L) to K (n_L) (indicated by reference symbols B9 and B10) for each group are changed to the last data portion D (L) (reference symbol B8). (Shown by reference sign B13).

  Next, the operation at the time of packet reception in the communication device 2 belonging to the group G1 according to the present embodiment will be described focusing on differences from the first embodiment.

  When the communication device 2 of this embodiment receives a packet from the communication device 1, the communication device 202 uses only the portion related to the group to which the communication device 202 itself belongs, and does nothing for the portion related to another group. The operation is the same as that of the first embodiment.

  More specifically, when the communication apparatus 202 receives the trust anchor packet (indicated by reference numeral B11) shown in FIG. 12, only the T (1) (indicated by reference numeral B1) that is a part related to the group G1 is addressed to itself. The same processing as in the first embodiment is performed using T (1) as the trust anchor packet of group G1.

  Furthermore, when the communication apparatus 202 receives the packet shown in FIG. 12 (indicated by reference numeral B12), the data portion D (1), the key K (1_1), and the keyed hash value H (1_1), which are locations related to the group G1. (Represented by symbols B3 to B5) is recognized as data addressed to itself, and the same processing as in the first embodiment is performed.

  Thereafter, by performing the same processing, it is possible to use a different key chain for each group.

  Note that the communication device 202 performs an operation of transferring a packet received from the communication device 201 to a communication device belonging to the next hop. Taking FIG. 9 as an example, the packet is transferred to the communication device 204 and the communication device 205. At this time, the communication device 2 may be an operation for transferring the packet as it is, or an operation for transferring the packet after deleting a portion related to itself.

  More specifically, taking the packet indicated by reference numeral B12 in FIG. 12 as an example, the key K (1_1) (indicated by reference numeral B4) and the hash value with key H (1_1) (reference numeral), which are locations related to the group G1. (B5) is deleted, and the others are transferred. At this time, the data portion D (1) is not deleted because it is common to all groups.

  Next, effects of the third embodiment will be described. The effect of this embodiment is that if the key is leaked, the range of influence can be made smaller than in the first embodiment. This is because, in order to limit the range of communication devices that commonly use keys, even if a key for a certain group leaks, it does not affect the keys for other groups.

  Furthermore, it is possible to reduce communication overhead when the communication device transfers a packet. This is because the communication device is configured to delete the part related to its own group and transfer it to the next communication device.

  In this embodiment, the size of the keyed hash value used in the communication apparatus is the same regardless of the group, but the size of the hash value may be different for each group. In this case, a part (for example, the last few bytes) of the output 20 bytes calculated by the original hash function is used. As an example of the size, a 6-byte hash value is used for the group G1, and a 7-byte hash value is used for the group G2.

  If the configuration in which the size of the hash value is different for each group and the configuration in which the above-described communication device deletes a location related to its own group and forwards it to the next communication device are used in combination, further packets It is possible to make it difficult to disguise. This is the case when an attacker uses a valid key because the communication device can only find out the location related to itself after receiving a packet from which unnecessary portions transferred from the previous communication device are deleted. This is because it is difficult to distinguish between the key and the hash value with key included in the middle.

  The third embodiment can be used in combination with either the first embodiment or the second embodiment.

  As described above, the first aspect of the present invention connects the communication device on the transmission side, the communication device on the reception or transfer side, and the communication device on the transmission side and the communication device on the reception or transfer side. A communication system for ensuring integrity, wherein the communication device on the transmitting side stores a key chain in which a series of keys is composed of repeated hash values for each key; Using the key chain in order for the divided data images to be transmitted, a hash value with a key is calculated from the data part and the key, and is added to the previous transmitted packet. Each packet is repeated by repeatedly calculating the keyed hash value from the data part of the previous packet, the key, and the previously calculated keyed hash value, and assigning it to the previous transmitted packet. And a means for transmitting the generated packet to the network, wherein the receiving or forwarding communication device has a means for receiving the packet from the network, and the validity of the packet. A means for storing a key for confirmation and a keyed hash for the entire packet including the next authenticator by calculating that the key included in the received packet is a continuous hash value based on the stored key. A communication system comprising: means for verifying an authenticator by calculating a value and comparing whether the value is the same as a calculated keyed hash value included in a previous packet.

  In addition, in a second aspect of the present invention, in the above aspect, the means for generating the authenticator includes a packet to be transmitted including a key included in the next packet and a keyed hash value for the entire next packet, Further, the means for verifying the authenticator by encrypting with the key included in the next packet and confirming the validity of the key included in the next packet after decrypting the received packet, It is characterized in that an attached hash value is acquired.

  In a third aspect of the present invention, in the above aspect, the means for generating the authenticator encrypts a key included in each packet using a key included in a previous packet, and verifies the authenticator. The means is characterized in that the key is obtained by decrypting the encrypted key included in the packet with the previously obtained key.

  According to a fourth aspect of the present invention, in the above aspect, the means for generating the authenticator includes two or more key chains, calculates two or more authenticators using each key chain, and the authentication The means for verifying the child is characterized by verifying one of the two or more authenticators.

  According to a fifth aspect of the present invention, in the above aspect, the means for generating the authenticator comprises two or more key chains, calculates two or more authenticators using each key chain, and the authentication The means for verifying the child is characterized in that the first authenticator following the data part is verified, and the verified authenticator and its key are deleted from the packet and then transferred to the next communication device.

  According to a sixth aspect of the present invention, in the above aspect, the length of the authenticator included in each packet is different for each key chain.

  According to a seventh aspect of the present invention, in the above aspect, the network is a wireless communication path.

  According to an eighth aspect of the present invention, there is provided means for storing a key chain in which a series of keys is formed by repeating a hash value for each key, and sequentially using the key chains for the divided data images to be transmitted. The keyed hash value is calculated from the data part and the key and added to the previous packet to be transmitted. After that, the data part and key in the previous packet and the keyed hash previously calculated Means for generating an authenticator for each packet by repeatedly calculating a hash value with a key from the value and assigning it to a packet transmitted immediately before, and means for transmitting the generated packet to the network And a communication device.

  In addition, in a ninth aspect of the present invention, in the above aspect, the means for generating the authenticator includes a packet to be transmitted including a key included in the next packet and a keyed hash value for the entire next packet, Further, encryption is performed using a key included in the next packet.

  According to a tenth aspect of the present invention, in the above aspect, the means for generating the authenticator encrypts a key included in each packet using a key included in a previous packet.

  An eleventh aspect of the present invention is characterized in that, in the above aspect, the means for generating the authenticator comprises two or more key chains, and calculates two or more authenticators using each key chain. And

  According to a twelfth aspect of the present invention, in the above aspect, the length of the authenticator included in each packet is different for each key chain.

  A thirteenth aspect of the present invention is included in the received packet based on the means for receiving a packet from the network, a means for storing a key for confirming the validity of the packet, and the stored key. Calculate that the key has a continuous hash value, calculate the keyed hash value for the entire packet including the next authenticator, and be the same as the calculated keyed hash value included in the next packet. A communication device comprising means for verifying an authenticator by comparing whether or not there is an authenticator.

  In addition, in a fourteenth aspect of the present invention, in the above aspect, the means for verifying the authenticator confirms the validity of the key included in the next packet from the received packet, decrypts the packet, and A keyed hash value of a packet is acquired.

  According to a fifteenth aspect of the present invention, in the above aspect, the means for verifying the authenticator obtains the key by decrypting the encrypted key included in the packet with the previously obtained key. Features.

  According to a sixteenth aspect of the present invention, in the above aspect, the means for verifying the authenticator verifies one of the two or more authenticators.

  According to a seventeenth aspect of the present invention, in the above aspect, the means for verifying the authenticator verifies the first authenticator following the data portion, and deletes the verified authenticator and the key related thereto from the packet. It transfers to the next communication apparatus, It is characterized by the above-mentioned.

  In the eighteenth aspect of the present invention, the transmitting side stores a key chain in which a series of keys is formed by repeating hash values for each key, and sequentially transmits the divided data images to be transmitted. Using the key chain in order, a hash value with a key is calculated from the data part and the key and given to the previous packet to be transmitted, and thereafter, the data part, key and destination in the previous packet are sent. By generating a keyed hash value from the calculated keyed hash value and assigning it to the packet sent before, an authenticator for each packet is generated, and the generated packet is sent to the network. The reception side stores the key for confirming the validity of the packet, receives the packet from the network, and receives it based on the stored key. Calculates that the key included in the packet is a continuous hash value, calculates the keyed hash value for the entire packet including the next authenticator, and calculates the calculated keyed hash included in the next packet A data communication method characterized by verifying an authenticator by comparing whether or not the value is the same.

  In addition, in a nineteenth aspect of the present invention, in the above aspect, the authenticator is generated by configuring a packet to be transmitted with a key included in the next packet and a keyed hash value for the entire next packet, The authenticator is verified by verifying the validity of the key included in the next packet, and then decrypting the packet to obtain the keyed hash value of the next packet. It is characterized by acquiring.

  In addition, in a twentieth aspect of the present invention, in the above aspect, the means for generating the authenticator includes: encrypting a key included in each packet using a key included in a previous packet; and verifying the authenticator. The key is obtained by decrypting the encrypted key included in the packet with the previously obtained key.

  According to a twenty-first aspect of the present invention, in the above aspect, the generation of the authenticator includes two or more key chains, calculates two or more authenticators using each key chain, and The verification is characterized by verifying any one of two or more authenticators.

  According to a twenty-second aspect of the present invention, in the above aspect, the generation of the authenticator includes two or more key chains, calculates two or more authenticators using each key chain, and The verification is characterized in that the first authenticator subsequent to the data part is verified, and the verified authenticator and its key are deleted from the packet and then transferred to the next communication device.

  A twenty-third aspect of the present invention is characterized in that, in the above aspect, the length of the authenticator included in each packet is different for each key chain.

  According to a twenty-fourth aspect of the present invention, in the above aspect, the network is a wireless communication path.

  According to a twenty-fifth aspect of the present invention, a process for storing a key chain in which a series of keys is formed by repeating a hash value for each key, and the key chains in order for the divided data images to be transmitted. Use in order to calculate a hash value with a key from the data part and the key and assign it to the previous packet to be sent, and thereafter, the data part and key in the previous packet and the key previously calculated A process for generating an authenticator for each packet by repeatedly calculating a hash value with a key from the attached hash value and assigning it to the packet sent one before, and sending the generated packet to the network A program that causes a communication device to execute processing to be performed.

  According to a twenty-sixth aspect of the present invention, in the above aspect, the process for receiving a packet from the network, the process for storing a key for confirming the validity of the packet, and the reception based on the stored key. Calculates that the key included in the packet is a continuous hash value, calculates the keyed hash value for the entire packet including the next authenticator, and calculates the calculated keyed hash included in the next packet It is a program characterized by causing a communication device to execute processing for verifying an authenticator by comparing whether the values are the same.

  A twenty-seventh aspect of the present invention is a data communication program for realizing the function of the data communication method.

  The present invention has been described above with reference to the embodiments and aspects. However, the present invention is not necessarily limited to the above-described embodiments and aspects, and various modifications may be made within the scope of the technical idea. I can do it.

  This application claims the priority on the basis of Japanese application Japanese Patent Application No. 2008-221872 for which it applied on August 29, 2008, and takes in those the indications of all here.

  The integrity guarantee method for updating a program image according to the present invention is useful for distributing a secure program image in a network using wireless communication. In particular, it is effective in a device having a limited capability as compared with a PC in a wireless sensor network field using a wireless communication protocol represented by IEEE802.15.4 or ZigBee.

1 to 7, 201 to 207 Communication device 10, 210 Network 11, 111, 211 Key chain storage unit 12, 112, 212 Data image input unit 13, 113, 213 Transmission packet generation unit 14, 114, 214 Trust anchor generation unit 15 115, 215, 26, 126, 226 Network communication unit 16, 116, 216, 27, 127, 227 Hash calculation unit 17, 117, 217, 28, 128, 228 Cryptographic calculation unit 118 Transmission key encryption unit 21, 121, 221 Key storage unit 22, 122, 222 Data image reconstruction unit 23, 123, 223 Hash chain verification unit 24, 124, 224 Key chain verification unit 25, 125, 225 Trust anchor verification unit 129 Key decryption unit

Claims (26)

Communication for guaranteeing integrity, comprising a communication device on the transmission side, a communication device on the reception or transfer side, and a network connecting the communication device on the transmission side and the communication device on the reception or transfer side A system,
The transmission side communication device is:
Means for storing a key chain in which a series of keys consists of repeated hash values for each key;
Using the key chain in order for the divided data images to be transmitted, a hash value with a key is calculated from the data part and the key, and is added to the previous transmitted packet. By repeating the calculation of the keyed hash value from the data part of the previous packet, the key, and the previously calculated keyed hash value, and assigning it to the previous transmitted packet, Means for generating an authenticator;
Means for transmitting the generated packet to the network;
The communication device on the receiving or transferring side is:
Means for receiving packets from the network;
Means for storing a key for verifying the validity of the packet;
Based on the stored key, calculate that the key included in the received packet is a continuous hash value, calculate the keyed hash value for the entire packet including the next authenticator, And a means for verifying the authenticator by comparing whether it is the same as the calculated keyed hash value. The means for generating the authenticator comprises a packet to be transmitted composed of a key included in the next packet and a keyed hash value for the entire next packet, and further encrypted with a key included in the next packet,
The means for verifying the authenticator confirms the validity of the key included in the next packet of the received packet, and then decrypts the packet to obtain a keyed hash value of the next packet. Item 12. The communication system according to Item 1. The means for generating the authenticator encrypts the key included in each packet using the key included in the previous packet,
The communication system according to claim 1 or 2, wherein the means for verifying the authenticator acquires the key by decrypting the encrypted key included in the packet with the previously acquired key. . The means for generating the authenticator comprises two or more key chains, and calculates two or more authenticators using each key chain,
The communication system according to any one of claims 1 to 3, wherein the means for verifying the authenticator verifies one of the two or more authenticators. The means for generating the authenticator comprises two or more key chains, and calculates two or more authenticators using each key chain,
The means for verifying the authenticator verifies an initial authenticator subsequent to the data portion, and deletes the verified authenticator and a key related thereto from the packet and then forwards it to the next communication device. The communication system according to claim 3.   6. The communication system according to claim 4, wherein a length of an authenticator included in each packet is different for each key chain.   The communication system according to claim 1, wherein the network is a wireless communication path. Means for storing a key chain in which a series of keys consists of repeated hash values for each key;
Using the key chain in order for the divided data image to be transmitted, a hash value with a key is calculated from the data part and the key, and given to the packet transmitted one before, and thereafter one Authenticate each packet by repeatedly calculating the keyed hash value from the data part of the previous packet, the key, and the previously calculated keyed hash value, and assigning it to the previous packet sent A means of creating children;
Means for transmitting the generated packet to the network.   The means for generating the authenticator comprises a packet to be transmitted composed of a key included in the next packet and a hash value with a key for the entire next packet, and further encrypted with a key included in the next packet. The communication device according to claim 8.   The communication device according to claim 8 or 9, wherein the means for generating the authenticator encrypts a key included in each packet using a key included in a previous packet.   The means for generating the authenticator comprises two or more key chains, and calculates two or more authenticators using each key chain. Communication device.   12. The communication apparatus according to claim 11, wherein the length of the authenticator included in each packet is different for each key chain. Means for receiving packets from the network;
Means for storing a key for verifying the validity of the packet;
Calculate that the key included in the received packet is a continuous hash value based on the stored key, calculate a keyed hash value for the entire packet including the next authenticator, And a means for verifying the authenticator by comparing whether or not the hash value with the key is already included.   The means for verifying the authenticator confirms the validity of the key included in the next packet of the received packet, and then decrypts the packet to obtain a keyed hash value of the next packet. Item 14. The communication device according to Item 13.   The communication device according to claim 13 or 14, wherein the means for verifying the authenticator acquires the key by decrypting the encrypted key included in the packet with the previously acquired key. .   16. The communication apparatus according to claim 13, wherein the means for verifying the authenticator verifies one of two or more authenticators.   14. The means for verifying the authenticator verifies an initial authenticator subsequent to the data portion, and deletes the verified authenticator and a key related thereto from the packet and then forwards them to the next communication device. The communication device according to claim 15. On the sending side, a key chain consisting of a series of keys consisting of repeated hash values for each key is stored,
Using the key chain in order for the divided data image to be transmitted, a hash value with a key is calculated from the data part and the key, and given to the packet transmitted one before, and thereafter one Authenticate each packet by repeatedly calculating the keyed hash value from the data part of the previous packet, the key, and the previously calculated keyed hash value, and assigning it to the previous packet sent Creates a child, sends the generated packet to the network,
On the receiving side, a key for checking the validity of the packet is stored,
Receiving packets from the network;
Based on the stored key, calculate that the key included in the received packet is a continuous hash value, calculate the keyed hash value for the entire packet including the next authenticator, A data communication method comprising: verifying an authenticator by comparing whether or not the calculated keyed hash value is the same. The authenticator is generated by configuring a packet to be transmitted with a key included in the next packet and a keyed hash value for the entire next packet, and further encrypting with a key included in the next packet,
19. The verification of the authenticator is performed by confirming a validity of a key included in a next packet of a received packet and then decrypting the packet to obtain a keyed hash value of the next packet. The data communication method described in 1. The generation of the authenticator encrypts the key included in each packet using the key included in the previous packet,
The data communication according to claim 18 or 19, wherein the means for verifying the authenticator obtains the key by decrypting the encrypted key included in the packet with the previously obtained key. Method. The generation of the authenticator includes two or more key chains, and calculates two or more authenticators using each key chain,
21. The data communication method according to claim 18, wherein the verification of the authenticator is performed by verifying any one of two or more authenticators. The generation of the authenticator includes two or more key chains, and calculates two or more authenticators using each key chain,
19. The verification of the authenticator is performed by verifying a first authenticator subsequent to a data portion, and transferring the verified authenticator and a key related thereto to a next communication apparatus after deleting the verified authenticator and a key related thereto from the packet. Item 21. The data communication method according to any one of Items 20.   23. The data communication method according to claim 21, wherein the length of the authenticator included in each packet is different for each key chain.   The data communication method according to any one of claims 18 to 23, wherein the network is a wireless communication path. A process of storing a key chain in which a series of keys consists of repeated hash values for each key;
Using the key chain in order for the divided data image to be transmitted, a hash value with a key is calculated from the data part and the key, and given to the packet transmitted one before, and thereafter one Authenticate each packet by repeatedly calculating the keyed hash value from the data part of the previous packet, the key, and the previously calculated keyed hash value, and assigning it to the previous packet sent The process of creating children,
A program that causes a communication device to execute processing for transmitting a generated packet to a network. Processing to receive packets from the network;
A process of storing a key for checking the validity of the packet;
Calculate that the key included in the received packet is a continuous hash value based on the stored key, calculate a keyed hash value for the entire packet including the next authenticator, A program for causing a communication device to execute processing for verifying an authenticator by comparing whether or not it is the same as a calculated keyed hash value contained in

Images