KR19990039365A - Public key encryption method using precomputation in safety module - Google Patents

Abstract

The present invention proposes an encryption method capable of effectively performing entity authentication and digital signature by providing a security module having the same capability as an existing IC card in the authenticator / signer side terminal.

A private key is stored in the user IC card, and the safety module in the terminal has a master key. With this secret key and master key, the terminal and the IC card perform mutual authentication, distribute the session key, encrypt the user's private key with the session key, and transmit it to the security module in the terminal. The safety module stores the power calculation and the reciprocal calculation in advance before the signature or entity authentication is started. Since the stored value is used for the actual signature or authentication, the authentication value or the signature value can be effectively calculated by performing a modular multiplication and a modular sum.

Description

Public key encryption method using precomputation in safety module

The present invention relates to an encryption method using a private key of a public key cryptosystem, and more particularly, to a method capable of performing operations required for entity authentication and digital signature in advance.

Encryption algorithms can be divided into two categories. One is a symmetric cryptosystem such as DES and the other is an asymmetric cryptosystem such as RSA, which is also called a public key cryptosystem. A symmetric cryptosystem is a case where the encryption key and the decryption key match, and anyone who knows the key can perform decryption, so the security and distribution of the key becomes an important problem.

On the other hand, public key cryptosystems are different from encryption keys and decryption keys, and the cryptographic keys are disclosed to everyone and only the user has the decryptor. Therefore, since only the security of the decryption key is important and there is no need to share secret information, there is an advantage that the movement of the security information is small.

W. Diffie and M. Hellman proposed this public key cryptosystem. In public key cryptosystem, each user's key consists of private key and public key, and the security of key depends on the difficulty of unilateral problem that it is impossible to calculate private key with public key even if public key is disclosed to all users. have. Here, the unidirectional difficulty used is based on the difficulty of factoring the prime factorization or discrete logarithm, and the larger the key, the harder it is to solve.

Odlyzko proposed a key size that can be safely used for the time being by comparing the computational complexity expected in 2014 and the difficulty of an algorithm to solve prime factorization problems. Comparing this to the difficulty of discrete algebraic problems, the size of the private key must be at least 160 bits and the size of the public key must be at least 768 bits for safe use for at least the next 10 years. As such, in public key cryptosystems, the size of keys is considerably large, which lowers the efficiency, but is widely used in terms of ease of key management and security services such as digital signatures.

In public key cryptosystems, IC cards with a physical-resistance device are used for the safe storage of private keys. That is, since a private key is generally a random number of 160 bits or more, it is almost impossible to memorize it, so that an IC card is used for its storage. When a private key is stored in an IC card and a digital signature is generated or an entity is authenticated, the card is inserted into a card reader and a desired process is performed. At this time, in order to prevent leakage of the private key, calculations should be made in the IC card without sending the private key to the terminal. Therefore, the IC card for the public key cryptographic system must have its own arithmetic function together with the security device and such a card is called a smart card.

1 shows a schematic diagram of an apparatus for an entity authentication protocol and a digital signature protocol, which are representative applications of the public key cryptography concept. Here, reference numeral 1 denotes a terminal, and the terminal 1 has a terminal circuit 10 capable of supplying power to the IC card 2 and receiving data. The terminal 1 is connected to a terminal 3 that acts as a verifier as described below, and the terminal 3 can be implemented by a personal computer, a workstation, or the like.

In the device configured as described above, entity authentication protocol will be described first.

A person who wants to prove his or her identity (or identity) is called a prover, and a person who verifies whether the prover matches his claim is called a verifier. As described above, the verifier may be a personal computer, a workstation, or a terminal 3 in which the entity authentication protocol is implemented.

It is assumed that the prover has a private key X which only he knows, such as an IC card 2, and the verifier has already obtained the prover's public key Y. The prover proves that he has a private key (X) corresponding to the public key (Y), and that the private key (X) should not be known, so that calculations in which the private key (X) is used are computationally capable IC cards. In (2). The operation protocol of the IC card 2 and the verifier is as follows.

Step 1 (A1) (random number generation step): The prover's IC card 2 generates a predetermined random number K. FIG.

Step 2 (A2) (calculation value calculation step): The proof value R is calculated from the prover's IC card 2 as a random number K and transmitted to the verifier through the terminal 1.

Step 3 (A3) (requirement value generation step): The verifier generates a random number E as a challenge value and sends it to the prover.

Step 4 (A4) (Authentication value calculation step): The prover's IC card 2 calculates the authentication value (S) from the prover's private key (X), the proof value (R), and a random number (E). Send to verifier

Step 5 (A5) (verification step): The verifier verifies with the prover's public key Y, the stored proof value (R), a random number (E), and the authentication value (S).

Next, the digital signature protocol will be described.

The signer wants to add his digital signature to the digital message (M), and the verifier can receive the message and the signature attached to it, and then verify the signature to verify the origin and change of the message.

The verifier may be a terminal 3 in which a digital signature protocol is implemented as shown in FIG. 1 and may be a person using the digital signature protocol. It is assumed that the signer has a private key X which only he knows, such as IC card 2, and that the verifier already has the public key Y of the prover. Since the signer's private key X should not be known, the calculation in which the private key X is used is made in the IC card 2 having a computing capability.

Step 1 (D1) (random number generation step): A random number K is generated in the IC card 2 of the signer.

Step 2 (D2) (Signature Value Calculation Step 1): The signature value R is calculated from the signer's IC card 2 as a random number K and transmitted or stored in the terminal 1.

Step 3 (D3) (Message Hash Step): The signer's terminal compresses the message into a hash function H and transmits the result to the IC card 2. In some cases, the signature value R may be input to the hash function H together with the message (eg, Schnor digital signature).

Step 4 (D4) (Signature Value Calculation Step 2): The signer's IC card 2 calculates the signature value S using the signer's private key (X), signature value (R) and hash function (H). (1) is sent together with the signature value R (if stored in step 2), and the signer's terminal 1 transmits the message and signature values (R, S) in concatenated (∥) to the verifier (where If only one of the signature values (R) or (S) is signed).

Step 5 (D5) (Signature Verification Step): The verifier verifies the signature R ′S for the message M with the signer's public key Y.

Here, the calculation of steps A2 and D2 includes a modulus power (g ^k mod P), so the total calculation time can be regarded as the time taken in steps A2 and D2. However, currently commercially available IC cards can only perform simple random number generation and encryption algorithms and do not have the ability to multiply integers of 768 bits or more in 100 times in real time. This requires a special computing device called the Cnypt-Engine. In other words, using the RAM and the central processing unit in the current IC card, it is difficult to implement the calculation of the above-mentioned steps A2 and D2 in a necessary time.

In order to solve this problem, a modular calculation program is implemented in software, stored in EEPROM, and pre-calculated calculations are made in advance when time-consuming calculations are made when the IC card is not in use, and when the actual signature is generated and authenticated. The method has been proposed. However, the conventional precalculation method loses computational power when the IC card is off-line, i.e. when the card is not used (no power supply), and thus cannot perform precomputation. There is a problem that it is difficult to implement a practical encryption system with an IC card and a terminal.

SUMMARY OF THE INVENTION The present invention has been made to solve this problem, and an object of the present invention is to use a precomputation in a safety module that makes it possible to easily perform entity authentication / digital signature by performing a precalculation algorithm in a terminal of a prover / signer. It is to provide a key encryption device.

It is another object of the present invention to provide a public key encryption method using precomputation in a security module that enables a digital signature to be easily generated by performing a precomputation algorithm in the signer's terminal.

In order to achieve this object, the present invention provides a proof module having a predetermined IC card storing a private key (X) and a secret encryption key equipped with a security module having a master key, a random number generation algorithm, and a modular operation algorithm. A method of proving its identity to a verifier having a prover's public key using a terminal, i) Before the entity authentication is initiated, the safety module includes a plurality of random numbers (K _j ) and the random number (K _j ). _j ) corresponding proof value (R _j ) Generating a precomputation step; Ii) the safety module is not used when entity authentication is initiated. (K _j, R _j ) Selecting one at (K, R) and transmitting (R) to the verifier as an attestation value; Iv) the verifier stores the proof value (R) and sends a request value to generate a t-bit random number (E) and send it to the prover; Iv) the secure module of the prover comprises a private key acquisition step of learning a private key (X) from the IC card; Iv) the authenticator confirms whether the random number E is t bits, and the SM 11 calculates the authentication value S and transmits this value to the verifier; V) The verifier obtains the public key of the prover and includes a verification step of performing a verification expression.

The present invention also provides that a signer with a predetermined IC card stored private key (X) and secret key encryption generates a digital signature using a security module with a master key, a random number generation algorithm and a modular operation algorithm. And a verifier having the signer's public key to verify the signature, i) before the digital signature is initiated, the safety module generates a plurality of random numbers. (K _j ) And corresponding to this random number (K ′ _j , R _j ) A precalculation step of generating each; Ii) the secure module of the prover comprises a private key acquisition step of obtaining a private key (X) from the IC card; 모듈) The safety module is not used ( K ′ _j , R _j A message hashing step of selecting one from) and the signer compressing a predetermined message into a hash function and sending the result H to the IC card; Iii) the signature module calculates a signature value (S), and the signer generates a signature value (R, S) in concatenation with the message and sends it to the verifier; V) The verifier has a signature verification step of obtaining a hash value H as a hash function for the message M with the signer's public key and then performing a signature verification expression.

1 is a view showing a conventional encryption device,

2 is a schematic block diagram of an apparatus for performing an encryption method according to the present invention;

3 is a view schematically showing a sequence of an encryption method according to the present invention;

<Description of Symbols for Main Parts of Drawings>

1, 3: terminal 2: IC card

10 terminal circuit 11 safety module

The basic technical idea of the present invention is to construct a security module (referred to as SM) that performs a precalculation algorithm in a terminal on the prover / signer side. In this way, the data obtained by the precomputation algorithm in the SM is safely stored, and when the signature or the entity is authenticated, the private key is transferred from the IC card to the SM. In the SM, the signature generation or the entity authentication is performed using the pre-calculated values. Will be calculated.

On the other hand, in order to implement the present invention, the private key is exposed to the terminal on the prover / signer side, and the IC card must first confirm whether the terminal is legitimate and then transmit the private key. To this end, the SM stores a secret encryption key which is a result of encrypting data about a user with a master key and an IC card with a master key. The IC card checks whether the SM has a master key and the terminal checks whether the IC card has a secret encryption key and whether it is legitimate with each other. During or after this process, the session key is distributed between the IC card and the SM, and the private key is encrypted with the session key and transmitted to the SM of the terminal. Here, the session key must be different each time a private key is used (that is, one session is formed).

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

Fig. 2 is a block diagram of the device according to the present invention, where 1 denotes a terminal on the prover / signer side, the terminal 1 being capable of supplying power to the IC card 2 and exchanging data. A circuit 10 and a security module (hereinafter referred to as SM) 11 are formed. The terminal 1 is connected to the verifier as described below, and the verifier may be implemented as a terminal, a personal computer, a workstation, etc., but is represented as the terminal 3 in the present specification.

Here, the IC card 2 of the present invention is provided with a central processing unit, ROM, RAM, 8Kbyt EEPROM (Electrically Erasable PROM), and a COS (Chip Operating System) 11 is stored in the ROM. The EEPROM also stores cryptographic algorithms, random number generation algorithms, and secret encryption and private keys. The encryption algorithm refers to a symmetric key encryption algorithm used for transmitting secret data to the terminal 1, and the random number generation algorithm is used for mutual authentication and distribution as described below as an algorithm for generating a random number. In addition, the secret encryption key refers to a value obtained by encrypting data of users as a master key in the SM 11 as key data stored for card authentication when a card is issued. This secret encryption key is used as a key of the symmetric key encryption algorithm as described later. In addition, the private key means key data used only for signature or entity authentication, and should not be exposed or changed with only the user.

In addition, the SM 11 in the terminal 1 is composed of hardware having the same capability as the IC card 2, and has a ROM and an EEPROM. Here, the COS is stored in the ROM, and the encryption algorithm, random number generation algorithm, modular operation algorithm, precomputation algorithm, and master key are stored in the EEPROM.

Here, the encryption algorithm is the same algorithm as the algorithm stored in the IC card 2, and the random number generation algorithm is an algorithm for generating random numbers and is used for signature, entity authentication, mutual authentication, and session key distribution as described below.

Modular arithmetic algorithms are required for signature and entity authentication calculations and consist of a large number of products, modular reduction, and so on. The precomputation algorithm is composed of a random number generation algorithm and a modular arithmetic algorithm. The precomputation algorithm refers to an algorithm that calculates and stores data for signing while it is not signed. The master key is a key stored in all terminals by the terminal provider for card authentication and is used as a key of the symmetric key encryption algorithm.

3A and 3B show a procedure in which a device having the above-described configuration performs entity authentication and digital signature. The flowchart of FIG. 3 illustrates the Schnorr entity authentication protocol and DSS, a digital signature standard algorithm of the United States, as an example, and the definitions of symbols and notations used are as follows.

P: decimal with more than 768 bits

Q: a decimal number dividing P-1 by more than 160 bits

G: a ^{(P-1) / Q} mod P, 1 <a <P-1 ego a ^{(P-1) / Q} mod P = 1 Satisfied

h (): | Q | Hash function of collision avoidance with output of length

X: Private key 0 <X <Q

Y: public key Y = G ^X mod P

t: Safety variable above 80

Z | Number of bits in Z

When generating a signature or authenticating a certificate | Q | Generate a random bit (K) G ^K mod P Should be calculated. Inverse in the US Digital Signature Standard Algorithm (DSS) (K ^-1 ) Must also be calculated. In order to perform the inverse calculation, we need to divide about | Q | by integers of the | Q | size integer, and the power-of-sequence calculation requires the average (3 | Q |) / 2 modular product of | P | -size integers. These calculations spend most of the computation time on authenticating the certificate, generating the signature, and are messages that have nothing to do with the message to be signed or the subject of the certificate. Therefore, multiple random numbers (idle-time or avalable time) K _j , j = 1,2,3, ....) to calculate and store the corresponding values, and save the calculation time by using a pre-calculation algorithm that writes the stored data when needed. The invention utilizes this precomputation algorithm.

3A is a diagram illustrating a procedure of performing an entity authentication protocol using the pre-calculation algorithm of the present invention.

Step 0 (E0) (precalculation step):

As described above, when j = 1, 2, 3, ..., K _j ) And proof value ( R _j ).

K _j = r () Here r () means a random number generation algorithm.

R _j = (G ^Kj mod P) mod Q

In other words, the SM 11 generates random numbers at idle time. K _j ) And proof value ( R _j ) To calculate several. Where random number ( K _j ) Must be stored securely, and the proof value ( R _j ) May be stored in a memory other than the SM 11 since the data will be released later.

Step 1 (E1) (Commitment (R) Transfer Step

When the entity authentication protocol starts, the authenticator's SM 11 (or terminal 1) is not used ( K _j , R _j Select one from) and set it to (K, R) and send R as proof to the verifier. Where selected ( K _j , R _j ) Should be disposed of safely.

Step 2 (E2) (Challenge (E) Transfer Step)

The verifier stores the proof value (R) and generates a t-bit random number (E) and sends it to the prover.

Step 3 (E3) (Private Key Acquisition Step)

The prover's IC card 2 and the SM 11 distribute mutual authentication and session keys, and the prover's IC card 2 encrypts the private key X with a session key and transmits it to the SM 11 in the terminal 1. do. The SM 11 decrypts the ciphertext of the private key X with the session key and acquires the private key X. The acquisition step of such a private key (X) is described in detail later.

Step 4 (E4) (Transfer of Response (S))

The prover checks whether the random number E is t bits, calculates the next in the SM 11, and discards the used K and R completely.

S = (K-EX) mod Q

The authentication value S is then sent to the verifier.

Phase 5 (E5) (Validation Phase)

The verifier obtains the authenticator's public key (Y) (G ^S Y ^E mod P) mod Q = R The authorization will be confirmed.

In the above description, the greatest amount of real-time calculation is performed on the prover side, that is, on the IC card 11 and the SM 11, to perform one modular product and one modular sum to calculate the authentication value S. This amount of computation can implement a practical entity authentication system as an 8-bit microprocessor in the current IC card 11.

Next, a description will be given of the process for the IC card 2 to transmit the private key X to the SM 11 in the above-described step 3, that is, the private key acquisition step.

Step 1 (F1) (the mutual authentication step between the IC card 2 and the terminal 1)

This is a procedure for confirming whether the IC card 2 and the terminal 1 are legitimate devices. The SM 11 checks whether the IC card 2 has a secret encryption key made of a master key, and the IC card 2 checks whether the SM 11 has a master key.

Step 2 (F2) (session key distribution step)

Each time a private key (X) is used, one session is formed, and a different key is distributed to each session. The session key is shared between the IC card 2 and the SM 11 using a secret encryption key, a master key, and a random number, and the session key distribution can be performed in the mutual authentication process.

Step 3 (F3) (Send Private Key)

The IC card 2 encrypts the private key with an encryption algorithm using the shared session key and transmits the result to the terminal 11.

Step 4 (F4) (private key decryption step)

The SM 11 decrypts the private key encrypted with the shared session key to obtain the private key of the user.

3b illustrates a digital signature generation process according to the present invention. As an example, DSS is described next.

Phase 0 (G1) (precalculation phase)

As in the step F1, the SM 11 has a random number as follows when j = 1, 2, 3, ... K _j ) And proof value ( R _j Will occur).

K _j r () where r () represents a random number generation algorithm.

K ′ _j = K _j ^-1 mod Q

R _j = (G ^{K j} mod P) mod Q

That is, the SM 11 stores data at idle time. K ′ _j , R _j ) To calculate several. here K ′ _j Should be stored inside SM (11), R _j Can also be stored externally.

Phase 1 (G1) (Private Key Acquisition Phase)

When the digital signature protocol starts, the IC card 2 and the SM 11 distribute mutual authentication and session keys as in steps F1 to F4 described above, and the IC card 20 uses the private key X as the session key. The encryption is transmitted to the SM 11 in the terminal 1. The SM 11 decrypts the cipher text of the private key X with the session key to acquire the private key X.

Phase 2 (G2) (Message Hash Phase)

Unused ( K ′ _j , R _j ) Select one from K ^-1 , R ) And select ( K ′ _j , R _j ) Is disposed of safely. The terminal 1 of the signer compresses the message into a hash function and transmits the result H to the IC card.

Phase 3 (G3) (Signature Generation Phase)

The SM 11 calculates the signature value S with the signer's private key X, the signature value R, and the hash value H as follows.

S = K ^-1 (H + XR) mod Q

The signer's terminal 1 receives the signature values R and S from the SM 11 and concatenates them with the message and sends them to the verifier (here, only one signature value R or S is not signed).

Phase 4 (G4) (Signature Verification Step)

The verifier obtains the hash value (H) as a hash function for the message (M) (or with R) with the signer's public key (Y), and then verifies the signature R∥S as follows.

U = S ^-1 H, V = S ^-1 R

( G ^U Y ^V mod P ) Verify that mod Q = R

That is, in the present invention, by configuring the security module in the terminal to handle most of the calculation for the entity authentication and signature, it is possible to overcome the limitation of the computational capacity of the current IC card and to implement a secure shnol cryptographic protocol. As described above, the IC card of the present invention is a type in which only a private key is further stored in a conventional IC card, and the SM has a hardware configuration such as an IC card and includes a special operation program such as modular operation. Calculate power that takes the most time when calculating entity authentication and signature using this R = f (G ^K mod P) Or reciprocal calculation K ^-1 mod Q By precomputing, it is possible to quickly perform the calculation of the authentication value of the entity-Shinol type, the signature generation, and the like.

As described above, the present invention has an effect that the authentication and digital signature process can be effectively and quickly performed by using an existing IC card by performing a part of a calculation process necessary for executing the public key cryptographic protocol in advance by using a separate safety device. .

Claims (4)

The private key (X) and the secret key are stored in a predetermined IC card and have a master key, and a random number generation algorithm and a modular operation algorithm are performed in a security module, and a validator having a public key. As an entity authentication method of Iii) before the entity authentication is initiated, the safety module generates a plurality of random numbers; K _j ) And this random number ( K _j Proof value corresponding to K _j , R _j = (G ^Kj mod P) mod Q: P is a decimal number over 768 bits, Q is a fractional number that divides P-1 over 160 bits, G is a ^{(P-1) / Q} mod P, 1 <a <P-1 ego a ^{(P-1) / Q} mod P> 1 A pre-calculation step of generating a number satisfactory; Ii) when the entity authentication is initiated, the safety module is not used ( K _j , R _j Selecting one from) and setting it to (K, R) and transmitting (R) to the verifier as an attestation value; Iii) the requestor transmitting the request value by storing the proof value (R), generating a random number (E) of t bits, and transmitting the generated random number (E) to the prover; Iv) the secure module of the prover comprises a private key learning step of obtaining a private key (X) from the IC card; Iv) The prover checks whether the random number E is t bits, and the SM 11 calculates an authentication value (S, S = (K-EX) mod Q) and transmits this value to the verifier. Transmitting an authentication value; Iv) the verifier is the public key of the Y = G ^X mod P ) (Verification: G ^S Y ^E mod P) mod Q = R Public key encryption method using pre-computation in a safety module having a verification step of performing entity authentication by confirming authorization. The method of claim 1, The private key acquisition step, The IC card checking whether the safety module has a master key, and the safety module checking whether the IC card has a secret key; Sharing the same session key with the IC card and the safety module, respectively; Encrypting the private key with an encryption algorithm using a shared session key and transmitting the result to the security module; And the security module decrypts a private key encrypted with the shared session key. The private key (X) and the secret key are stored in a predetermined IC card, and have a master key between the signer whose random number generation algorithm and the modular operation algorithm are performed in the security module, and the verifier with the public key. As a digital signature method, Iii) before the digital signature is initiated, the safety module generates a plurality of random numbers ( K _j ) And this random number ( K _j Corresponding to K ′ _j : K ′ _j = K _j ^-1 mod Q ) And signature value (R _j- (G ^K mod P) mod Q) Where P is a fraction of 768 bits or more, Q is a fraction G that divides P-1 of 160 bits or more a ^{(P-1) / Q} mod P, 1 <a <P-1 ego a ^{(P-1) / Q} mod P> 1 A precomputation step each forming a number satisfying a value; Ii) the secure module of the prover comprises a private key acquisition step of obtaining a private key (X) from the IC card; Iii) the safety module is not used. (K ′ _j , R _j ) A message hashing step of selecting one from and the signer compressing a predetermined message into a hash function and sending the result H to the IC card; 안전) The safety module SM (11) is a signature value ( S: S = K ^-1 (H + XR) a signature generation step of calculating mod Q), wherein the signer concatenates the signature values (R, S) with a message and sends them to the verifier; Iii) The verifier is the signer's public key ( Y = G ^X mod P ), The hash value (H) is obtained from the hash function against the message (M), and the signature R∥S is verified. (U = S ^-1 H mod Q, VS ^-1 R mod Q, (G ^U Y ^V mod P) mod Q = R) A public key encryption method using precomputation in a safety module having a signature verification step of verifying the identity. The method of claim 3, wherein The private key acquisition step, The IC card checking whether the safety module has a master key, and the safety module checking whether the IC card has a secret key; Sharing the same session key with the IC card and the safety module, respectively; Encrypting the private key with an encryption algorithm using a shared session key and transmitting the result to the security module; And the security module decrypts a private key encrypted with the shared session key.