KR20050117478A - Inter-authentication method and device - Google Patents

Abstract

An inter-authentication method capable of safely and easily performing inter-authentication. In the inter- authentication process, a private key K0 of the initial value is stored in a client and a server (Pc0, Ps0). The client generates a random number R, calculates password data C and authentication data A, and transmits the result to the server (Pc1). The server receives the authentication data A and the password data C from the client, generates a random number R, calculates and returns password data S and authentication data Q, and updates the private key K0 to a new private key K1 (Ps1). The client receives the authentication data B and the password data S from the server, generates a random number R, calculates the password data C2 and the authentication data A2, returns the results to the server, and updates the private key K0 to the new private key K1 (Pc2). The client and the server check whether validity is satisfied.

Description

Mutual authentication method and device {INTER-AUTHENTICATION METHOD AND DEVICE}

The present invention relates to a mutual authentication method and apparatus in a device such as a computer system connected to a network, a method of generating a one-time ID, an authentication method, an authentication system, a server, a client, and a program.

In particular, the present invention is a very suitable one-time ID for use in authentication between a mutual authentication method and an apparatus and a plurality of apparatuses or applications that verify validity of a relationship between at least a first authentication apparatus and a second authentication apparatus. The present invention relates to a generation method, an authentication method using the one-time ID, an authentication system, a server, a client, and a program.

In order for a user on the network to prove his or her identity, authentication is required. Authentication means that the prover proves his or her identity to the verifier by some protocol and is an essential technique in the field of electronic commerce and the like. For example, when the user wants to prove his or her identity to the server, the user corresponds to the prover and the server corresponds to the verifier. On the contrary, if the server wants to prove its identity to the user, the server corresponds to the prover and the user corresponds to the verifier. Since the position may be reversed among 1-to-1 devices, mutual authentication which mutually authenticates is required.

Mutual authentication is not limited between a user and a server, but is widely used as a method of proving identity between arbitrary computers. In recent years, it has been known to use public key cryptography, so that the prover has a public key and a private key, and by some protocol indicates to the verifier that the prover has a secret key corresponding to the public key. Prove it.

However, in the conventional mutual authentication method, since the key used for authentication is single, once a key is known, a third party may become a user and authenticate. In addition, the user had to pay attention to the storage of the key and could not use it easily.

For example, in an asynchronous network such as the Internet, a plurality of computers may communicate at the same time, and the prover may simultaneously execute a protocol with a plurality of verifiers. In WWW (World Wide Web), between server of HTTP (Hypertext Transfer Protocol: protocol that WWW server and WWW browser or Web browser use to receive information such as file) and client Multiple authentications are required.

In the mutual authentication technique described above, conventionally, when communicating between computers (for example, between client and server) through a network, in order to exclude unauthorized access or the like, prior to providing a service or the like. Authenticate In this authentication, both parties share predetermined secret information (for example, an ID, a password, a random number, or a function value that takes such information as an argument) that is not known to a third party, based on the secret information. It is common to verify each legitimacy with each other.

On the other hand, RFC (Request For Comments) officially issued by the Internet Engineering Task Force (IETF) defines IPsec (Security Architecture for Internet Protocol) as a security protocol for encrypting and authenticating IP packets over the Internet. In this IPsec, an automatic key exchange protocol called IKE (Internet Key Exchang), which dynamically generates and exchanges encryption and authentication parameters, is adopted as a standard (for example, see Japanese Patent Application Laid-Open No. 2002-374238 (paragraph number 0002). ~ 0009).

In recent years, one-time IDs have been introduced into the IKE scheme, thereby realizing ID information protection, denial of service attack (DoS) attack prevention, and remote access, which have been problematic with the IKE scheme using the existing shared key. A key exchange and authentication method called P-SIGMA has been proposed.

In this P-SIGMA, for example, key exchange and authentication are performed in the order shown in FIG.

First, the client transmits a SA (Security Association) proposal, a random number Rc, a Diffie-Hellman (DH) disclosure value g ^x , and an OID (one-time ID) to the server. In addition, the SA proposal includes proposals regarding cryptographic algorithms, authentication methods, parameters used for key exchange, and the like.

Next, the server identifies the client from the received OID and rejects the communication if it cannot identify it. If it can be identified, IDs (server IDs) encrypted with the accepted SA, random number Rs, DH public value g ^y , HASHs, and session key e are transmitted to the client. In addition, session key e is a function value of a keyed hash function that takes an existing shared key, a random number Rs, a random number Rc, and a DH common key g ^xy , and HASHs is an existing shared key, random number Rs, random number Rs, and DH public value g. Function value of pseudorandom function taking ^x , g ^y, and IDs as arguments.

The client then verifies the HASHs received by the client and verifies the legitimacy of the server based on these HASHs. If the HASHs are correct, the IDC (client ID) encrypted by the HASHc and the session key e is transmitted to the server. Here, HASHc is a function value of a pseudorandom function that takes as arguments the existing shared key, random number Rs, random number Rc, DH public values g ^x , g ^y, and IDc.

The server then validates the received HASHc and verifies the legitimacy of the client based on this HASHc. If the HASHc is correct, terminate the protocol.

In this P-SIGMA, the OID (One Time ID) is defined as follows.

OID1 = prf (K, 1)

OID2 = prf (K, 2)

          …

OIDn = prf (K, n)

(Equation 1)

In this definition, OIDn is the one-time ID used in establishing the nth SA, prf is a pseudorandom function, K is a value generated from an existing shared key, or an existing shared key.

For this reason, according to the P-SIGMA, the introduction of the OID prevents the third party from specifying the sender and the receiver, and provides an effect that the OID can be identified as the identification information if the sender and the receiver are legitimate. At the same time, since the OID is changed when communicating between the client and the server (i.e., every time the SA is generated or updated), it is possible to obtain the effect that a third party cannot predict the next OID.

However, in the P-SIGMA, if the existing shared key is known once, all OIDs are predicted, and as a result, there is a problem that the security (ie, PFS: Perfect Forward Security) that cannot affect the future of the OID is not guaranteed. there was.

As mentioned above, although the key exchange / authentication method called P-SIGMA was mentioned as a concrete example, in the authentication method which authenticates between a some apparatus or an application using a one-time ID generally, based on specific secret information, All one-time IDs are generated and have the same problem as above.

SUMMARY OF THE INVENTION The present invention has been made in view of various inconvenient facts in the prior art, and its first object is to obtain a mutual authentication method and apparatus capable of securely and simply mutually authenticating.

A second object of the present invention is to provide a method for generating a one-time ID, which is difficult to eavesdropping and excellent in security, an authentication method using the one-time ID, an authentication system, a server, a client, and a program.

Brief description of the drawings

1 is a diagram for explaining a conventional authentication method called P-SIGMA.

2 is a block diagram showing a schematic configuration of a client computer and a server computer according to an embodiment of the present invention.

3 is a flowchart showing a conceptual process in mutual authentication according to the embodiment of the present invention.

4 is an image diagram showing a detailed process in mutual authentication according to the embodiment of the present invention.

5 is a schematic configuration diagram showing one embodiment of an authentication system according to the present invention.

6 is a block diagram showing the schematic configuration of the server of FIG.

FIG. 7 is a block diagram showing a schematic configuration of the client of FIG. 1.

8 is a view for explaining a first embodiment of the authentication method according to the present invention.

9 is a view for explaining a second embodiment of the authentication method according to the present invention.

FIG. 10 is a diagram for explaining a third embodiment of the authentication method according to the present invention. FIG.

It is a figure explaining 4th embodiment of the authentication method which concerns on this invention.

12 is a view for explaining a fifth embodiment of the authentication method according to the present invention.

It is a figure explaining 6th Embodiment of the authentication method which concerns on this invention.

14 is a diagram for explaining a conventional authentication method called OSPA.

15 is a diagram for explaining a seventh embodiment of the authentication method according to the present invention.

FIG. 16 is a diagram illustrating a modification of FIG. 15.

Best Mode for Carrying Out the Invention

Disclosure of the Invention

In order to achieve the above object, the present invention provides a mutual authentication method for authenticating a mutual relationship between a first authentication device and a second authentication device connected through a communication line. The storage data for specifying the first authentication device and the storage data for specifying the second authentication device are described above. The first authentication device and the second authentication device, based on the update result updated by using the stored data of the previous authentication for each authentication by the authentication made beforehand between the first authentication device and the second authentication device, as the history data. It includes the memory process to memorize in common with each of them. The first authentication device newly generates stored data using the stored history data, The history data is stored by a first transmission step of encrypting the generated new storage data using the history data and transmitting the encrypted data to the second authentication device, the storage data from the second authentication device, and the transmitted new storage data. And a new update data generated while the second authentication device generates new data by using the stored data and the stored history data from the first authentication device. Transmission step of encrypting the data using the history data and transmitting the encrypted data to the first authentication device, and second update step of updating the history data by the stored data from the first authentication device and the new data stored therein. And at least one of the first authentication device and the second authentication device, comprising: Year when the validity of the stored data is satisfied, verifies that the first mutual authentication between the device and the second authentication device is just.

The present invention also implements a mutual authentication device for performing the mutual authentication method. The mutual authentication device is constituted by a first authentication device and a second authentication device connected through a communication line, and the first authentication device and the second authentication device are used for authenticating a mutual relationship between the first authentication device and the second authentication device. A first memory installed in the authentication device and storing memory data for specifying the first authentication device; and a second memory installed in the second authentication device and storing data for specifying the second authentication device. Authentication data storage means for storing stored data of the previous authentication for each authentication by authentication made in advance between the memory and the first authentication device and the second authentication device, and an update result updated using the authentication data. History data storage means stored in common to each of the first authentication device and the second authentication device as history data, and the first authentication device or the second authentication device. Among them, the storage data generating means, which is installed in the authentication apparatus on the authentication data transmission side and newly creates the storage data using the history data, and the generated new storage data is encrypted using the history data to authenticate the data reception side. The first transmission means for transmitting to the authentication device of the authentication device and the storage device from the authentication device on the authentication data transmission side and the stored data from the authentication device on the authentication data reception side, and newly stored data. Storage data generating means to be generated, second transmission means for encrypting the generated new stored data using the history data and replying to the authentication device on the authentication data transmission side, and the authentication device on the authentication data transmission side. Memory data and the transmission provided by the authentication apparatus on the authentication data receiving side First update means for updating the history data by the new stored data, and on the authentication apparatus on the authentication data receiving side, the stored data from the authentication apparatus on the authentication data transmission side, and the newly answered data. And second updating means for updating the history data by the stored data, wherein at least one device of the first authentication device and the second authentication device establishes the validity of the storage data based on the history data. At this time, verification means for verifying that the mutual relationship between the first authentication device and the second authentication device is justified is provided.

Like this The mutual authentication device may have arithmetic means for calculating the authentication data for encrypting the generated new stored data using the history data. Moreover, this mutual authentication apparatus can also have the random number generation means which produces | generates the data for encryption, when generating the authentication data by the said calculation means.

In the present invention, the storage data for specifying the first authentication device and the storage data for specifying the second authentication device are commonly stored in the first authentication device and the second authentication device as the history data, respectively. This history data is the update result updated using the memory data by the last authentication for every authentication by authentication made previously mutually between the 1st authentication apparatus and the 2nd authentication apparatus. The first authentication device encrypts and transmits the new storage data to the second authentication device using the history data storing the new storage data while generating the new storage data using the stored history data. The second authentication device receives this, and the second authentication device generates new storage data using the stored data from the first authentication device and the stored history data. The new stored data is encrypted using history data stored therein and transmitted to the first authentication device. At this time, the first authentication device updates the history data with the stored data from the second authentication device and the new data transmitted. In addition, the second authentication device updates the history data with the storage data from the first authentication device and the new storage data transmitted. After this transmission step, when the validity of the stored data is established in at least one of the first authentication device and the second authentication device based on the history data, the mutual relationship between the first authentication device and the second authentication device is justified. Verify that That is, in one authentication device of the first authentication device and the second authentication device, it is possible to receive data including the history from the other authentication device and combine it with the stored history data. In the case of transmission, data based on newly different history data is transmitted from the stored history data, so that the same data cannot be transmitted. Because of this, Improving the secretiveness can also be done.

More specifically, the storage data for specifying the first authentication device which stores the history data as the history data K and stores the history data as K is the encryption data C and the authentication data R, and the second authentication device. The storage data for specifying the data is characterized by the dark data S and the authentication data Q.

The first transmission step newly generates and encrypts the authentication data R of the stored history data K while generating the encryption data C using the encryption data S and the authentication data R of the stored history data K. The new authentication data R is encrypted using the history data K to obtain the authentication data A, and the authentication data A and the new authentication data C are transmitted to the second authentication device. Receiving the data from the authentication apparatus, the new encryption data C transmitted, the newly generated encryption data S received, the newly generated authentication data Q received, and the new authentication data R transmitted, The history data K is updated, and the second transmission step receives the data from the first authentication device, receives the new encryption data C and the stored data. While newly generating the encryption data S using the authentication data Q of the data K, using the history data K which newly generated the authentication data Q of the stored history data K, and memorize | stored the new authentication data Q which was produced | generated, Encrypting and obtaining authentication data B, and transmitting the authentication data B and the new encryption data S to the first authentication device, wherein the second update step includes the received new encryption data C, newly generated encryption data S, The history data K is updated by the newly generated authentication data Q and the received new authentication data R, and at least one device of the first authentication device and the second authentication device performs encryption based on the history data K. When the validity of the data is established, it is verified that the mutual relationship between the first authentication device and the second authentication device is justified.

The said storing process stores the update result by authentication in the said 1st transmission process, a 1st update process, a 2nd transmission process, and a 2nd update process as history data, It is characterized by the above-mentioned.

At least one of the authentication data R and the authentication data Q is at least one of a random number, data capacity and time data generated by the random number generating means.

In the first transmission step of the first authentication device, a value of a calculation result of a function determined by the encryption data S and the authentication data R is generated as the encryption data C, and in the second transmission step of the second authentication device, The value of the operation result of the function predetermined by the encryption data C and the authentication data Q is generated as the encryption data S. It is characterized by the above-mentioned.

In the first transmission step of the first authentication device, a value of a calculation result of a function predetermined by the generated new authentication data R and the history data K is obtained as the authentication data A, and the second of the second authentication device is obtained. In the transmission process, the value of the calculation result of a function predetermined by the new authentication data Q and the said history data K which were produced is calculated | required as authentication data B, It is characterized by the above-mentioned.

The verification step of the first authentication device includes authentication data Q stored in the history data K, and It is characterized by verifying that the correlation is justified when the value of the operation result of the predetermined function is matched with the received dark data S by the dark data C generated before the previous transmission.

The verification process of the second authentication device is performed when the value of the calculation result of the function determined by the encryption data S and the authentication data R stored in the history data K coincides with the received encryption data C. It is characterized by verifying that is justified.

The storage step is characterized in that the data obtained as a result of performing a plurality of the first transmission step, the second transmission step, the first update step, and the second update step as a history data K are stored.

Obviously, according to the present invention, when mutually authenticating between the first authentication device and the second authentication device, the history data is stored in common to each of the first authentication device and the second authentication device, By updating the history data, it is possible to securely and easily mutually authenticate each other. For example, the information of the client computer and the server computer cannot be leaked from the information received between the client computer and the server computer. It is said to have an effect.

The present invention also provides a method for generating a one-time ID used in the mutual authentication method and apparatus. This is a method for generating the one-time ID using identification information that can be used only once in authentication between a plurality of devices or applications, as the one-time ID. In addition to generating a variable shared key for each predetermined communication unit required, a function value of a one-way function that takes the variable shared key as an argument is obtained, and the one-time ID is generated from this function value. .

Here, the one-way function means that it is simple to obtain the result (function value) from the argument, but it is difficult to obtain the argument from the result, and the one-way function includes, for example, a hash function and a pseudorandom function. do.

As the predetermined communication unit, for example, a series of communication between the client and the server between the establishment of the SA in IPsec and the invalidation of the SA can be set as the predetermined communication unit, It is also possible to set one data transmission / reception performed between devices or applications as a predetermined communication unit.

The variable shared key may be any key as long as it is secret information unknown to a third party that is changed for each of the predetermined communication units and is shared between devices for authentication or between applications.

Authentication means that when one device (or application) accesses the other device (or application), the other device confirms the validity of the other device. , In the authentication, information (ID) used by the corresponding other device transmitted from at least one device to the other device to identify the other device.

The authentication includes one-way authentication in which one device authenticates the other device, mutual authentication in which both devices authenticate each other, and the like. For example, as a method of using the one-time ID in the authentication, both devices generate one-time IDs, one device sends the one-time ID to the other device, and the other device sends the one-time ID. And a method of identifying or authenticating the other device by comparing and combining the one-time ID received from the other device with the one-time ID generated by itself.

According to the present invention, in the method of generating the one-time ID using identification information that can be used only once in authentication between a plurality of devices or applications, as the one-time ID, the apparatus or application for the authentication may be used. A variable shared key is generated for each predetermined communication unit for which authentication is required, and a function value of a one-way function having the variable shared key and information on the communication order or number of times is obtained, and the one-time function is obtained from the function value. It is characterized by generating an ID.

The present invention also relates to a method for generating the one-time ID using identification information that can be used only once in authentication between a plurality of devices or applications, as the one-time ID. In addition, while generating a random number in a predetermined communication unit requiring the authentication, a function value of a one-way function that takes this random number and a predetermined shared key as an argument is obtained and generates the one-time ID from the function value. It is characterized by.

According to the present invention, in the authentication between one device and the other device, the one-time ID is generated by both devices, with the identification information that can be used only once as the one-time ID. Sends a one-time ID to one device, and the other device identifies or authenticates the other device by comparing and combining the one-time ID received from the other device with the one-time ID generated by itself. In a case, in which the one device and the other device generate the one-time ID, the one device and the other device generate a variable shared key that changes for each predetermined communication unit requiring the authentication. In addition, a function value of a one-way function that takes this variable shared key as an argument is obtained, and the one-time ID is generated from this function value.

The present invention further provides the one-time ID as the one-time ID for identification information that can be used only once in authentication between one device and the other device, and the one-time device is generated by both devices. Sends a one-time ID to a device, and the other device identifies or authenticates the other device by comparing and combining the one-time ID received from the other device with the one-time ID generated by itself. 1. A method in which one device and another device generate a one-time ID, wherein the one device and the other device generate a variable shared key that varies for each predetermined communication unit that requires authentication. In addition, a function value of a one-way function having the variable shared key and information on the communication order or the number of times as an argument is obtained, and the one-time ID is generated from this function value. Is that.

The present invention also provides the one-time ID as the one-time ID as identification information that can be used only once in authentication between one device and the other device, and the one-time device is used as the other device. When a one-time ID is sent to a device and the other device identifies or authenticates the other device by comparing and combining the one-time ID received from the other device with the one-time ID generated by itself. In the method in which one device and the other device generate the one-time ID, the one device and the other device generate this random number while generating a random number in a predetermined communication unit requiring the authentication. And a function value of a one-way function having a predetermined shared key as an argument to generate the one-time ID from the function value.

The present invention also generates a variable shared key that varies for each communication unit, obtains a function value of a one-way function that takes this variable shared key as an argument, generates a one-time ID from the function value, and generates this one-time ID. An authentication method for authenticating between a first device and a second device that communicates with each other using (SIGNALn), wherein the first device uses the variable shared key shared in advance with the second device. While generating a time ID, the function value of the one-way function Fc whose at least one generated one-time ID and the ID preset in the first device are taken as arguments, and the Diffie-Hellman public value previously stored in the first device. A step of transmitting one side to the second device, the second device obtaining the one-time ID and the function value of the one-way function Fc by arithmetic operation, and the result of the calculation and the circle received from the first device. The combination of the ID and the function value of the one-way function Fc determines the validity of the first device, and if the second device determines that the first device is valid, Transmitting, to the first device, a function value of the one-way function Fs having at least a predetermined ID as an argument, and the other of the Diffie-Hellman public value previously stored in the second device, to the first device; And calculating a function value of the one-way function Fs by a calculation, and determining the validity of the second device by a combination of the result of this operation and the function value of the one-way function Fs received from the second device. It is to be done.

The present invention also provides the authentication method, wherein, as the one-way function Fc, a predetermined shared key, a similarity having the Diffie-Hellman public value, an ID preset in the first device, and a one-time ID as arguments. At the same time as using the random number function, the predetermined shared key as the one-way function Fs, the ID preset in the second device, the one of the Diffie-Hellman public value and the other of the Diffie-Hellman public value, the one-time ID. It is characterized by using a pseudo-random function that takes as an argument.

The present invention also generates a variable shared key, obtains a function value of a one-way function that takes information on the variable shared key and communication order as arguments, generates a one-time ID from this function value, An authentication method for authenticating between a first device and a second device using a first variable shared key with which the first device is shared between the first device and the second device. A function value of a one-way function having information as an argument is generated as the first one-time ID (SIGNALn, j), and the ID preset in the first device using the first variable shared key, Encrypting one of the Diffie-Hellman public values previously stored in the second device, the Diffie-Hellman public value previously stored in the first device, and the first one-time ID, and encrypting the encrypted data and the first one-time ID in the second device. To send about The second device obtains the first one time ID by a calculation, and identifies the first device by a combination of the calculation result and the first one time ID received from the first device. Step and, if the second device can identify the first device, decrypt the encrypted data using the first variable shared key, and preset the first device included in the decoded data. Determining the validity of the first device based on the ID, the ID previously set in the corresponding second device, and the first one-time ID; and when the second device determines that the first device is justified. Generate a function value of a one-way function as a second one-time ID (SIGNAL 'n, 1) which takes as an argument the information about the communication order of the first variable shared key and the corresponding second device; One or more of the Diffie-Hellman published values received from the first device A second Diffie-Hellman common key is generated as the second variable shared key from the other of the Diffie-Hellman public values previously stored in the second device, the second variable shared key, the ID preset in the first device, the corresponding The first device includes a function value of the one-way function h that takes an ID preset in the second device and the second one-time ID, the other of the Diffie-Hellman public value, and the second one-time ID. For the second one-time ID, and the first device obtains the second one-time ID by a calculation, and the combination of the operation result and the second one-time ID received from the second device A step of identifying a second device and, if the first device can identify the second device, stored in advance to the other of the Diffie-Hellman published values received from the second device and to the first device; Part of the Diffie-Hellman published value A Diffie-Hellman common key is generated as the second variable shared key, and a function value of the one-way function h is calculated by operation using the second variable shared key, and the result of the operation and the second device are calculated. And a step of determining the validity of the second device by a combination with the function value of the one-way function h received from.

The present invention is also characterized in that in the authentication method, a one-way function different from the one-way function for generating the first one-time ID is used as a one-way function for generating the second one-time ID. .

The present invention also generates a predetermined variable shared key between devices or applications, generates a random number in a predetermined communication unit, and obtains a function value of a one-way function that takes the random number and the shared key as arguments, An authentication method for generating a one-time ID from this function value and performing authentication (mutual authentication) between a first device and a second device using this one-time ID, wherein the first device comprises a first random number. And a function value of a one-way function having a first shared key shared with the second device as a factor as a first one time ID (SIGNALc1), and obtaining the first one time. Transmitting an ID and the first random number to the second device, the second device generates a second random number, and takes the first random number and the first shared key as arguments; Function value of the one-way function is converted to the second one-time ID (SIGNALs1). And sending the second one-time ID and the second random number to the first device, and wherein the first device is based on the first random number and the first shared key. A step of determining the validity of the second device by obtaining a one-time ID of 2 by a calculation and comparing the result of the calculation with the second one-time ID received from the second device, and the first The device generates a second shared key based on the first random number and the second random number, and uses the second shared key, the first random number, and the second random number as one argument. Obtaining a function value of a function as a third one-time ID (SIGNALc2), and transmitting the third one-time ID to the second device, and wherein the second device is configured to the first random number and the second random number. The second shared key is generated based on the second shared key, and the first random number is generated. The third one-time ID is obtained by calculation based on the second random number, and the validity of the first device is determined by comparing the calculation result with the third one-time ID received from the first device. It is characterized by having a step for determining.

The present invention also generates a predetermined variable shared key between devices or applications, generates a random number in a predetermined communication unit, obtains a function value of a one-way function that takes the random number and the shared key as arguments, and An authentication method for generating a one-time ID from a function value and performing authentication (mutual authentication) between a first device and a second device using this one-time ID, wherein the first device generates a first random number. While generating, a function value of a one-way function having a shared key previously shared with the second device is obtained as the first one time ID SIGNALc ₁ , and the first one time ID and the Sending a first random number to the second device; and generating a second random number by the second device, and a function value of a one-way function that takes the first random number and the shared key as arguments. a second one-time ID (SIGNALs ₁₎ of the old The second one time ID and the second random number are transmitted to the first device, and the first device is based on the first random number and the shared key and the second one time. Determining an ID of the second device by comparing the result of the calculation with the second one-time ID received from the second device, and the first device determines the ID. Obtaining a function value of a one-way function having a random number of 1, the second random number, and the shared key as a third one-time ID (SIGNALc ₂ ), and transmitting the third one-time ID to the second device; And the second device obtains the third one-time ID by a calculation based on the first random number, the second random number, and the shared key, and receives the result of the calculation and the first device received from the first device. Justification of the first apparatus by comparison with three one-time ID It is characterized by having a prescribed step.

The present invention also provides the authentication method, wherein the first random number and the second random number are transmitted in a state encrypted with a shared key shared in advance between the first device and the second device. It is characterized by.

The present invention further provides the authentication method, wherein the second device transmits the second one time ID and the second random number to the first device, wherein the second device is configured to perform the first operation. The predetermined random number shared in advance with the device is used as an initial random number, a predetermined operation is performed using the initial random number and the first random number as arguments, and the result of the operation is transmitted to the first device. The first device is characterized in that the calculation result received from the second device is used together with the second one-time ID as the determination data of the justification of the second device.

The present invention further provides, in the authentication method, in the step of the first device transmitting the third one time ID to the second device, the first device comprises the first random number and the second random number. A predetermined operation is performed with a random number as an argument, and the calculation result is transmitted to the second device, while the second device receives the calculation result received from the first device as determination data of the justification of the first device. Is used together with the third one-time ID.

The present invention also generates a predetermined variable shared key between devices or applications, generates a random number in a predetermined communication unit, obtains a function value of a one-way function taking the random number and the shared key as an argument, An authentication method for generating a one-time ID from a value and authenticating between a first device and a second device using the one-time ID, wherein the first device generates a first random number, A function value of a one-way function having a shared key, a first stored random number, and a second stored random number pre-shared with a second device as arguments is obtained as the first one-time ID SIGNALci, and the first device. Transmitting the first encrypted data obtained by encrypting the ID set in advance to the second device, the ID preset in the second device and the first random number with the shared key, and the first one time ID to the second device; , The second device A step of identifying the first device by a combination of the calculation result and the first one time ID received from the first device by obtaining the first one time ID by a calculation; and the second If the device can identify the first device, the first encrypted data is decoded using the shared key and included in the decoded data, the ID preset in the first device and the corresponding second device. A step of determining the validity of the first device based on the ID set in advance, and generating a second random number when the second device determines that the first device is valid, and generates the second random number. A function value of a one-way function that takes a random number of 1, the second stored random number, and the shared key as an argument, is obtained as a second one-time ID (SIGNALsi), and is assigned to the ID preset in the first device and the second device. Recall a preset ID and the second random number Transmitting second encrypted data encrypted with Yuki and the second one-time ID to the first device, and wherein the second device converts the first stored random number into the first random number; Substituting the second random random number with the second random number, and the first device obtains the second one-time ID by arithmetic operation, and the result of the calculation and the first received from the second device. By the combination with the one-time ID of 2, the step of identifying the second device, and when the first device can identify the second device, decrypts the second encrypted data using the shared key. And determining the validity of the second device based on the ID preset in the second device and the ID preset in the first device included in the decoded data, and the first device determines the first validity. Memory random number of the first random number, the second random number And a step of replacing the memory random number with the second random number, respectively.

In the authentication method, the first storage random number is replaced by the first random number and the second random number is replaced by the second random number. The shared key is generated based on the second stored random number, thereby changing the shared key.

The present invention also generates a variable shared key that varies for each communication unit, obtains a function value of a one-way function that takes the variable shared key as an argument, generates a one-time ID from the function value, and generates this one-time ID (SIGNALn). A server for authenticating with a client using the method comprising: a function value of a one-way function Fc having at least an argument of a client ID preset in the client, and one of a Diffie-Hellman public value previously stored in the client, Receiving means for receiving the one-time ID from the client, a function value Fc of the one-way function, and the one-time ID by calculation, and a result of this operation and the one-time ID and the one-way function received from the client; Judging means for judging the legitimacy of the client by comparison with a function value of Fc; Sending to the client the other of the function value of the one-way function Fs that takes at least the server ID preset in the server as an argument and the Diffie-Hellman public value previously stored in the server. It is characterized by having a means.

The present invention also generates a variable shared key that varies for each communication unit, obtains a function value of a one-way function that takes the variable shared key as an argument, generates a one-time ID from the function value, and generates this one-time ID (SIGNALn). In the client authenticating with the server using the above, the one-time ID is generated using a variable shared key shared in advance with the server, and at least the client ID preset in the client is taken as an argument. Transmitting means for obtaining the function values of the one-way function Fc by arithmetic operations, and transmitting one of these one-time IDs and the function values of the one-way function Fc and the Diffie-Hellman public value previously stored in the client to the server; A function value of the one-way function Fs whose argument is a server ID set in advance at least as an argument, and another one of the Diffie-Hellman public values previously stored in the server. The receiving means for receiving from the server and the function value of the one-way function Fs are calculated by calculation, and the validity of the server is obtained by comparing the result of this operation with the function value of the one-way function Fs received from the server. And judging means for judging.

The present invention is also characterized in that the server and the client are provided as an authentication system.

The present invention also generates a variable shared key that changes for each communication unit, obtains a function value of a one-way function that takes the variable shared key as an argument, generates a one-time ID from the function value, and generates this one-time ID (SIGNALn). A program that executes a server that authenticates with a client based on a), wherein a function value of a one-way function Fc that takes at least an argument of a client ID preset in the client, and a Diffie-Hellman previously stored in the client. A process of receiving one of the values and the one-time ID from the client, a function value Fc and the one-time ID of the one-way function by calculation, and the operation result and the one-time ID received from the client. And a process for determining the validity of the client by comparison with a function value of the one-way function Fc, and the client determining the validity. In the case where it is determined that the operation is successful, a process of transmitting, to the client, the function value of the one-way function Fs that takes at least a server ID preset in the server as an argument, and the other of the Diffie-Hellman public value previously stored in the server. It is characterized by running on the server.

The present invention also generates a variable shared key that varies for each communication unit, obtains a function value of a one-way function that takes this variable shared key as an argument, generates a one-time ID from the function value, and generates this one-time ID. A program to be executed by a client that authenticates with a server based on (SIGNALn), wherein the one-time ID is generated using a variable shared key shared with the server in advance and the client is previously generated. The function values of the one-way function Fc having at least the client ID set as an argument are calculated by calculation, and one of these one-time IDs and the function values of the one-way function Fc and the Diffie-Hellman public value previously stored in the client is sent to the server. A process of transmitting, a function value of the one-way function Fs having at least a server ID set in advance in the server, and a Diff stored in advance in the server; a process of receiving the other of the ie-Hellman public value from the server, calculating a function value of the one-way function Fs by operation, and comparing the result of this operation with a function value of the one-way function Fs received from the server. By causing the client to execute a process for determining the validity of the server.

The present invention also generates a variable shared key, obtains a function value of a one-way function that takes as a parameter information on the variable shared key and communication order, generates a one-time ID from the function value, and generates this one-time ID. A server for authenticating with a client using a first variable, wherein the first variable shared key previously shared with the client and a function value of a one-way function having information about a communication order of the client as arguments are used as a first value. The first one time ID (SIGNALn, j) of the first one time ID, the client ID preset to the client, the server ID preset to the server, and one of the Diffie-Hellman public values previously stored in the client. Calculating encrypted data encrypted with a first variable shared key, receiving means for receiving the first one time ID from the client, and the first one time ID Obtained by using the first variable shared key when the client can be identified and the client can be identified by a combination of the operation result and the first one-time ID received from the client. Judging means for decoding the encrypted data and judging the legitimacy of the client based on the client ID, the server ID, and the first one-time ID included in the decoded data; Is determined to be valid, a function value of a one-way function whose second variable shared key and information on the communication order of the server is taken as a second one-time ID (SIGNAL'n, 1) is generated. The Diffie-Hellman common key is obtained from one of the Diffie-Hellman published values received from the client and the other of the Diffie-Hellman published values previously stored in the server. A function value of the one-way function h, which is generated as a second variable shared key and takes as arguments the second variable shared key, the client ID, the server ID, and the second one-time ID; and the Diffie-Hellman disclosure. And transmitting means for transmitting the other of the value and the second one time ID to the client.

The present invention also generates a variable shared key that varies for each communication unit, obtains a function value of a one-way function that takes the variable shared key as an argument, generates a one-time ID from the function value, and uses this one-time ID. A client authenticating with a server, comprising: a first original function value of a one-way function whose first variable variable is pre-shared with the server and information about the communication order of the client; Generated as a time ID (SIGNALn, j), and using the first variable shared key, a client ID preset for the client, a server ID preset for the server, and a Diffie-Hellman public value stored in advance for the client. And transmission means for encrypting the first one time ID and transmitting the encrypted data and the first one time ID to the server, and the first variable. With the function value of the one-way function taking as a argument the information about the communication order between the Yukey and the server as the second one-time ID (SIGNAL'n, 1), the Diffie-Hellman common key is used as the second variable shared key. A function value of a one-way function h that takes the second one-time ID, the second variable shared key, the client ID, and the server ID as arguments, and the other of the Diffie-Hellman public values previously stored in the server; Receiving means for receiving the second one-time ID from the server, and calculating the second one-time ID by arithmetic operation, and combining this calculation result with the second one-time ID received from the server. By identifying the server and identifying the server, the Diffie-Hellman from the other of the Diffie-Hellman published values received from the server and the Diffie-Hellman published values previously stored in the client. Common key Generated as a second variable shared key, the function value of the one-way function h is obtained by arithmetic operation using the second variable shared key, and the result of this operation and the function of the one-way function h received from the server. The combination with a value is provided, the determination means which determines the legitimacy of the said server is characterized by the above-mentioned.

The present invention is also characterized in that an authentication system is constructed from the server and the client.

The present invention also generates a predetermined variable shared key between devices or applications, generates a random number in a predetermined communication unit, obtains a function value of a one-way function taking the random number and the shared key as an argument, A function of a one-way function that generates a one-time ID from a value and authenticates it with the client using this one-time ID, with the first shared key previously shared with the client as an argument. Using the value as the first one-time ID SIGNALc ₁ , first receiving means for receiving the first one-time ID and the first random number generated by the client and the second random number are generated. In addition, a function value of a one-way function that takes the first random number and the first shared key as arguments is obtained as a second one-time ID (SIGNALs ₁ ), and the second one-time ID and the first value are obtained. 2 random numbers By a transmission sudanwa, the first random number, the second the third one-time ID to the functional value of the one-way function to the shared key of the random number and the second by the factor of (SIGNALc ₂₎ for transmitting to the client, the third Second receiving means for receiving a one-time ID from the client, and generating the second shared key based on the first random number and the second random number; The third one-time ID is obtained by a calculation based on a random number of 1 and the second random number, and the validity of the client is determined by comparing the result of this operation with the third one-time ID received from the client. It is characterized by including the determination means to.

The present invention also generates a predetermined variable shared key between devices or applications to generate a random number in a predetermined communication unit, and obtains a function value of a one-way function that takes the random number and the shared key as an argument, A first random number is generated from a value, and a client that generates a first random number and authenticates each other with the server using the one-time ID is generated. First transmitting means for obtaining a function value of a one-way function having a shared key as an argument as a first one-time ID (SIGNALc ₁ ), and transmitting the first one-time ID and the first random number to the server. And generate a second one-time ID and the server by using a function value of a one-way function that takes the first random number and the first shared key as arguments as a second one-time ID (SIGNALs ₁ ). The generated second random number to the server The second one-time ID based on the first reception means and the first random number and the first shared key, and the second one-time received from the server. A judging means for judging the legitimacy of the server by comparison with an ID; and when the judging means judges that the server is legitimate, a second based on the first random number and the second random number. While generating a shared key, a function value of a one-way function having the second shared key, the first random number, and the second random number as an argument is obtained as the third one-time ID (SIGNALc ₂ ). And second transmitting means for transmitting a three-time ID to the server.

The present invention is also characterized in that the server and the client are provided as an authentication system.

The present invention further relates to the invention described in claim 29, wherein a predetermined variable shared key is generated between devices or applications, a random number is generated within a predetermined communication unit, and the one-way direction takes the random number and the shared key as arguments. A server that obtains a function value of a function, generates a one-time ID from the function value, and authenticates with the client using the one-time ID, and takes a shared key shared with the client in advance. First receiving means for receiving the first one-time ID and the first random number generated by the client from the client, using the function value of the one-way function as a first one-time ID (SIGNALc ₁ ); Generates a second random number, obtains a function value of a one-way function that takes the first random number and the shared key as a second one-time ID (SIGNALs ₁ ), and obtains the second one-time ID; Wow Transmission means for transmitting the second random number to the client, and a function value of a one-way function having the shared key, the first random number, and the second random number as an argument as a third one-time ID SIGNALc ₂ ; And calculating the third one-time ID based on the second receiving means for receiving the third one-time ID from the client and the first random number, the second random number, and the shared key. And a judging means for judging the validity of the client by comparing the operation result with the third one-time ID received from the client.

The present invention also generates a predetermined variable shared key between devices or applications, generates a random number in a predetermined communication unit, obtains a function value of a one-way function that takes the random number and the shared key as arguments, For clients that generate a one-time ID from this function value and use this one-time ID to authenticate each other with the server. A first one-time function (SIGNALc ₁ ) is obtained by generating a first random number and obtaining a function value of a one-way function whose argument is a shared key previously shared with the server. First transmission means for transmitting an ID and the first random number to the server, and a function value of a one-way function taking the first random number and the shared key as arguments as a second one-time ID (SIGNALs ₁ ). The second one-time ID is received based on the second one-time ID, receiving means for receiving the second random number generated by the server from the server, and the first random number and the shared key. Determining means for determining the validity of the server by comparing the result of this operation with the second one-time ID received from the server, and determining that the server is justified by the determining means. In the case, the first random number, the second Number and obtain a function value of the one-way function to the shared keys by the factor as a third one-time ID (SIGNALc _2), characterized in that align a second transmitting means for transmitting for a third one-time ID to the server, will be.

The present invention is also characterized in that the server and the client are provided as an authentication system.

The present invention also generates a predetermined variable shared key between devices or applications, generates a random number in a predetermined communication unit, obtains a function value of a one-way function that takes the random number and the shared key as arguments, A server that generates a one-time ID from this function value and authenticates with the client using this one-time ID, wherein the shared key, first stored random number, and second shared with the client in advance. Receiving a _first one-time ID from the client using a function value of a one-way function as a first one-time ID (SIGNALc ₁ ), and generating a first random number generated by the client, Receiving first encrypted data obtained by encrypting a client ID preset in the client and a server ID preset in the corresponding server with the shared key; A new means and the first one-time ID are obtained by calculation, and the combination of the operation result and the first one-time ID received from the client identifies the client and identifies the client. Determining means for decrypting the first encrypted data using the shared key and determining the validity of the client based on the client ID and the server ID included in the decrypted data; When the judging means determines that the client is justified, a second random number is generated and a function value of a one-way function taking the first random number, the second stored random number, and the shared key as arguments. obtain a second one-time ID (SIGNALs ₁₎ of the client ID, the server ID and the encrypted data of second random numbers encrypted with the share of the second, of the second And transmitting means for transmitting a time ID to the client, and replacing means for replacing the first stored random number with the first random number and the second stored random number with the second random number, respectively. It is.

The present invention also generates a predetermined variable shared key between devices or applications, generates a random number in a predetermined communication unit, obtains a function value of a one-way function taking the random number and the shared key as an argument, In a client that generates a one-time ID from a value and authenticates with the server using the one-time ID, a first random number is generated, and a shared key shared with the server in advance, The function value of the one-way function having the first memory random number and the second memory random number as an argument is obtained as the first one-time ID SIGNALc ₁ , and the client ID preset in the client, the server ID preset in the server, First encryption data obtained by encrypting the first random number with the shared key, transmission means for transmitting the first one time ID to the server, the first random number, and the second The second one-time ID is received from the server using a function value of a memory random number and a one-way function having the shared key as the second one-time ID (SIGNALs ₁ ), and is generated by the server. A receiving means for receiving from said server the second random data obtained by encrypting the random number of said, said client ID and said server ID with said shared key, and said second one-time ID by calculation; When the server can be identified by the combination with the second one-time ID received from the server and the server can be identified, the second encrypted data is decoded using the shared key, and the decoded data is decoded. Determination means for determining the validity of the server based on the server ID and the client ID included in the data, the first stored random number as the first random number, and the second stored random number as the above-mentioned. Substitution means for substituting each of the second random numbers is provided.

The present invention is also characterized in that the server and the client are provided as an authentication system.

The present invention also provides the authentication system, wherein the server and the client replace the first stored random number with the first random number and the second stored random number with the second random number, respectively. The shared key is generated based on these first and second random numbers, thereby changing the shared key.

According to the present invention, a variable shared key that is changed for each communication unit is generated, a function value of a one-way function that takes this variable shared key as an argument is obtained, a one-time ID is generated from this function value, and the one-time ID ( According to an authentication method for authenticating between a first device and a second device that communicate with each other using SIGNALn), a function value of a one-way function having a variable shared key as an argument is obtained, and a one-time ID is obtained from this function value. For example, even if the variable shared key is leaked to a third party, even if the variable shared key is leaked to a third party, the variable shared key changes every predetermined communication unit. One-time ID cannot be predicted. In other words, it is possible to generate a one-time ID having difficulty in eavesdropping and excellent safety, and it is possible to realize safety (PFS) affecting the future of the one-time ID.

The present invention also generates a variable shared key, obtains a function value of a one-way function whose argument is information on the order or number of communication with the variable shared key, generates a one-time ID from the function value, and generates this one-time. Since the authentication is performed between the first device and the second device using the ID, for example, even if the variable shared key is leaked to a third party, the variable shared key changes for every predetermined communication unit. Since the information on the communication order or the number of times changes for each communication, it is virtually impossible to predict the one-time ID other than the one-time ID generated using the leaked variable shared key. It is also very difficult to predict the one-time ID generated by using. In other words, it is possible to generate a one-time ID having difficulty in eavesdropping and excellent safety, and it is possible to realize safety (PFS) affecting the future of the one-time ID.

The present invention also generates a predetermined variable shared key between devices or applications, generates a random number in a predetermined communication unit, obtains a function value of a one-way function that takes the random number and the shared key as arguments, and Since the one-time ID was generated from the function value and the one-time ID was used to perform authentication (mutual authentication) between the first device and the second device, for example, the shared key was leaked to a third party. Even if the function value of the one-way function is changed for each predetermined communication unit by the random number, the one-time ID cannot be predicted unless the random number generated in the predetermined communication unit is known. In other words, it is possible to generate a one-time ID having difficulty in eavesdropping and having excellent safety, thereby realizing a safety (PFS) that will be completed in the future of the one-time ID.

The present invention also allows authentication between devices (client and server) using one-time IDs generated by the various one-time ID generation methods described above. While the sender / receiver cannot be specified, the one-time ID can be grasped as identification information as long as it is a valid sender / receiver.

As a result, resistance to DoS attacks, spoofing, and the like can be strengthened, and even in an open network environment, ID information can be protected and communication safety can be improved. In addition, it is possible to remotely access and to improve convenience.

The present invention also provides a pseudo-random function having a predetermined shared key, a Diffie-Hellman public value, an ID preset in the first device, and a one-time ID as arguments as the one-way function Fc used to determine the validity of the first device. A predetermined one-way function Fs used to determine the validity of the second device, the ID set in advance on the other device of the Diffie-Hellman public value and the other of the Diffie-Hellman public value, one time Since a pseudo-random function using ID as an argument is used, it is possible to reduce the number of communication times required three times in the conventional key exchange / authentication method to two times, thereby enabling quick and secure authentication and key exchange. do.

In addition, the present invention further generates a variable shared key that varies for each communication unit, obtains a function value of a one-way function that takes the variable shared key as an argument, generates a one-time ID from the function value, or generates a variable shared key. Obtains a function value of a one-way function that takes a variable shared key and information about a communication sequence as arguments, generates a one-time ID from the function value, generates a predetermined variable shared key between devices or applications, or While generating a random number in a communication unit, a function value of a one-way function that takes this random number and the shared key as an argument, and generates a one-time ID from the function value. By using the one-time ID generated by the user to authenticate between devices (between client and server), eavesdropping is difficult and excellent in safety. It is possible to generate a time ID, it is possible to obtain an advantage in that it is possible to realize the safety (PFS) on the one-time ID future.

In addition, the present invention furthermore generates a variable shared key that changes for each communication unit, obtains a function value of a one-way function that takes the variable shared key as an argument, generates a one-time ID or generates a variable shared key from the function value, Obtains a function value of a one-way function whose argument is information regarding the variable shared key and communication order, generates a one-time ID from the function value, generates a predetermined variable shared key between devices or applications, or By generating a random number in a communication unit, various one-time ID generation methods such as obtaining a function value of a one-way function taking the random number and the shared key as arguments and generating a one-time ID from the function value The generated one-time ID is used to authenticate between devices (between client and server), so that third parties cannot specify the sender or receiver. On the other hand, if a valid sender / receiver is obtained, the one-time ID can be identified as identification information.

Therefore, resistance to DoS attack, spoofing, etc. can be strengthened, and even in an open network environment, ID information can be protected and communication safety can be improved. In addition, the remote access can be enabled, and the convenience can be improved.

Such objects and advantages of the present invention will be further clarified by the following embodiments described with reference to the accompanying drawings.

(Embodiment 1)

EMBODIMENT OF THE INVENTION Hereinafter, an example of embodiment of this invention is described in detail with reference to drawings. FIG. 2: is a schematic structure of the client computer and server computer which concern on 1st Embodiment of this invention, and this invention. It is a block diagram which shows schematic structure of this applicable network system. This embodiment applies the present invention when mutual authentication is performed between a server computer and a client computer in a network.

In FIG. 2, the network system includes at least a CPU-or a plurality of client computers 10, and a CPU at least-or a plurality of server computers 40 each include a modem, a router, and a TA (terminal adapter). It is connected to a network (for example, the Internet) 32 via a terminal adapter). Such a computer can receive information by mutual communication via the network 32.

In addition, although each of the client computer 10 and the server computer 40 is demonstrated by one computer, as shown in FIG. 2, the client computer 10 and the server computer 40 may be more than one. .

In addition, when the client computer 10 conforms to the first authentication apparatus of the present invention, when the server computer 40 conforms to the first authentication apparatus of the present invention, the client computer 10 authenticates the second authentication. Conforms to the device. The network 32 also conforms to the communication line of the present invention.

In this embodiment, a case of applying the Internet as a network will be described. In this case, at least one computer can function as a WWW server, and another machine can function as a WWW client.

Specifically, each client computer 10 is provided with a WWW browser, and by activating the WWW browser, the server computer 40 can be arbitrarily accessed through the network 32. At this time, the access position (data composed of the position of the server computer 40 of the access destination and the position of the information in the server computer 40) is designated by a URL (Uniform Resource Locator).

When there is an access request from the client computer 10, the server computer 40 transmits the data at the position designated by the URL to the client computer 10 of the access via the network 32. . At this time, data is generally transmitted in accordance with HTTP.

In addition, an IP (Internet Protocol) address is used for identification of the client computer 10. In addition, the user's own input, a predetermined code, or the like can be used as the user ID for identification of the user who operates the client computer 10.

The computer is provided with input devices such as a keyboard and a mouse, respectively, for inputting instructions to the computer, and a display is provided for displaying results of processing by the computer. In addition, since a computer is a general and general hardware structure, detailed description is abbreviate | omitted.

The client computer 10 has an input device 12 for inputting system parameters and the like, and the input device 12 is connected to a random number generator 14 and a memory 16 that generate a random number R according to the input. The random number generator 14 is connected to a memory 16 and an authentication data calculator 18 for obtaining authentication data A based on the random number R. The authentication data calculator 18 is connected to a communication interface (hereinafter referred to as communication I / F; 30) connected to the network 32 in order to communicate with the server computer 40 via the network 32. It is.

The verifier 20 is connected to the communication I / F 30. This verifier 20 is also connected to a memory 16 and an authentication data operator 18. In addition, when the validator 20 authenticates with the server computer 40, it is determined that the mutual relationship is invalid by the OK device 22 and the authentication indicating that the mutual relationship is determined to be justified by the authentication. It is also connected to the NG apparatus 24 which displays the thing.

The server computer 40 has an input device 42 for inputting system parameters and the like. The input device 42 is connected to a random number generator 44 and a memory 46 that generate a random number Q according to the input. . The random number generator 44 is connected to a memory 46 and an authentication data operator 48 for obtaining authentication data B based on the random number R. The authentication data calculator 48 is connected to the communication I / F 60 in order to communicate with the client computer 10 via the network 32.

The verifier 50 is connected to the communication I / F 60. This verifier 50 is also connected to a memory 46 and an authentication data operator 48. In addition, when the validator 50 authenticates with the client computer 10, it is determined that the mutual relationship is invalid by the OK device 52 and the authentication indicating that the mutual relationship is determined to be justified by the authentication. It is also connected to the NG apparatus 54 which displays what was determined.

[Conceptual process]

Next, the conceptual process of mutual authentication in the network system of this embodiment is demonstrated. In the present embodiment, mutual authentication between computers is performed by passing digital data. 3, the processing process of mutual authentication is shown as a flowchart.

In step 100, the client computer 10 and the server computer 40 store the common initial value (hidden key K ₀ ) which is common to both by a predetermined procedure.

The predetermined procedure is to set initial values when mutual authentication between the client computer 10 and the server computer 40 is executed. For example, since data common to the client computer 10 and the server computer 40 is held as an initial value, either or both of the client computer 10 and the server computer 40 can be stored. The initial value determined by the three-character computer is provided to both the client computer 10 and the server computer 40.

This provision is to transmit the initial value electronically, such as an electronic mail, and to send the printed matter which printed the initial value to both the client computer 10 and the server computer 40, and to send the client computer 10 and This is achieved by inputting to each of the server computer 40.

In the present embodiment, the initial value is provided between the client computer 10 and the server computer 40 to maintain a state common to both the client computer 10 and the server computer 40. The initial value is updated for each data number created between the client and the client 10 and the server 40 after the data transfer history is the initial value.

In other words, the initial value is set to both the client computer 10 and the server computer 40. If it is a common value, you may hold | maintain both sides by providing arbitrary values as mentioned above, but in order to maintain a common state in both the client computer 10 and the server computer 40 by arbitrary algorithms. The result of the data transfer between the client computer 10 and the server computer 40 is preferable. In the present embodiment, any algorithm can be used in the order of maintaining both data of the transmitting side and the receiving side in common in both the transmitting side and the receiving side. Specifically, data of the result of mutual authentication described later will be described. I use it.

In addition, the format (for example, format) of the data memorize | stored by both the client computer 10 and the server computer 40 is not limited similarly. That is, data stored in both the client computer 10 and the server computer 40 is not limited to the sameness of the data as long as the final values of the data are the same. For example, it may be stored in a different format. In this way, even when the data on the other hand leaks, the data on the other hand can be maintained.

First, in step 110, the client computer 10 sends authentication data. This authentication data is the first data requesting mutual authentication from the client computer 10 to the server computer 40, and is generated in the client computer 10 using the stored initial value as a concealment key. The data is stored and encrypted by the concealment key and sent.

Next, in step 120, the authentication data sent from the client computer 10 is received in the server computer 40, and the stored initial value is used as a concealment key at this point in the server computer 40. In addition to storing the data generated by the server, authentication data encrypted with the concealment key is sent. In addition, the authentication data includes some data included in the authentication data received from the client computer 10.

Thereby, the authentication data sent from the server computer 40 can be sent as data representing that the response to the request from the client computer 10 is a response. After sending the authentication data, the received authentication data is analyzed, and a new concealment key is generated using each of the data generated in the server computer 40, and stored as a new concealment key. Updates a hidden key

Next, in step 130, the authentication data sent from the server computer 40 is received in the client computer 10, and the stored initial value is used as a concealment key at this point in the client computer 10. In addition to storing the data generated by the server, the authentication data encrypted by the concealment key is sent. In addition, the authentication data includes some data included in the authentication data received from the server computer 40.

Thereby, the authentication data sent from the client computer 10 can be sent as data expressed as being a response to the one sent from the server computer 40. After sending the authentication data, the received authentication data is analyzed, and a new concealment key is generated using each of the data generated in the client computer 10, and stored as a new concealment key. Update the concealment key.

Therefore, at the time when the process of step 130 ends, the initial value (hidden key) is updated in both the client computer 10 and the server computer 40, and it can be maintained as a common value (hidden key). have.

In following step 140, it is determined whether the process of both the client computer 10 and the server computer 40 completed the predetermined number of times predetermined. The number of times of this determination reference | standard is set in advance at least 1 time, and in this embodiment, the value of the number of times common to both the client computer 10 and the server computer 40 is hold | maintained. In addition, the judgment reference number may hold the value of a different number of times in each of the client computer 10 and the server computer 40. In this case, although the standard of authentication is different for each of the client computer 10 and the server computer 40, if the authentication is justified, it is achieved by reporting that multiple times of data transfer are required on the computer side with fewer judgment criteria. can do. By referring to the number of times, the client computer 10 is denied until the update process in step 140 and the server computer 40 end the number of times the update process is held. If the number of determination criteria is set once, the process proceeds directly to Step 150 without being denied to Step 140.

Therefore, at the point judged affirmatively in step 140, all values (hidden keys) are updated by both the client computer 10 and the server computer 40, and the common values (hidden keys) are maintained by both. Will be. In step 150, the authentication process is performed in both the client computer 10 and the server computer 40, and the process ends.

The authentication process is made by determining whether the transmitted authentication data is legitimate data or not, using the latest hidden key stored. This authentication process can be performed in common between both the client computer 10 and the server computer 40. When this authentication process is completed, mutual authentication is completed by both the client computer 10 and the server computer 40.

[Detailed process]

Next, mutual authentication referred to in the above conceptual process will be described in detail.

(Organization of data including concealment key)

In the present embodiment, since the concealment key is updated to the latest data for each information pass, it functions as history data K. In the following description, the hidden key K is denoted by the same notation as functioning as the historical data K.

The concealment key K including the initial value used as the authentication data in the conceptual process is the encryption data C for specifying the client computer 10 and the authentication data R and the encryption data S for specifying the server computer 40 and the authentication. It consists of data Q. In addition, in the following description, although the subtracting key K, the cancer data C, the authentication data R, the authentication data S, and the authentication data Q append the subscript which increases from initial value "0", and expresses an update state, these are general In the case of explanation, only the symbols with subscripts removed will be described.

In this embodiment, as an initial value, it is assumed that the result of the data transfer made by both the client computer 10 and the server computer 40 described later is specifically stored, and the historical data is already inherent. .

The concealment key K uses the calculation result of the function g (C, S, Q, R) using each of the encryption data C, the authentication data R, the encryption data S, and the authentication data Q. The function g is an example of a polynomial, a multiplication, a sum of products, and a hash function with simplification and coefficient addition.

The first value for generating the initial values C ₀ and R ₀ on the client computer 10 side may be automatically generated by using a value set by the user for the encryption data C and the authentication data R. It is preferable that the contents of the authentication data R fluctuate randomly for every number of information, and according to the present embodiment, the random data generated in the random number generator 14 is used as the authentication data R. However, the present invention is not limited to using random numbers in the authentication data R. For example, you can use time data such as the current date, date, date and time, arbitrary file size stored in the computer, time stamp, and capacity when receiving information.

Similarly, the first value for generating the initial values S ₀ and Q ₀ on the server computer 40 side is a value set by the operator managing the server computer 40 with respect to the encryption data S and the authentication data Q. You can use it or generate it automatically. As described above, it is preferable that the contents of the authentication data Q fluctuate randomly for every number of information. In this embodiment, the random number generated by the random number generator 44 is used as the authentication data Q. However, the present invention is not limited to the use of random numbers in the authentication data Q. For example, it is possible to use time data such as the current date, date, date and time, arbitrary file capacity or time stamp stored in the computer, capacity when receiving information, and the like.

In addition, although the authentication data R on the client computer 10 side and the authentication data Q on the server computer 40 side are transmitted to the other side, in order to make it difficult to specify by the third party about the transmission data, You need to do a bean. Here, in the present embodiment, the authentication data R transmitted from the client computer 10 to the server computer 40 and the authentication data Q transmitted from the server computer 40 to the client computer 10 are concealed. Cover up with key K.

That is, in the case of transmitting from the client computer 10 to the server computer 40, the authentication data A is generated and transmitted by a predetermined function (R, K). The function 일례 exemplifies a polynomial, a multiplication, sum of products, and a hash function with simplification and coefficient addition. Similarly, when transmitting from the server computer 40 to the client computer 10, the authentication data B is generated and transmitted by the predetermined functions w (Q, K). The function w takes as an example a polynomial, a multiplication, a sum of products, and a hash function with simplification and coefficient addition. Next, an example of a function # and w is shown.

A _m = ｖ (R, K) = R _m + K _m-1

B _m = w (Q, K) = Q _m + K _m-1

However, it is a natural number of m ≥ 1.

In addition, although the encryption data C on the client computer 10 side and the encryption data S on the server computer 40 side are transmitted to the other side, as described below, the encryption data is changed in the number of times of information transfer. have. That is, the encryption data C transmitted from the client computer 10 to the server computer 40 generates and transmits the new encryption data C by the function y (S, R) predetermined in the case of the transmission. The function y is an example of a polynomial, a multiplication, a sum of products, and a hash function with simplification and coefficient addition. Similarly, when transmitting from the server computer 40 to the client computer 10, the encryption data S is generated and transmitted by the predetermined function z (C, Q). The function z exemplifies a polynomial, a multiplication, a sum of products, and a hash function with simplification and coefficient addition. Next, an example of the functions y and z is shown.

C _m = y (S, R) = S _m-1 + R _m-1

B _m = w (C, Q) = C _m-1 + Q _m-1

However, it is a natural number of m ≥ 1.

In addition, in the transmission of dark data, identification by a third party makes it difficult, so it is good to perform the beaning. For example, the concealment data K transmitted from the client computer 10 to the server computer 40 and the encryption data S transmitted from the server computer 40 to the client computer 10 are concealed with a concealment key K. It's okay to do it. In other words, it may be a function in which a hidden key K is added as a parameter.

(Detailed process)

4 is an image diagram showing a detailed process in mutual authentication according to the first embodiment of the present invention. Hereinafter, the detailed process of this embodiment is demonstrated with reference to FIG.

Step P0: The concealment key K ₀ of the initial value is stored in each of the client computer 10 and the server computer 40. This process corresponds to step 100 of FIG. 3 and processes Pc0 and Ps0 of FIG.

Step P1: The client computer 10 generates a random number R, calculates the encryption data C and the authentication data A, and sends it to the server computer 40. FIG. This process corresponds to step 110 of FIG. 3 and process Pc1 of FIG. 4.

That is, the client computer 10 generates the random number R1 in the random number generator 14. The generated random number R ₁ , C ₀ , S ₀ , Q ₀ , and R ₀ constituting the concealed key K ₀ and the concealed key K ₀ stored in the memory 16 are input to the authentication data operator 18. The authentication data operator 18 uses the encryption data S ₀ and the authentication data R ₀ constituting the concealed key K ₀ and the concealed key K ₀ stored in the random number R ₁ and the memory 16. By v, new cancer data C ₁ and new authentication data A ₁ are obtained. The new encryption data C ₁ and authentication data A ₁ thus obtained are stored in the memory 16 and output to the communication I / F 30 and transmitted to the server computer 40 via the network 32. This transmission data corresponds to data Dc1 of FIG.

Step P2: The server computer 40 receives the authentication data A and the encryption data C from the client computer 10, generates a random number Q, calculates the encryption data S and the authentication data Q, and calculates the client computer 10. Send by At the same time, the stored concealment key K ₀ is updated to the new concealment key K ₁ . This process corresponds to step 120 of FIG. 3 and process Ps1 of FIG. 4.

That is, in the server computer 40, the encryption data C ₁ and authentication data A ₁ from the client computer 10 are input to the verifier 50 via the communication I / F 60. At this time, the server computer 40 generates the random number Q ₁ in the random number generator 44. The generated random numbers Q ₁ and C ₀ , S ₀ , Q ₀ , and R ₀ constituting the concealed key K ₀ and the concealed key K ₀ stored in the memory 46 are input to the authentication data operator 48. The verifier 50 also outputs the encryption data C ₁ and the authentication data A ₁ from the client computer 10 to the authentication data calculator 48.

The authentication data operator 48 uses the random number Q ₁ , the received encryption data C _1, and the authentication data Q ₀ constituting the stored concealment key K ₀ and the concealment key K ₀ . The cancer data S ₁ and the new authentication data B ₁ are obtained. The new encryption data S ₁ and authentication data B ₁ thus obtained are output to the communication I / F 60 and transmitted to the client computer 10 via the network 32. This transmission data corresponds to data Ds1 of FIG.

At this time, the server computer 40 obtains new data for each data constituting the concealment key K as an initial value. That is, the cancer data C ₁ received from the client computer 10 for the cancer data C, the cancer data S ₁ calculated by the authentication data operator 48 for the cancer data S, and the random number generator 44 for the authentication data Q. ) is a random number Q _1, for the authentication data R from the inversion by the authentication data received from the client a, the computer 10, i.e., the random number R ₁ can be obtained by subtracting the concealment key K ₀ occurred in.

Here, the encryption data C ₁ , the authentication data S ₁ , the authentication data Q ₁ , and the authentication data R ₁ are updated as new data and updated as a new concealment key K ₁ . As a result, the server computer 40 can automatically update the latest data as the history of the concealment key K. FIG.

Step P3: The client computer 10 receives the authentication data B and the encryption data S from the server computer 40, generates a random number R, calculates the encryption data C ₂ and the authentication data A _2, and calculates the server computer ( 40). At the same time, the stored concealed key K ₀ is updated to the new concealed key K ₁ . This process corresponds to step 130 of FIG. 3 and process Pc2 of FIG. 4.

That is, in the client computer 10, the encryption data S ₁ and the authentication data B ₁ from the server computer 40 are input to the verifier 20 via the communication I / F 30. At this time, the client computer 10 generates the random number R ₂ in the random number generator 14. The generated random number Q ₂ and C ₀ , S ₀ , Q ₀ , and R ₀ constituting the concealed key K ₀ and the concealed key K ₀ stored in the memory 46 are input to the authentication data operator 18. The verifier 20 also outputs the encryption data S ₁ and the authentication data B ₁ from the server computer 40 to the authentication data calculator 18. At this time, in the client computer 10, new data (data constituting the new concealment key K ₁ ) is obtained for each data constituting the concealment key K ₀ stored in the memory 16 as an initial value. It is. That is, the encryption data C can be obtained by subtracting the authentication data Q ₀ stored in the memory 16 constituting the concealment key K ₀ from the encryption data S ₁ received from the server computer 40. The darkening data C ₁ transmitted last time stored in the data C ₁ or the memory 16 corresponds. It is obtained by subtracting the inversion, that is, the concealment key K ₀ , from the authentication data S ₁ received from the server computer 40 for the encryption data S and the authentication data B ₁ received from the server computer 40 for the authentication data Q. for the authentication data Q _1, the authentication data R that is the last time the generated random number R _1.

Here, the encryption data C ₁ , the authentication data S ₁ , the authentication data Q ₁ , and the authentication data R ₁ are updated as new data and updated as a new concealment key K ₁ . Thereby, the client computer 10 can automatically update the same hidden key K as the server computer 40 to the latest data. In addition, data computing unit (18) for authentication, generates a random number R _2, to update the history data authentication data K ₁ R _1, received amjeung data S ₁ and with a concealed key K ₁ of the new the function y, v New cancer data C ₂ and new authentication data A ₂ are obtained. The new encryption data C ₂ and the authentication data A _{2 obtained} are stored in the memory 16 and output to the communication I / F 30 and transmitted to the server computer 40 via the network 32. . This transmission data corresponds to data Dc2 of FIG.

  Step P4: The process of steps P2 and P3 is executed only a predetermined number m. In addition, in this embodiment, since the predetermined number m includes at least one data pass, it includes the number of times (m = 1) which is not repeated. That is, since the historical data of the data transfer made by both parties is used at the time of data transfer made between the client computer 10 and the server computer 40, even if the data transfer is once, Since the data is received including the history between the 10 and the server computer 40, the data is not simply data but is effective because it is the history data. Repeating the processes of steps P2 and P3 only a few times is effective for improving the accuracy of judging the validity of data.

  In other words, the process of repeating the above process is determined in advance by repeating the number of times of repeating, that is, the number of times of execution, so that the value of the concealed key K is updated so that it is possible to suppress the third party from catching the change. do. In this way, the concealment key K which is held in common for the client computer 10 and the server computer 40 is updated as many times as the latest state according to the history so far. It is difficult to derive K.

Step P2, and the result of the process of P3 executed only a predetermined number m, a client, a computer 10 and a server, it has the respective computer 40, hiding keys K _m, and C constituting the concealing key K _{m m,} S _m The values of, Q _m and R _m are retained. Moreover, when m = 1, the value of one time of data transfer is hold | maintained.

  In addition, the execution process which repeats a process corresponds to the process execution by the determination of step 140 of FIG. 3, and repeating the process of Ps1 and Pc2 from process Pc1 about the process of Psm and Pcm from process Pc2 of FIG.

Step P5: After the process is finished, each of the client computer 10 and the server computer 40 checks whether the received data is valid or not, and if it is successful, mutual authentication succeeds. The relationship between the two is allowed, and when it is not established, mutual authentication fails and the relationship is rejected. This process corresponds to step 150 of FIG. 3 and processes P _{Sm + 1} and P _{Cm + 1} of FIG. 4.

When authenticating after one execution, the first data is transmitted from the client computer 10, but the client computer 10 records the history of the client computer 10 and the server computer 40 at that time. As an initial value including, the authentication data A ₁ and the encryption data C ₁ generated by the stored concealment key K ₀ are transmitted to the server computer 40. This process corresponds to sending data Dc1 after process Pc1 of FIG.

Server, a computer (40), via the communication I / F (60) amjeung data from the client, the computer 10 in the verifier (50) C ₁ and authentication data A is _1, the input verifier for amjeung data C ₁ Justification is checked at (50). Since the received cancer data C ₁ is generated based on the data of the previous history, the server computer 40 constitutes a hidden key K ₀ (here, an initial value) which is updated and stored in the latest state. The encryption data S ₀ and the authentication data R ₀ are used to determine whether or not the calculation result of the function y of the above description is identical with the received data, and if it is matched, the validity is acknowledged. If the validity is recognized, the processing is continued after notifying the OK device 52 of the validity, and if not, the processing is terminated after the NG device 54 is notified.

When the validity is recognized and processing continues, the random number generator 44 generates a random number Q ₁ in the same manner as in step P2 above, and the authentication data calculator 48 generates the encryption data S ₁ and the authentication data B ₁ . In addition to transmitting to the client computer 10, the concealment key is updated to the latest concealment key K ₁ .

This authentication process corresponds to the process of the process Ps _{m + 1} of FIG. In this case, since it is not executed repeatedly, it corresponds to processing with m = 0. That is, each time data is transmitted from the client computer 10 to the server computer 40, authentication can be performed using data including the history received from the client computer 10 on the server computer 40 side. .

On the other hand, in the client computer 10, the encryption data S ₁ and the authentication data B ₁ from the server computer 40 are input to the verifier 20 via the communication I / F 30. In the client computer 10, the validator 20 verifies validity with respect to the encryption data S1. Since the received cancer data S ₁ is generated in the server computer 40 on the basis of the data of the previous history similarly to the cancer data C, the client computer 10 conceals the updated state stored in the latest state. Using the encryption data C ₀ and the authentication data Q ₀ constituting the key K ₀ (here, the initial value), it is determined whether or not the result of the calculation of the function z of the above-described technique matches the received data. Justification is recognized, and in the case of disagreement, it is denied. If the validity is recognized, the processing is continued after notifying the OK device 22 of the validity, and if not, the processing is terminated after the NG device 24 is notified.

When the validity is recognized and processing continues, the process shifts to processing to be performed between the client computer 10 and the server computer 40. In addition, in order to maintain the identity of the historical data K with the server computer 40, the client computer 10 updates the concealment key to the latest concealment key K ₁ in the same manner as in step P3.

This authentication process corresponds to the process of process Pc _{m + 1} of FIG. In this case, since it is not executed repeatedly, it corresponds to processing with m = 0. That is, each time data is sent from the server computer 40 to the client computer 10, authentication can be performed using data including the history received from the server computer 40 on the client computer 10 side. .

  In addition, each time data is sent from the client computer 10 to the server computer 40, or whenever data is sent from the server computer 40 to the client computer 10, the receiving side authenticates. You can run a session with this authentication multiple times, with a session that involves doing so.

Next, the case of authenticating after repeating several executions is demonstrated. In this case, the m-th data transmission is performed from the client computer 10, and the client computer 10 uses the concealment key K _m , which has been updated by m repetitions, to thereby form the server computer 40. The authentication data A _{m + 1} and the encryption data C _{m + 1} are transmitted. This process corresponds to sending data Dc _{m + 1} after process Pc _m in FIG.

First, in the server computer 40, the encryption data C _{m + 1} and the authentication data A _{m + 1} from the client computer 10 are input to the verifier 50 via the communication I / F 60. In the server computer 40, the validator 50 verifies validity with respect to the cancer data C _{m + 1} . Since the received cancer data C _{m + 1} is generated based on the data of the previous history, in the server computer 40, the cancer data S _m constituting the hidden key K _m updated and stored in the latest state. And using the authentication data R _m , it is determined whether or not the calculation result of the function y of the above description matches the received data or not, and if it matches, the validity is recognized. If the validity is recognized, the processing is continued after notifying the OK device 52 of the validity, and if not, the processing is terminated after notifying the NG device 54 that it is invalid.

When the validity is recognized and the processing is continued, the processing is continued in the same manner as in step P2, and a random number Q _{m + 1} is generated in the random number generator 44, and the encryption data S _{m + 1 is} authenticated in the authentication data operator 48. The data B _{m + 1} is generated and transmitted to the client computer 10, and the hidden key is updated to the latest hidden key K _{m + 1} . This authentication process corresponds to the process of the process Ps _{m + 1} of FIG.

On the other hand, in the client computer 10, the encryption data S _{m + 1} and the authentication data B _{m + 1} from the server computer 40 are input to the verifier 20 via the communication I / F 30. In the client computer 10, the validator 20 verifies validity with respect to the encryption data S _{m + 1} . Since the received cancer data S _{m + 1} is generated in the server computer 40 based on the previous history data as in the cancer data C, the client computer 10 is updated and stored in the latest state. Using the encryption data C _m and authentication data Q _m constituting the concealed key K _m , it is determined whether the result of the calculation of the function z of the above technique matches the received data, and if it does, the validity is recognized. In case of inconsistency, it justifies the justification. If the validity is recognized, the processing is continued after notifying the OK device 22 that there is a validity, and when it is denied, the processing is terminated after notifying the NG device 24 that it is invalid.

If the validity is recognized and processing continues, the process shifts to processing to be performed between the client computer 10 and the server computer 40. In addition, in order to maintain the identity of the historical data K with the server computer 40, the client computer 10 updates the concealment key to the latest concealment key K _{m + 1} in the same manner as in step P3. This authentication process corresponds to the process of process Pc _{m + 1} of FIG.

As described above, in the present embodiment, when mutual authentication is performed between the client computer 10 and the server computer 40, both parties have a common concealment key K, and the concealment key K is provided for each number of information. It is updating. For this reason, even if the data at the time of information transmission is analyzed, it is difficult to specify the data for authentication, the confidentiality can be improved, and mutual authentication can be surely performed.

Although the above has been described as an example between the client computer 10 and the server computer 40, in the asynchronous network such as the Internet, the server computer 40 needs to be authenticated with respect to the client computer 10. . In this case, the processing may be separated for each user ID of the client computer 10.

The above process can be stored in a form executable on a floppy disk as a recording medium as a processing program of the client computer 10 and the server computer 40. In this case, plugging in and unplugging each device A floppy disk unit (FDU) can be connected, and the recorded processing program can be executed from the floppy disk via the FDU. In addition, the processing program may be stored (installed) and executed so as to be accessible to RAM or another storage area (for example, a hard disk device) in the computer. In addition, you may store in ROM beforehand. As the recording medium, there are magnetic tapes such as discs such as CD-ROM, MD, MO, DVD, DAT, etc., and when using them, CD-ROM device, MD device, MO device, DVD device, DAT as a corresponding device You may use a device.

  As described above, according to the first embodiment of the present invention, in the case of mutual authentication between the first authentication device and the second authentication device, history data is common to each of the first authentication device and the second authentication device. As the data is stored and the history data is updated, mutual authentication can be performed safely and easily. For example, the key of the client computer is not leaked from the information received between the client computer and the server computer. This has the effect of being able to authenticate.

(Embodiment 2)

5 is a schematic configuration diagram showing a second embodiment of an authentication system according to the present invention. This authentication system is outlined by a server (second device) 10 and a client (first device) 20 connected to each other via a network 40 such as a public line network or the Internet. In this embodiment, a plurality of servers A, B, C,... That provide various services. Is connected to the server 10, and the server 10 is connected to the servers A, B, C,... It is supposed to function as an authentication server for determining whether or not to access the network.

  As shown in FIG. 6, the server 10 is composed of a CPU 11, a RAM 12, a storage device 13, an input device 14, a display device 15, a communication device 16, and the like. Each part is connected by the bus 17.

The CPU (Central Processing Unit) 11 includes various processing programs stored in the storage area of the storage device 13, various instructions input from the input device 14 or the communication device 16, or various data corresponding to the instructions. Etc. are stored in the RAM 12, and various processes are executed in accordance with various processing programs stored in the RAM 12 according to their input instructions and various data, and temporarily storing the processing results in the RAM 12; At the same time, output is performed to the display device 15 and the like.

This CPU 11 constitutes a receiving means and a determining means in the server 10, and is a HASHc and a one-time ID (SIGNAL) which are function values of a one-way function (one-way function Fc) that takes a client ID as an argument. Received data received from the client 20 when receiving the DH public value g ^x (one of the Diffie-Hellman public values) from the client 20 (ie, receiving a request for access from the client 20). And the one-time ID and the HASHc are calculated by the calculation using the stored data stored in the storage device 13 and the client 20 is compared with the one-time ID and the HASHc received from the client 20. The process of determining the validity of) is performed.

Further, the CPU 11 constitutes a transmission means in the server 10, and when the client 20 determines that the client 20 is justified, the CPU 11 uses the received data and the stored data to take a server ID as an argument. The client 20 calculates the HASHs that are the function values of the one-way function (one-way function Fs) by calculation, and calculates the DH public values g ^y (the other of the Diffie-Hellman public values) stored in the HASHs and the storage device 13. The processing to send is executed.

  The one-time ID (SIGNAL) is identification information that can be used only once for authentication between the server and the client. When generating the one-time ID, the encryption key K (variable shared key) changes for each predetermined communication unit. ) Is read from the storage device 13, a function value of a hash function (one-way function) taking this encryption key K as an argument is obtained, and the one-time ID is generated from this function value.

  The RAM (Random Access Memory) 12 has a storage area for storing data related to authentication, such as data transmitted and received between the client 20 and the like, a working area of the CPU 11, and the like.

The storage device 13 has a storage medium 13a in which programs, data, and the like are stored, and the storage medium 13a is composed of a magnetic, optical recording medium, or semiconductor memory. The storage medium 13a is fixedly provided by the storage device 13, or is detachably mounted, and stores a variety of processing programs, control data, and the like executed by the CPU 11, and relates to authentication. And a storage area for storing various data (for example, data acquired by the client 20 or the ID issuance management server 30 (described later), data generated in the process of authentication, etc.). The program, data, and the like stored in the storage medium 13a can also be configured to receive part or all of the data from another server or the like via the network 40. In this storage medium 13a, the server ID, the DH public value g ^y , the random number R shared with the client 20, and the like are stored in advance in the step before starting the authentication process.

  The input device 14 is comprised by a keyboard, a pointing device, etc., and outputs an input instruction signal to the CPU 11.

  The display device 15 is constituted by a cathode ray tube (CRT), a liquid crystal display (LCD), or the like, and displays display data input from the CPU 11. The communication device 16 is constituted by a modem, a router, a bridge, or the like, outputs data received from the client 20 or the like through the network 40 to the CPU 11, and is received from the CPU 11. One data is outputted to the client 20 and the like via the network 40.

  On the other hand, the client 20 is composed of a CPU 21, a RAM 22, a storage device 23, an input device 24, a display device 25, a communication device 26, and the like as shown in FIG. It is connected by. Specifically, examples of the client 20 include a personal computer, a portable information terminal such as a PDA (Personal Digital Assistance), a mobile phone that can use an Internet connection service, and the like. In addition, since each component of this client 20 is substantially the same as each component of the server 10 mentioned above, only the difference is demonstrated below.

That is, the CPU 21 of the client 20 constitutes a transmission means in the client 20, and generates a one-time ID SIGNAL based on an instruction input from the input device 24 or the like. HASHc, which is a function value of a one-way function (one-way function Fc) that takes a client ID as an argument, is obtained, and these one-time IDs and the DH public values g ^x (Diffie-Hellman public values) stored in advance in the storage unit 23 are obtained. On the other hand, the process of transmitting to the server 10 is performed.

In addition, the CPU 21 constitutes a receiving means and a determining means in the client 20, and HASHs and DH public values g ^y (Diffie) which are function values of a one-way function (one-way function Fs) that takes a server ID as an argument. When receiving the other of the Hellman public values from the server 10 (that is, the server 10 determines that the client 20 is legitimate), HASHs are calculated by calculation using the stored data stored in the storage device 23, and the process of determining the legitimacy of the server 10 is executed by comparing the result of the calculation with the HASHs received from the server 10. .

The storage device 23 has a storage medium 23a in which a program, data, and the like are stored, and the storage medium 23a stores a memory for storing various processing programs, control data, and the like, which are executed by the CPU 21. Area, a storage area for storing various types of data related to authentication (for example, data acquired from the server 10 or the ID issuance management server 30 (described later), data generated in the process of authentication), and the like. . In this storage medium 23a, the client ID, the DH public value g ^x , the random number R shared with the server 10, and the like are stored in advance in the step before starting the authentication process.

  The ID issuance management server 30 issues and manages secret information (for example, a random number R used to generate an initial value of one-time ID, etc.), a client ID, a server ID, and the like shared between the client and the server. It is a server. The ID issuance management server 30 stores the secret information, the password, and the like in the ID of the user who uses the client 20 (for example, a credit No, a periodic net ID, an employee No, a student No, a specific member No, etc.). You have a database that is attached and stored. In addition, the ID issuance management server 30 updates the secret information in the database at regular intervals, and updates the secret information online (for example, by e-mail) or offline (for example, by mail, etc.). ) Is distributed to both the client 20 and the server 10. In addition, the issuance of the secret information may be based on a issuance request from the client 20 or the server 10.

Next, 2nd Embodiment of the authentication method performed by the authentication system which consists of the said structure is demonstrated based on FIG. This method applies the one-time ID (SIGNAL) related to the present invention to the IKE method specified in RFC2409.

First, in step S1, the client 20 serving as an initiator generates an one-time ID SIGNAL on the occasion of SA generation by IKE, and calculates HASHc by arithmetic operations. A process of transmitting the ID and HASHc and the DH public value g ^x stored in the storage device 23 to the server 10 serving as the responder together with the proposal of the SA.

Here, SIGNAL which is a one-time ID is generated as follows using a hash function, for example.

SIGNAL ₁ = R

SIGNAL ₂ = hash (K ₁ )

SIGNAL ₃ = hash (K ₂ )

               …

SIGNAL _n = hash (K _n-1 )

                                         … … (Equation 2)

In the definition of SIGNAL, hash is a hash function, R is issued from the ID issuing management server 30 to both the server 10 and the client 20, and the random number shared between them is generated, and K _i is generated as the i-th session. The encryption key (variable shared key) of the shared server client share. In addition, the session represents a communication unit from the establishment of the SA until the SA is invalidated.

  That is, according to the definition formula of SIGNAL, a function value of a hash function whose argument is the encryption key K generated in the previous session is obtained, and the function value is used as SIGNAL of this session. In the first session, the random number R shared in advance between the server and the client is used as the initial value of SIGNAL. In addition, the said encryption key Ki is calculated | required from following Formula (3), for example.

K _i = prf (shared key, g ^xy , SIGNAL _i )

                                          … … (Equation 3)

In this equation (3), g ^xy is a DH common key, and the shared key is an arbitrary shared key between server and client.

On the other hand, HASHc is obtained as a function value of a pseudorandom function (keyed hash function) that takes a shared key, a DH public value g ^x , IDc (client ID), and SIGNAL as shown in the following equation (4). .

HASHc = prf (shared key, g ^x , IDc, SIGNAL)

                                         … … (Equation 4)

  Next, in step S2, the server 10 obtains SIGNAL and HASHc by arithmetic operations, and justifies the client 20 by comparing these arithmetic results with SIGNAL and HASHc received from the client 20. The judgment process is performed.

As a result of the determination, when the received data and the calculation result coincide, and the client 20 determines that it is legitimate, the HASHs are obtained by calculation and the DH public value g stored in the HASHs and the storage device 13 is calculated. A process of transmitting ^y to the client 20 together with the accepted SA is executed (step S3). On the other hand, when the received data and the calculation result do not match and it is determined that the client 20 is not valid, access from the client 20 is denied and the authentication process ends.

Here, HASHs is a function value of a pseudo-random function (keyed hash function) that takes a shared key, a DH public value g ^x , g ^y , IDs (server ID), and SIGNAL as shown in the following expression (5). Obtained as

HASHs = prf (shared key, g ^x , g ^y , IDs, SIGNAL)

                                         … … (Eq. 5)

Further, in the step S3, to generate a DH public value g ^x DH shared-key g ^xy from the is received from the storage device (13) DH public value g ^y and the client 20 stored in, DH shared-key g ^xy Is stored in the storage device 13 as well.

  Next, in step S4, the client 20 obtains HASHs by calculation, and performs a process of determining the legitimacy of the server 10 by comparing the result of the calculation with the HASHs received from the server 10. Run

As a result of the determination, when the received data and the calculation result coincide with each other and the server 10 determines that the server 10 is legitimate, the DH public value g ^x stored in the storage device 23 and the received data from the server 10 are determined. After the DH common key g ^xy is generated from the DH public value g ^y and stored in the storage device 23, the authentication process is terminated and the process proceeds to the next data transfer process. On the other hand, when the received data and the calculation result do not match and it is determined that the server 10 is not valid, access to the server 10 is stopped and the authentication process ends.

  As described above, according to the second embodiment, the function value of the hash function whose argument is the encryption key K (variable shared key), which varies from session to session, is used as the one-time ID (SIGNAL). Even if the encryption key K is leaked to a third party, the encryption key K is changed for each session, so that one time IDs other than the one time ID generated using the leaked encryption key K cannot be predicted. In other words, it is possible to generate a one-time ID having difficulty in eavesdropping and excellent safety, and it is possible to realize safety (PFS) affecting the future of the one-time ID.

  In addition, since the one-time ID (SIGNAL) is used for authentication between the client and the server, the third-party cannot identify the sender and the receiver, and if it is a legitimate sender / receiver, the one-time ID can be identified as the identification information. There is a number. As a result, resistance to DoS attacks, spoofing, and the like can be strengthened, and even in an open network environment, ID information can be protected and communication safety can be improved. In addition, remote access can be made, and the convenience can be improved.

In this embodiment, the server uses a pseudo random number function that takes a shared key, a DH public value gx, IDc (client ID), and SIGNAL as the one-way function Fc used to determine the validity of the client 20. As the one-way function Fs used to determine the validity of (10), a pseudo-random function that takes a shared key, DH public values g ^x , g ^y , IDs (server ID), and SIGNAL as arguments is used. In this method, it is possible to reduce the number of communication required three times in two, and to realize quick and secure authentication and key exchange.

  (Embodiment 3)

  In the second embodiment described above, a function value of a hash function whose argument is an encryption key (variable shared key) generated in a previous session is obtained, and this function value is the one-time ID (SIGNAL) of this session. In this third embodiment, the function value of the hash function whose arguments are the shared key generated in the last session and the communication order in the session is obtained, and this function value is used for this session. It is used as a one-time ID at the time of each communication. It is the same as that of 2nd Embodiment except the part peculiar to this 3rd Embodiment. In this 3rd Embodiment, the same code | symbol is attached | subjected to the same part as 2nd Embodiment, and the description is abbreviate | omitted.

It is a figure explaining 3rd embodiment of the authentication method which concerns on this invention. In this third embodiment, first, in step P1, the client 20 generates SIGNALn, ₁ (the first one-time ID), and IDc (client ID), IDs (server ID), The DH public values gxn and SIGNALn, ₁ are encrypted with a shared key K _n-1 (first variable shared key), and a process of transmitting this encrypted data and SIGNALn, ₁ to the server 10 is executed.

  Here, SIGNAL uses SIGNAL, which is used as the j-th communication of the client 20 in the i-th session, as SIGNALi, j, and SIGNAL, which is used as the j-th communication of the server 10 in the i-th session. 'i, j is generated as follows.

SIGNAL ₁ , _j = hash (R, j) i = 1

SIGNAL _i , _j = hash (K _i-1 , j) i≥2

SIGNAL ' ₁ , _j = hash' (R, j) i = 1

SIGNAL ' _i , _j = hash' (K _i-1 , j) i≥2

                                         … … (Equation 6)

In the definition formula (6) of the SIGNAL, hash and hash 'are different hash functions, and R is a random number issued from the ID issuing management server 30 to both the server 10 and the client 20 and shared between them. , Ki is the DH common key g ^xiyi (shared key) shared by the i th session.

That is, according to the definition formula (6) of the above SIGNAL, the function value of the hash function whose argument is the shared key Ki-1 generated in the last session and the communication order j in this session is obtained, and this function value is obtained this time. Set to SIGNAL for the jth communication of the session. In the first session (i = 1), however, the function value of the hash function whose arguments are the shared random number R between the server and the communication sequence j in the session is obtained, and the value of the function It is set as SIGNAL used for the jth communication.

Next, in step P2, the server 10 obtains SIGNAL _n , ₁ by a calculation, and the client 20 uses a combination of the result of this calculation and SIGNAL _n , ₁ received from the client 20. If it can't identify it, it refuses communication. If it can be identified, the encrypted data is decrypted using the shared key K _i-1 , and the validity of the client 20 is determined based on IDc, IDs, and SIGNAL _n , ₁ contained in the decrypted data. Run the process.

As a result of the determination, when the received data and the stored data previously stored in the server 10 coincide, and the client 20 judges that it is legitimate, SIGNAL _n , ₁ (second And the DH common key g ^xnyn from the DH public value g ^xn received from the client 20 and the DH public value g ^yn prestored in the server 10. Second variable shared key), and the client 20 stores the function values of the hash function h and the DH public values g ^yn , SIGNAL _n , ₁ , which take the shared keys Kn, IDc, IDs, and SIGNAL _n , ₁ as arguments. The process to transmit is performed (step P3). On the other hand, when the received data and the stored data do not coincide and the client 20 is determined to be unjust, the access from the client 20 is denied and the authentication process ends.

Next, in step P4, the client 20 obtains SIGNAL _n , ₁ by a calculation, and the server 10 uses a combination of this calculation result and SIGNAL ' _n , ₁ received from the server 10. ) And rejects communication if it cannot. If it can be identified, the DH common key g ^xnyn is generated as the shared key Kn from the DH public value g ^yn received from the server 10 and the DH public value g ^xn stored in advance in the client 20. Using the shared key K _n , the function value of the hash function h is obtained by calculation, and the validity of the server 10 is determined by the combination of the result of this operation and the function value of the hash function h received from the server 10. The process of determining is performed.

  As a result of the determination, when the received data and the calculation result coincide with each other and the server 10 determines that it is legitimate, the authentication process is terminated, and the flow proceeds to the next data transfer process. On the other hand, when the received data and the calculation result do not match and it is determined that the server 10 is not valid, access to the server 10 is stopped and the authentication process ends.

If the server 10 needs to confirm that the client 20 has shared the shared key Ki, the shared key K after the client 20 determines the legitimacy of the server 10 in this step P4. _{What is} necessary is just to make the server 10 transmit the function value of the hash function h which takes _n , IDc, and IDs as an argument.

As described above, according to the third embodiment, the function value of the hash function whose arguments are the shared key K _i-1 (variable shared key) generated in the previous session and the communication sequence j in this session. Since this function value is used as the one-time ID (SIGNAL) valid only for the jth communication of the session, for example, the shared key K _n generated in the nth session is leaked to a third party. also, so that the shared key K _n is changed for each session, to estimate the one-time ID other than the generated by using the leaked shared key K _n one-time ID (SIGNAL _{n + 1, j,} SIGNAL _{n + 1, j)} There will be no. In other words, it is possible to generate a one-time ID having difficulty in eavesdropping and excellent safety, and it is possible to realize safety (PFS) affecting the future of the one-time ID.

  In addition, since the authentication between the client and the server is performed using the one-time ID (SIGNAL), as in the second embodiment described above, the calculation amount and the memory due to a large amount of calculation request and response request, etc. DoS attacks can be prevented, and even in an open network environment, ID information can be protected and communication safety can be improved.

  In addition, a method using a cookie (random number) is generally known as a method of preventing a DoS attack. According to this method, a DoS attack from the same IP address can be prevented by forming a secret known only by the IP address and the cookie creator. On the other hand, in the case of SIGNAL of the present embodiment, the SIGNAL that becomes valid next time cannot be predicted unless the DH common key is known. Therefore, by using SIGNAL for each communication, a cookie-like effect can be obtained. In addition, cookies do not allow the IP address to change during the session, but SIGNAL may change. In addition, the use of cookies does not prevent DoS attacks that forge IP addresses, but it can also prevent such attacks because IP addresses are irrelevant in one-time IDs.

  Also, in the present embodiment, for example, the client 20 sends the first message of the protocol (step P1), and the server 10 calculates the DH key exchange correspondingly (step P2). Consider the case where the second message is sent (step P3). If the message of the server 10 is lost on the way or is stolen by an attacker and the client 20 cannot receive it, the client 20 needs to send the first message once again. At this time, the server 10 cannot determine whether the correct client 20 has resent the communication or whether the attacker is replaying by reading the first message. Here, when the client 20 sends the first message again, the client 20 sends the same content as the message sent at the first challenge, so that the server 10 also sends a copy of the previously reply message as it is. do. This avoids the use of unnecessary DH key exchange calculations and prevents DoS attacks from replay attacks.

In this embodiment, the function value of the hash function whose argument is the shared key (DH common key) K _i-1 generated in the previous session and the communication procedure j in this session is obtained, and this function value is obtained. Although it is supposed to generate as a one-time ID (SIGNAL) valid only for the j-th communication of the session, for example, it is also possible to generate SIGNAL as follows.

SS _j = h1 (K _i-1 )

SIGNAL _i , _j = hash (SS _{i, j} )

SIGNAL ' _i , _j = hash' (SS _{i, j} )

                                         … … (Eq. 7)

In the definition expression (7) of SIGNAL, SS _i is a function value of a hash function whose argument is the DH common key K _i-1 shared by the (i-1) th session.

In this case, for example, AK _i and the encryption key are SK _i for the authentication key used in the i-th session.

AK _i = h2 (K _i-1 ), SK _i = h3 (K _i-1 )

You may ask for it from the expression In addition, h1, h2, and h3 are unidirectional hash functions without collision.

In this way, when generating the authentication key and the encryption key from SS _i , in step P1 described above, the client 20 encrypts the IDc, IDs, DH public values g ^xn and SIGNAL _n , ₁ to the server 10. ), Use the authentication key AKn. In addition, in step P3, the hash function h sent by the server 10 to the client 20 is used as a hash function having the encryption keys SK _n , IDc, IDs and SIGNAL ' _n , ₁ as arguments.

By doing so, even if the attacker could know the value of either SS _i , AK _i , or SK _i , no other value could be calculated. Therefore, after the attacker is a legal user in the i-th session, to the key exchange, AKi, SIGNAL, need the ID information of the regular user (IDs, IDc), to the encrypted communication, SK _i SIGNAL, a regular user of the ID information and information on the number of times of communication are required.

In addition, the DH public value g ^xn of the client 20 in the nth session is encrypted using the authentication key AK _i (h2 (K _i-1 )). Thus, an attacker who does not know AK _i cannot know g ^xn . Therefore, the Diffie-Hellman common key generated and shared in this manner is not only computationally quantitative but also informatively secure.

  (Embodiment 4)

  In the second and third embodiments described above, the Diffie-Hellman key exchange is performed at the same time as the authentication. In the fourth embodiment, the Diffie-Hellman key exchange is omitted. It is the same as that of 2nd Embodiment except the part peculiar to this 4th Embodiment. In this 4th Embodiment, the same code | symbol is attached | subjected to the same part as 2nd Embodiment, and the description is abbreviate | omitted.

It is a figure explaining 4th embodiment of the authentication method which concerns on this invention. In this fourth embodiment, first, the client 20 generates a random number Rc (first random number), and the shared key K1 (first shared) previously shared with the server 10. The function value of the pseudo-random function prf (K1, R0) taking the key) and the random number R0 (initial random number) as an argument, as SIGNAL _c1 (the first one-time ID) (step S11), and the SIGNAL _c1 and the shared key K1. The process of transmitting the encrypted random number Rc to the server 10 is executed (step S12).

Next, the server 10 generates a random number Rs (second random number), and the pseudo-random number function prf (K1, Rc) having the random number Rc decoded by the shared key K1 and the shared key K1 as an argument. The function value is obtained as SIGNAL _s1 (second one-time ID) (step S13), and the result of a predetermined operation that takes a random number Rs and a random number R0 + Rc (random numbers R0 and Rc as arguments) encrypted with the SIGNAL _s1 and the shared key K1. For example, an exclusive logical OR of both) is transmitted to the client 20 (step S14).

Next, the client 20 obtains the SIGNAL _s1 by calculation based on the random number Rc and the shared key K1, and compares the result of the operation with the SIGNAL _s1 received from the server 10 to determine the server 10. ) And a process of determining the validity of the server 10 by comparing the received data of the random number R0 + Rc with the calculation result (step S15).

As a result of the determination, when the received data and the calculation result coincide with each other, and the server 10 determines that it is legitimate, the client 20 uses the shared key K2 (the second based on the random number Rc and the random number Rs). And a function value of the pseudo-random function prf (K2, Rs, Rc) taking the shared key K2, the random number Rs, and the random number Rc as arguments, as SIGNAL _c2 (third one time ID), The process of transmitting this SIGNAL _c2 and the random number Rc + Rs (the predetermined calculation result which takes a random number Rc and Rs as an argument) to the server 10 is performed (step S16). On the other hand, when the received data and the calculation result do not match and it is determined that the server 10 is not valid, access to the server 10 is stopped and the authentication process is terminated.

The server 10 receives SIGNAL _c2 from the client 20, generates a shared key K2 based on the random number Rc and the random number Rs, and calculates the SIGNAL _c2 based on the shared key K2, the random number Rs, and the random number Rc. The client 20 is identified by comparison of this operation result with the SIGNAL _c2 received from the client 20, and the client is compared with the operation data and the received data of the random number Rc + Rs. The process of determining the validity of (20) is performed (step S17).

  As a result of the determination, when each of the received data and the calculation result coincide with each other, and the client 20 determines that it is legitimate, the authentication process is terminated, and the flow proceeds to the next data transfer process. On the other hand, when the received data and the calculation result do not coincide and the client 20 is determined to be unjust, the access from the client 20 is denied and the authentication process is terminated.

  As described above, according to the fourth embodiment, the function value of the pseudo-random number function prf whose argument is the random number generated in the process of mutual authentication and the shared key K changed in the process of mutual authentication is used as the one-time ID. As described above, as in the second embodiment described above, the security of the one-time ID can be improved, and quick and secure mutual authentication can be realized.

  (Embodiment 5)

  In the fourth embodiment described above, the shared key used for generating the one-time ID SIGNAL is changed in the process of mutual authentication. In the fifth embodiment, the shared key is fixed. have.

That is, in this fifth embodiment, as shown in FIG. 11, the client 20 first generates a random number Rc (first random number) and is shared in advance with the server 10. The function value of the pseudorandom function prf (K, R0), which takes a shared key K and a random number R0 (initial random number) as an argument, is obtained as SIGNAL _c1 (the first one-time ID) (step S21), and the shared key with the SIGNAL _c1 is obtained. A process of transmitting the random number Rc encrypted with K to the server 10 is executed (step S22).

Next, the server 10 generates a random number Rs (second random number), and the pseudo-random function prf (K, Rc) having the random number Rc decoded with the shared key K and the shared key K as arguments. The function value is obtained as SIGNAL _s1 (second one-time ID) (step S23), and the result of a predetermined operation taking a random number Rs and a random number R0 + Rc (random numbers R0 and Rc as arguments) encrypted with the SIGNAL _s1 and the shared key K. ) Is transmitted to the client 20 (step S24).

Next, the client 20 obtains SIGNAL _s1 by calculation based on the random number Rc and the shared key K, and compares the result of the operation with the SIGNAL _s1 received from the server 10 to determine the server 10. ) And a process of determining the validity of the server 10 by comparing the received data of the random number R0 + Rc with the calculation result (step S25).

As a result of the determination, when the received data and the calculation result coincide with each other and the server 10 determines that the server 10 is legitimate, the pseudo-random number that the client 20 takes as its argument a random number Rc, a random number Rs, and a shared key K The function value of the function prf (K, Rs, Rc) is obtained as SIGNAL _c2 (third one-time ID), and this SIGNAL _c2 and the random number Rc + Rs (the result of a predetermined operation taking the random numbers Rc and Rs as arguments) are obtained from the server ( The process to transmit to 10 is executed (step S26). On the other hand, when the received data and the calculation result do not match and it is determined that the server 10 is not valid, access to the server 10 is stopped and the authentication process ends.

Server 10, receives the SIGNAL _c2 from the client 20, based on the random number Rc, the random number Rs and the shared key K obtain by the SIGNAL _c2 in operation, it received from the operation result, and a client 20 SIGNAL _The client 20 is identified by the comparison with _c2 , and the process of determining the validity of the client 20 is executed by comparing the received data of the random number Rc + Rs with the calculation result (step S27).

  As a result of the determination, when each of the received data and the calculation result coincide with each other, and the client 20 determines that it is legitimate, the authentication process is terminated, and the flow proceeds to the next data transfer process. On the other hand, when the received data and the calculation result do not coincide and the client 20 is determined to be unjust, the access from the client 20 is denied and the authentication process is terminated.

  As described above, according to the fifth embodiment, since the function value of the pseudorandom function prf having the random number generated in the process of mutual authentication and the shared key K as arguments is used as the one-time ID, for example, Even if the shared key K is leaked to a third party, since the function value of the pseudo-random function prf is changed in sequence during mutual authentication by random numbers, as long as the random number generated in the process of mutual authentication is not known, The time ID cannot be predicted. Therefore, as in the second to fourth embodiments described above, the safety of the one-time ID can be improved, and quick and secure mutual authentication can be realized.

  (Embodiment 6)

It is a figure explaining 6th Embodiment of the authentication method which concerns on this invention. In the sixth embodiment, first, the client 20 generates a random number R _ci (random number of 1), and the shared key K _i and the random number R _ci shared in advance with the server 10. Returns the value of the function of the pseudorandom function prf (K _i , R _ci-1 , R _si-1 ) taking the argument _-1 (first memory random number) and random number R _si-1 (second memory random number) as SIGNAL _ci The process calculated | required as (1st one time ID) is performed (step S31).

In addition, R _ci is a random number generated by the client 20 in the i th session, R _si is a random number generated by the server 10 in the i th session, and K _i is a variable share used in the i th session. Each key is shown. The random numbers R _ci-1 and R _si-1 generated in the last (i-1st) session are stored in the storage areas 13 and 23 of the storage devices 13 and 23 of the server 10 and the client 20, respectively. Based on these random numbers R _ci-1 and R _si-1 , the shared key K _i is generated.

After generating the SIGNAL _c1 , the client 20 encrypts IDc (client ID), IDs (server ID), and the encrypted data E _Ki (IDc, IDs, R _ci ) by encrypting the random number R _ci with the shared key K _i . And SIGNAL _c1 are transmitted to the server 10 (step S32).

The server 10 receives SIGNAL _c1 from the client 20, calculates SIGNAL _c1 based on the shared key K _i , the random number R _ci-1, and the random number R _si-1 by arithmetic, and calculates the result of the operation and the client. By comparison with SIGNAL _c1 received from (20), the client 20 is identified, and if it cannot be identified, communication is rejected. If it can be identified, the encrypted data E _Ki (IDc, IDs, .R _ci ) is decrypted using the shared key K _i , and the validity of the client 20 is based on the IDc and IDs included in the decrypted data. The process of determining is performed.

As a result of the determination, when the received data and the stored data previously stored in the server 10 coincide with each other and the client 20 determines that it is legitimate, it generates a random number R _si (second random number), The function value of the pseudorandom function prf (K _i , R _ci , R _si-1 ), which takes a random number R _ci , a random number R _si-1 and a shared key K _i , is obtained as SIGNAL _s1 (second one-time ID). . And, in the storage area that stores the random number _{R ci-1, R si-} 1, with also stores the random number R _ci, R _si, respectively, a shared key K _{i + 1} based on these random numbers R _ci, R _si The process of generating and storing is executed (step S33).

Then, the server 10 transmits the encrypted data E _Ki (IDs, IDc, R _si ) and SIGNAL _s1 obtained by encrypting IDc, IDs, and the random number R _si with the shared key K _i , to the client 20. (Step S34).

On the other hand, when the received data and the stored data do not coincide and the client 20 is determined to be unjust, the access from the client 20 is denied and the authentication process ends.

Client 20, and receives the SIGNAL _s1 from the server 10, and the shared key K _i, based on the random number R _ci and the random number R _si-1, obtain by the SIGNAL _s1 in operation, the result of the operation, the client (20 The server 10 is identified by comparison with the SIGNAL _s1 received from the parentheses. If the identification is not possible, the communication is rejected. On the other hand, if it can be identified, the encrypted data E _Ki (IDs, IDc, R _si ) is decrypted using the shared key K _i , and based on the IDc and IDs included in the decoded data, The process of determining the validity is performed. When the server 10 can be identified, not only can the communication partner be identified, but also the server 10 can confirm that the random number R _ci has been received.

As a result of the above determination, when the received data and the stored data previously stored in the client 20 coincide with each other and the server 10 determines that the server 10 is legitimate, random numbers R _ci-1 and R _si-1 are stored. After storing the random numbers R _ci and R _si in the stored memory area, generating and storing the shared key K _{i + 1} based on these random numbers R _ci and R _si (step S35), the corresponding authentication process ends. The flow proceeds to the next data transfer process. On the other hand, when the received data and the stored data do not match and it is determined that the server 10 is not valid, access from the server 10 is denied and the authentication process is terminated.

As described above, according to the sixth embodiment, not only the same action and effect as in the fourth embodiment described above can be obtained, but also IDc, IDs, and the random number R _si are encrypted with the shared key K _i . By sending the encrypted data E _Ki (IDs, IDc, R _si ) to the communication partner, even if the encrypted data can be rewritten by an attacker, for example, ID information (IDs, IDc) included in the encrypted data. ) Is not correctly decoded, the server 10 or the client 20, which has received this data, can easily detect whether the sent encrypted data is wrong, and can discard it without receiving random numbers. In addition, even when the value of SIGNAL _c1 overlaps with a plurality of other clients, the communication partner can be easily identified by referring to ID information (IDs, IDc) included in the encrypted data.

  In addition, according to the sixth embodiment, since the communication partner checks whether the server client's ID information (IDs, IDc) is correctly encrypted or not, the validity of the communication partner is determined. In the fourth embodiment described above, it is possible to reduce the number of times required for communication three times to two times, thereby enabling more efficient authentication.

  (Embodiment 7)

It is a figure explaining 7th Embodiment of the authentication method which concerns on this invention. In the seventh embodiment, first, the client 20 generates a random number R _ci (the first random number), and the fixed shared key K and the random number R shared in advance with the server 10. The function value of the pseudorandom function prf (K, R _ci-1 , R _si-1 ), which takes _ci-1 (first memory random number) and random number R _si-1 (second memory random number) as arguments, is SIGNAL _c1. The process calculated | required as (1st one time ID) is performed (step S41).

R _ci denotes a random number generated by the client 20 in the i-th session, and R _si denotes a random number generated by the server 10 in the i-th session. The random numbers R _ci-1 and R _si-1 generated in the last (i-1st) session are stored in the storage areas 13 and 23 of the storage device 13 and 23 of the server 10 and the client 20, respectively. have.

After generating the SIGNAL _c1 , the client 20 encrypts IDc (client ID), IDs (server ID) and random number R _ci with the encrypted data E _K (IDc, IDs, R _ci ). A process of transmitting SIGNAL _c1 to the server 10 is executed (step S42).

The server 10 receives SIGNAL _c1 from the client 20, calculates SIGNAL _c1 based on the shared key K, the random number R _ci-1, and the random number R _si-1 , and computes the result of the operation and the client ( The client 20 is identified by comparison with the SIGNAL _c1 received from 20), and communication is rejected if it cannot be identified. If it can be identified, the encrypted data E _K (IDc, IDs, R _ci ) is decrypted using the shared key K, and the validity of the client 20 is determined based on the IDc and IDs included in the decoded data. To execute the processing.

As a result of the determination, when the received data and the stored data previously stored in the server 10 coincide with each other and the client 20 determines that it is legitimate, it generates a random number R _si (second random number), The function value of the pseudorandom number function prf (K, R _ci , R _si-1 ), which takes a random number R _ci , a random number R _si-1, and a shared key K as arguments, is obtained as SIGNAL _s1 (second one-time ID). Then, a _process of storing the random numbers R _ci and R _si in the storage area storing the random numbers R _ci-1 and R _si-1 is executed (step S43).

Subsequently, the server 10 transmits the encrypted data E _K (IDs, IDc, R _si ) and SIGNAL _s1 obtained by encrypting IDc, IDs, and the random number R _si with the shared key K, to the client 20. It executes (step S44).

  On the other hand, when the received data and the stored data do not coincide and the client 20 is determined to be unjust, the access from the client 20 is denied and the authentication process ends.

From the client 20, the server 10 is received, and a shared key K, the random number R _ci and the random number R _si-1, based on obtain by the SIGNAL _s1 to the computation, computation results and the client 20, the SIGNAL _s1 from The server 10 is identified by comparison with the received SIGNAL _s1 , and communication is rejected if it cannot be identified. On the other hand, if it can be identified, the encrypted data E _K (IDs, IDc, R _si ) is decrypted using the shared key K, and the validity of the server 10 is based on the IDc and IDs included in the decoded data. The process of determining is performed. When the server 10 can be identified, not only can the communication partner be identified, but also the server 10 can confirm that the random number R _ci has been received.

As a result of the above determination, when the received data and the stored data previously stored in the client 20 coincide with each other and the server 10 determines that the server 10 is legitimate, random numbers R _ci-1 and R _si-1 are stored. The random number R _ci and R _si are stored in the stored memory area, and the shared key K is generated and stored based on these random numbers R _ci and R _si (step S45). Transfer to the transfer process. On the other hand, when the received data and the stored data do not match and it is determined that the server 10 is not valid, access from the server 10 is denied and the authentication process is terminated.

As described above, according to the seventh embodiment, not only can the same effects and effects be obtained as in the fifth embodiment described above, but also the encrypted data can be rewritten by an attacker, for example. In addition, the server 10 or the client 20 that has received the data can easily detect whether the encrypted data sent is wrong and can be discarded without receiving random numbers. In addition, even when the value of SIGNAL _c1 overlaps with a plurality of other clients, the communication partner can be easily identified by referring to ID information (IDs, IDc) included in the encrypted data. In addition, according to the seventh embodiment, in the above-described fourth embodiment, it is possible to reduce the number of times required for communication three times to two times, thereby enabling more efficient authentication.

  (Embodiment 8)

  In this eighth embodiment, a replay attack prevention method using a one-time ID will be described. A replay attack is an attack in which an attacker (third party) taps and reuses communication information that was valid when a formal communication was sent in the past.

  First, an authentication method using a password called OSPA (Optimal Strong Password Authentication) (Chun-Li LIN, Hung-Min SUN, Tzonelih HWANG, Attacks and Solutions on Strong- Password Authentication, IEICE TRANS.COMMUN., VOL.E84-B , NO. 9, September 2001.) will be described based on FIG. 14.

Prior to the authentication, the client 20 stores the hash function h and the password P in advance, and the server 10 stores the hash function h, the session number n, the IDc (client ID), and the verification information h ² ( P ＠ n) is stored and stored in advance. The verification information h ² (P # n) is information generated by the hash function h using an exclusive logical sum of the password P and the communication number n in the information for validating the validity of the client 20. In addition, h ² (P ＠ n) indicates that the hash function h is calculated twice, that is, h (h (P ＠ n)), and ＠ in this expression represents an exclusive OR.

  In this authentication method, first, the client 20 transmits IDc to the server 10 (step S51).

  When the server 10 receives the IDc from the client 20 and compares the received IDc with the IDc stored in advance, the client 20 identifies the client 20 and rejects the communication if it cannot be identified. . If it can identify, the session number n is transmitted to the server 10 (step S52).

When the client 20 receives the session number n from the server 10, the client 20 receives the first to third authentication information using the received session number n, the hash function h and the password P stored in advance. C1, C2, C3 are generated (step S53), and these C1, C2, C3 are transmitted to the server 10 (step S54). Where C1 = h (P ＠ n) ＠h ² (P ＠ n), C2 = h ² (P ＠ (n + 1)) ＠ h (P ＠ n), C3 = h ³ (P ＠ (n + 1)).

The server 10 receives C1, C2, and C3 from the client 20, and first confirms that the received C1 ≠ C2. This is calculated even when calculating with C1 = h (P ＠ n) ＠h ² (P ＠ n), C2 = h (P ＠ n) ＠h ² (P ＠ n), and C3 = h ³ (P ＠ n). There is a possibility that the server 10 authenticates the client 20 and stores h ² (P ＠ n) instead of h ² (P ＠ (n + 1)) as the following verification information. Therefore, this is done to prevent the occurrence of such inconvenience.

Subsequently, the server 10 calculates h (P, n) and h ² (P ＠ (n + 1)) from C1 and C2 by calculation. That is, h (P ＠ n) is derived by obtaining an exclusive OR between the received C1 and the verification information h ² (P ＠ n) stored in advance, and the exclusive OR of this h (P ＠ n) with the received C2. to obtain the h ² lead to (P @ (n + 1) ).

Then, using the hash function h stored in advance, h (h (P ＠ n)) is calculated from the obtained h (P ＠ n), and this h (h (P ＠ n)) is stored in advance. how to match the verification information h ² (P @ n) for, otherwise, to verify the image. At the same time, the obtained ^{h 2 (P @ (n +} 1)) by using the hash function h from ^{h (h 2 (P @ (} n + 1))) calculate, is ^{h (h 2 (P @ (} n + 1 It is verified whether))) matches with the received C3 or not (step S55).

The results of these test, to match either, to update the client 20, if one party is determined to have, h ² (P @ (n + 1)) from the information for verification h ² (P @ n) After updating the number of sessions from n to n + 1, the access from the client 20 is accepted, and the authentication process ends. On the other hand, when it is determined that the client 20 is not justified as a result of the verification at least on either side, access from the client 20 is denied and the authentication process is terminated.

According to the authentication method described above, it is possible to securely authenticate the eavesdropper and to update the verification information for each session from h ² (P 로부터 n) to h ² (P ＠ (n + 1)). There is an advantage.

  However, in the above authentication method, there was a problem in that a replay attack using the authentication information C1, C2, and C3 once used cannot be prevented once again.

  Here, the inventors have developed the following authentication method as an authentication method for solving such a problem.

It is a figure explaining 8th embodiment of the authentication method which concerns on this invention. As shown in Fig. 15, the hash function h and the password P are stored in advance in the client 20, and the hash function h, the number of sessions n, IDc, and the verification information h ² (P) are stored in the server 10. When n is stored in advance, the client 20 first transmits an IDc to the server 10 (step S61).

  The server 10 receives the IDc from the client 20, and identifies the client 20 by comparing the received IDc with the IDc stored in advance, and rejects the communication if the client 20 cannot be identified. . If it can identify, the session number n is transmitted to the server 10 (step S62).

The client 20 receives the number of sessions n from the server 10, and uses the received number of sessions n, the hash function h and the password P stored in advance, to form the first to third authentication information C1, C2. , C3, SIGNAL _n are generated (step S63), and these C1, C2, C3, SIGNAL _n are transmitted to the server 10 (step S64). Where C1 = h (P ＠ n) ＠h ² (P ＠ n), C2 = h ² (P ＠ (n + 1)) ＠ h (P ＠ n), C3 = h ³ (P ＠ (n + 1)), SIGNALn = h (h ² (P ＠ n), n). That is, SIGNAL _{n, which} is a one-time ID used in the _nth session, is a function value of the hash function h that takes the verification information h ² (P # n) and the number of sessions n as arguments.

The server 10 receives C1, C2, C3, and SIGNAL _n from the client 20, and first calculates SIGNAL _n based on the verification information h ² (P # n) and the number of sessions n previously stored. The client 20 is identified by comparison between the result of this operation and the SIGNAL _n received from the client 20, and communication is rejected when it cannot be identified. If you can identify is, after confirming that the received one C1 ≠ C2, h from the C1 and C2 (P @ n), h 2 (P @ (n + 1)) for a calculation.

Next, the server 10 calculates h (h (Phn)) from the obtained h (P hn) using the hash function h stored in advance, and h (h (P ＠ n)). Verifies whether or not it matches with the verification information h ² (P ＠ n) stored in advance. At the same time, the obtained ^{h 2 (P @ (n +} 1)) by using the hash function h from ^{h (h 2 (P @ (} n + 1))) calculate, is ^{h (h 2 (P @ (} n + 1 It is verified whether))) coincides with the received C3 or not (step S65).

The results of these test, to match either, to update the client 20, if one party is determined to have, h ² (P @ (n + 1)) from the information for verification h ² (P @ n) After updating the number of sessions from n to n + 1, the access from the client 20 is accepted, and the authentication process ends. On the other hand, when it is determined that the client 20 is not justified as a result of the verification at least on either side, access from the client 20 is denied and the authentication process is terminated.

According to the authentication method, since h ² (P ＠ n), which is verification information, is not feared to be known to the attacker, the SIGNAL of the next session is not predicted to the attacker. In addition, SIGNAL cannot be used in other sessions, effectively preventing replay attacks by attackers.

  In addition, as shown in FIG. 16, in addition to the hash function h and the password P, when the session number n is also stored and stored in the client 20 in advance, the above-described processes of steps S61 and S62 can be omitted. Do. In this case, therefore, it is possible to effectively prevent replay attack by an attacker while enabling protection against eavesdropping of the ID information IDc.

  In addition, in each of the above embodiments, the one-time ID is used for authentication between a plurality of devices, but it is also possible to use the one-time ID for authentication between a plurality of applications in one device. In each of the above embodiments, the case where the authentication method according to the present invention is applied to the client server system is exemplified. However, the present invention is not limited thereto. For example, the present invention is applied to a peer-to-peer system. It is also possible to apply the authentication method associated with this.

In addition, it is also possible to use the authentication method according to the present invention for each access by the user, in which case, the user is prompted to enter the password, and the value generated from the password or the password (including the one-time password) can be used. It can be used as data for authentication with a one-time ID.

As described above, according to the present invention, it is possible to generate a one-time ID having difficulty in eavesdropping and having excellent safety, and to realize safety (PFS) affecting the future of the one-time ID.

In addition, since the one-time ID generated by the one-time ID generation method according to the present invention is used for authentication between devices (client and server), the third party cannot identify the sender and the receiver. For example, a valid sender / receiver can identify the one-time ID as identification information.

  Therefore, resistance to DoS attacks, spoofing, etc. can be strengthened, and even in an open network environment, ID information can be protected and communication safety can be improved. In addition, it is possible to remotely access and to improve convenience.

  In addition, according to the present invention, it is possible to reduce the number of communication times required three times in the conventional key exchange / authentication method to two times, and to realize quick and secure authentication and key exchange.

Although this invention was demonstrated based on the preferable embodiment shown in drawing, it is clear that a person of the said company can change variously and modify easily, without deviating from the idea of this invention. The present invention also includes such modifications.

Claims (50)

A mutual authentication method for authenticating a mutual relationship between a first authentication device and a second authentication device connected through a communication line, The storage data for specifying the first authentication device and the storage data for specifying the second authentication device are stored by the previous authentication for each authentication by authentication previously made between the first authentication device and the second authentication device. A storage step of storing the update result updated using the storage data as history data in common in each of the first authentication device and the second authentication device; The first authentication device is a first transmission step of encrypting the generated new storage data using the history data and transmitting it to the second authentication device while newly generating the storage data using the stored history data. A first updating step of updating the history data by the stored data from the second authentication device and the transmitted new stored data; The second authentication device encrypts the generated new storage data using the history data while newly generating the storage data using the storage data and the stored history data from the first authentication device. And a second updating step of updating the history data by the stored data from the first authentication device and the transmitted new stored data, In at least one of the first authentication device and the second authentication device, when the validity of the stored data is established on the basis of the historical data, verifying that the mutual relationship between the first authentication device and the second authentication device is justified. Mutual authentication method, characterized in that. The storage data for storing the history data as the history data K and specifying the first authentication device and identifying the first authentication device are the encryption data C and the authentication data R. The stored data for specifying the device is the encryption data S and the authentication data Q. The mutual authentication method. The authentication data R of the stored history data K according to claim 2, wherein the first transmission step newly generates the encryption data C using the encryption data S and the authentication data R of the stored history data K. Newly generated and generated new authentication data R is encrypted using the history data K to obtain authentication data A, and the authentication data A and the new authentication data C are transmitted to the second authentication device. The first update step receives the data from the second authentication device, and transmits the new encryption data C transmitted, the newly generated encryption data S received, the newly generated authentication data Q received, and the By the new authentication data R which was transmitted, the said history data K is updated,   The second transmission step is stored while receiving the data from the first authentication device and newly generating the encryption data S using the received authentication data C and the authentication data Q of the stored history data K. The authentication data Q is newly generated for the authentication data Q of the existing history data K, encrypted using the history data K storing the generated new authentication data Q to obtain the authentication data B, and the authentication data B and the new encryption data S are removed. 1 send it to the authentication device, In the second updating step, the history data K is updated by the received new cancer data C, newly generated cancer data S, newly generated authentication data Q, and received new authentication data R. At least one device of the first authentication device and the second authentication device verifies that the mutual relationship between the first authentication device and the second authentication device is justified when the validity data of the authentication data is established based on the history data K. Mutual authentication method, characterized in that. The said storage process stores the update result by authentication in the said 1st transmission process, a 1st update process, a 2nd transmission process, and a 2nd update process as history data, It is characterized by the above-mentioned. Mutual authentication method. The mutual authentication method according to claim 2, wherein at least one of the authentication data R and the authentication data Q is at least one of a random number, a data capacity, and time data generated by a random number generating means. The method according to claim 2, wherein, in the first transmission step of the first authentication device, a value of a calculation result of a predetermined function by the encryption data S and the authentication data R is generated as the encryption data C, and the In the second transmission step, the authentication data C and the authentication data Q generate the value of the calculation result of the predetermined function as the encryption data S. The mutual authentication method characterized by the above-mentioned. The method according to claim 2, wherein in the first transmission step of the first authentication device, the authentication data A is obtained by calculating the value of the calculation result of a predetermined function based on the generated new authentication data R and the history data K, 2. The mutual authentication method of claim 2, wherein the second transmission step of the authentication device obtains the value of the calculation result of the predetermined function based on the generated new authentication data Q and the history data K as the authentication data B. The verification step of the first authentication device according to claim 2, wherein in the verification step of the first authentication device, the value of the calculation result of the function determined in advance by the authentication data Q stored in the history data K and the encryption data C generated before the previous transmission is received. And verifying that the mutual relationship is legitimate when it matches the cancer data S. The verification process of the said 2nd authentication apparatus is a value of the operation result of the predetermined function by the encryption data S memorize | stored in the said history data K, and the authentication data R should match the received encryption data C. And verifying that said mutual relationship is legitimate. The data storage method according to claim 2, wherein the storage step stores, as history data K, data obtained as a result of performing a plurality of the first transmission step, the second transmission step, the first update step, and the second update step. Mutual authentication method. A mutual authentication device, which is completed from a first authentication device and a second authentication device connected through a communication line, and authenticates a mutual relationship between the first authentication device and the second authentication device, A first memory installed in the first authentication device and storing memory data for specifying the first authentication device; A second memory installed in the second authentication device and storing memory data for specifying the second authentication device; Authentication data storage means for storing the storage data by the previous authentication for each authentication by the mutual authentication between the first authentication device and the second authentication device in advance; History data storage means for storing the update result updated using the authentication data as history data in common in each of the first authentication device and the second authentication device; Storage data generation means, provided in the authentication apparatus on the side of authentication data transmission, of the first authentication apparatus or the second authentication apparatus, and newly generating stored data using the history data; First transmitting means for encrypting the generated new stored data using the history data and transmitting the encrypted new stored data to the authentication apparatus on the authentication data receiving side; Storage data generation means which is provided in the authentication device on the authentication data receiving side and newly generates the storage data using the stored data from the authentication device on the authentication data transmission side and the stored history data; Second transmission means for encrypting the generated new stored data using the history data and replying to the authentication apparatus on the authentication data transmission side; First updating means provided in the authentication apparatus on the authentication data transmission side and updating the history data by the stored data returned from the authentication apparatus on the authentication data reception side and the transmitted new storage data; Second updating means which is installed in the authentication device on the authentication data receiving side and updates the history data by the stored data from the authentication device on the authentication data transmission side and the newly stored new data; In at least one of the first authentication device and the second authentication device, when the validity of the stored data is established based on the history data, it is verified that the mutual relationship between the first authentication device and the second authentication device is justified. A mutual authentication device comprising a verification means. 12. The mutual authentication device according to claim 11, further comprising computing means for calculating authentication data for encrypting the generated new stored data using the history data. 13. The mutual authentication device according to claim 12, further comprising random number generating means for generating data for encryption at the time of generating the data for authentication by said calculating means. In the authentication between a plurality of mutually authenticated devices or applications, a method for generating the one-time ID using identification information that can be used only once as the one-time ID, In each device or application for authentication, a variable shared key is generated for each predetermined communication unit requiring authentication, and a function value of a one-way function that takes this variable shared key as an argument is obtained. And generating the one-time ID from the one-time ID. In the method for generating the one-time ID by using the identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID, In each apparatus or application for authentication, a one-way function that generates a variable shared key that changes for each predetermined communication unit that requires authentication, and takes information about the variable shared key and the order or number of times of communication. A method for generating a one time ID, wherein a function value is obtained and the one time ID is generated from the function value. In the method for generating the one-time ID by using the identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID, In each device or application for authentication, a random number is generated in a predetermined communication unit requiring the authentication, and a function value of a one-way function that takes this random number and a predetermined shared key as an argument is obtained. And generating the one-time ID from the one-time ID. While the one-time ID is generated by the two devices by using the identification information that can be used only once in authentication between one device and the other device as the one-time ID, the one device is one-time to the other device. In the case where the ID is transmitted and the other device identifies or authenticates the other device by comparing and combining the one-time ID received from the other device with the one-time ID generated by itself, A method in which a device and the other device generate a one-time ID, The device on the one hand and the device on the other hand generate a variable shared key that changes for each predetermined communication unit requiring the authentication, obtain a function value of a one-way function that takes the variable shared key as an argument, and And generating the one time ID. While the one-time ID is generated by the two devices by using the identification information that can be used only once in authentication between one device and the other device as the one-time ID, the one device is one-time to the other device. In the case where the ID is transmitted and the other device identifies or authenticates the other device by comparing and combining the one-time ID received from the other device with the one-time ID generated by itself, A method in which a device and the other device generate a one-time ID, The apparatus on the one hand and the apparatus on the other hand generate a variable shared key that changes for each predetermined communication unit requiring the authentication, and function as a factor taking the variable shared key and information on the communication order or number of times as an argument. And generating a value to generate the one-time ID from the function value. With the identification information that can be used only once in authentication between one device and the other device as the one time ID, the one time ID is generated by both devices, and the other device is connected to the other device. In the case where a time ID is transmitted and the other device identifies or authenticates the other device by comparing and combining the one time ID received from the other device with the one time ID generated by itself, A device of and a method of generating a one-time ID by one device, The other device and the other device generate a random number in a predetermined communication unit requiring the authentication, obtain a function value of a one-way function that takes the random number and the predetermined shared key as arguments, and And generating the one time ID. In authentication between devices or applications, a variable shared key that is changed for each predetermined communication unit requiring the authentication is generated in each device or application that performs the authentication using one-time identification information as one-time ID. In addition, a function value of a one-way function that takes this variable shared key as an argument is obtained, the one-time ID is generated from this function value, and the generated one-time ID is used to generate the function value between the first device and the second device. In the authentication method for authentication, The first device generates the one-time ID using a variable shared key shared in advance with the second device, and at least acquires the generated one-time ID and the ID preset in the first device. Transmitting, to the second device, one of a function value of the one-way function Fc, and a Diffie-Hellman public value previously stored in the first device, The second device obtains the function value of the one-time ID and the one-way function Fc by calculation, and combines the result of this operation with the function value of the one-time ID and the one-way function Fc received from the first device. Determining the validity of the first device; If it is determined that the second device is justified, the function value of the one-way function Fs which takes as an argument at least the ID preset in the second device and the Diffie-Hellman stored in advance in the second device. Sending the other of the published values to the first device, The first device obtains the function value of the one-way function Fs by calculation, and combines the result of this operation with the function value of the one-way function Fs received from the second device, thereby validating the second device. An authentication method comprising the step of determining. The method according to claim 20, wherein at the same time using a pseudo-random function having a predetermined shared key, the Diffie-Hellman public value as the one-way function Fc, an ID preset in the first device, and the one-time ID as arguments, A pseudo-random function that takes as its argument the predetermined shared key, the Diffie-Hellman public value, the other of the Diffie-Hellman public value, the ID preset in the second device, and the one time ID as the one-way function Fs. Authentication method characterized in that to use. A variable shared key that is changed for each predetermined communication unit that requires the authentication is generated in each device or application that performs the authentication by using the identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. In addition, a function value of a one-way function having the variable shared key and information on the communication order or number of times as an argument is obtained, the one-time ID is generated from the function value, and the generated one-time ID is used to generate the function value. In an authentication method for authenticating between one device and a second device, The first one-time ID is a first one-time ID of which the first device uses a function value of a one-way function whose first variable variable key is previously shared between the second device and information on the communication order of the first device. And an ID set in advance in the first device, an ID preset in the second device, a Diffie-Hellman public value pre-stored in the first device, using the first variable shared key, and Encrypting the first one time ID and transmitting the encrypted data and the first one time ID to the second device; The second device obtains the first one time ID by a calculation, and identifies the first device by a combination of the calculation result and the first one time ID received from the first device. Steps, When the second device is able to identify the first device, the encrypted data is decrypted using the first variable shared key, and an ID preset in the first device included in the decoded data, Determining the validity of the first device based on the ID preset in the second device and the first one-time ID; When the second device determines that the first device is valid, the second device uses a function value of a one-way function whose information is about the communication order between the first variable shared key and the second device. A second Diffie-Hellman common key is generated from one of the Diffie-Hellman published values received from the first device and the other of the Diffie-Hellman published values previously stored in the second device. A function value of a one-way function h that is generated as a variable shared key and takes as arguments the second variable shared key, an ID preset in the first device, an ID preset in the second device, and the second one-time ID. Sending the other of the Diffie-Hellman published value and the second one-time ID to the first device, The first device obtains the second one-time ID by calculation, and identifies the second device by a combination of the calculation result and the second one-time ID received from the second device. Steps, If the first device is able to identify the second device, the other of the Diffie-Hellman published values received from the second device and the Diffie-Hellman published values previously stored in the first device. On the other hand, a Diffie-Hellman common key is generated as the second variable shared key, and the function value of the one-way function h is calculated by operation using the second variable shared key, and the operation result and the first value are calculated. And a step of judging the validity of the second device by the combination with the function value of the one-way function h received from the two devices. The authentication method according to claim 22, wherein a one-way function different from the one-way function for generating the first one time ID is used as the one-way function for generating the second one time ID. A random number is generated within a predetermined communication unit requiring the authentication in each device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. Obtains a function value of a one-way function that takes this random number and a predetermined shared key, generates the one-time ID from the function value, and uses the generated one-time ID to generate a function value between the first device and the second device. In the authentication method for authentication of, The first device generates a first random number and obtains, as a first one-time ID, a function value of a one-way function that takes as an argument a first shared key previously shared with the second device. Sending the first one-time ID and the first random number to the second device; The second apparatus generates a second random number, obtains a function value of a one-way function that takes the first random number and the first shared key as a second one-time ID, and obtains the second random number. Sending the one-time ID of the and the second random number to the first device, The first device obtains the second one-time ID based on the first random number and the first shared key by arithmetic operation, and obtains the result of the operation and the second circle received from the second device. Comparing the time ID with the step of determining the validity of the second device; The first device generates a second shared key based on the first random number and the second random number, and generates the second shared key, the first random number, and the second random number. Obtaining a function value of a one-way function as an argument as a third one-time ID, and transmitting the third one-time ID to the second device; The second device generates the second shared key based on the first random number and the second random number, and the second shared key, the first random number, and the second random number. Calculating the validity of the first device by comparing the result of the calculation with the third one-time ID received from the first device based on the calculation; An authentication method characterized by the above-mentioned. A random number is generated within a predetermined communication unit requiring the authentication in each device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. Obtains a function value of a one-way function that takes this random number and a predetermined shared key, generates the one-time ID from the function value, and uses the generated one-time ID to generate a function value between the first device and the second device. In the authentication method for authentication of, The first device generates a first random number and obtains, as the first one-time ID, the function value of a one-way function that takes as a parameter a shared key previously shared with the second device. Transmitting a one-time ID of 1 and the first random number to the second device; The second device generates a second random number, obtains a function value of a one-way function that takes the first random number and the shared key as an argument as a second one time ID, and obtains the second one time. Transmitting an ID and said second random number to said first apparatus, The first device obtains the second one time ID based on the first random number and the shared key by arithmetic operation, and compares the operation result with the second one time ID received from the second device. A step of determining the validity of the second apparatus by comparison, The first device obtains, as a third one time ID, a function value of a one-way function that takes the first random number, the second random number, and the shared key as arguments, and obtains the third one time ID from the second device. To send about The second device obtains the third one-time ID based on the first random number, the second random number, and the shared key by arithmetic operation, and receives the result of the operation and the third device received from the first device. And a step of determining the validity of the first device by comparison with a one-time ID. The authentication method according to claim 24, wherein the first random number and the second random number are transmitted in an encrypted state with a shared key shared in advance between the first device and the second device. Way. The authentication method according to claim, wherein the first random number and the second random number are transmitted in a state encrypted with a shared key shared in advance between the first device and the second device. 27. The method according to any one of claims 24 to 26, wherein the second device transmits the second one time ID and the second random number to the first device. The predetermined random number shared in advance with the first device is used as an initial random number, and a predetermined operation is performed using the initial random number and the first random number as arguments, and the result of the operation is transmitted to the first device. The first apparatus uses the calculation result received from the second apparatus as the determination data of the validity of the second apparatus together with the second one time ID. The method according to claim 24, wherein in the step of the first device transmitting the third one time ID to the second device, the first device takes the first random number and the second random number as arguments. While performing a predetermined operation and transmitting the result of the calculation to the second device, the second device receives the result of the calculation received from the first device as determination data of the validity of the first device. Authentication method characterized by using together with a three-time ID. 26. The method according to claim 25, wherein, in the step in which the first device transmits the third one time ID to the second device, the first device takes a predetermined factor that takes the first random number and the second random number as arguments. Performs a calculation and transmits the result of the calculation to the second device, while the second device receives the result of the calculation received from the first device as determination data of the validity of the first device. An authentication method characterized by using with a one-time ID. A random number is generated within a predetermined communication unit requiring the authentication in each device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. Obtains a function value of a one-way function that takes this random number and a predetermined shared key, generates the one-time ID from the function value, and uses the generated one-time ID to generate a function value between the first device and the second device. In the authentication method for authentication of, The first device generates a first random number, and is a function value of a one-way function that takes a shared key, a first stored random number, and a second stored random number shared in advance with the second device. Is the first one-time ID, and the first encrypted data obtained by encrypting the ID set in advance in the first device, the ID preset in the second device, and the first random number with the shared key, Transmitting a one time ID to the second device; The second device obtains the first one time ID by a calculation, and identifies the first device by a combination of the calculation result and the first one time ID received from the first device. Steps, When the second device is able to identify the first device, the first encrypted data is decrypted using the shared key, and the ID preset in the first device included in the decrypted data and the corresponding device. Determining the validity of the first device based on an ID preset in the second device, When the second device determines that the first device is valid, the second device generates a second random number and takes one direction that takes the first random number, the second stored random number, and the shared key as arguments. Second encrypted data obtained by obtaining a function value of a function as a second one-time ID, encrypting an ID preset in the first device, an ID preset in the second device, and the second random number with the shared key; Transmitting the second one time ID to the first device; The second apparatus replacing the first memory random number with the first random number and the second memory random number with the second random number, respectively; Obtaining, by the first device, the second one-time ID by calculation, and identifying the second device by a combination of the calculation result and the second one-time ID received from the second device. and, When the first device is able to identify the second device, the second encrypted data is decrypted using the shared key, and the ID preset in the second device included in the decrypted data and the corresponding device. Determining the validity of the second apparatus based on an ID preset in the first apparatus, And the first device has a step of replacing the first stored random number with the first random number and the second stored random number with the second random number, respectively. 32. The method according to claim 31, wherein after replacing the first memory random number with the first random number and the second memory random number with the second random number, respectively, the first memory random number and the second memory random number are used. Generating the shared key to change the shared key. In authentication between devices or applications, a variable shared key that is changed for each predetermined communication unit requiring the authentication is generated in each device or application that performs the authentication using one-time identification information as one-time ID. In addition, a server that obtains a function value of a one-way function that takes this variable shared key, generates the one-time ID from the function value, and uses the generated one-time ID to authenticate with the client. , A function value of a one-way function Fc having at least an argument of a client ID set in advance in the client, a Diffie-Hellman public value previously stored in the client, and receiving means for receiving the one-time ID from the client; The function value Fc and the one-time ID of the one-way function are obtained by calculation, and the result of this operation is compared with the function value of the one-time function Fc and the one-way function Fc received from the client. Judging means for judging; When the judging means determines that the client is legitimate, the function value of the one-way function Fs which takes as an argument at least the server ID preset in the server and the other of the Diffie-Hellman public value previously stored in the server. A server comprising a transmitting means for transmitting to a client. In authentication between devices or applications, a variable shared key that is changed for each predetermined communication unit requiring the authentication is generated in each device or application that performs the authentication using one-time identification information as one-time ID. In addition, in a client that obtains a function value of a one-way function that takes this variable shared key as its argument, generates the one-time ID from the function value, and authenticates with the server using the generated one-time ID. , The one-time ID is generated using a variable shared key shared with the server in advance, and a function value of the one-way function Fc that takes at least an argument of the client ID preset in the client is calculated by operation. Transmitting means for transmitting to the server one of a time ID and a function value of a one-way function Fc and a Diffie-Hellman public value previously stored in the client; Receiving means for receiving, from the server, a function value of a one-way function Fs having at least a server ID preset in the server as an argument, and the other of a Diffie-Hellman public value previously stored in the server; And determining means for determining the validity of the server by obtaining a function value of the one-way function Fs by operation and comparing the result of this operation with a function value of the one-way function Fs received from the server. Client. In the authentication system configured by the server and the client, the server and the client, in the authentication between the devices or the applications, in each of the devices or applications for the authentication using the identification information which can be used only once as the one-time ID, Generates a variable shared key that changes for each predetermined communication unit requiring authentication, obtains a function value of a one-way function that takes the variable shared key as an argument, generates the one-time ID from the function value, and generates the generated value. Authenticate with the client using the established one-time ID, The server is configured to receive, from the client, one of a function value of a one-way function Fc having at least an argument of a client ID set in advance in the client, a Diffie-Hellman public value previously stored in the client, and the one-time ID from the client. Sudan, The function value Fc and the one-time ID of the one-way function are obtained by calculation, and the result of this operation is compared with the function value of the one-time function Fc and the one-way function Fc received from the client. Judging means for judging; When the judging means determines that the client is legitimate, the function value of the one-way function Fs which takes as an argument at least the server ID preset in the server and the other of the Diffie-Hellman public value previously stored in the server. A transmission means for transmitting to the client, The client generates the one-time ID by using a variable shared key shared with the server in advance, and computes a function value of the one-way function Fc that takes at least an argument of the client ID preset in the client. Transmitting means for obtaining one of these one-time IDs and function values of the one-way function Fc and the Diffie-Hellman public values previously stored in the client, to the server; Receiving means for receiving, from the server, a function value of a one-way function Fs having at least a server ID preset in the server as an argument, and the other of a Diffie-Hellman public value previously stored in the server; And determining means for determining the validity of the server by obtaining a function value of the one-way function Fs by operation and comparing the result of this operation with a function value of the one-way function Fs received from the server. Certification system. In authentication between devices or applications, a variable shared key that is changed for each predetermined communication unit requiring the authentication is generated in each device or application that performs the authentication using one-time identification information as one-time ID. In addition, a function value of a one-way function that takes this variable shared key as an argument is obtained, and the one-time ID is generated from the function value, and the server that authenticates with the client based on the generated one-time ID is generated. In the program that executes, A process of receiving a function value of a one-way function Fc having at least an argument of a client ID set in advance in the client, a Diffie-Hellman public value previously stored in the client, and the one-time ID from the client; The function value Fc and the one-time ID of the one-way function are obtained by calculation, and the result of this operation is compared with the function value of the one-time function Fc and the one-way function Fc received from the client. Processing to determine, If it is determined that the client is legitimate, then the function value of the one-way function Fs, which takes at least the server ID preset in the server as an argument, and the other of the Diffie-Hellman public value previously stored in the server, for the client A program for causing the server to execute a transmitting process. In authentication between devices or applications, a variable shared key that is changed for each predetermined communication unit requiring the authentication is generated in each device or application that performs the authentication using one-time identification information as one-time ID. In addition, a function value of a one-way function that takes this variable shared key as an argument is generated, and the one-time ID is generated from the function value, and the client authenticates with the server based on the generated one-time ID. In the program that executes, The one-time ID is generated using a variable shared key shared with the server in advance, and a function value of the one-way function Fc that takes at least an argument of the client ID set in advance in the client is calculated by operation. A process of transmitting to the server one of a time ID and a function value of a one-way function Fc and a Diffie-Hellman public value previously stored in the client; A process of receiving from the server a function value of a one-way function Fs having at least a server ID preset in the server as an argument, and the other of a Diffie-Hellman public value previously stored in the server; A function value of the one-way function Fs is obtained by an operation, and the client is subjected to a process of determining the validity of the server by comparing the result of this operation with a function value of the one-way function Fs received from the server. The program characterized in that. A variable shared key that is changed for each predetermined communication unit that requires the authentication is generated in each device or application that performs the authentication by using the identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. In addition, a function value of a one-way function that takes the variable shared key and information on the communication order or number of times as an argument is obtained, and the one-time ID is generated from the function value, and the generated one-time ID is used to communicate with the client. For a server that authenticates between The first one-time ID as a first one-time ID is a function value of a one-way function that takes as an argument a first variable shared key previously shared with the client and information about the communication order of the client. The encrypted data obtained by encrypting one of the client ID preset in the client, the server ID preset in the server, the Diffie-Hellman public value prestored in the client with the first variable shared key, and the first one-time ID. Receiving means for receiving from the client, When the first one-time ID is obtained by a calculation and the combination of the result of the calculation and the first one-time ID received from the client can identify the client and identify the client. And decrypting the encrypted data using the first variable shared key to determine validity of the client based on the client ID, the server ID, and the first one-time ID included in the decrypted data. Judging means, And when the judging means determines that the client is legitimate, generates a function value of a one-way function as a second one-time ID that takes as argument a information about the communication order between the first variable shared key and the server. And generate a Diffie-Hellman common key as a second variable shared key from one of the Diffie-Hellman public values received from the client and the other of the Diffie-Hellman public values previously stored in the server. A function value of a one-way function h that takes a variable shared key, the client ID, the server ID, and the second one-time ID as the argument, the other of the Diffie-Hellman public value, and the second one-time ID. And transmitting means for transmitting to the client. A variable shared key that is changed for each predetermined communication unit that requires the authentication is generated in each device or application that performs the authentication by using the identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. In addition, a function value of a one-way function having the variable shared key and information on the communication order or the number of times as an argument is obtained, the one-time ID is generated from this function value, and the generated one-time ID is used to generate a function value. A client authenticating between a first one time ID and a function value of a one-way function whose first variable variable is previously shared with the server and information on the communication order of the client. And a client ID set in advance for the client by using the first variable shared key, Transmitting means for encrypting one of the preset server IDs, the Diffie-Hellman public values previously stored in the client, and the first one-time ID, and transmitting the encrypted data and the first one-time ID to the server. and, The function value of the one-way function, which takes the first variable shared key and the information on the communication order of the server as an argument, is the second one-time ID, and the Diffie-Hellman common key is the second variable shared key. A function value of a one-way function h that takes a one-time ID of two, the second variable shared key, the client ID, and the server ID as arguments, and the other of the Diffie-Hellman public value previously stored in the server; Receiving means for receiving a second one-time ID from the server; When the second one-time ID is obtained by a calculation, and the server is identified and the server is identified by a combination of the operation result and the second one-time ID received from the server, A Diffie-Hellman common key is generated as the second variable shared key from the other of the Diffie-Hellman public value received from the server and the one of the Diffie-Hellman public value previously stored in the client. A function value of the one-way function h is obtained by a calculation using a second variable shared key, and the validity of the server is determined based on a combination of the result of this operation and the function value of the one-way function h received from the server. And a determination means. In an authentication system constituted by a server and a client, the server and the client each use a device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as a one-time ID. Generate a variable shared key that changes for each predetermined communication unit requiring authentication, obtain a function value of a one-way function whose information is about the variable shared key and the communication order or number of times; Generate a one-time ID, use this generated one-time ID to authenticate with the client, The server uses a first one-time ID as a function value of a one-way function having a first variable shared key previously shared with the client and information about the communication order of the client as the first one-time ID. Encrypted data obtained by encrypting one of a time ID, a client ID preset in the client, a server ID preset in the server, a Diffie-Hellman public value prestored in the client with the first variable shared key, and the first Receiving means for receiving a one-time ID from the client; When the first one-time ID is obtained by a calculation and the combination of the result of the calculation and the first one-time ID received from the client can identify the client and identify the client. And decrypting the encrypted data using the first variable shared key to determine validity of the client based on the client ID, the server ID, and the first one-time ID included in the decrypted data. Judging means, And when the judging means determines that the client is legitimate, generates a function value of a one-way function as a second one-time ID that takes as an argument information on the communication order between the first variable shared key and the server. And generate a Diffie-Hellman common key as a second variable shared key from one of the Diffie-Hellman public values received from the client and the other of the Diffie-Hellman public values previously stored in the server. A function value of a one-way function h that takes a variable shared key, the client ID, the server ID, and the second one-time ID, and the other one of the Diffie-Hellman public value and the second one-time ID. A transmission means for transmitting to the client, The client generates, as a first one-time ID, a function value of a one-way function having a first variable shared key previously shared with the server and information on the communication order of the client as an argument, The first variable shared key is used to encrypt a client ID preset for the client, a server ID preset for the server, a Diffie-Hellman public value prestored in the client, and the first one-time ID. Transmitting means for transmitting the encrypted data and the first one time ID to the server; The function value of the one-way function, which takes the first variable shared key and the information on the communication order of the server as an argument, is the second one-time ID, and the Diffie-Hellman common key is the second variable shared key. A function value of a one-way function h that takes a second one-time ID, the second variable shared key, the client ID, and the server ID as arguments, and the other of the Diffie-Hellman public value previously stored in the server; Receiving means for receiving the second one time ID from the server; When the second one-time ID is obtained by a calculation and the combination of the result of this operation and the second one-time ID received from the server identifies the server and identifies the server, A Diffie-Hellman common key is generated as the second variable shared key from the other of the Diffie-Hellman public value received from the server and the one of the Diffie-Hellman public value previously stored in the client. Determination means for determining the validity of the server based on a combination of the result of this operation and the function value of the one-way function h received from the server using a variable shared key of two; Authentication system characterized by having a. A random number is generated within a predetermined communication unit requiring the authentication in each device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. A server that obtains a function value of a one-way function that takes this random number and a predetermined shared key, generates the one-time ID from the function value, and uses the generated one-time ID to authenticate each other with the client. To The first one-time ID and the first random number generated by the client are function values of a one-way function having a first shared key shared with the client as an argument as the first one-time ID. First receiving means for receiving from the client; While generating a second random number, a function value of a one-way function that takes the first random number and the first shared key as arguments is obtained as a second one time ID, and the second one time ID and the Transmitting means for transmitting a second random number to the client; Second receiving means for receiving a function value of a one-way function having the first random number, the second random number, and the second shared key as a third one time ID from the client; , Generate the second shared key based on the first random number and the second random number, and generate the third shared key based on the second shared key, the first random number, and the second random number And a determination means for determining the validity of the client by obtaining a one-time ID by an operation and comparing the result of this operation with the third one-time ID received from the client. A random number is generated within a predetermined communication unit requiring the authentication in each device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. A client that obtains a function value of a one-way function that takes this random number and a predetermined shared key, generates the one-time ID from the function value, and authenticates with the server using the generated one-time ID. To A first one-time ID is obtained by generating a first random number and obtaining a function value of a one-way function whose first shared key is shared with the server as an argument as a first one-time ID. First transmitting means for transmitting the first random number to the server; The function value of a one-way function having the first random number and the first shared key as arguments is a second one-time ID, and the second one-time ID and the second random number generated by the server are described. Receiving means for receiving from a server, Calculating the second one-time ID based on the first random number and the first shared key by operation, and comparing the result of this operation with the second one-time ID received from the server, Judging means for judging the legitimacy of the server, If the server determines that the server is legitimate, the second shared key is generated based on the first random number and the second random number, and the second shared key is generated. And a second transmitting means for obtaining a function value of a one-way function having a random number of 1 and the second random number as an argument as a third one-time ID, and transmitting this third one-time ID to the server. Client. In the authentication system configured by the server and the client, the server and the client, in each of the apparatus or application for the authentication using the identification information that can be used only once in authentication between a plurality of devices or between applications as a one-time ID, Generates a random number in the predetermined communication unit requiring the authentication, obtains a function value of a one-way function that takes the random number and the predetermined shared key as arguments, generates the one-time ID from the function value, and generates the generated value. Configured to authenticate each other with the client using the established one-time ID, The server generates a first one-time ID and a function value of a one-way function having a first shared key shared with the client as an argument as a first one-time ID. First receiving means for receiving a first random number from the client;   While generating a second random number, a function value of a one-way function that takes the first random number and the first shared key as arguments is obtained as a second one time ID, and the second one time ID and the Transmitting means for transmitting a second random number to the client; Second receiving means for receiving a function value of a one-way function having the first random number, the second random number, and the second shared key as a third one time ID from the client; , Generate the second shared key based on the first random number and the second random number, and generate the third shared key based on the second shared key, the first random number, and the second random number Determination means for determining the validity of the client by obtaining a one-time ID by a calculation and comparing the result of this operation with the third one-time ID received from the client; The client generates a first random number, obtains a function value of a one-way function whose first shared key is shared with the server as an argument, as the first one-time ID, and then obtains the first random number. First sending means for sending the one-time ID of the and the first random number to the server; A function value of a one-way function having the first random number and the first shared key as arguments, the second one-time ID as the second one-time ID, and the second random number generated by the server; Receiving means for receiving from Calculating the second one-time ID based on the first random number and the first shared key by operation, and comparing the result of this operation with the second one-time ID received from the server, Judging means for judging the legitimacy of the server, If the server determines that the server is legitimate, the second shared key is generated based on the first random number and the second random number, and the second shared key is generated. And a second transmitting means for obtaining a function value of a one-way function having a random number of 1 and the second random number as an argument as a third one-time ID, and transmitting this third one-time ID to the server. Authentication system. A random number is generated within a predetermined communication unit requiring the authentication in each device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. A server that obtains a function value of a one-way function that takes this random number and a predetermined shared key, generates the one-time ID from the function value, and uses the generated one-time ID to authenticate each other with the client. To The first one-time ID and the first random number generated by the client are described as a first one-time ID as a function value of a one-way function that takes a shared key previously shared with the client as an argument. First receiving means for receiving from the client,   While generating a second random number, a function value of a one-way function having the first random number and the shared key as an argument is obtained as a second one time ID, and the second one time ID and the second one are obtained. Transmitting means for transmitting a random number to the client; Second receiving means for receiving the third one-time ID from the client using a function value of a one-way function having the shared key, the first random number, and the second random number as arguments; , Calculating the third one-time ID based on the first random number, the second random number, and the shared key by operation, and comparing the result of this operation with the third one-time ID received from the client, And judging means for judging the legitimacy of the client. A random number is generated within a predetermined communication unit requiring the authentication in each device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. A client that obtains a function value of a one-way function that takes this random number and a predetermined shared key, generates the one-time ID from the function value, and uses the generated one-time ID to authenticate each other with the server. To   Generates a first random number, obtains a function value of a one-way function having a shared key pre-shared with the server as a first one-time ID, and obtains the first one-time ID and the first one. First transmitting means for transmitting a random number of 1 to the server, The second one-time ID and the second random number generated by the server are obtained from the server, with the function value of the one-way function taking the first random number and the shared key as arguments as the second one-time ID. Receiving means for receiving, Obtaining the second one-time ID based on the first random number and the shared key by operation, and validating the server by comparing the operation result with the second one-time ID received from the server. Judging means for judging; When the server judges that the server is legitimate, the function value of the one-way function taking the first random number, the second random number, and the shared key as arguments is obtained as the third one-time ID. And second transmitting means for transmitting a third one-time ID to the server. In an authentication system constituted by a server and a client, the server and the client each use the identification information that can be used only once in authentication between a plurality of devices or applications, as a one-time ID, and each of the devices or applications that perform the authentication. Generates a random number in a predetermined communication unit requiring the authentication, obtains a function value of a one-way function that takes the random number and the predetermined shared key as arguments, and generates the one-time ID from the function value. Configured to authenticate each other with the client using this generated one-time ID, The server uses the first one-time ID and the first generated by the client as a first one-time ID as a function value of a one-way function having a shared key previously shared with the client as an argument. First receiving means for receiving a random number from the client,   While generating a second random number, a function value of a one-way function having the first random number and the shared key as an argument is obtained as a second one time ID, and the second one time ID and the second one are obtained. Transmitting means for transmitting a random number to the client; Second receiving means for receiving the third one-time ID from the client using a function value of a one-way function having the shared key, the first random number, and the second random number as arguments; , Calculating the third one-time ID based on the first random number, the second random number, and the shared key by operation, and comparing the result of this operation with the third one-time ID received from the client, Determination means for determining the validity of the client; The client generates a first random number, obtains a function value of a one-way function having a shared key previously shared with the server as a first one-time ID, and obtains the first one-time. First transmitting means for transmitting an ID and said first random number to said server, The second one-time ID and the second random number generated by the server are received from the server using the first random number and a function value of a one-way function taking the shared key as arguments as the second one-time ID. Receiving means to say, Obtaining the second one-time ID based on the first random number and the shared key by operation, and validating the server by comparing the operation result with the second one-time ID received from the server. Judging means for judging; When the server judges that the server is legitimate, the function value of the one-way function taking the first random number, the second random number, and the shared key as arguments is obtained as the third one-time ID. And second transmitting means for transmitting a third one-time ID to the server. A random number is generated within a predetermined communication unit requiring the authentication in each device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. A server that obtains a function value of a one-way function that takes this random number and a predetermined shared key, generates the one-time ID from the function value, and uses the generated one-time ID to authenticate each other with the client. To The first one-time ID is defined as a function value of a one-way function having a shared key, a first stored random number, and a second stored random number shared with the client as the first one-time ID. Receiving, from the client, the first random data generated by the client, the first encrypted data obtained by encrypting a first server ID set in the client, a server ID preset in the client, and a server ID preset in the server with the shared key. Sudan, When the first one-time ID is obtained by a calculation and the combination of the result of the calculation and the first one-time ID received from the client can identify the client and identify the client. Judging means for decoding said first encrypted data using said shared key and judging the legitimacy of said client based on said client ID and said server ID included in said decoded data; When the determination means determines that the client is justified, a function value of a one-way function that generates a second random number and takes the first random number, the second stored random number, and the shared key as arguments; Is obtained as a second one-time ID, and the second encrypted data obtained by encrypting the client ID, the server ID, and the second random number with the shared key, and the second one-time ID are transmitted to the client. A transmission means, And a substitution means for replacing the first memory random number with the first random number and the second memory random number with the second random number, respectively. A random number is generated within a predetermined communication unit requiring the authentication in each device or application that performs the authentication using identification information that can be used only once in authentication between a plurality of devices or between applications as the one-time ID. A client that obtains a function value of a one-way function that takes this random number and a predetermined shared key, generates the one-time ID from the function value, and uses the generated one-time ID to authenticate each other with the server. To   A function value of a one-way function that takes a shared key, a first stored random number, and a second stored random number pre-shared with the server while generating a first random number is used as the first one time ID. Obtaining first encrypted data obtained by encrypting a shared ID of the client ID, a server ID preset in the server, and the first random number with the shared key, and transmitting the first one-time ID to the server. A transmission means, Receiving the second one-time ID from the server using the first random number, the second stored random number, and a function value of a one-way function having the shared key as arguments as the second one-time ID, Receiving means for receiving second encrypted data generated by the server, second encrypted data obtained by encrypting the client ID and the server ID with the shared key; When the second one-time ID is obtained by a calculation and the combination of the result of the calculation and the second one-time ID received from the server can identify the server and identify the server. Deciding means for decoding the second encrypted data using the shared key and determining the validity of the server based on the server ID and the client ID included in the decoded data; And a substitution means for replacing the first memory random number with the first random number and the second memory random number with the second random number, respectively. In an authentication system constituted by a server and a client, the server and the client may each be a device or application that performs the authentication using one-time ID as identification information that can be used only once in authentication between a plurality of devices or between applications. In addition, while generating a random number in a predetermined communication unit requiring the authentication, a function value of a one-way function that takes this random number and a predetermined shared key as an argument, and generates the one-time ID from the function value, Configured to authenticate each other with the client using this generated one-time ID, The server uses the first one-time ID as a function value of a one-way function having a shared key, a first storage random number, and a second storage random number shared beforehand as the first one-time ID. The client receives first encrypted data obtained by receiving a one-time ID from the client and encrypting the first random number generated by the client, a client ID preset in the client, and a server ID preset in the server with the shared key. Receiving means for receiving from When the first one-time ID is obtained by a calculation and the combination of the result of the calculation and the first one-time ID received from the client can identify the client and identify the client. Determination means for decrypting the first encrypted data using the shared key and determining the validity of the client based on the client ID and the server ID included in the decrypted data; When the determination means determines that the client is justified, a function value of a one-way function that generates a second random number and takes the first random number, the second stored random number, and the shared key as arguments; Is obtained as a second one-time ID, and the second encrypted data obtained by encrypting the client ID, the server ID, and the second random number with the shared key, and the second one-time ID are transmitted to the client. A transmission means, Substituting means for substituting said 1st memory random number into a said 1st random number, and said 2nd memory random number into a said 2nd random number, Moreover, The client generates a first random number and uses a function value of a one-way function that takes a shared key, a first stored random number, and a second stored random number pre-shared with the server as a first value. The first encrypted data obtained by obtaining a one-time ID, a client ID set in advance in the client, a server ID set in the server, and the first random number with the shared key, and the first one-time ID in the server. Transmitting means for transmitting to Receiving the second one-time ID from the server using the first random number, the second stored random number, and a function value of a one-way function having the shared key as arguments as the second one-time ID, Receiving means for receiving second encrypted data generated by the server, second encrypted data obtained by encrypting the client ID and the server ID with the shared key; When the second one-time ID is obtained by a calculation and the combination of the result of the calculation and the second one-time ID received from the server can identify the server and identify the server. Deciding means for decoding the second encrypted data using the shared key and determining the validity of the server based on the server ID and the client ID included in the decoded data; And a substituting means for replacing the first stored random number with the first random number and the second stored random number with the second random number, respectively. The server and the client according to claim 49, wherein the server and the client respectively replace the first memory random number with the first random number and the second memory random number with the second random number. And generating the shared key based on the memory random number and the second memory random number, thereby changing the shared key.