WO2011152084A1 - Efficient mutual authentication method, program, and device - Google Patents


Info

Publication number
WO2011152084A1
Authority
WO
WIPO (PCT)
Prior art keywords
signature
mutual authentication
random number
encryption
computer
Application number
PCT/JP2011/053093
Inventor
尚宜 佐藤
恵輔 伯田
Original Assignee
株式会社日立製作所
Application filed by 株式会社日立製作所
Publication of WO2011152084A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H04L2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

  • the present invention relates to security technology, and more particularly to technology for mutually authenticating a partner or a device.
  • Authentication technology is a technology for confirming that the other party of a communication or dialogue is the intended person or thing, and is a fundamental technology for ensuring security in Internet communications and in devices that an unspecified large number of people can access.
  • Authentication includes a method using an encryption technique and biometric authentication in which identity verification is performed based on biometric information.
  • Authentication is performed at the beginning of the communication or the like, and if the other party is the intended one, entry to a room is permitted, or encrypted communication is carried out using the shared key after a key sharing protocol has been executed. If the authentication is not secure and the other party's legitimacy is uncertain, it cannot be guaranteed that unauthorized use of the service and leakage of confidential information are prevented in the service provision and exchange of important information that follow. The security of authentication should be considered carefully.
  • Authentication methods using cryptographic techniques are mainly divided into those based on common key cryptographic techniques and those based on public key cryptographic techniques (see, for example, Non-Patent Documents 1 and 2).
  • A method in which the two parties to be authenticated share a secret key (Secret key) in advance, and in which one party authenticates the other by judging whether the other can execute processing that is possible only for a holder of that secret key (Secret key), is called common key encryption technology-based authentication.
  • Typical examples are challenge-response authentication based on common key cryptography, in which a random number is encrypted using common key cryptography and it is confirmed whether the other party can decrypt it correctly, and MAC-based authentication, in which the other party generates a message authenticator (Message Authentication Code, MAC) for a random number and it is confirmed whether the MAC is correct.
  • Authentication based on common key encryption technology generally has a fast processing speed for both parties and a relatively small implementation scale, so it is used for authentication on low-resource devices such as IC cards, in servers that must process a large number of users simultaneously, and in ticket gates that must complete authentication in a very short time.
  • Each user has one private key (Private key) and the corresponding public key is made public, so the key management cost is lower than for authentication based on common key cryptography. That is, the secret information that may be leaked from one user is that user's own private key (Private key), and the influence on the entire system is minimal.
  • the processing speed of public key cryptography is about 100 to 1000 times slower than the authentication based on the common key cryptography, and the memory area and circuit scale required for implementation also increase.
  • There are examples in which it is mounted on an IC card and used, but the system must be one that can tolerate an authentication processing time of one second to several seconds.
  • public key cryptography and digital signature online / offline publication
  • common key cryptography by executing pre-calculation in mutual authentication and performing processing after an actual processing target is input.
  • a mutual authentication technique using a combination of key encryption and online / offline signature.
  • The key management cost can be reduced, and it becomes possible to achieve mutual authentication with low-resource devices such as IC cards, high-speed mutual authentication that requires instantaneous processing, and speeding up of a server that performs simultaneous processing for a large number of users.
  • In the above mutual authentication method, in the step in which the device A confirms the validity of the device B: the device A generates a random number rA during authentication and transmits the generated random number rA to the device B; the device B, after receiving the random number rA, generates a signature for the random number rA using the stored signature generation pre-calculation data and transmits the generated signature to the device A; the device A verifies the received signature using the signature verification key of the device B, determines that the device B is valid if the signature is determined to be correct, and determines that the device B is invalid if the signature is determined not to be correct.
  • In the step in which the device B performing mutual authentication confirms the validity of the device A:
  • the device B generates a random number rB during authentication, performs public key encryption of the random number rB using the stored pre-calculation data for encryption, and transmits the ciphertext resulting from the encryption to the device A;
  • the device A decrypts the received ciphertext using the private key of the device A and transmits the decryption result to the device B;
  • the device B collates the stored random number rB with the decryption result received from the device A, determines that the device A is valid if the random number rB matches the decryption result, and determines that the device A is invalid if they do not match.
  • A figure illustrating the outline of the mutual authentication apparatus of the first embodiment.
  • A figure illustrating the sequence of the signature-using part of mutual authentication.
  • A figure illustrating the sequence of the public key encryption-using part of mutual authentication.
  • A figure illustrating the structure of the reader / writer and IC card in the second embodiment.
  • A figure illustrating the sequence of the proxy pre-calculation process in the second embodiment.
  • FIG. 1 is a schematic diagram of mutual authentication executed by the mutual authentication device A100 and the mutual authentication device B200 according to the first embodiment of the present invention.
  • the mutual authentication device A100 includes a processing unit 110, a storage unit 120, a random number generation unit 131, and an external communication unit 132.
  • the mutual authentication device B includes a processing unit 210, a storage unit 220, a random number generation unit 231, and an external communication unit 232.
  • the external communication unit 132 of the mutual authentication device A100 and the external communication unit 232 of the mutual authentication device B200 can communicate with the communication line 310 via a network.
  • mutual authentication between the mutual authentication device A100 and the mutual authentication device B is performed.
  • the processing unit 110 of the mutual authentication apparatus A100 includes a signature verification unit 111 and a public key encryption / decryption unit 112.
  • the storage unit 120 of the mutual authentication apparatus A100 includes a signature verification key storage area 121 that stores the signature verification key of the mutual authentication apparatus B200, and a public key encryption / decryption key storage area 122 that stores the decryption key of the mutual authentication apparatus A100.
  • the processing unit 210 of the mutual authentication apparatus B200 includes a signature generation unit 211, a public key encryption / encryption unit 212, and a pre-data calculation unit 213 used for signature generation and public key encryption / encryption.
  • the storage unit 220 of the mutual authentication device B200 includes a signature generation key storage region 221 that stores the signature generation key of the mutual authentication device 200, a public key encryption / cryptography key storage region 222 that stores the public key of the mutual authentication device A, a pre-calculation data storage area 223, and a temporary data storage area 224.
  • the signature verification unit 111 reads the signature verification key from the signature verification key storage area 121 and performs signature verification on the signature verification target data obtained through the external communication unit 132.
  • the public key encryption / decryption unit 112 reads the decryption key from the public key encryption / decryption key storage area 122 and decrypts the decryption target data obtained via the external communication unit 132.
  • the signature generation unit 211 reads the signature generation key from the signature generation key storage area 221, reads the precalculation data from the precalculation data storage area 223, obtains a random number from the random number generation unit 231, and generates a signature for the signature generation target data obtained via the external communication unit 232.
  • the public key encryption / encryption unit 212 reads the encryption key from the public key encryption / encryption key storage area 222, reads the precalculation data from the precalculation data storage area 223, and encrypts the random number obtained from the random number generation unit 231.
  • At an arbitrary time before the mutual authentication device A100 and the mutual authentication device B200 perform mutual authentication, the prior data calculation unit 213 uses the signature generation key read from the signature generation key storage area 221 and random numbers obtained from the random number generation unit 231 to perform all the calculations necessary for signature generation that can be executed before the signature target data is given, and stores the results in the precalculation data storage area 223.
  • Likewise, at an arbitrary time before the mutual authentication device A100 and the mutual authentication device B200 perform mutual authentication, the prior data calculation unit 213 uses the encryption key read from the public key encryption / decryption key storage area 222 and a random number obtained from the random number generation unit 231 to perform all the calculations necessary for encryption that can be executed before the data to be encrypted is given, and stores the results in the pre-calculated data storage area 223.
  • the functions of the processing units 110 and 210 of the mutual authentication device A100 and the mutual authentication device B200 are realized by a CPU executing a program stored in the storage device, in a computer including a CPU, a storage device, and a communication device.
  • the random number generation units 131 and 231 may be realized by the CPU executing a program, or may be realized by hardware.
  • the program may be stored in the storage device in advance, or, if necessary, may be introduced into the storage device from another device via an external interface or communication device (not shown) and a medium that can be used by the computer.
  • the medium refers to, for example, a storage medium that can be attached to and detached from an external interface, or a communication medium (that is, a wired, wireless, optical network, or a carrier wave or digital signal that propagates through the network 320).
  • In the mutual authentication between the mutual authentication device A100 and the mutual authentication device B200, the mutual authentication device A first obtains a random number rA from the random number generation unit 131 and transmits it from the external communication unit 132 to the mutual authentication device B.
  • the random number rA is sent to the external communication unit 232 via the communication line 310, the network 320, and the like.
  • the mutual authentication device B generates a signature sB according to the above procedure for the sent random number rA. Further, a random number rB is obtained from the random number generator 231 and stored in the temporary data storage area 224. Further, rB is encrypted by the above procedure to calculate ciphertext C. The external communication unit 232 transmits sB and C to the mutual authentication device A.
  • Of the sB and C obtained through the external communication unit 132, the mutual authentication device A first verifies the signature sB by the above procedure. If the signature is determined to be correct, the mutual authentication device B is determined to be correct; C is then decrypted by the above procedure, and the decryption result rB ′ is transmitted to the mutual authentication device B via the external communication unit 132. If the signature is not judged correct, the mutual authentication device B is not judged correct.
  • the mutual authentication device B compares the rB ′ received via the external communication unit 232 with the rB read from the temporary data storage area 224 and, if they match, determines that the mutual authentication device A is correct. If they do not match, the mutual authentication device A is not judged correct.
  • the signature method used in the mutual authentication may be any method that can reduce the processing amount when the signature target data is input by performing pre-calculation before the signature target data is input in the signature generation.
  • the public key encryption method used in the mutual authentication may be any method that can reduce the amount of processing when the data to be encrypted is input by performing pre-calculation before the data to be encrypted is input in encryption.
  • FIG. 2 is a sequence diagram showing processing of the signature-using part of mutual authentication when an elliptic Schnorr signature (see Non-Patent Document 3) is used as an example of a signature method.
  • the rational point P on the elliptic curve suitable for the elliptic Schnorr signature is fixed and stored in the signature verification key storage area 121 of the mutual authentication apparatus A100 and the signature generation key storage area of the mutual authentication apparatus B200.
  • the data of the rational point P is read from the signature generation key storage area (S10), then the random number generation unit 231 generates a random number r and sends it to the pre-data calculation unit 213 (S11).
  • the random number generation unit 131 generates a random number rA and transmits it to the mutual authentication device B200 through the external communication unit 132 (S13).
  • After receiving rA through the external communication unit 232, the mutual authentication device B200 reads r and R from the precalculation data storage area 223 (S14), and reads the signature generation key x from the signature generation key storage area 221 (S15).
  • H is a hash function.
  • the mutual authentication device B200 transmits [R, H (rA, R), S] as a signature value for rA to the mutual authentication device A100 through the external communication unit 232 (S16).
  • Upon receiving the signature values [R, H (rA, R), S] through the external communication unit 132, the mutual authentication device A100 first uses the signature verification unit 111 to read the public key Q of the mutual authentication device B200 from the signature verification key storage area 121.
  • the signature method used in the present embodiment is not limited to the elliptic Schnorr signature; any method is applicable in which pre-calculation in the signature generation process greatly reduces the processing after the signature target data is input and which is secure as a signature.
  • FIG. 3 is a sequence diagram showing processing of the public key encryption-using part of mutual authentication when a modified ElGamal encryption is used as an example of public key encryption.
  • the rational point P ′ on the elliptic curve suitable for the modified ElGamal encryption is fixed and stored in the public key encryption key storage area of the mutual authentication device B200.
  • the data of the rational points P ′ and Q ′ are read from the public key encryption / decryption key storage area 222 (S20), and then the random number generation unit 231 generates the random number r1 and sends it to the pre-data calculation unit 213 (S21).
  • the random number generation unit 131 generates random numbers r2 and rB and sends them to the public key encryption unit 212 (S23).
  • rB is also sent to and stored in the temporary data storage area 224 (S24).
  • the key of the common key encryption E is Q1
  • the encryption target data is c0
  • represents a data combination.
  • the mutual authentication device B200 transmits [R1, C] to the mutual authentication device A100 through the external communication unit 232 (S27).
  • rB ′ = D (Q1, C) is calculated, where D is the decryption function of the common key encryption E, the key is Q1, and the decryption target data is C.
  • the public key encryption / decryption unit 112 confirms that the constant c0 is correct, and if correct, transmits rB 'to the mutual authentication device B200 through the external communication unit 132 (S29).
  • the mutual authentication device B200 that has received rB ′ through the external communication unit 232 reads rB from the temporary data storage area 224 (S30). If rB and rB ′ match, the mutual authentication device A100 is determined to be correct; otherwise it is judged to be invalid.
  • the public key encryption used in the present embodiment is not limited to the above-described modified ElGamal encryption; any method is applicable in which pre-calculation in the encryption processing greatly reduces the processing after the data to be encrypted is input and which is secure as encryption.
  • the order of the processing part using the signature and the processing part using the public key cryptography may be switched.
  • FIG. 4 is a configuration diagram of the IC card 400 and its reader / writer 300. These have communication means 501 and 502 and can transmit and receive data.
  • the communication means may be contact or non-contact.
  • the reader / writer 300 is applied as the mutual authentication device A100 in the first embodiment, and the IC card 400 is applied as the mutual authentication device B200.
  • While the IC card 400 is energized, its pre-data calculation unit may perform the pre-calculation necessary for a number of subsequent mutual authentications and store the pre-calculation data, or the pre-calculation data may be calculated in advance at the time of shipment and stored in a storage area. In these cases, new precalculation data may be used each time mutual authentication is performed while managing consumption of the precalculation data.
  • a method may be used in which a trusted server executes a pre-calculation for the next time on behalf of each server when each mutual authentication is normally completed, and the calculation result is received and stored.
  • FIG. 5 is a sequence diagram showing the procedure of the n-th mutual authentication.
  • the IC card 400 stores pre-calculation data necessary for the n-th mutual authentication.
  • the reader / writer 300 and the IC card 400 perform mutual authentication by the method described in the first embodiment (S13, S16, S27, S29).
  • communication S16 and S27 may be performed in parallel.
  • the order of S13, S16 and S27, S29 may be changed, and communication may be performed in the order of S27, S29, S13, S16. In that case, you may perform communication S29 and S13 in parallel.
  • When the reader / writer 300 determines that the IC card 400 is correct and the IC card 400 determines that the reader / writer 300 is correct, the reader / writer 300 executes, as a proxy, the pre-calculation necessary for the (n + 1)th authentication of the IC card 400.
  • the pre-calculation data is transmitted to the IC card 400 (S40).
  • the IC card 400 stores the precomputed data in the precomputed data storage area and uses it for the (n + 1) th mutual authentication.
  • a dedicated computer that performs the pre-calculation may be used separately.
  • the subsequent processing or service may be stopped, or a mutual authentication request may be made again. Even in that case, mutual authentication is performed a prescribed number of times, and if all are not determined to be correct, subsequent processing and services are stopped.
  • a large number of users may be taps (smart taps) that have a function of transmitting information such as the power consumption status of each user to each server in the sensor network and the smart grid.
  • FIG. 6 is a configuration diagram of a server that performs mutual authentication with a large number of users.
  • the server 600 can communicate with a large number of users 500 through the network 700.
  • the server 600 is applied as the mutual authentication device A100 in the first embodiment, and each user in a large number of users 500 is applied as the mutual authentication device B200.
  • the server 600 can communicate with the pre-calculation server 900 that performs the pre-calculation through the communication path 800, and the pre-calculation server may perform the pre-calculation in the mutual authentication apparatus A100.
  • the server 600 prepares precalculation data for the required number of times according to the number of users and the frequency.
  • FIG. 7 is a configuration diagram of the traveling vehicle 1020 and the roadside machine 1010.
  • the traveling vehicle 1020 and the roadside machine 1010 can transmit and receive data by wireless communication 1030.
  • the vehicle 1020 is applied as the mutual authentication device A100 in the first embodiment, and the roadside machine 1010 is applied as the mutual authentication device B200.
  • the roadside device 1010 includes a communication unit 1011 and a mutual authentication device A1012.
  • the vehicle 1020 includes a communication unit 1021 and a mutual authentication device B1022.
  • the vehicle 1020 calculates the precalculation data described in the first embodiment before executing the mutual authentication, and stores it in the storage unit in the mutual authentication device B1022.
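
The exchange described above (S13, S16, S27, S29), as an added example that is not code from the patent: device B precomputes every elliptic-curve multiplication offline, so its online work is one hash, one multiply-add and one symmetric encryption. Assumptions, since the page's formulas did not survive extraction or name no parameters: the secp256k1 curve with one base point serving as both P and P′, SHA-256 as H, S = r + e·x mod n with verification S·P = R + e·Q, a 16-byte zero constant c0, a SHA-256 XOR keystream standing in for the common key cipher E, and all function and class names.

```python
import hashlib
import hmac
import secrets

# Assumptions: secp256k1, one base point G used as both P and P', SHA-256 as H,
# S = r + e*x mod n, and a SHA-256 XOR keystream standing in for the cipher E.
FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
C0 = bytes(16)  # constant c0 checked after decryption (constructed value)

def on_curve(pt):
    return pt is not None and all(0 <= c < FIELD for c in pt) and \
        (pt[1] ** 2 - pt[0] ** 3 - 7) % FIELD == 0

def add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return x3, (lam * (x1 - x3) - y1) % FIELD

def mul(k, pt):  # double-and-add; not constant time, illustration only
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x, G)

def challenge_hash(r_a, R):  # e = H(rA, R) reduced mod n
    data = r_a + R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sym(key_point, data):  # stand-in for E and D, keyed by the point Q1
    ks = hashlib.sha256(b"E" + key_point[0].to_bytes(32, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

class DeviceB:  # prover with precomputation (the IC card in the second embodiment)
    def __init__(self, x_b, q_a):
        self.x_b, self.q_a, self.pool, self.r_b = x_b, q_a, [], None
    def precompute(self, count=1):
        """Offline: every scalar multiplication, done before rA is known."""
        for _ in range(count):
            r, r1 = (secrets.randbelow(N - 1) + 1 for _ in range(2))
            self.pool.append((r, mul(r, G), mul(r1, G), mul(r1, self.q_a)))

    def respond(self, r_a):
        """Online: one hash, one multiply-add mod n, one symmetric encryption."""
        if not self.pool:
            raise RuntimeError("precomputation data exhausted")
        r, R, R1, Q1 = self.pool.pop()  # single use: reusing r leaks x_b
        e = challenge_hash(r_a, R)
        S = (r + e * self.x_b) % N
        self.r_b = secrets.token_bytes(16)
        return (R, e, S), (R1, sym(Q1, C0 + self.r_b))

    def check(self, r_b_prime):
        r_b, self.r_b = self.r_b, None  # rB is also single use
        return bool(r_b and r_b_prime) and hmac.compare_digest(r_b, r_b_prime)

class DeviceA:  # verifier holding B's public key Q and its own decryption key
    def __init__(self, x_a, q_b):
        self.x_a, self.q_b, self.r_a = x_a, q_b, None
    def challenge(self):
        self.r_a = secrets.token_bytes(16)
        return self.r_a

    def process(self, sig, ct):
        (R, e, S), (R1, C) = sig, ct
        if not (on_curve(R) and on_curve(R1) and e == challenge_hash(self.r_a, R)
                and mul(S, G) == add(R, mul(e, self.q_b))):
            return None  # B not authenticated: release no decryption result
        plain = sym(mul(self.x_a, R1), C)
        return plain[16:] if hmac.compare_digest(plain[:16], C0) else None

def run_mutual_auth(tamper=False):
    """Return (A accepts B, B accepts A); tamper corrupts S in transit."""
    (x_a, q_a), (x_b, q_b) = keygen(), keygen()
    a, b = DeviceA(x_a, q_b), DeviceB(x_b, q_a)
    b.precompute()                      # any time before authentication
    sig, ct = b.respond(a.challenge())  # S13, then S16 and S27
    if tamper:
        sig = (sig[0], sig[1], (sig[2] + 1) % N)
    r_b_prime = a.process(sig, ct)      # S29, sent only if the signature verified
    return r_b_prime is not None, b.check(r_b_prime)
```

`run_mutual_auth()` returns a pair of booleans; a run with `tamper=True` shows device A withholding the decryption result, so neither side accepts.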

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Challenge-response type mutual authentication combines a signature method and a public key encryption method. When a signature is generated, the signature method makes it possible for the amount of processing performed when signature target data is input to be decreased by means of precomputation. When encryption is performed for public key encryption, the public key encryption method makes it possible for the amount of processing performed when encryption target data is input to be decreased by means of precomputation. By focusing on procedures which can perform precomputation as well as performing authentication, the actual processing time for authentication is reduced to a comparable level with mutual authentication based on common key encryption.

Description

Efficient mutual authentication method, program, and apparatus
Incorporation by reference
This application claims the priority of Japanese Patent Application No. 2010-123722 filed on May 31, 2010, the contents of which are incorporated into this application by reference.
The present invention relates to security technology, and more particularly to technology for mutually authenticating a partner or a device.
Authentication technology is a technology for confirming that the other party of a communication or dialogue is the intended person or thing, and is a fundamental technology for ensuring security in Internet communications and in devices that an unspecified large number of people can access. Authentication includes methods using cryptographic techniques and biometric authentication, in which identity verification is performed based on biometric information.
In either case, authentication is performed at the beginning of the communication or the like, and if the other party is the intended one, entry to a room is permitted, or encrypted communication is carried out using the shared key after a key sharing protocol has been executed. If the authentication is not secure and the other party's legitimacy is uncertain, it cannot be guaranteed that unauthorized use of the service and leakage of confidential information are prevented in the service provision and exchange of important information that follow. The security of authentication should be considered carefully.
In authentication using cryptographic techniques, a user (or thing) creates certain data based on secret information known only to that user and has the other party check it. The scheme must be constructed using cryptographic techniques so that the user's secret information does not leak to the other party during or after the authentication process.
Authentication methods using cryptographic techniques are mainly divided into those based on common key cryptographic techniques and those based on public key cryptographic techniques (see, for example, Non-Patent Documents 1 and 2).
Here, a method in which the two parties to be authenticated share a secret key (Secret key) in advance, and in which one party authenticates the other by judging whether the other can execute processing that is possible only for a holder of that secret key (Secret key), is called common key encryption technology-based authentication. Typical examples are challenge-response authentication based on common key cryptography, in which a random number is encrypted using common key cryptography and it is confirmed whether the other party can decrypt it correctly, and MAC-based authentication, in which the other party generates a message authenticator (Message Authentication Code, MAC) for a random number and it is confirmed whether the MAC is correct.
In authentication based on public key cryptography, only the prover (the person or thing proving its own identity) has the private key (Private key), and the verifier uses the corresponding public key to judge whether the prover is genuine according to whether it can execute processing that is possible only for a holder of the private key (Private key). Examples include public key cryptography-based authentication, in which public key cryptography such as RSA is used to confirm whether the other party can correctly decrypt an encrypted random number; digital signature-based authentication, in which the other party generates a digital signature for a random number and it is confirmed whether the signature is correct; and public key cryptography-based authentication methods designed exclusively for authentication (see, for example, Non-Patent Document 3).
Among authentication methods using cryptographic techniques, authentication based on common key encryption technology generally has a fast processing speed for both parties and a relatively small implementation scale, so it is used for authentication on low-resource devices such as IC cards, in servers that must process a large number of users simultaneously, and in ticket gates that must complete authentication in a very short time.
However, there are problems such as the cost of sharing keys in advance and the explosive increase in the number of secret keys (Secret key) required as the number of users grows. Depending on the system, a compromise such as assigning one secret key (Secret key) to multiple users may be adopted, but such a compromise clearly has a security problem. As an extreme example, when a system is operated with a single secret key (Secret key) common to the whole system, leakage of the key from one user compromises the security of the entire system, and large-scale recovery processing such as replacement of all keys becomes necessary. Thus, in a system with a large number of users, key management costs must be incurred in order to ensure security.
 一方、公開鍵暗号技術ベースの認証では、各ユーザがひとつの秘密鍵(Private key)を持ち、対応する公開鍵を公開するため、共通鍵暗号技術ベースの認証に比べ、鍵の管理コストが少なくて済む。すなわち、ひとりのユーザから漏れる可能性のある秘密情報は、そのユーザ自身の秘密鍵(Private key)であり、システム全体に及ぼす影響は最小限である。 On the other hand, in the authentication based on public key cryptography, each user has one private key (Private key) and the corresponding public key is made public, so the key management cost is lower than the authentication based on common key cryptography. I'll do it. That is, the secret information that may be leaked from one user is the user's own private key (Private key), and the influence on the entire system is minimal.
 しかし一般に公開鍵暗号の処理速度は共通鍵暗号技術ベースの認証に比べ、100倍~1000倍程度遅く、また実装に必要なメモリ領域や、回路規模も大きくなる。ICカードに実装し利用されている例もあるが、認証のための処理時間を1秒から数秒かけてもよいシステムでなければならない。 However, in general, the processing speed of public key cryptography is about 100 to 1000 times slower than the authentication based on the common key cryptography, and the memory area and circuit scale required for implementation also increase. Although there is an example in which it is mounted on an IC card and used, it must be a system that can take a processing time for authentication from one second to several seconds.
 公共交通機関の改札でのICカードと改札機との相互の認証ではそのような長い処理時間は許容されず、共通鍵暗号技術ベースの認証を用いざるを得ないのが現状である。また、高速ですれ違う車と車との間の通信などで瞬時に認証する必要がある場合にも公開鍵暗号技術ベースの認証では時間がかかりすぎる。 Such a long processing time is not allowed in the mutual authentication between the IC card and the ticket checker at the ticket gate of public transportation, and the current situation is that the authentication based on the common key encryption technology has to be used. Also, even when it is necessary to instantly authenticate between cars passing each other at high speed, the authentication based on the public key cryptosystem takes too much time.
 このように、暗号技術を用いた認証において、公開鍵暗号技術ベースの認証のような鍵管理の容易さを持ちつつ、共通鍵暗号技術ベースのような処理速度を達成する認証方法の実現が求められている。 In this way, in authentication using cryptographic technology, it is necessary to realize an authentication method that achieves the processing speed as in the common key cryptographic technology base while having the ease of key management as in the public key cryptographic technology based authentication. It has been.
This specification discloses a mutual authentication technique that combines public-key encryption and digital signatures in which, by performing precomputation, the processing after the actual input arrives can be executed as fast as common-key cryptography (these are also called online/offline public-key encryption and online/offline signatures).
As disclosed, performing precomputation makes it possible to achieve, at actual authentication time, a processing speed equivalent to common-key-based mutual authentication.
This makes possible, while keeping key management costs down, mutual authentication on low-resource devices such as IC cards, high-speed mutual authentication where instantaneous processing is required, and faster servers that process a large number of users simultaneously.
As one example, what is disclosed is a mutual authentication method in which, in a system comprising two kinds of devices, device A and device B, that can exchange data by communication, device A and device B each confirm the legitimacy of the other.
In the step in which device A confirms the legitimacy of device B, the mutual authentication method comprises:
device A generating a random number rA at authentication time;
device A transmitting the generated random number rA to device B;
device B, after receiving the random number rA, generating a signature over rA using stored precomputed data for signature generation;
device B transmitting the generated signature to device A;
device A verifying the received signature using the signature verification key of device B; and
device A judging device B to be legitimate if the signature is judged correct, and illegitimate if it is judged incorrect.
Further, in the step in which device B confirms the legitimacy of device A, the mutual authentication method comprises:
device B generating a random number rB at authentication time;
device B public-key encrypting the random number rB using stored precomputed data for encryption;
device B transmitting the ciphertext resulting from the encryption to device A;
device A decrypting the received ciphertext using the private key of device A;
device A transmitting the decryption result to device B;
device B comparing the stored random number rB with the decryption result received from device A; and
device B judging device A to be legitimate if the random number rB and the decryption result match, and illegitimate if they do not match.
The present invention keeps key management costs down while enabling high-speed mutual authentication.
Other objects, features and advantages of the present invention will become apparent from the following description of embodiments of the invention with reference to the accompanying drawings.
A diagram illustrating the outline of the mutual authentication devices of the first embodiment.
A diagram illustrating the sequence of the signature-based part of mutual authentication.
A diagram illustrating the sequence of the public-key-encryption-based part of mutual authentication.
A diagram illustrating the configuration of the reader/writer and IC card in the second embodiment.
A diagram illustrating the sequence of the proxy precomputation process in the second embodiment.
A diagram illustrating the configuration of the large number of users and the server in the third embodiment.
A diagram illustrating the configuration of the traveling vehicle and roadside device in the fourth embodiment.
Embodiments of the present invention are described with reference to the drawings.
FIG. 1 is a schematic diagram of the mutual authentication performed by mutual authentication device A100 and mutual authentication device B200 according to the first embodiment of the present invention.
As illustrated, mutual authentication device A100 includes a processing unit 110, a storage unit 120, a random number generation unit 131, and an external communication unit 132.
Mutual authentication device B includes a processing unit 210, a storage unit 220, a random number generation unit 231, and an external communication unit 232.
The external communication unit 132 of mutual authentication device A100 and the external communication unit 232 of mutual authentication device B200 can communicate via a communication line 310 and a network.
In this embodiment, mutual authentication is performed between mutual authentication device A100 and mutual authentication device B.
The processing unit 110 of mutual authentication device A100 includes a signature verification unit 111 and a public key decryption unit 112. The storage unit 120 of mutual authentication device A100 includes a signature verification key storage area 121, which stores the signature verification key of mutual authentication device B200, and a public key decryption key storage area 122, which stores the decryption key of mutual authentication device A100.
The processing unit 210 of mutual authentication device B200 includes a signature generation unit 211, a public key encryption unit 212, and a precomputed-data calculation unit 213 used for signature generation and public key encryption. The storage unit 220 of mutual authentication device B200 includes a signature generation key storage area 221, which stores the signature generation key of mutual authentication device 200, a public key encryption key storage area 222, which stores the public key of mutual authentication device A, a precomputed data storage area 223, and a temporary data storage area 224.
The signature verification unit 111 reads the signature verification key from the signature verification key storage area 121 and verifies the signature on the data to be verified obtained via the external communication unit 132.
The public key decryption unit 112 reads the decryption key from the public key decryption key storage area 122 and decrypts the data to be decrypted obtained via the external communication unit 132.
The signature generation unit 211 reads the signature generation key from the signature generation key storage area 221, reads the precomputed data from the precomputed data storage area 223, obtains a random number from the random number generation unit 231, and generates a signature over the data to be signed obtained via the external communication unit 232.
The public key encryption unit 212 reads the encryption key from the public key encryption key storage area 222, reads the precomputed data from the precomputed data storage area 223, and encrypts the random number obtained from the random number generation unit 231.
At an arbitrary time before mutual authentication devices A100 and B200 perform mutual authentication, the precomputed-data calculation unit 213 uses the signature generation key read from the signature generation key storage area 221 and a random number obtained from the random number generation unit 231 to perform all of the computation needed for signature generation that can be carried out before the data to be signed is given, and saves the result in the precomputed data storage area 223. Likewise, at an arbitrary time before mutual authentication devices A100 and B200 perform mutual authentication, the precomputed-data calculation unit 213 uses the encryption key read from the public key encryption key storage area 222 and a random number obtained from the random number generation unit 231 to perform all of the computation needed for encryption that can be carried out before the data to be encrypted is given, and saves the result in the precomputed data storage area 223.
The functions of the processing units 110 and 210 of mutual authentication devices A100 and B200 are each realized, in a computer comprising a CPU, a storage device and a communication device, by the CPU executing a program stored in the storage device. The random number generation units 131 and 231 may likewise be realized by the CPU executing a program, or may be realized in hardware.
The program may be stored in the storage device in advance, or may be introduced into the storage device from another device when needed, via an external interface or communication device (not shown) and a medium usable by the computer. The medium is, for example, a storage medium that can be attached to and detached from the external interface, or a communication medium (that is, a wired, wireless or optical network, or a carrier wave or digital signal propagating through the network 320).
In the mutual authentication between mutual authentication device A100 and mutual authentication device B200, mutual authentication device A first obtains a random number rA from the random number generation unit 131 and transmits it from the external communication unit 132 to mutual authentication device B. The random number rA is delivered to the external communication unit 232 via the communication line 310, the network 320 and so on.
Mutual authentication device B generates a signature sB over the received random number rA by the procedure above. It also obtains a random number rB from the random number generation unit 231 and stores it in the temporary data storage area 224. It then encrypts rB by the procedure above to compute the ciphertext C. The external communication unit 232 transmits sB and C to mutual authentication device A.
Mutual authentication device A takes the sB and C obtained via the external communication unit 132 and first verifies the signature sB by the procedure above. If it judges the signature correct, it judges mutual authentication device B to be correct, then decrypts C by the procedure above and transmits the decryption result rB' to mutual authentication device B via the external communication unit 132. If it does not judge the signature correct, it does not judge mutual authentication device B to be correct.
Mutual authentication device B compares the rB' received via the external communication unit 232 with the rB read from the temporary data storage area 224 and, if they match, judges mutual authentication device A to be correct.
If they do not match, it does not judge mutual authentication device A to be correct.
The signature method used in the mutual authentication above may be any method in which precomputation performed before the data to be signed is input reduces the amount of processing needed once that data is input. Similarly, the public-key encryption method used in the mutual authentication method above may be any method in which precomputation performed before the data to be encrypted is input reduces the amount of processing needed once that data is input.
FIG. 2 is a sequence diagram showing the processing of the signature-based part of mutual authentication when the elliptic-curve Schnorr signature (see Non-Patent Document 3) is used as an example of the signature method.
A rational point P on an elliptic curve suitable for the elliptic-curve Schnorr signature is fixed and stored in the signature verification key storage area 121 of mutual authentication device A100 and in the signature generation key storage area of mutual authentication device B200. The private key x of mutual authentication device B200 is stored in the signature generation key storage area 221, and the public key Q=xP is stored in the signature verification key storage area 121.
First, as precomputation on the mutual authentication device B200 side, the data of the rational point P is read from the signature generation key storage area (S10), and then the random number generation unit 231 generates a random number r and sends it to the precomputed-data calculation unit 213 (S11). The precomputed-data calculation unit 213 computes R=rP and stores r and R in the precomputed data storage area 223 (S12).
Next, when mutual authentication device A100 authenticates mutual authentication device B, the random number generation unit 131 first generates a random number rA, which is transmitted to mutual authentication device B200 through the external communication unit 132 (S13).
After receiving rA through the external communication unit 232, mutual authentication device B200 reads r and R from the precomputed data storage area 223 (S14) and reads the signature generation key x from the signature generation key storage area 221 (S15).
The signature generation unit 211 computes S=r+H(rA,R), where H is a hash function. Mutual authentication device B200 transmits [R,H(rA,R),S] to mutual authentication device A100 through the external communication unit 232 as the signature value for rA (S16).
On receiving the signature value [R,H(rA,R),S] through the external communication unit 132, mutual authentication device A100 has its signature verification unit 111 first read the public key Q of mutual authentication device B200 and the system parameter P from the signature verification key storage area 121 (S17), and then check whether R=SP+H(rA,R)Q holds.
If it holds, mutual authentication device B200 is judged to be correct; otherwise it is judged to be illegitimate.
Besides the elliptic-curve Schnorr signature above, any signature method can be used in this embodiment as long as precomputation in the signature generation process greatly reduces the processing after the data to be signed is input and the method is secure as a signature.
FIG. 3 is a sequence diagram showing the processing of the public-key-encryption-based part of mutual authentication when a modified ElGamal encryption is used as an example of public-key encryption.
A rational point P' on an elliptic curve suitable for the modified ElGamal encryption is fixed and stored in the public key encryption key storage area of mutual authentication device B200. The private key x' of mutual authentication device A100 is stored in the public key decryption key storage area 122, and the public key Q'=x'P' is stored in the public key encryption key storage area 222.
First, as precomputation on the mutual authentication device B200 side, the data of the rational points P' and Q' is read from the public key encryption key storage area 222 (S20), and then the random number generation unit 231 generates a random number r1 and sends it to the precomputed-data calculation unit 213 (S21). The precomputed-data calculation unit 213 computes R1=r1P' and Q1=r1Q' and stores them in the precomputed data storage area 223 (S22).
Next, when mutual authentication device B200 authenticates mutual authentication device A100, the random number generation unit 131 first generates random numbers r2 and rB and sends them to the public key encryption unit 212 (S23).
rB is also sent to the temporary data storage area 224 and stored there (S24).
The public key encryption unit 212 reads the constant c0 from the public key encryption key storage area 222 (S26) and computes C=E(Q1,c0||r2||rB) using the common-key cipher E. Here the key of the common-key cipher E is Q1 and the data to be encrypted is c0||r2||rB; || denotes concatenation of data.
Mutual authentication device B200 transmits [R1,C] to mutual authentication device A100 through the external communication unit 232 (S27).
After receiving [R1,C] through the external communication unit 132, mutual authentication device A100 reads the decryption key x' from the public key decryption key storage area 122 (S28) and computes Q1=x'R1 and c0||r2||rB'=D(Q1,C). Here D is the decryption function of the common-key cipher E, the key is Q1, and the data to be decrypted is C.
The public key decryption unit 112 confirms that the constant c0 is the correct one and, if so, transmits rB' to mutual authentication device B200 through the external communication unit 132 (S29).
On receiving rB' through the external communication unit 232, mutual authentication device B200 reads rB from the temporary data storage area 224 (S30); if rB and rB' match it judges mutual authentication device A100 to be correct, and if they differ it judges it to be illegitimate.
Besides the modified ElGamal encryption above, any public-key encryption can be used in this embodiment as long as precomputation in the encryption process greatly reduces the processing after the data to be encrypted is input and the method is secure as a cipher.
In this embodiment, the order of the signature-based part and the public-key-encryption-based part may be swapped.
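The two sequences above (FIG. 2 and FIG. 3), run end to end with the offline and online phases separated, as an added example that is not the patent's own code. Assumptions: curve secp256k1 with P' = P = G, SHA-256 for H, a SHA-256 keystream standing in for the common-key cipher E, 16-byte random numbers, and an online response computed as S = r - H(rA,R)x mod n so that the check R = SP + H(rA,R)Q holds.

```python
import hashlib, hmac, secrets

# secp256k1 (assumed curve; the page names none): y^2 = x^3 + 7 over GF(P_FIELD)
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
C0 = b"c0-demo!"  # constructed stand-in for the shared constant c0

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def enc_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H(rA, R):
    return int.from_bytes(hashlib.sha256(rA + enc_point(R)).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x, G)

def sign_precompute():
    """Offline (S10-S12): r and R = rP, computed before any challenge exists."""
    r = secrets.randbelow(N - 1) + 1
    return r, mul(r, G)

def sign_online(x, pre, rA):
    """Online (S14-S16): one hash and one modular multiplication, no point arithmetic."""
    r, R = pre
    h = H(rA, R)
    return R, h, (r - h * x) % N  # assumed form of S so that R = SP + hQ verifies

def verify(Q, rA, sig):
    """Device A (S17): recompute h and check R = SP + H(rA,R)Q."""
    R, h, S = sig
    return h == H(rA, R) and R == add(mul(S, G), mul(h, Q))

def stream_xor(key_pt, data):
    """Stand-in for the common-key cipher E/D: SHA-256 counter keystream (assumption)."""
    key = hashlib.sha256(enc_point(key_pt)).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(d ^ p for d, p in zip(data[i:i + 32], pad))
    return bytes(out)

def enc_precompute(Q_A):
    """Offline (S20-S22): R1 = r1 P', Q1 = r1 Q' (P' is taken equal to G here)."""
    r1 = secrets.randbelow(N - 1) + 1
    return mul(r1, G), mul(r1, Q_A)

def enc_online(pre, rB):
    """Online (S23-S27): C = E(Q1, c0 || r2 || rB), symmetric work only."""
    R1, Q1 = pre
    return R1, stream_xor(Q1, C0 + secrets.token_bytes(16) + rB)

def decrypt(x_A, msg):
    """Device A (S28-S29): Q1 = x' R1; release rB' only if c0 decrypts correctly."""
    R1, C = msg
    plain = stream_xor(mul(x_A, R1), C)
    return plain[len(C0) + 16:] if hmac.compare_digest(plain[:len(C0)], C0) else None

def mutual_auth(keys_A, keys_B, sig_pool, enc_pool):
    """Online exchange. Each pool entry is popped and used once: signing two
    challenges with the same r would let an observer solve for x."""
    (xA, _QA), (xB, QB) = keys_A, keys_B
    rA = secrets.token_bytes(16)                    # A -> B (S13)
    sig = sign_online(xB, sig_pool.pop(), rA)       # B -> A (S16)
    rB = secrets.token_bytes(16)
    msg = enc_online(enc_pool.pop(), rB)            # B -> A (S27)
    if not verify(QB, rA, sig):
        return False, False                         # A rejects B and stops
    rB_prime = decrypt(xA, msg)                     # A -> B (S29)
    return True, rB_prime is not None and hmac.compare_digest(rB_prime, rB)
```

`mutual_auth` returns the pair (A accepts B, B accepts A); all point multiplications on device B happen in `sign_precompute` and `enc_precompute`, so its online path is a hash, a modular multiplication and a symmetric encryption.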
Next, the second embodiment is described: a method of mutual authentication between a low-resource device such as an IC card and a server or similar machine with relatively high computing power.
For example, FIG. 4 is a configuration diagram of an IC card 400 and its reader/writer 300. They have communication means 501 and 502 and can exchange data. The communication means may be contact or contactless.
The reader/writer 300 is used as mutual authentication device A100 of the first embodiment, and the IC card 400 as mutual authentication device B200.
While it is powered, the precomputed-data calculation unit of the IC card 400 may perform the precomputation needed for the expected number of subsequent mutual authentications and store the precomputed data, or the precomputed data may be computed in advance, for example at shipment, and saved in the storage area. In these cases, new precomputed data is used for each mutual authentication while consumption of the precomputed data is tracked.
Alternatively, as explained with FIG. 5, once each mutual authentication has completed normally, a trusted server may perform the precomputation for the next authentication on the card's behalf, and the card receives and saves the result.
FIG. 5 is a sequence diagram showing the procedure of the n-th mutual authentication.
The IC card 400 stores the precomputed data needed for the n-th mutual authentication. The reader/writer 300 and the IC card 400 perform mutual authentication by the method described in the first embodiment (S13, S16, S27, S29). Communications S16 and S27 may be performed in parallel. The order of S13, S16 and S27, S29 may also be swapped, so that communication takes place in the order S27, S29, S13, S16; in that case communications S29 and S13 may be performed in parallel. When the reader/writer 300 judges the IC card 400 to be correct and the IC card 400 judges the reader/writer 300 to be correct, the reader/writer 300 performs, on the card's behalf, the precomputation needed for the (n+1)-th authentication of the IC card 400 and transmits the precomputed data to the IC card 400 (S40).
The IC card 400 stores that precomputed data in the precomputed data storage area and uses it in the (n+1)-th mutual authentication.
The precomputation that the reader/writer 300 performs on the card's behalf may instead be carried out on a separate computer dedicated to precomputation.
If either party does not judge the other to be correct in mutual authentication, subsequent processing and services may be stopped, or a mutual authentication request may be made again. Even in the latter case, mutual authentication is attempted a prescribed number of times, and if none of the attempts results in a judgment of correct, subsequent processing and services are stopped.
Next, the third embodiment is described: a server that performs mutual authentication with a large number of users simultaneously.
The large number of users may be, for example, the individual sensors in a sensor network, or taps (smart taps) used in a smart grid that have a function of transmitting information such as each user's power consumption to a server.
FIG. 6 is a configuration diagram of a server that performs mutual authentication with a large number of users.
The server 600 can communicate with the large number of users 500 through a network 700.
The server 600 is used as mutual authentication device A100 of the first embodiment, and each user among the large number of users 500 as mutual authentication device B200. The server 600 can communicate, through a communication path 800, with a precomputation server 900 that performs precomputation, and the precomputation server may perform the precomputation in mutual authentication device A100.
The server 600 prepares precomputed data for the required number of authentications according to the number of users and the frequency.
When mutual authentication requests from the large number of users 500 actually arrive at almost the same time, mutual authentication is performed for each user by the method described in the first embodiment, using the precomputed data above.
 Next, a fourth embodiment is described: mutual authentication between a traveling vehicle and a device installed on the road for communicating with vehicles (hereinafter, a roadside device).
 FIG. 7 is a configuration diagram of the traveling vehicle 1020 and the roadside device 1010.
 The traveling vehicle 1020 and the roadside device 1010 can transmit and receive data by wireless communication 1030.
 The vehicle 1020 is applied as the mutual authentication device A100 of the first embodiment, and the roadside device 1010 is applied as the mutual authentication device B200.
 The roadside device 1010 includes a communication unit 1011 and a mutual authentication device A1012.
 The vehicle 1020 includes a communication unit 1021 and a mutual authentication device B1022.
 Before executing mutual authentication, the vehicle 1020 calculates the pre-calculation data described in the first embodiment and stores it in the storage unit of the mutual authentication device B1022.
 When the traveling vehicle 1020 comes within the range in which wireless communication 1031 and 1032 with the roadside device 1010 is possible, communication is started and mutual authentication is performed according to the procedure described in the first embodiment.
 If, as a result of mutual authentication, either the vehicle 1020 or the roadside device 1010 does not judge the other to be correct, it notifies the other of an authentication error and does not execute processing based on any communication content that occurs thereafter. When the vehicle 1020 comes within the range in which wireless communication with another roadside device is possible, mutual authentication is performed again.
 While the above description has been made with reference to embodiments, the invention is not limited thereto, and it will be apparent to those skilled in the art that various changes and modifications can be made within the spirit of the invention and the scope of the appended claims.
 100 point generation device
 111 storage unit
 112 rational function storage area
 113 base storage area
 114 parameter storage area
 120 processing unit
 121 rational function calculation unit
 122 finite field arithmetic calculation unit
 131 input unit
 132 output unit
 133 communication unit

Claims (13)

  1.  A mutual authentication method in a system comprising two types of devices, a device A and a device B, capable of transmitting and receiving data by communication, in which the device A and the device B each confirm the validity of the other device, the method comprising,
    in a step in which the device A confirms the validity of the device B,
    by the device A:
    generating a random number rA at the time of authentication; and
    transmitting the generated random number rA to the device B;
    by the device B:
    after receiving the random number rA, generating a signature for the random number rA using stored pre-calculation data for signature generation; and
    transmitting the generated signature to the device A; and
    by the device A:
    verifying the received signature using the signature verification key of the device B; and
    determining that the device B is valid if the signature is determined to be correct, and determining that the device B is invalid if the signature is determined not to be correct.
  2.  The mutual authentication method according to claim 1, further comprising,
    in a step in which the device B performing mutual authentication confirms the validity of the device A,
    by the device B:
    generating a random number rB at the time of authentication;
    performing public key encryption of the random number rB using stored pre-calculation data for encryption; and
    transmitting the ciphertext that is the result of the encryption to the device A;
    by the device A:
    decrypting the received ciphertext using the private key of the device A; and
    transmitting the decryption result to the device B; and
    by the device B:
    collating the stored random number rB with the decryption result received from the device A; and
    determining that the device A is valid if the random number rB and the decryption result match, and determining that the device A is invalid if they do not match.
  3.  The mutual authentication method according to claim 1, wherein,
    when the device A and the device B have each determined that the other device is valid, the device A calculates the pre-calculation data for encryption or the pre-calculation data for signature generation and transmits it to the device B.
  4.  The mutual authentication method according to claim 1, comprising,
    as a step of calculating the pre-calculation data for signature generation by the device A or the device B:
    generating a random number r;
    calculating a scalar multiplication R = rP of a point on an elliptic curve; and
    storing the random number r and the scalar multiplication result R.
  5.  The mutual authentication method according to claim 2, comprising,
    as a step of calculating the pre-calculation data for encryption by the device A or the device B:
    generating a random number r1;
    calculating a scalar multiplication R1 = r1P′ of a point on an elliptic curve;
    calculating a scalar multiplication Q1 = r1Q′ of a point on the elliptic curve; and
    storing R1 and Q1.
  6.  The mutual authentication method according to claim 4, wherein
    the device A and the device B store a fixed rational point P on the elliptic curve and Q = xP, which is the signature verification key of the device B;
    the device B stores a signature generation key x;
    the step of generating, by the device B, a signature for the random number rA comprises
    calculating a hash value H(rA, R) based on the received random number rA and the scalar multiplication result R, calculating S = r + H(rA, R), and taking [R, H(rA, R), S] as the signature for the random number rA; and
    the step of verifying, by the device A, the received signature comprises
    verifying the received signature [R, H(rA, R), S] by checking, using the signature verification key Q of the device B, whether R = SP + H(rA, r)Q holds.
  7.  The mutual authentication method according to claim 5, wherein
    the device A and the device B performing mutual authentication hold a fixed rational point P′ on the elliptic curve and the public key Q′ = x′P′ of the device A;
    the device A stores a decryption key x′;
    the step of confirming, by the device B, the validity of the device A comprises:
    generating a random number r2 and a random number rB;
    calculating C = E(Q1, c0||r2||rB) using a constant c0 stored in common by the device A and the device B and a common-key cipher E that takes Q1 as the key and c0||r2||rB as the data to be encrypted; and
    transmitting [R1, C] to A; and
    by the device A,
    for the received [R1, C], using the decryption key x′ of the device A:
    calculating Q1 = x′R1;
    calculating c0||r2||rB′ = D(Q1, C) using a decryption function D corresponding to the common-key cipher E, with Q1 as the key and C as the data to be decrypted;
    collating the stored constant c0 with the c0 of the decryption result; and
    if the constant c0 and the c0 of the decryption result match, taking rB′ as the decryption result.
  8.  The mutual authentication method according to claim 1, wherein
    the system further comprises a device B′ capable of communicating with the device B, and
    the method comprises, by the device B′:
    calculating the pre-calculation data for signature generation according to claim 4, or calculating the pre-calculation data for encryption according to claim 5; and
    transmitting the calculated pre-calculation data for signature generation or the calculated pre-calculation data for encryption to the device B.
  9.  The mutual authentication method according to claim 2, wherein
    the system comprises a plurality of the devices A, and
    the method comprises a step of, when the device A is determined to be invalid in mutual authentication between one device A and the device B, executing the steps according to claims 1 and 2 between the device B and another device A.
  10.  A mutual authentication system comprising two types of devices, a device A and a device B, capable of transmitting and receiving data by communication, in which the device A and the device B each confirm the validity of the other device, wherein
    the device A comprises:
    means for generating a random number rA;
    means for transmitting the generated random number rA to the device B;
    means for verifying a signature generated by the device B using the signature verification key of the device B; and
    means for determining that the device B is valid if the signature is determined to be correct, and determining that the device B is invalid if the signature is determined not to be correct; and
    the device B comprises:
    means for generating a signature for the random number rA received from the device A using stored pre-calculation data for signature generation; and
    means for transmitting the generated signature to the device A.
  11.  The mutual authentication system according to claim 10, wherein
    the device B comprises:
    means for generating a random number rB;
    means for performing public key encryption of the random number rB using stored pre-calculation data for encryption;
    means for transmitting the ciphertext that is the result of the encryption to the device A;
    means for collating the random number rB with a decryption result received from the device A; and
    means for determining that the device A is valid if the random number rB and the decryption result match, and determining that the device A is invalid if they do not match; and
    the device A comprises:
    means for decrypting the received ciphertext using the private key of the device A to obtain the decryption result; and
    means for transmitting the decryption result to the device B.
  12.  A program for causing two computers, a computer A and a computer B, capable of transmitting and receiving data by communication, to implement a mutual authentication system in which each confirms the validity of the other computer, the program,
    as a step in which the computer A confirms the validity of the computer B,
    causing the computer A to execute:
    generating a random number rA;
    transmitting the generated random number rA to the computer B;
    verifying a signature generated by the computer B using the signature verification key of the computer B; and
    determining that the computer B is valid if the signature is determined to be correct, and determining that the computer B is invalid if the signature is determined not to be correct; and
    causing the computer B to execute:
    generating a signature for the random number rA received from the computer A using stored pre-calculation data for signature generation; and
    transmitting the generated signature to the computer A.
  13.  The program according to claim 12, the program,
    as a step in which the computer B confirms the validity of the computer A,
    causing the computer B to execute:
    generating a random number rB;
    performing public key encryption of the random number rB using stored pre-calculation data for encryption;
    transmitting the ciphertext that is the result of the encryption to the computer A;
    collating the random number rB with a decryption result received from the computer A; and
    determining that the computer A is valid if the random number rB and the decryption result match, and determining that the computer A is invalid if they do not match; and
    causing the computer A to execute:
    decrypting the received ciphertext using the private key of the computer A to obtain the decryption result; and
    transmitting the decryption result to the computer B.
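
The signature direction of claims 4 and 6 (device B answers device A's challenge rA from a stored pair (r, R = rP)), written out as an added Python example that is not part of the patent text. The curve (secp256k1), SHA-256 as H, the names `DeviceB`, `precompute`, `sign`, `verify` and `on_curve`, and the response S = r − H·x mod n are assumptions of this example; that response is the one for which the check R = SP + H·Q holds.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; the patent text names none).
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(A):
    """True for an affine point with reduced coordinates on y^2 = x^3 + 7."""
    if A is None:
        return False
    x, y = A
    return 0 <= x < p and 0 <= y < p and (y * y - x ** 3 - 7) % p == 0

def add(A, B):
    """Group law over F_p; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Scalar multiplication kA by double-and-add (not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def H(rA, R):
    """Hash of challenge and stored point, reduced to a scalar (SHA-256 assumed)."""
    data = rA + R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

class DeviceB:
    def __init__(self):
        self.x = secrets.randbelow(n - 1) + 1   # signature generation key x
        self.Q = mul(self.x, P)                 # signature verification key Q = xP
        self.pool = []                          # stored pre-calculation data

    def precompute(self, count):
        """Claim 4, offline: generate r, compute R = rP, store (r, R)."""
        for _ in range(count):
            r = secrets.randbelow(n - 1) + 1
            self.pool.append((r, mul(r, P)))

    def sign(self, rA):
        """Claim 6, online: one hash and one modular multiplication, no rP."""
        if not self.pool:
            raise RuntimeError("pre-calculation data exhausted; refill before signing")
        r, R = self.pool.pop()                  # each pair is used exactly once
        h = H(rA, R)
        S = (r - h * self.x) % n                # assumed response so that R = SP + hQ
        return (R, h, S)

def verify(Q, rA, sig):
    """Device A: accept only if h = H(rA, R) and R = SP + hQ."""
    R, h, S = sig
    if not on_curve(R) or not 0 <= S < n or h != H(rA, R):
        return False
    return add(mul(S, P), mul(h, Q)) == R
```

Every stored pair is removed from the pool when it is used, because one pair answering two different challenges would expose x; a device that runs out has to refill the pool or fall back to computing rP online.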
PCT/JP2011/053093 2010-05-31 2011-02-15 Efficient mutual authentication method, program, and device WO2011152084A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2010-123722 2010-05-31
JP2010123722A JP5393594B2 (en) 2010-05-31 2010-05-31 Efficient mutual authentication method, program, and apparatus

Publications (1)

Publication Number Publication Date
WO2011152084A1 true WO2011152084A1 (en) 2011-12-08

Family

ID=45066473

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2011/053093 WO2011152084A1 (en) 2010-05-31 2011-02-15 Efficient mutual authentication method, program, and device

Country Status (2)

Country Link
JP (1) JP5393594B2 (en)
WO (1) WO2011152084A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015226267A (en) * 2014-05-29 2015-12-14 西日本電信電話株式会社 Access point certification system, communication device, access point, access point certification method, and computer program

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6386967B2 (en) * 2015-04-30 2018-09-05 日本電信電話株式会社 Authentication method and system
CN108605264B (en) * 2015-12-23 2022-10-18 康博泰公司 Method and apparatus for network management

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001255816A (en) * 2000-01-06 2001-09-21 Nippon Telegr & Teleph Corp <Ntt> Device and method for creating electronic signature, and recording medium with this method recorded thereon
JP2006025298A (en) * 2004-07-09 2006-01-26 Oki Electric Ind Co Ltd Mutual authentication method, mutual authentication apparatus, and mutual authentication system
JP2007041461A (en) * 2005-08-05 2007-02-15 Hitachi Ltd Scalar multiplication computing method and device in elliptic curve cryptography

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002245008A (en) * 2001-02-21 2002-08-30 Nippon Telegr & Teleph Corp <Ntt> Method and device for verifying right by using certificate, program, and recording medium
JP4087719B2 (en) * 2003-01-22 2008-05-21 日本電信電話株式会社 Signature encryption method, apparatus and program thereof
JP2004253950A (en) * 2003-02-19 2004-09-09 Toyo Commun Equip Co Ltd Electronic signature high-speed forming method and apparatus by pre-calculation
JP4758110B2 (en) * 2005-02-18 2011-08-24 株式会社エヌ・ティ・ティ・ドコモ Communication system, encryption apparatus, key generation apparatus, key generation method, restoration apparatus, communication method, encryption method, encryption restoration method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHENG, Z.: "Simple Tutorial on Elliptic Curve Cryptography", December 2004 (2004-12-01), Retrieved from the Internet <URL:http://www.eis.mdx.ac.uk/staffpages/m_cheng/link/eccsimple.pdf> [retrieved on 20110311] *
SCHNORR, C.P.: "Efficient Identification and Signatures for Smart Cards", ADVANCES IN CRYPTOLOGY - CRYPTO'89 PROCEEDINGS, LNCS, vol. 435, 1990, pages 239 - 252 *

Also Published As

Publication number Publication date
JP5393594B2 (en) 2014-01-22
JP2011250335A (en) 2011-12-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11789496

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11789496

Country of ref document: EP

Kind code of ref document: A1