WO2020039527A1 - Appareil de traitement de signature, procédé de traitement de signature, système de traitement de signature, et support d'enregistrement lisible par ordinateur - Google Patents

Appareil de traitement de signature, procédé de traitement de signature, système de traitement de signature, et support d'enregistrement lisible par ordinateur Download PDF

Info

Publication number
WO2020039527A1
WO2020039527A1 PCT/JP2018/031055 JP2018031055W WO2020039527A1 WO 2020039527 A1 WO2020039527 A1 WO 2020039527A1 JP 2018031055 W JP2018031055 W JP 2018031055W WO 2020039527 A1 WO2020039527 A1 WO 2020039527A1
Authority
WO
WIPO (PCT)
Prior art keywords
secret key
key information
information
signature
master
Prior art date
Application number
PCT/JP2018/031055
Other languages
English (en)
Japanese (ja)
Inventor
寿幸 一色
春菜 福田
寛人 田宮
Original Assignee
日本電気株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電気株式会社 filed Critical 日本電気株式会社
Priority to PCT/JP2018/031055 priority Critical patent/WO2020039527A1/fr
Priority to JP2020537944A priority patent/JP7070689B2/ja
Publication of WO2020039527A1 publication Critical patent/WO2020039527A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/10Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols with particular housing, physical features or manual controls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to a signature processing apparatus, a signature processing method, and a signature processing system that perform a signature process, and further relates to a computer-readable recording medium that records a program for realizing these.
  • the white-box mounting method is a method for dealing with an attack from an attacker, assuming that the attacker has full access to the entire signature processing system.
  • the white-box mounting method is a method for protecting a secret key mounted on a device even when an endpoint (such as an execution environment) is placed in a hostile environment.
  • Patent Documents 1 and 2 disclose devices for generating a secret key by an ID-based signature method.
  • a secret key is created before an application having a digital signature function is installed in the device, and the created secret key is set (stored) in the device.
  • a manufacturer that manufactures the device creates a secret key and sets the created secret key in the manufactured device.
  • Patent Documents 1 and 2 It is difficult for the devices disclosed in Patent Documents 1 and 2 to dynamically generate a secret key. Therefore, even if the devices disclosed in Patent Literatures 1 and 2 are used, it is not possible to protect a dynamically generated secret key as in the white box mounting method.
  • An object of the present invention is to provide a signature processing device, a signature processing method, a signature processing system, and a computer-readable recording medium that can protect a secret key even when dynamically generating secret key information. .
  • a signature processing device includes: A secret key information generation unit that generates secret key information corresponding to the application identification information based on master secret key information set in advance and application identification information for identifying an application; A signature information generation unit that generates signature information corresponding to the message information based on the secret key information and the message information to be signed; In the process of generating the secret key information or the signature information, the master secret key information, or, the secret key information, or, having a secret area to temporarily store both, a secret part, It is characterized by having.
  • a signature processing method includes: (A) generating secret key information corresponding to the application identification information based on preset master secret key information and application identification information for identifying an application; (B) generating signature information corresponding to the message information based on the secret key information and the message information to be signed; (C) in the process of generating the secret key information or the signature information, temporarily storing the master secret key information, the secret key information, or both in a secret area; It is characterized by having.
  • a signature processing system includes: A setting device that sets the master secret key information generated based on the security information in the signature processing device in a secret state, Based on master secret key information set in advance and application identification information for identifying an application, secret key information corresponding to the application identification information is generated, and based on the secret key information and message information to be signed. Generating signature information corresponding to the message information, and temporarily storing the master secret key information, or the secret key information, or both in a secret area in the process of generating the secret key information or the signature information.
  • a terminal device A verification device that verifies the signature information based on the message information.
  • a computer-readable recording medium in which a program according to one aspect of the present invention is recorded, On the computer, (A) generating secret key information corresponding to the application identification information based on preset master secret key information and application identification information for identifying an application; (B) generating signature information corresponding to the message information based on the secret key information and the message information to be signed; (C) in the process of generating the secret key information or the signature information, temporarily storing the master secret key information, the secret key information, or both in a secret area; Is executed.
  • the secret key can be protected even when the secret key is dynamically generated.
  • FIG. 1 is a diagram illustrating an example of a signature processing device.
  • FIG. 2 is a diagram illustrating an example of the signature processing system (registration).
  • FIG. 3 is a diagram illustrating an example of the signature processing system (authentication).
  • FIG. 4 is a diagram illustrating an example of the signature processing system (Modification 1).
  • FIG. 5 is a diagram illustrating an example of the signature processing system (Modification 2).
  • FIG. 6 is a diagram illustrating an example of the operation of the signature processing system (registration).
  • FIG. 7 is a diagram illustrating an example of the operation of the signature processing system (authentication).
  • FIG. 8 is a diagram illustrating an example of a computer that implements the signature processing device.
  • FIG. 1 is a diagram illustrating an example of a signature processing device.
  • the signature processing device 1 is a device capable of protecting a secret key even when a secret key is dynamically generated.
  • the signature processing device 1 includes a secret key information generation unit 2, a signature information generation unit 3, and a secret unit 4.
  • the secret key information generation unit 2 uses the secret key information corresponding to the application ID based on the preset master secret key information (master secret key msk) and the application identification information (application ID) for identifying the application. (Secret key sk) is generated.
  • the signature information generation unit 3 generates signature information ( ⁇ ID , M) corresponding to the message M based on the secret key sk and the message information (message M) to be signed.
  • the concealing unit 4 has a confidential area for temporarily storing the master secret key msk, the secret key sk, or both in the process of generating the secret key sk or the signature information ( ⁇ ID , M).
  • the secret area of the secret part 4 is a secure memory area that is difficult to access from the outside.
  • the hardware of the signature processing device 1 is a circuit configured using a CPU (Central Processing Unit)
  • a cache memory of the CPU may be used.
  • the signature processing apparatus 1 is realized in a state in which data cannot be externally accessed, such as dedicated hardware or TEE (Trusted Execution Environment).
  • the application ID is information for identifying an application corresponding to a service provided by a service provider.
  • the message M is information such as plain text and image data transmitted from the service provider.
  • the secret key sk can be protected as in the white box implementation method. That is, even when the secret key sk is dynamically generated based on the master secret key msk previously stored in the signature processing device 1 and the application ID for identifying the application, the secret key sk is generated by using the secret part 4. Since it is generated, it is possible to prevent the secret key sk from being leaked to the outside.
  • a white-box mounting method it is conceivable that a plurality of secret keys sk for an assumed application are stored in the signature processing device 1 in advance. In this case, the manufacturer knows the secret keys sk. Therefore, it cannot be said that the private key sk is completely protected. Further, since a plurality of secret keys sk are stored in the signature processing device 1 as a white-box mounting method, the storage capacity of the signature processing device 1 is increased.
  • the signature processing device 1 dynamically generates the secret key sk while keeping it secret for each application, it is possible to prevent the manufacturer from knowing the secret key sk. Further, since the plurality of secret keys sk are not stored in advance in the signature processing device 1, the storage capacity of the signature processing device 1 can be reduced.
  • the secret key sk stored in advance in the signature processing device 1 is changed, for example, when it is required to update the secret key sk to ensure security, the secret key It is difficult to protect sk.
  • the signature processing device 1 can dynamically generate the secret key sk while keeping it secret, even if the secret key sk is changed, it is necessary to protect the secret key sk from leaking outside. Can be.
  • FIG. 2 is a diagram illustrating an example of the signature processing system (registration).
  • FIG. 3 is a diagram illustrating an example of the signature processing system (authentication).
  • the signature processing system 20 includes a setting device 21, a terminal device 22, and a verification device 23.
  • the terminal device 22 has the signature processing device 1.
  • the signature processing device 1 in FIG. 2 includes a public key information generation unit 24 in addition to the secret key information generation unit 2, the signature information generation unit 3, and the concealment unit 4.
  • the setting device 21 sets the master secret key information generated based on the security information (security parameter k) in the signature processing device 1 of the terminal device 22 in a secret state.
  • the setting device 21 is provided by a manufacturer that manufactures the terminal device 22.
  • the setting device 21 first obtains the security parameter k prepared by the manufacturer, and based on the security parameter k, the master public key information (master public key mpk) and the master secret key corresponding to the security parameter k. msk.
  • the security parameter k is a parameter that determines the strength of security required by the user, and is, for example, the number of bits of the secret key sk or the length of the message M.
  • the setting device 21 stores the generated master public key mpk and master secret key msk in the signature processing device 1 of the terminal device 22.
  • the setting device 21 generates, for example, a public key generation program in which a master secret key msk is embedded and a secret key generation program, installs the public key generation program in the public key information generation unit 24, and converts the secret key generation program into a secret key. It is installed in the information generation unit 2.
  • the master secret key msk is stored in the white-box mounting method. Also, since the master secret key msk is embedded in the public key generation program and the secret key generation program, the master secret key msk can be further protected.
  • the terminal device 22 is a device that performs registration for using a service and authentication performed when using the service.
  • the terminal device 22 is, for example, a personal computer, a notebook computer, a smartphone, a tablet, or the like.
  • the public key information generation unit 24 of the signature processing device 1 provided in the terminal device 22 generates an application ID based on a preset master secret key msk, an application ID corresponding to a service, and a master public key mpk. Generate the corresponding public key pk.
  • the concealing unit 4 of the signature processing device 1 provided in the terminal device 22 transmits the master secret key msk and / or the public key pk or both generated in the process of generating the public key pk to the secret area. To be stored temporarily. Furthermore, the concealment unit 4 may temporarily store the calculation result related to the master secret key msk, which is generated in the process of generating the public key pk, in the confidential area.
  • the terminal device 22 transmits the public key pk to the verification device 23 provided in the service providing server or the like.
  • the verification device 23 stores the public key pk.
  • the secret key information generation unit 2 of the signature processing device 1 provided in the terminal device 22 first generates a secret key sk corresponding to the application ID based on the master secret key msk and the application ID. Subsequently, the signature information generation unit 3 of the signature processing device 1 provided in the terminal device 22 uses the signature information ( ⁇ ID) corresponding to the message M based on the secret key sk and the message M to be signed for authentication. , M). Subsequently, the terminal device 22 transmits the generated public key pk and the signature information ( ⁇ ID , M) to the verification device 23.
  • the secret key information generation unit 2 and the signature information generation unit 3 store the master secret key msk or the master secret key msk in the secret area of the secret unit 4.
  • the secret key sk or both are temporarily stored.
  • the concealing unit 4 generates an operation result related to the master secret key msk or an operation result related to the secret key sk, which is generated in the process of generating the secret key sk or the signature information ( ⁇ ID , M), or , The calculation results relating to both of them are temporarily stored in the generation process.
  • the concealment unit 4 determines that the master secret key msk, the secret key sk, and the calculation result are not used in the subsequent generation.
  • the master secret key msk, the secret key sk, and the calculation result temporarily stored within a predetermined time are deleted from the secret area.
  • the verification device 23 verifies the signature information ( ⁇ ID , M) based on the message M. Specifically, the verification device 23 verifies the signature information ( ⁇ ID , M) generated based on the message M using the public key pk registered when using the service. When the verification device 23 receives the signature information ( ⁇ ID , M) in the verification (when the signature information ( ⁇ ID , M) is correct), the verification device 23 transmits the acceptance to the terminal device 22 and, Transmits to the terminal device 22 that the request is not accepted.
  • the verification device 23 is provided in a server or the like provided in a service provider.
  • FIG. 4 is a diagram illustrating an example of the cryptographic signature processing system (Modification 1).
  • the setting device 21 first obtains the security parameter k. Subsequently, the setting device 21 generates a parameter Param using the security parameter k.
  • the parameter Param is obtained by executing, for example, Setup (1 ⁇ k). Specifically, the parameter Param is generated using an elliptic curve, a group G having a k-bit prime order p on the elliptic curve, a generator g of the group G, and the like.
  • 1 ⁇ k is data in which 1 are arranged in k bits. It should be noted that another notation indicating that the security parameter is k may be used.
  • the setting device 21 generates the master secret key msk using the hash function H.
  • the master secret key msk is obtained by executing KeyGen_msk (param, 1 @ k).
  • the master secret key msk is, for example, a value randomly selected from [1, p ⁇ 1].
  • p is a prime number determined by param.
  • the setting device 21 generates a master public key mpk.
  • H is a cryptographically secure hash function that receives an arbitrary binary sequence ⁇ 0, 1 ⁇ * and outputs a value of [1, p ⁇ 1].
  • the public key information generation unit 24 generates a public key pk using the parameter Param, data 1 @ k, and secret key sk.
  • [x] g means a constant x times the point g on the elliptic curve.
  • the public key information generation unit 24 conceals the operation result generated in the process of generating the master secret key msk, the secret key sk, the public key pk, the secret key sk, and the public key pk using the concealment unit 4. While generating a secret key sk and a public key pk.
  • the terminal device 22 transmits the public key pk generated by the public key information generation unit 24 to the verification device 23.
  • the signature information generation unit 3 generates signature information ( ⁇ ID , M) using the secret key sk and the message M.
  • the signature information ( ⁇ ID , M) is obtained, for example, by executing SigGen (pk, sk, M). Subsequently, the signature information generation unit 3 transmits the signature information ( ⁇ ID , M) to the verification device 23.
  • SigGen (pk, sk, M) is a signature generation for EC-DSA and EC-Schnorr signatures.
  • a digital signature scheme using an elliptic curve is taken as an example, but another signature scheme may be used.
  • the signature information generation unit 3 may generate signature information ( ⁇ ID , M) using the secret key sk, the message M, and the public key pk.
  • the secret key information generation unit 2 or the signature information generation unit 3 separately from the public key information generation unit 24, the secret key information generation unit 2 or the signature information generation unit 3 generates the public key pk using the parameter Param, the data 1 @ k, and the secret key sk.
  • the verification device 23 performs verification using the registered public key pk and the received signature information ( ⁇ ID , M). For verification, for example, Verify (pk, ( ⁇ ID , M)) is executed to verify whether the data is accepted or rejected. After the verification, the verification device 23 transmits the acceptance to the terminal device 22 if accepted, and transmits the acceptance to the terminal device 22 if not accepted.
  • Verify (pk, ( ⁇ ID , M)) is signature verification of EC-DSA and EC-Schnorr signatures.
  • a digital signature scheme using an elliptic curve is taken as an example, but another signature scheme may be used.
  • FIG. 5 is a diagram illustrating an example of the cryptographic processing signature processing system (Modification 2).
  • the ID-based signature scheme includes four algorithms: ID-Setup, ID-KeyGen, ID-SigGen, and ID-Verify.
  • the ID-Setup receives the security parameter k as input and generates a master secret key msk and a master public key mpk.
  • the ID-KeyGen receives the master secret key msk and the ID and generates a secret key sk ID corresponding to the ID .
  • the ID-SigGen receives the secret key sk ID corresponding to the ID and the signature target message M, and generates signature information ( ⁇ ID , M).
  • the ID-Verify receives the master public key mpk and the signature information ( ⁇ ID , M) as inputs and generates acceptance or rejection. Note that many ID-based signature schemes are known, such as the schemes described in Patent Literature 1 and Patent Literature 2.
  • the setting device 21 first obtains the security parameter k. Subsequently, the setting device 21 executes ID-Setup (1 @ k) using the security parameter k to generate a master secret key msk and a master public key mpk.
  • q is a prime number.
  • the master public key mpk (G1, G2, e, P, Ppub, H1, H2) is generated using the property of the bilinear mapping e.
  • the bilinear mapping e performs mapping from G1 ⁇ G1 to G2 with respect to groups G1 and G2 on two elliptic curves having the prime order q.
  • Generator P is a value belonging to group G1.
  • Ppub is calculated by [s] P.
  • H1 is a hash function that maps an arbitrary binary sequence ⁇ 0, 1 ⁇ * to a group G1 on an elliptic curve.
  • H2 is a hash function that maps ⁇ 0,1 ⁇ * ⁇ G1 to [1, q ⁇ 1].
  • the setting device 21 installs a secret key generation program in which the master secret key msk and the master public key mpk are embedded in the secret key information generation unit 2.
  • the setting device 21 may store the master public key mpk in any memory of the terminal device 22 separately from the secret key generation program.
  • the public key information generation unit 24 may not be provided in the signature processing device 1 of the terminal device 22.
  • the reason is that the master public key mpk is used as the public key pk. By doing so, when generating the public key pk, there is no risk that the master secret key msk, the secret key sk, and the operation results related thereto are leaked.
  • the terminal device 22 transmits the master public key mpk to the verification device 23.
  • the secret key information generation unit 2 executes ID-KeyGen (msk, ID) using the master secret key msk and the application ID to generate a secret key sk ID .
  • the signature information generation unit 3 executes ID-SigGen (sk ID , M) using the secret key sk ID and the message M to generate signature information ( ⁇ ID , M).
  • U is calculated by [r] Q ID .
  • r is a value randomly selected from [1, q-1].
  • V is calculated by [r + h] sk ID .
  • h is calculated by H2 (M, U).
  • the signature information generation unit 3 transmits the signature information ( ⁇ ID , M) to the verification device 23.
  • the signature information generation unit 3 may generate signature information ( ⁇ ID , M) using the secret key sk ID , the message M, and the master public key mpk.
  • ID-Verify mpk, ID, ( ⁇ ID , M)
  • FIG. 6 is a diagram illustrating an example of the operation of the signature processing system (registration).
  • FIG. 7 is a diagram illustrating an example of the operation of the signature processing system (authentication).
  • FIGS. 2 to 5 are appropriately referred to.
  • the signature processing method is performed by operating the signature processing device 1. Therefore, the description of the signature processing method according to the present embodiment is replaced with the following description of the operation of the signature processing device 1.
  • the setting device 21 first obtains the security parameter k, and generates a master secret key msk based on the security parameter k (step A1). Subsequently, the setting device 21 sets the generated master secret key msk in the terminal device 22 (step A2).
  • the setting device 21 first acquires the security parameter k prepared by the manufacturer, and generates a master public key mpk and a master secret key msk corresponding to the security parameter k based on the security parameter k.
  • the setting device 21 stores the generated master public key mpk and master secret key msk in the signature processing device 1 of the terminal device 22.
  • the setting device 21 generates a public key generation program and a secret key generation program in which the master secret key msk is embedded, installs the public key generation program in the public key information generation unit 24, and stores the secret key generation program in the secret key generation program. It is installed in the information generation unit 2.
  • the public key information generation unit 24 of the terminal device 22 determines the public key pk corresponding to the application ID based on the preset master secret key msk, the application ID corresponding to the service, and the master public key mpk. Is generated (step A3).
  • the concealment unit 4 of the terminal device 22 temporarily stores the master secret key msk and / or the public key pk generated in the process of generating the public key pk in the confidential area. Furthermore, the concealment unit 4 may temporarily store the calculation result related to the master secret key msk, which is generated in the process of generating the public key pk, in the confidential area.
  • the terminal device 22 transmits the public key pk to the verification device 23 provided in the service provider server or the like (Step A4).
  • the verification device 23 of the service provider server stores the public key pk (Step A5).
  • the verification device 23 stores the user information and the public key pk in association with each other.
  • the verification device 23 generates a user ID for identifying the user, and transmits the user ID to the terminal device 22.
  • FIDO Fast @ Identity @ Online
  • step A2 the setting device 21 installs the public key generation program in which the master public key is embedded in the public key information generation unit 24, and installs the secret key generation program in which the master secret key msk is embedded in the secret key information generation unit 2. I do.
  • step A4 the terminal device 22 transmits the public key pk generated by the public key information generation unit 24 to the verification device 23.
  • step A1 the setting device 21 executes ID-Setup (1 @ k) using the security parameter k to generate a master secret key msk and a master public key mpk.
  • step A2 the setting device 21 installs a secret key generation program in which the master secret key msk is embedded in the secret key information generation unit 2.
  • step A3 the process of step A3 may not be performed.
  • the reason is that the master public key mpk is used as the public key pk. By doing so, when the public key pk is generated, the risk of leaking the master secret key msk, the secret key sk, and the calculation results related thereto is reduced.
  • step A4 the terminal device 22 transmits the master public key mpk to the verification device 23.
  • the secret key information generation unit 2 generates a secret key sk ID corresponding to the application ID based on the master secret key msk and the application ID (Step B1).
  • the signature information generation unit 3 generates signature information ( ⁇ ID , M) corresponding to the message M based on the secret key sk ID and the message M to be signed for authentication (step B2). Specifically, the user ID is transmitted from the terminal device 22 to the service provider server, and a message M (for example, a random value (challenge) or the like) corresponding to the service is received from the service provider server. After that, the signature information generation unit 3 generates signature information ( ⁇ ID , M).
  • a message M for example, a random value (challenge) or the like
  • the terminal device 22 transmits the generated public key pk and the signature information ( ⁇ ID , M) to the verification device 23 (Step B3).
  • the secret key information generation unit 2 and the signature information generation unit 3 store the master secret key in the secret area of the secret unit 4, which is generated in the process of generating the secret key sk ID or the signature information ( ⁇ ID , M).
  • the msk and / or the secret key sk ID are temporarily stored in the generation process.
  • the concealing unit 4 calculates the operation result related to the master secret key msk or the operation result related to the secret key sk ID generated in the process of generating the secret key sk ID or the signature information ( ⁇ ID , M). Or the operation results related to both of them are temporarily stored in the generation process.
  • the concealment unit 4 determines that the master secret key msk, the secret key sk ID , and the calculation result are not used in the subsequent generation. Then, the master secret key msk, the secret key sk ID , and the calculation result temporarily stored within a predetermined time are deleted from the secret area.
  • the verification device 23 verifies the signature information ( ⁇ ID , M) generated based on the message M using the public key pk registered when using the service (step B4). In addition, when the verification device 23 receives the data after the verification, the verification device 23 transmits the reception to the terminal device 22.
  • step B2 the signature information generation unit 3 executes SigGen (pk, sk, M) using the secret key sk and the message M to generate signature information ( ⁇ ID , M).
  • Step B3 the signature information generation unit 3 transmits the signature information ( ⁇ ID , M) to the verification device 23.
  • the signature information generation unit 3 may generate signature information ( ⁇ ID , M) using the secret key sk, the message M, and the public key pk.
  • the public key pk is generated by the secret key information generation unit 2 or the signature information generation unit 3 separately from the public key information generation unit 24 by using the parameter Param, data 1 @ k, and the secret key sk.
  • step B4 the verification device 23 executes Verify (pk, ( ⁇ ID , M)) using the registered public key pk and the received signature information ( ⁇ ID , M), Verify that it was not accepted.
  • step B5 after the verification, the verification device 23 transmits the acceptance to the terminal device 22 when accepted, and transmits the acceptance to the terminal device 22 when not accepted.
  • step B1 the secret key information generation unit 2 executes ID-KeyGen (msk, ID) using the master secret key msk and the application ID to generate a secret key sk.
  • step B2 the signature information generation unit 3 executes ID-SigGen (sk ID , M) using the secret key sk and the message M to generate signature information ( ⁇ ID , M).
  • the signature information generation unit 3 may generate the signature information ( ⁇ ID , M) using the secret key sk ID , the message M, and the master public key mpk.
  • Step B3 the signature information generation unit 3 transmits the signature information ( ⁇ ID , M) to the verification device 23.
  • Step B4 the verification device 23 executes ID-Verify (mpk, ID, ( ⁇ ID , M)) using the registered public key pk and the received signature information ( ⁇ ID , M). And verify whether it is accepted or rejected.
  • step B5 after the verification, the verification device 23 transmits the acceptance to the terminal device 22 when accepted, and transmits the acceptance to the terminal device 22 when not accepted.
  • the secret key can be protected as in the white-box mounting method. That is, even when the secret key is dynamically generated based on the master secret key msk previously stored in the signature processing device 1 and the application ID for identifying the application, the secret key is generated by using the concealing unit 4. Therefore, it is possible to prevent the secret key from being leaked to the outside.
  • the secret information 4 is used to generate the signature information ( ⁇ ID , M). ), So that the private key cannot be leaked to the outside.
  • the master secret key msk and / or the public key pk or both generated in the process of generating the public key pk are temporarily stored in the secret area, the information can be prevented from leaking to the outside. . Furthermore, since the calculation result generated in the process of generating the public key pk and related to the master secret key msk is temporarily stored in the secret area, such information can be prevented from leaking to the outside.
  • the signature processing device 1 dynamically generates a secret key for each application while keeping it secret, it is possible to prevent the manufacturer from knowing the secret key. Further, since the plurality of private keys are not stored in the signature processing device 1 in advance, the storage capacity of the signature processing device 1 can be reduced.
  • the signature processing device 1 can dynamically generate the secret key while keeping it secret, even if the secret key is changed, it is possible to protect the secret key from leaking outside. it can.
  • the program according to the embodiment of the present invention may be any program that causes a computer to execute steps A1 to A5 shown in FIG. 6 and steps B1 to B5 shown in FIG. By installing and executing this program on a computer, the signature processing device and the signature processing method according to the present embodiment can be realized.
  • the processor of the computer functions as the secret key information generation unit 2, the signature information generation unit 3, the concealment unit 4, and the public key information generation unit 24, and performs processing.
  • the program according to the present embodiment may be executed by a computer system configured by a plurality of computers.
  • each computer may function as any one of the secret key information generation unit 2, the signature information generation unit 3, the concealment unit 4, and the public key information generation unit 24.
  • FIG. 8 is a diagram illustrating an example of a computer that implements the signature processing device.
  • the computer 110 has a CPU 111, a main memory 112, a storage device 113, an input interface 114, a display controller 115, a data reader / writer 116, and a communication interface 117. These units are connected via a bus 121 so as to be able to perform data communication with each other.
  • the computer 110 may include a GPU (Graphics Processing Unit) or an FPGA (Field-Programmable Gate Array) in addition to or instead of the CPU 111.
  • the CPU 111 performs various operations by expanding the program (code) according to the present embodiment stored in the storage device 113 into the main memory 112 and executing them in a predetermined order.
  • the main memory 112 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory).
  • the program according to the present embodiment is provided in a state stored in computer-readable recording medium 120.
  • the program according to the present embodiment may be distributed on the Internet connected via the communication interface 117.
  • the storage device 113 includes a semiconductor storage device such as a flash memory in addition to a hard disk drive.
  • the input interface 114 mediates data transmission between the CPU 111 and input devices 118 such as a keyboard and a mouse.
  • the display controller 115 is connected to the display device 119 and controls display on the display device 119.
  • the data reader / writer 116 mediates data transmission between the CPU 111 and the recording medium 120, reads out a program from the recording medium 120, and writes a processing result of the computer 110 to the recording medium 120.
  • the communication interface 117 mediates data transmission between the CPU 111 and another computer.
  • the recording medium 120 include a general-purpose semiconductor storage device such as CF (Compact @ Flash (registered trademark)) and SD (Secure Digital), a magnetic recording medium such as a flexible disk (Flexible @ Disk), or a CD-ROM.
  • CF Compact @ Flash
  • SD Secure Digital
  • An optical recording medium such as a ROM (Compact Disk Read Only Memory) can be used.
  • the signature processing device 1 can also be realized by using hardware corresponding to each unit instead of a computer in which a program is installed. Furthermore, part of the signature processing device 1 may be realized by a program, and the remaining part may be realized by hardware.
  • a secret key information generation unit that generates secret key information corresponding to the application identification information based on master secret key information set in advance and application identification information for identifying an application;
  • a signature information generation unit that generates signature information corresponding to the message information based on the secret key information and the message information to be signed;
  • the master secret key information, or, the secret key information, or, having a secret area to temporarily store both, a secret part A signature processing device having:
  • the signature processing device (Appendix 2) The signature processing device according to claim 1, wherein In the process of generating the secret key information or the signature information, the concealing unit may calculate an operation result related to the master secret key information, an operation result related to the secret key information, or an operation related to both. A signature processing device for temporarily storing a result.
  • (Appendix 6) (A) generating secret key information corresponding to the application identification information based on preset master secret key information and application identification information for identifying an application; (B) generating signature information corresponding to the message information based on the secret key information and the message information to be signed; (C) in the process of generating the secret key information or the signature information, temporarily storing the master secret key information, the secret key information, or both in a secret area; Signature processing method having
  • a setting device that sets the master secret key information generated based on the security information in the signature processing device in a secret state, Based on master secret key information set in advance and application identification information for identifying an application, secret key information corresponding to the application identification information is generated, and based on the secret key information and message information to be signed. Generating signature information corresponding to the message information, and temporarily storing the master secret key information, or the secret key information, or both in a secret area in the process of generating the secret key information or the signature information.
  • a terminal device And a verification device that verifies the signature information based on the message information.
  • the signature processing system according to any one of supplementary notes 11 to 14, wherein The terminal device generates the public key information corresponding to the application identification information based on the master secret key information, the application identification information, and the master public key information, and generates the public key information.
  • a signature processing system for temporarily storing the master secret key information, the public key information, or both.
  • (Appendix 20) A computer-readable recording medium recording the program according to any one of supplementary notes 16 to 19, On the computer, (D) generating public key information corresponding to the application identification information based on the master secret key information, the application identification information, and master public key information, In the step (c), in the process of generating the public key information, the master secret key information, the public key information, or both are temporarily stored. Possible recording medium.
  • the secret key can be protected even when the secret key is dynamically generated.
  • the present invention is useful in fields where it is necessary to dynamically generate a secret key.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

La présente invention concerne un appareil de traitement de signature 1 comprenant : une unité de génération d'informations de clé secrète 2 qui génère, sur la base d'informations de clé secrète maîtresse prédéfinies et d'informations d'identification d'application pour identifier une application, des informations de clé secrète correspondant aux informations d'identification d'application ; une unité de génération d'informations de signature 3 qui génère, sur la base des informations de clé secrète et des informations de message à signer, des informations de signature correspondant aux informations de message ; et une unité secrète 4 qui a une zone secrète pour stocker temporairement les informations de clé secrète maître, les informations de clé secrète, ou les deux, dans un processus de génération des informations de clé secrète ou des informations de signature.
PCT/JP2018/031055 2018-08-22 2018-08-22 Appareil de traitement de signature, procédé de traitement de signature, système de traitement de signature, et support d'enregistrement lisible par ordinateur WO2020039527A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2018/031055 WO2020039527A1 (fr) 2018-08-22 2018-08-22 Appareil de traitement de signature, procédé de traitement de signature, système de traitement de signature, et support d'enregistrement lisible par ordinateur
JP2020537944A JP7070689B2 (ja) 2018-08-22 2018-08-22 署名処理装置、署名処理方法、署名処理システム、及びプログラム

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2018/031055 WO2020039527A1 (fr) 2018-08-22 2018-08-22 Appareil de traitement de signature, procédé de traitement de signature, système de traitement de signature, et support d'enregistrement lisible par ordinateur

Publications (1)

Publication Number Publication Date
WO2020039527A1 true WO2020039527A1 (fr) 2020-02-27

Family

ID=69592829

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/031055 WO2020039527A1 (fr) 2018-08-22 2018-08-22 Appareil de traitement de signature, procédé de traitement de signature, système de traitement de signature, et support d'enregistrement lisible par ordinateur

Country Status (2)

Country Link
JP (1) JP7070689B2 (fr)
WO (1) WO2020039527A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120249292A1 (en) * 2011-01-13 2012-10-04 Hong Kong Applied Science And Technology Research Institute Co., Ltd. Proximity based biometric identification systems and methods
JP2014068140A (ja) * 2012-09-25 2014-04-17 Sony Corp 情報処理装置、情報処理方法及びプログラム
JP2017108293A (ja) * 2015-12-10 2017-06-15 ルネサスエレクトロニクス株式会社 半導体集積回路装置およびデータ処理装置

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120249292A1 (en) * 2011-01-13 2012-10-04 Hong Kong Applied Science And Technology Research Institute Co., Ltd. Proximity based biometric identification systems and methods
JP2014068140A (ja) * 2012-09-25 2014-04-17 Sony Corp 情報処理装置、情報処理方法及びプログラム
JP2017108293A (ja) * 2015-12-10 2017-06-15 ルネサスエレクトロニクス株式会社 半導体集積回路装置およびデータ処理装置

Also Published As

Publication number Publication date
JPWO2020039527A1 (ja) 2021-05-13
JP7070689B2 (ja) 2022-05-18

Similar Documents

Publication Publication Date Title
CN109313690B (zh) 自包含的加密引导策略验证
JP5710075B2 (ja) 証明書の検証
US10771264B2 (en) Securing firmware
JP5815525B2 (ja) 情報処理装置、コントローラ、鍵発行局、無効化リスト有効性判定方法および鍵発行方法
KR20200027500A (ko) 디바이스 익명성을 제공하는 키 증명문 생성
CN109639427B (zh) 一种数据发送的方法及设备
US9531540B2 (en) Secure token-based signature schemes using look-up tables
JP2013545388A (ja) ハードウェアデバイスの鍵プロビジョン方法および装置
JP2010503252A (ja) コンピューティング・プラットフォームの証明
CN112514321A (zh) 共享秘密建立
JPWO2017077611A1 (ja) セキュリティ装置、及びセキュリティ方法
KR20050056204A (ko) 메시지 무결성 보증 시스템, 방법 및 기록 매체
US20130019110A1 (en) Apparatus and method for preventing copying of terminal unique information in portable terminal
JP2018117185A (ja) 情報処理装置、情報処理方法
JP6780771B2 (ja) 検証情報付与装置、検証装置、情報管理システム、方法およびプログラム
JP6888122B2 (ja) 半導体装置、更新データ提供方法、更新データ受取方法およびプログラム
US20230254124A1 (en) License control using a memory device having a cryptographic key
JP2021521748A (ja) 物理的複製困難関数を使用して暗号鍵をオンボードで生成するための方法
WO2020039527A1 (fr) Appareil de traitement de signature, procédé de traitement de signature, système de traitement de signature, et support d'enregistrement lisible par ordinateur
CN112784249B (zh) 实现无标识情形下进行移动终端认证处理的方法、系统、处理器及其计算机可读存储介质
EP3785410B1 (fr) Validation de données d'authentification courtes avec preuve de connaissance nulle
WO2024057411A1 (fr) Dispositif et procédé de mise à jour de mémoire, système de traitement d'informations, et support lisible par ordinateur
WO2022162797A1 (fr) Dispositif de traitement d'informations, système d'exécution de programme, procédé de traitement d'informations et programme
JP2015015542A (ja) 情報処理システム
US20240004986A1 (en) Cla certificateless authentication of executable programs

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18931008

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020537944

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18931008

Country of ref document: EP

Kind code of ref document: A1