WO2021124454A1 - Communication equipment, certificate issuing device, certificate issuing system, certificate signing requesting method, certificate signing request program, certificate issuing method, and certificate issuing program - Google Patents

Communication equipment, certificate issuing device, certificate issuing system, certificate signing requesting method, certificate signing request program, certificate issuing method, and certificate issuing program

Info

Publication number
WO2021124454A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
certificate
authentication
verification
certificate issuing
Prior art date
Application number
PCT/JP2019/049448
Other languages
French (fr)
Japanese (ja)
Inventor
晃由 山口
Original Assignee
三菱電機株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱電機株式会社
Priority to PCT/JP2019/049448
Publication of WO2021124454A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • This disclosure relates to the technology for issuing certificates for communication devices.
  • the number of communication devices having a communication function such as IoT (Internet of Things) devices is increasing.
  • the communication device needs to obtain a certificate from the certificate issuing device.
  • the certificate issuing device needs to prevent issuing a certificate to an unauthorized communication device.
  • Patent Document 1 describes authenticating a certificate signing request by using a hash of the certificate signing request computed with the secret code of the electronic device.
  • the electronic device calculates the hash of the certificate signing request using the secret code, and transmits the certificate signing request and the hash to the rule controller.
  • the rule controller calculates the hash of the certificate signing request using the secret code of the source electronic device obtained in advance, and checks whether the calculated hash matches the hash sent from the electronic device.
  • An object of the present disclosure is to enable appropriate certificate issuance control while suppressing the amount of information managed by a certificate issuing device.
  • the communication equipment according to this disclosure is a communication device to which a device ID (identifier) is assigned.
  • It includes an authentication key acquisition unit that acquires an authentication key generated from the device ID and the verification key held by the certificate issuing device, and a request transmission unit that transmits, to the certificate issuing device, the device ID and a certificate signing request to which authentication information produced with the authentication key acquired by the authentication key acquisition unit is attached.
  • the authentication information for the certificate signing request is generated by the authentication key generated from the verification key held by the certificate issuing device and the device ID. Therefore, if the certificate issuing device acquires the device ID together with the certificate signing request, the communication device can be authenticated only by managing the verification key. As a result, appropriate certificate issuance control becomes possible while suppressing the amount of information managed by the certificate issuing device.
  • FIG. 1 The block diagram of the certificate issuing system 1 which concerns on Embodiment 1.
  • FIG. The block diagram of the key management apparatus 10 which concerns on Embodiment 1.
  • FIG. The block diagram of the communication apparatus 20 which concerns on Embodiment 1.
  • FIG. The block diagram of the certificate issuing apparatus 30 which concerns on Embodiment 1.
  • FIG. The flowchart which shows the operation of the certificate issuing system 1 which concerns on Embodiment 1.
  • the explanatory view of the operation of the certificate issuing system 1 which concerns on Embodiment 1.
  • FIG. The flowchart which shows the operation of the certificate issuing system 1 which concerns on Embodiment 2.
  • the explanatory view of the operation of the certificate issuing system 1 which concerns on Embodiment 2.
  • FIG. The flowchart which shows the operation of the certificate issuing system 1 which concerns on Embodiment 3.
  • the explanatory view of the operation of the certificate issuing system 1 which concerns on Embodiment 3.
  • the certificate issuing system 1 includes a key management device 10, a communication device 20, and a certificate issuing device 30.
  • the key management device 10 is connected to the certificate issuing device 30 via a communication path 91.
  • the communication device 20 is connected to the certificate issuing device 30 via a communication path 92.
  • In FIG. 1, only one communication device 20 is shown. However, there may be a plurality of communication devices 20.
  • the configuration of the key management device 10 according to the first embodiment will be described with reference to FIG.
  • the key management device 10 is a computer.
  • the key management device 10 includes hardware for a processor 11, a memory 12, a storage 13, and a communication interface 14.
  • the processor 11 is connected to other hardware via a signal line and controls these other hardware.
  • the key management device 10 includes an information acquisition unit 111, a key generation unit 112, and a key output unit 113 as functional components.
  • the functions of each functional component of the key management device 10 are realized by software.
  • the storage 13 stores a program that realizes the functions of each functional component of the key management device 10. This program is read into the memory 12 by the processor 11 and executed by the processor 11. As a result, the functions of each functional component of the key management device 10 are realized.
  • the configuration of the communication device 20 according to the first embodiment will be described with reference to FIG.
  • the communication device 20 is a computer.
  • the communication device 20 includes hardware of a processor 21, a memory 22, a storage 23, and a communication interface 24.
  • the processor 21 is connected to other hardware via a signal line and controls these other hardware.
  • the communication device 20 includes an authentication key acquisition unit 211, an authentication information generation unit 212, a request transmission unit 213, a certificate acquisition unit 214, and a communication unit 215 as functional components.
  • the functions of each functional component of the communication device 20 are realized by software.
  • the storage 23 stores a program that realizes the functions of each functional component of the communication device 20. This program is read into the memory 22 by the processor 21 and executed by the processor 21. As a result, the functions of each functional component of the communication device 20 are realized.
  • the configuration of the certificate issuing device 30 according to the first embodiment will be described with reference to FIG.
  • the certificate issuing device 30 is a computer.
  • the certificate issuing device 30 includes hardware for a processor 31, a memory 32, a storage 33, and a communication interface 34.
  • the processor 31 is connected to other hardware via a signal line and controls these other hardware.
  • the certificate issuing device 30 includes a verification key acquisition unit 311, a request acquisition unit 312, an authentication key generation unit 313, a verification unit 314, and a certificate issuing unit 315 as functional components.
  • the functions of each functional component of the certificate issuing device 30 are realized by software.
  • the storage 33 stores a program that realizes the functions of each functional component of the certificate issuing device 30. This program is read into the memory 32 by the processor 31 and executed by the processor 31. As a result, the functions of each functional component of the certificate issuing device 30 are realized.
  • Processors 11, 21, and 31 are ICs (Integrated Circuits) that perform processing. Specific examples of the processors 11, 21, 31 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
  • the memories 12, 22, and 32 are storage devices that temporarily store data. Specific examples of the memories 12, 22, and 32 are SRAM (Static Random Access Memory) and DRAM (Dynamic Random Access Memory).
  • Storages 13, 23, 33 are storage devices for storing data. Specific examples of the storages 13, 23, and 33 are HDDs (Hard Disk Drives).
  • the storages 13, 23, and 33 may be a portable recording medium such as an SD (registered trademark, Secure Digital) memory card, CF (CompactFlash, registered trademark), NAND flash, flexible disk, optical disk, compact disk, Blu-ray (registered trademark) disk, or DVD (Digital Versatile Disc).
  • Communication interfaces 14, 24, and 34 are interfaces for communicating with an external device. Specific examples of the communication interfaces 14, 24, and 34 are Ethernet (registered trademark), USB (Universal Serial Bus), and HDMI (registered trademark, High-Definition Multimedia Interface) ports.
  • the operation of the certificate issuing system 1 according to the first embodiment will be described with reference to FIGS. 5 and 6.
  • the operating procedure of the communication device 20 corresponds to the certificate signing request method according to the first embodiment.
  • the program that realizes the operation of the communication device 20 corresponds to the certificate signing request program according to the first embodiment.
  • the operating procedure of the certificate issuing device 30 corresponds to the certificate issuing method according to the first embodiment.
  • the program that realizes the operation of the certificate issuing device 30 corresponds to the certificate issuing program according to the first embodiment.
  • Step S101 of FIG. 5 Verification key generation process
  • the key generation unit 112 of the key management device 10 generates random numbers.
  • the key generation unit 112 generates a verification key from the generated random numbers.
  • the key generation unit 112 uses the random number as-is as the verification key.
  • the key output unit 113 transmits the verification key to the certificate issuing device 30 via the communication path 91.
  • the verification key acquisition unit 311 of the certificate issuing device 30 acquires the transmitted verification key.
  • the verification key acquisition unit 311 writes the verification key to the storage 33.
  • Step S102 in FIG. 5 Information acquisition process
  • the information acquisition unit 111 of the key management device 10 acquires the device ID (Identifier) assigned to the communication device 20.
  • the key registration terminal 41 is operated by a manufacturing person in a factory that manufactures the communication device 20, and the device ID is input to the key management device 10.
  • the information acquisition unit 111 acquires the input device ID.
  • Step S103 of FIG. 5 Authentication key generation process
  • the key generation unit 112 of the key management device 10 generates an authentication key from the verification key generated in step S101 and the device ID acquired in step S102.
  • the key generation unit 112 generates the authentication key by computing a keyed hash function with the verification key as the key and the device ID as the message.
  • the key output unit 113 outputs an authentication key. In the first embodiment, the key output unit 113 transmits the authentication key to the key registration terminal 41.
  • Step S104 in FIG. 5 Authentication key acquisition process
  • the authentication key acquisition unit 211 of the communication device 20 acquires the device ID acquired in step S102 and the authentication key generated in step S103.
  • the key registration terminal 41 is operated by a manufacturing person in a factory that manufactures the communication device 20, and the device ID and the authentication key are input to the communication device 20.
  • the authentication key acquisition unit 211 acquires the input device ID and authentication key.
  • the authentication key acquisition unit 211 writes the device ID and the authentication key in the storage 23.
  • After the device ID and the authentication key are written in the storage 23 in step S104, the communication device 20 is installed at the installation location. After that, the processes after step S105 are executed.
  • Step S105 of FIG. 5 Authentication information generation process
  • the authentication information generation unit 212 of the communication device 20 generates a certificate signing request.
  • the authentication information generation unit 212 generates authentication information for the certificate signing request by using the authentication key acquired in step S104.
  • the authentication information generation unit 212 generates the authentication information by computing a keyed hash function with the authentication key as the key and the certificate signing request as the message.
  • Step S106 of FIG. 5 Request transmission process
  • the request transmission unit 213 of the communication device 20 sends the certificate signing request with the authentication information generated in step S105 and the device ID acquired in step S104 to the certificate issuing device 30 via the communication path 92.
  • Step S107 in FIG. 5 Authentication key generation process
  • the request acquisition unit 312 of the certificate issuing device 30 acquires the certificate signing request with the authentication information transmitted in step S106 and the device ID.
  • the authentication key generation unit 313 of the certificate issuing device 30 generates an authentication key from the verification key acquired in step S101 and the device ID.
  • the authentication key generation unit 313 generates the authentication key by the same method as in step S103.
  • Step S108 of FIG. 5 Verification process
  • the verification unit 314 determines whether or not the authentication information attached to the certificate signing request is valid based on the authentication key generated in step S107.
  • the verification unit 314 generates authentication information by the same method as in step S105. Then, the verification unit 314 determines whether the authentication information attached to the certificate signing request is valid by checking whether the generated authentication information matches the authentication information attached to the certificate signing request. If the authentication information is valid, the verification unit 314 proceeds to step S109. On the other hand, if the authentication information is not valid, the verification unit 314 ends the process.
  • Step S109 in FIG. 5 Certificate issuance process
  • the certificate issuing unit 315 of the certificate issuing device 30 issues a certificate.
  • the certificate issuing unit 315 transmits the issued certificate to the communication device 20 via the communication path 92.
  • the certificate acquisition unit 214 of the communication device 20 acquires the certificate and writes it in the storage 23.
  • the certificate issuing unit 315 issues a CA certificate to the application server 42 that communicates with the communication device 20.
  • Step S110 in FIG. 5 Communication processing
  • the communication unit 215 of the communication device 20 establishes a communication path with the application server 42 by using the certificate issued in step S109.
  • the communication unit 215 establishes a communication path for TLS communication.
  • the communication unit 215 communicates with the application server 42 using the established communication path.
  • the certificate issuing device 30 holds the verification key.
  • the communication device 20 holds an authentication key generated from the verification key and the device ID.
  • the communication device 20 generates authentication information for the certificate signing request by using the authentication key.
  • the communication device 20 transmits the certificate signing request with the authentication information and the device ID to the certificate issuing device 30.
  • the certificate issuing device 30 generates an authentication key from the verification key and the device ID.
  • the certificate issuing device 30 determines whether or not the authentication information is valid based on the authentication key.
  • the certificate issuing device 30 does not need to hold the key for each communication device 20, and can authenticate any communication device 20 only by holding the verification key.
  • appropriate certificate issuance control becomes possible while suppressing the amount of information managed by the certificate issuing device 30.
  • each functional component is realized by software.
  • each functional component may be realized by hardware. The difference between the first modification and the first embodiment will be described.
  • the key management device 10 includes an electronic circuit instead of the processor 11, the memory 12, and the storage 13.
  • the electronic circuit is a dedicated circuit that realizes the functions of each functional component, the memory 12, and the storage 13.
  • the communication device 20 includes an electronic circuit instead of the processor 21, the memory 22, and the storage 23.
  • the electronic circuit is a dedicated circuit that realizes the functions of each functional component, the memory 22, and the storage 23.
  • the certificate issuing device 30 includes an electronic circuit instead of the processor 31, the memory 32, and the storage 33.
  • the electronic circuit is a dedicated circuit that realizes the functions of each functional component, the memory 32, and the storage 33.
  • each functional component may be realized by one electronic circuit, or each functional component may be distributed and realized by a plurality of electronic circuits.
  • Modification 2: some functional components may be realized by hardware, and other functional components may be realized by software.
  • Processors 11, 21, 31, memories 12, 22, 32, storages 13, 23, 33, and electronic circuits are called processing circuits. That is, the function of each functional component is realized by the processing circuit.
  • Embodiment 2 is different from the first embodiment in that the certificate issuing device 30 can manage a plurality of verification keys. In the second embodiment, these different points will be described, and the same points will be omitted.
  • a verification key is generated for each key ID.
  • the key ID is set for each group of the communication devices 20.
  • the group of the communication equipment 20 is set by a method in which the communication equipment 20 installed on the same floor is divided into the same group, or the communication equipment 20 of the same type is divided into the same group.
  • the key ID may be appropriately set according to the verification key, the management method of the communication device 20, and the like.
  • Step S201 of FIG. 7 Verification key generation process
  • Similar to step S101 of FIG. 5, the key generation unit 112 of the key management device 10 generates a random number. The key generation unit 112 generates a verification key from the generated random numbers. At this time, the key generation unit 112 assigns a key ID to the verification key.
  • the key registration terminal 41 is operated by a manufacturing person in a factory that manufactures the communication device 20, and the key ID is input to the key management device 10.
  • the key generation unit 112 acquires the input key ID and assigns it to the verification key.
  • the key output unit 113 transmits the verification key and the key ID to the certificate issuing device 30 via the communication path 91.
  • the verification key acquisition unit 311 of the certificate issuing device 30 acquires the transmitted verification key and key ID.
  • the verification key acquisition unit 311 writes the verification key in association with the key ID in the storage 33.
  • Step S202 in FIG. 7 Information acquisition process
  • the information acquisition unit 111 of the key management device 10 acquires the device ID assigned to the communication device 20 and the key ID assigned to the target verification key.
  • the key registration terminal 41 is operated by a manufacturing person in a factory that manufactures the communication device 20, and the device ID and the key ID are input to the key management device 10.
  • the information acquisition unit 111 acquires the input device ID and key ID.
  • Step S203 of FIG. 7 Authentication key generation process
  • the key generation unit 112 of the key management device 10 generates an authentication key from the verification key corresponding to the key ID acquired in step S202 and the device ID acquired in step S202.
  • the key output unit 113 outputs an authentication key.
  • the key output unit 113 transmits the authentication key to the key registration terminal 41.
  • Step S204 of FIG. 7 Authentication key acquisition process
  • the authentication key acquisition unit 211 of the communication device 20 acquires the device ID and key ID acquired in step S202 and the authentication key generated in step S203.
  • the key registration terminal 41 is operated by a manufacturing person in a factory that manufactures the communication device 20, and the device ID, the key ID, and the authentication key are input to the communication device 20.
  • the authentication key acquisition unit 211 acquires the input device ID, key ID, and authentication key.
  • the authentication key acquisition unit 211 writes the device ID, the key ID, and the authentication key in the storage 23.
  • After the device ID, key ID, and authentication key are written in the storage 23 in step S204, the communication device 20 is installed at the installation location. After that, the processes after step S205 are executed.
  • The process of step S205 of FIG. 7 is the same as the process of step S105.
  • Step S206 of FIG. 7 Request transmission process
  • the request transmission unit 213 of the communication device 20 transmits the certificate signing request with the authentication information generated in step S205 and the device ID and key ID acquired in step S204 to the certificate issuing device 30 via the communication path 92.
  • Step S207 of FIG. 7 Authentication key generation process
  • the request acquisition unit 312 of the certificate issuing device 30 acquires the certificate signing request with the authentication information transmitted in step S206, and the device ID and key ID.
  • the authentication key generation unit 313 of the certificate issuing device 30 reads out the verification key corresponding to the acquired key ID among the verification keys written in the storage 33 in step S201.
  • the authentication key generation unit 313 generates an authentication key from the read verification key and the device ID.
  • the authentication key generation unit 313 generates the authentication key by the same method as in step S203.
  • The processing of steps S208 to S210 of FIG. 7 is the same as the processing of steps S108 to S110.
  • In Embodiment 3, the process of updating the verification key will be described.
  • the points different from the second embodiment will be described, and the same points will be omitted.
  • a case where a process for updating the verification key is added to the second embodiment will be described.
  • Step S301 in FIG. 9 Designated reception process
  • the information acquisition unit 111 of the key management device 10 acquires the key ID assigned to the verification key to be updated.
  • the key registration terminal 41 is operated by a manufacturing person in a factory that manufactures the communication device 20, and the key ID is input to the key management device 10.
  • the information acquisition unit 111 acquires the input key ID.
  • Step S302 in FIG. 9 Verification key update process
  • Similar to step S201 of FIG. 7, the key generation unit 112 of the key management device 10 generates a random number.
  • the key generation unit 112 generates a verification key from the generated random numbers.
  • the key generation unit 112 updates the verification key by replacing the verification key corresponding to the key ID acquired in step S301 with the newly generated verification key.
  • the key output unit 113 transmits the newly generated verification key and key ID to the certificate issuing device 30 via the communication path 91.
  • the verification key acquisition unit 311 of the certificate issuing device 30 acquires the transmitted verification key and key ID.
  • the verification key acquisition unit 311 updates the verification key corresponding to the key ID with the acquired verification key.
  • Step S303 in FIG. 9 Information acquisition process
  • the information acquisition unit 111 of the key management device 10 acquires the device ID of the communication device 20 in which the authentication key generated by the verification key updated in step S302 is set.
  • the key registration terminal 41 is operated by a manufacturing person in a factory that manufactures the communication device 20, and the device ID is input to the key management device 10.
  • the information acquisition unit 111 acquires the input device ID.
  • Step S304 of FIG. 9 Authentication key update process
  • the key generation unit 112 of the key management device 10 generates an authentication key from the verification key updated in step S302, that is, the verification key corresponding to the key ID, and the device ID acquired in step S303.
  • the key output unit 113 of the key management device 10 transmits the newly generated authentication key, device ID, and key ID to the application server 42.
  • the application server 42 has a communication path using the certificate established with the communication device 20.
  • the application server 42 acquires the authentication key, the device ID, and the key ID.
  • the application server 42 transmits the authentication key and the key ID to the communication device 20 specified from the device ID via the communication path using the certificate.
  • the authentication key acquisition unit 211 of the communication device 20 acquires the transmitted authentication key and key ID.
  • the authentication key acquisition unit 211 writes the authentication key and the key ID in the storage 23.
  • the communication device 20 acquires a new authentication key from the application server 42 by communication using the certificate signed by the certificate issuing device 30. As a result, when the verification key is updated after the communication device 20 is installed at the installation location, the authentication key generated by the updated verification key can be safely set in the communication device 20.
  • Certificate issuance system 10 Key management device, 11 Processor, 12 Memory, 13 Storage, 14 Communication interface, 111 Information acquisition unit, 112 Key generation unit, 113 Key output unit, 20 Communication equipment, 21 Processor, 22 Memory, 23 Storage, 24 communication interface, 211 authentication key acquisition unit, 212 authentication information generation unit, 213 request transmission unit, 214 certificate acquisition unit, 215 communication unit, 30 certificate issuing device, 31 processor, 32 memory, 33 storage, 34 communication Interface, 311 verification key acquisition unit, 312 request acquisition unit, 313 authentication key generation unit, 314 verification unit, 315 certificate issuance unit, 41 key registration terminal, 42 application server, 91 communication path, 92 communication path.
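
The flow of steps S101 to S109, with the key-ID lookup of Embodiment 2 and the verification key update of Embodiment 3, as an added example that is not code from the patent. HMAC-SHA-256 as the keyed hash, the class and field names, the constant-time comparison, and the sample IDs and CSR bytes are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def keyed_hash(key: bytes, message: bytes) -> bytes:
    # Assumption: the page only says "hash function with a key";
    # HMAC-SHA-256 is used here as one concrete choice.
    return hmac.new(key, message, hashlib.sha256).digest()


class KeyManagementDevice:
    """Key management device 10: creates verification keys, derives authentication keys."""

    def __init__(self):
        self.verification_keys = {}  # key ID -> verification key

    def new_verification_key(self, key_id):
        # S101/S201, and S302 when key_id already exists: the random number
        # is used as-is as the verification key.
        self.verification_keys[key_id] = secrets.token_bytes(32)
        return self.verification_keys[key_id]

    def derive_authentication_key(self, key_id, device_id):
        # S103/S203/S304: key = verification key, message = device ID.
        return keyed_hash(self.verification_keys[key_id], device_id.encode())


class CommunicationDevice:
    """Communication device 20: holds only its own IDs and authentication key."""

    def __init__(self, device_id, key_id, authentication_key):
        self.device_id = device_id
        self.key_id = key_id
        self.authentication_key = authentication_key

    def build_request(self, csr):
        # S105/S106 (S205/S206): authentication information over the CSR,
        # sent together with the device ID and key ID.
        return {
            "device_id": self.device_id,
            "key_id": self.key_id,
            "csr": csr,
            "auth_info": keyed_hash(self.authentication_key, csr),
        }


class CertificateIssuingDevice:
    """Certificate issuing device 30: one verification key per key ID, no per-device state."""

    def __init__(self):
        self.verification_keys = {}  # key ID -> verification key

    def store_verification_key(self, key_id, key):
        self.verification_keys[key_id] = key

    def verify(self, request):
        verification_key = self.verification_keys.get(request["key_id"])
        if verification_key is None:
            return False  # unknown key ID: nothing to derive from
        # S107/S207: re-derive the device's authentication key on demand.
        auth_key = keyed_hash(verification_key, request["device_id"].encode())
        # S108/S208: recompute the authentication information, compare in constant time.
        expected = keyed_hash(auth_key, request["csr"])
        return hmac.compare_digest(expected, request["auth_info"])


def run_demo():
    kmd, issuer = KeyManagementDevice(), CertificateIssuingDevice()
    issuer.store_verification_key("floor-1", kmd.new_verification_key("floor-1"))

    # Constructed sample values: device IDs, key ID and a stand-in for CSR bytes.
    csr = b"constructed-placeholder-for-DER-encoded-CSR"
    dev_a = CommunicationDevice("dev-A", "floor-1", kmd.derive_authentication_key("floor-1", "dev-A"))
    dev_b = CommunicationDevice("dev-B", "floor-1", kmd.derive_authentication_key("floor-1", "dev-B"))
    results = {"valid": issuer.verify(dev_a.build_request(csr)),
               "second_device": issuer.verify(dev_b.build_request(csr))}

    tampered = dev_a.build_request(csr)
    tampered["csr"] = csr + b"-modified"
    results["tampered_csr"] = issuer.verify(tampered)

    wrong_id = dev_a.build_request(csr)
    wrong_id["device_id"] = "dev-B"  # dev-A's authentication info under dev-B's ID
    results["wrong_device_id"] = issuer.verify(wrong_id)

    unknown = dev_a.build_request(csr)
    unknown["key_id"] = "floor-9"
    results["unknown_key_id"] = issuer.verify(unknown)

    # Embodiment 3: the verification key for "floor-1" is replaced (S302).
    issuer.store_verification_key("floor-1", kmd.new_verification_key("floor-1"))
    results["stale_key_after_update"] = issuer.verify(dev_a.build_request(csr))
    # S304: the device receives the authentication key derived from the new key.
    dev_a.authentication_key = kmd.derive_authentication_key("floor-1", "dev-A")
    results["after_key_update"] = issuer.verify(dev_a.build_request(csr))
    results["keys_held_by_issuer"] = len(issuer.verification_keys)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Every authentication key can be recomputed from the verification key and a device ID, so the issuer's verification key store is the asset to protect. The per-group key IDs of Embodiment 2 limit what a single verification key covers.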

Abstract

A key management device (10) generates a verification key, and, at the same time, generates an authentication key from the verification key and an equipment identifier (ID) assigned to communication equipment (20). The verification key is handed over to a certificate issuing device (30), whereas the authentication key is handed over to the communication equipment (20). The communication equipment (20) transmits, to the certificate issuing device (30), both the equipment ID and a certificate signing request having attached thereto authentication information given by the authentication key. The certificate issuing device (30) generates an authentication key from both the verification key and the equipment ID that has been transmitted along with the certificate signing request, and then determines, by using the authentication key, whether or not the authentication information is valid. In the case when the authentication information has been determined to be valid, the certificate issuing device (30) issues a certificate.

Description

通信機器、証明書発行装置、証明書発行システム、証明書署名要求方法、証明書署名要求プログラム、証明書発行方法及び証明書発行プログラムCommunication equipment, certificate issuing device, certificate issuing system, certificate signing request method, certificate signing request program, certificate issuing method and certificate issuing program
 本開示は、通信機器に対する証明書の発行技術に関する。 This disclosure relates to the technology for issuing certificates for communication devices.
 IoT(Internet of Things)機器といった通信機能を有する通信機器が増えている。通信機器とサーバとの間の通信の安全性を高くするために、TLS(Transport Layer Security)といった証明書を用いた安全な通信路を用いることが考えられる。
 証明書を用いた安全な通信路を用いるには、通信機器が証明書発行装置から証明書を取得する必要がある。この際、証明書発行装置は、不正な通信機器に対して証明書を発行しないようにする必要がある。
The number of communication devices having a communication function such as IoT (Internet of Things) devices is increasing. In order to increase the security of communication between the communication device and the server, it is conceivable to use a secure communication path using a certificate such as TLS (Transport Layer Security).
In order to use a secure communication path using a certificate, the communication device needs to obtain a certificate from the certificate issuing device. At this time, the certificate issuing device needs to prevent issuing a certificate to an unauthorized communication device.
 特許文献1には、電子装置の秘密コードによる証明書署名要求のハッシュを用いて、証明書署名要求の認証を行うことが記載されている。特許文献1では、電子装置は、秘密コードを用いて証明書署名要求のハッシュを計算し、証明書署名要求とハッシュとをルールコントローラに送信する。ルールコントローラは、事前に取得してある送信元の電子装置の秘密コードを用いて証明書署名要求のハッシュを計算し、計算されたハッシュと、電子装置から送信されたハッシュとが一致するか否かを確認する。 Patent Document 1 describes that the certificate signing request is authenticated by using the hash of the certificate signing request by the secret code of the electronic device. In Patent Document 1, the electronic device calculates the hash of the certificate signing request using the secret code, and transmits the certificate signing request and the hash to the rule controller. The rule controller calculates the hash of the certificate signing request using the secret code of the source electronic device obtained in advance, and whether the calculated hash matches the hash sent from the electronic device. Check if.
Patent Document 1: Japanese Unexamined Patent Application Publication (Translation of PCT Application) No. 2016-531516
In the technique described in Patent Document 1, the rule controller needs to manage a secret code for each electronic device. Therefore, as the number of electronic devices increases, the amount of memory required to manage the secret codes increases.
An object of the present disclosure is to enable appropriate control of certificate issuance while keeping down the amount of information managed by the device that issues certificates.
The communication device according to the present disclosure is a communication device to which a device ID (IDentifier) is assigned, and includes:
an authentication key acquisition unit that acquires an authentication key generated from the device ID and a verification key held by a certificate issuing device; and
a request transmission unit that transmits, to the certificate issuing device, the device ID and a certificate signing request to which authentication information based on the authentication key acquired by the authentication key acquisition unit is attached.
In the present disclosure, the authentication information for the certificate signing request is generated with an authentication key that is itself generated from the device ID and the verification key held by the certificate issuing device. Therefore, as long as the certificate issuing device receives the device ID together with the certificate signing request, it can authenticate the communication device while managing only the verification key. As a result, appropriate control of certificate issuance becomes possible while keeping down the amount of information managed by the certificate issuing device.
FIG. 1: Configuration diagram of the certificate issuing system 1 according to Embodiment 1.
FIG. 2: Configuration diagram of the key management device 10 according to Embodiment 1.
FIG. 3: Configuration diagram of the communication device 20 according to Embodiment 1.
FIG. 4: Configuration diagram of the certificate issuing device 30 according to Embodiment 1.
FIG. 5: Flowchart showing the operation of the certificate issuing system 1 according to Embodiment 1.
FIG. 6: Explanatory diagram of the operation of the certificate issuing system 1 according to Embodiment 1.
FIG. 7: Flowchart showing the operation of the certificate issuing system 1 according to Embodiment 2.
FIG. 8: Explanatory diagram of the operation of the certificate issuing system 1 according to Embodiment 2.
FIG. 9: Flowchart showing the operation of the certificate issuing system 1 according to Embodiment 3.
FIG. 10: Explanatory diagram of the operation of the certificate issuing system 1 according to Embodiment 3.
Embodiment 1.
*** Description of configuration ***
The configuration of the certificate issuing system 1 according to Embodiment 1 will be described with reference to FIG. 1.
The certificate issuing system 1 includes a key management device 10, a communication device 20, and a certificate issuing device 30. The key management device 10 is connected to the certificate issuing device 30 via a communication path 91. The communication device 20 is connected to the certificate issuing device 30 via a communication path 92.
Only one communication device 20 is shown in FIG. 1. However, there may be a plurality of communication devices 20.
The configuration of the key management device 10 according to Embodiment 1 will be described with reference to FIG. 2.
The key management device 10 is a computer.
The key management device 10 includes the following hardware: a processor 11, a memory 12, a storage 13, and a communication interface 14. The processor 11 is connected to the other hardware via signal lines and controls the other hardware.
The key management device 10 includes an information acquisition unit 111, a key generation unit 112, and a key output unit 113 as functional components. The function of each functional component of the key management device 10 is realized by software.
The storage 13 stores a program that realizes the function of each functional component of the key management device 10. This program is read into the memory 12 by the processor 11 and executed by the processor 11. The function of each functional component of the key management device 10 is thereby realized.
The configuration of the communication device 20 according to Embodiment 1 will be described with reference to FIG. 3.
The communication device 20 is a computer.
The communication device 20 includes the following hardware: a processor 21, a memory 22, a storage 23, and a communication interface 24. The processor 21 is connected to the other hardware via signal lines and controls the other hardware.
The communication device 20 includes an authentication key acquisition unit 211, an authentication information generation unit 212, a request transmission unit 213, a certificate acquisition unit 214, and a communication unit 215 as functional components. The function of each functional component of the communication device 20 is realized by software.
The storage 23 stores a program that realizes the function of each functional component of the communication device 20. This program is read into the memory 22 by the processor 21 and executed by the processor 21. The function of each functional component of the communication device 20 is thereby realized.
The configuration of the certificate issuing device 30 according to Embodiment 1 will be described with reference to FIG. 4.
The certificate issuing device 30 is a computer.
The certificate issuing device 30 includes the following hardware: a processor 31, a memory 32, a storage 33, and a communication interface 34. The processor 31 is connected to the other hardware via signal lines and controls the other hardware.
The certificate issuing device 30 includes a verification key acquisition unit 311, a request acquisition unit 312, an authentication key generation unit 313, a verification unit 314, and a certificate issuing unit 315 as functional components. The function of each functional component of the certificate issuing device 30 is realized by software.
The storage 33 stores a program that realizes the function of each functional component of the certificate issuing device 30. This program is read into the memory 32 by the processor 31 and executed by the processor 31. The function of each functional component of the certificate issuing device 30 is thereby realized.
The processors 11, 21, and 31 are ICs (Integrated Circuits) that perform processing. Specific examples of the processors 11, 21, and 31 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
The memories 12, 22, and 32 are storage devices that temporarily store data. Specific examples of the memories 12, 22, and 32 are SRAM (Static Random Access Memory) and DRAM (Dynamic Random Access Memory).
The storages 13, 23, and 33 are storage devices that store data. A specific example of the storages 13, 23, and 33 is an HDD (Hard Disk Drive). The storages 13, 23, and 33 may also be portable recording media such as an SD (registered trademark, Secure Digital) memory card, CF (CompactFlash, registered trademark), NAND flash, a flexible disk, an optical disc, a compact disc, a Blu-ray (registered trademark) disc, or a DVD (Digital Versatile Disk).
The communication interfaces 14, 24, and 34 are interfaces for communicating with external devices. Specific examples of the communication interfaces 14, 24, and 34 are Ethernet (registered trademark), USB (Universal Serial Bus), and HDMI (registered trademark, High-Definition Multimedia Interface) ports.
*** Description of operation ***
The operation of the certificate issuing system 1 according to Embodiment 1 will be described with reference to FIGS. 5 and 6.
Of the operating procedure of the certificate issuing system 1 according to Embodiment 1, the operating procedure of the communication device 20 corresponds to the certificate signing request method according to Embodiment 1. Likewise, the program that realizes the operation of the communication device 20 corresponds to the certificate signing request program according to Embodiment 1.
Of the operating procedure of the certificate issuing system 1 according to Embodiment 1, the operating procedure of the certificate issuing device 30 corresponds to the certificate issuing method according to Embodiment 1. Likewise, the program that realizes the operation of the certificate issuing device 30 corresponds to the certificate issuing program according to Embodiment 1.
(Step S101 in FIG. 5: Verification key generation process)
The key generation unit 112 of the key management device 10 generates a random number. The key generation unit 112 generates a verification key from the generated random number. As a specific example, the key generation unit 112 uses the random number as the verification key as it is.
The key output unit 113 transmits the verification key to the certificate issuing device 30 via the communication path 91. The verification key acquisition unit 311 of the certificate issuing device 30 then acquires the transmitted verification key and writes it to the storage 33.
(Step S102 in FIG. 5: Information acquisition process)
The information acquisition unit 111 of the key management device 10 acquires the device ID (IDentifier) assigned to the communication device 20. In Embodiment 1, a manufacturing worker at the factory that manufactures the communication device 20 operates a key registration terminal 41, and the device ID is input to the key management device 10. The information acquisition unit 111 acquires the input device ID.
(Step S103 in FIG. 5: Authentication key generation process)
The key generation unit 112 of the key management device 10 generates an authentication key from the verification key generated in step S101 and the device ID acquired in step S102. As a specific example, the key generation unit 112 generates the authentication key by computing a keyed hash function with the verification key as the key and the device ID as the message.
The key output unit 113 outputs the authentication key. In Embodiment 1, the key output unit 113 transmits the authentication key to the key registration terminal 41.
(Step S104 in FIG. 5: Authentication key acquisition process)
The authentication key acquisition unit 211 of the communication device 20 acquires the device ID acquired in step S102 and the authentication key generated in step S103. In Embodiment 1, a manufacturing worker at the factory that manufactures the communication device 20 operates the key registration terminal 41, and the device ID and the authentication key are input to the communication device 20. The authentication key acquisition unit 211 acquires the input device ID and authentication key and writes them to the storage 23.
After the device ID and the authentication key have been written to the storage 23 in step S104, the communication device 20 is installed at its installation location. The processes from step S105 onward are executed after that.
(Step S105 in FIG. 5: Authentication information generation process)
The authentication information generation unit 212 of the communication device 20 generates a certificate signing request. The authentication information generation unit 212 generates authentication information for the certificate signing request with the authentication key acquired in step S104. As a specific example, the authentication information generation unit 212 generates the authentication information by computing a keyed hash function with the authentication key as the key and the certificate signing request as the message.
(Step S106 in FIG. 5: Request transmission process)
The request transmission unit 213 of the communication device 20 transmits the certificate signing request, with the authentication information generated in step S105 attached, and the device ID acquired in step S104 to the certificate issuing device 30 via the communication path 92.
(Step S107 in FIG. 5: Authentication key generation process)
The request acquisition unit 312 of the certificate issuing device 30 acquires the certificate signing request with the authentication information attached and the device ID that were transmitted in step S106. The authentication key generation unit 313 of the certificate issuing device 30 generates an authentication key from the verification key acquired in step S101 and the device ID. Here, the authentication key generation unit 313 generates the authentication key by the same method as in step S103.
(Step S108 in FIG. 5: Verification process)
The verification unit 314 determines, using the authentication key generated in step S107, whether the authentication information attached to the certificate signing request is valid. As a specific example, the verification unit 314 generates authentication information by the same method as in step S105. The verification unit 314 then determines whether the authentication information attached to the certificate signing request is valid by determining whether the generated authentication information matches the authentication information attached to the certificate signing request.
If the authentication information is valid, the verification unit 314 advances the process to step S109. If the authentication information is not valid, the verification unit 314 ends the process.
(Step S109 in FIG. 5: Certificate issuance process)
The certificate issuing unit 315 of the certificate issuing device 30 issues a certificate. The certificate issuing unit 315 transmits the issued certificate to the communication device 20 via the communication path 92. The certificate acquisition unit 214 of the communication device 20 then acquires the certificate and writes it to the storage 23.
The certificate issuing unit 315 also issues a CA certificate to the application server 42 that communicates with the communication device 20.
(Step S110 in FIG. 5: Communication process)
The communication unit 215 of the communication device 20 establishes a communication path with the application server 42 by using the certificate issued in step S109. As a specific example, the communication unit 215 establishes a TLS communication path. The communication unit 215 then communicates with the application server 42 over the established communication path.
*** Effect of Embodiment 1 ***
As described above, in the certificate issuing system 1 according to Embodiment 1, the certificate issuing device 30 holds the verification key. The communication device 20 holds an authentication key generated from the verification key and the device ID. The communication device 20 generates authentication information for the certificate signing request with the authentication key. The communication device 20 transmits the certificate signing request, with the authentication information attached, and the device ID to the certificate issuing device 30. The certificate issuing device 30 generates the authentication key from the verification key and the device ID. The certificate issuing device 30 determines with the authentication key whether the authentication information is valid.
The certificate issuing device 30 therefore does not need to hold a key for each communication device 20; by holding only the verification key, it can authenticate any communication device 20. As a result, appropriate control of certificate issuance becomes possible while keeping down the amount of information managed by the certificate issuing device 30.
*** Other configurations ***
<Modification 1>
In Embodiment 1, each functional component is realized by software. As Modification 1, however, each functional component may be realized by hardware. The differences between Modification 1 and Embodiment 1 are described below.
When each functional component is realized by hardware, the key management device 10 includes an electronic circuit in place of the processor 11, the memory 12, and the storage 13. The electronic circuit is a dedicated circuit that realizes the functions of the functional components, the memory 12, and the storage 13.
Similarly, when each functional component is realized by hardware, the communication device 20 includes an electronic circuit in place of the processor 21, the memory 22, and the storage 23. The electronic circuit is a dedicated circuit that realizes the functions of the functional components, the memory 22, and the storage 23.
Similarly, when each functional component is realized by hardware, the certificate issuing device 30 includes an electronic circuit in place of the processor 31, the memory 32, and the storage 33. The electronic circuit is a dedicated circuit that realizes the functions of the functional components, the memory 32, and the storage 33.
The electronic circuit is assumed to be a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, a logic IC, a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array).
The functional components may be realized by a single electronic circuit, or may be distributed across a plurality of electronic circuits.
<Modification 2>
As Modification 2, some of the functional components may be realized by hardware and the other functional components may be realized by software.
The processors 11, 21, and 31, the memories 12, 22, and 32, the storages 13, 23, and 33, and the electronic circuits are referred to as processing circuitry. That is, the function of each functional component is realized by processing circuitry.
Embodiment 2.
Embodiment 2 differs from Embodiment 1 in that the certificate issuing device 30 can manage a plurality of verification keys. Embodiment 2 describes this difference and omits description of the points that are the same.
*** Description of operation ***
The operation of the certificate issuing system 1 according to Embodiment 2 will be described with reference to FIGS. 7 and 8.
In Embodiment 2, a verification key is generated for each key ID. In Embodiment 2, a key ID is set for each group of communication devices 20. The groups of communication devices 20 are set by, for example, placing communication devices 20 installed on the same floor in the same group, or placing communication devices 20 of the same type in the same group.
The key ID may be set as appropriate according to, for example, how the verification keys or the communication devices 20 are managed.
(Step S201 in FIG. 7: Verification key generation process)
As in step S101 of FIG. 5, the key generation unit 112 of the key management device 10 generates a random number. The key generation unit 112 generates a verification key from the generated random number.
At this time, the key generation unit 112 assigns a key ID to the verification key. In Embodiment 2, a manufacturing worker at the factory that manufactures the communication device 20 operates the key registration terminal 41, and the key ID is input to the key management device 10. The key generation unit 112 acquires the input key ID and assigns it to the verification key.
The key output unit 113 transmits the verification key and the key ID to the certificate issuing device 30 via the communication path 91. The verification key acquisition unit 311 of the certificate issuing device 30 then acquires the transmitted verification key and key ID. The verification key acquisition unit 311 writes the verification key to the storage 33 in association with the key ID.
(Step S202 in FIG. 7: Information acquisition process)
The information acquisition unit 111 of the key management device 10 acquires the device ID assigned to the communication device 20 and the key ID assigned to the target verification key. In Embodiment 2, a manufacturing worker at the factory that manufactures the communication device 20 operates the key registration terminal 41, and the device ID and the key ID are input to the key management device 10. The information acquisition unit 111 acquires the input device ID and key ID.
(Step S203 in FIG. 7: Authentication key generation process)
The key generation unit 112 of the key management device 10 generates an authentication key from the verification key corresponding to the key ID acquired in step S202 and the device ID acquired in step S202.
The key output unit 113 outputs the authentication key. In Embodiment 2, the key output unit 113 transmits the authentication key to the key registration terminal 41.
(Step S204 in FIG. 7: Authentication key acquisition process)
The authentication key acquisition unit 211 of the communication device 20 acquires the device ID and key ID acquired in step S202 and the authentication key generated in step S203. In Embodiment 2, a manufacturing worker at the factory that manufactures the communication device 20 operates the key registration terminal 41, and the device ID, the key ID, and the authentication key are input to the communication device 20. The authentication key acquisition unit 211 acquires the input device ID, key ID, and authentication key and writes them to the storage 23.
After the device ID, the key ID, and the authentication key have been written to the storage 23 in step S204, the communication device 20 is installed at its installation location. The processes from step S205 onward are executed after that.
The process of step S205 in FIG. 7 is the same as the process of step S105 in FIG. 5.
(Step S206 in FIG. 7: Request transmission process)
The request transmission unit 213 of the communication device 20 transmits the certificate signing request, with the authentication information generated in step S205 attached, and the device ID and key ID acquired in step S204 to the certificate issuing device 30 via the communication path 92.
(Step S207 in FIG. 7: Authentication key generation process)
The request acquisition unit 312 of the certificate issuing device 30 acquires the certificate signing request with the authentication information attached, the device ID, and the key ID that were transmitted in step S206. From among the verification keys written to the storage 33 in step S201, the authentication key generation unit 313 of the certificate issuing device 30 reads out the verification key corresponding to the acquired key ID. The authentication key generation unit 313 generates an authentication key from the read verification key and the device ID. Here, the authentication key generation unit 313 generates the authentication key by the same method as in step S203.
The processes of steps S208 to S210 in FIG. 7 are the same as the processes of steps S108 to S110 in FIG. 5.
*** Effect of Embodiment 2 ***
As described above, in the certificate issuing system 1 according to Embodiment 2, a verification key is generated for each key ID. This makes it possible to use a different verification key for each group of communication devices 20. As a result, even if some of the verification keys are leaked, the communication devices 20 in groups that use other verification keys are not affected.
Since a verification key is generated for each key ID, the number of verification keys managed by the certificate issuing device 30 increases. However, it is not necessary to manage a verification key for each communication device 20. Therefore, the amount of information to be managed can be kept smaller than with the technique described in Patent Document 1.
Embodiment 3.
In the third embodiment, the process of updating the verification key will be described. Only the points that differ from the second embodiment are described; description of the points in common is omitted.
The third embodiment describes the case where a process for updating the verification key is added to the second embodiment. However, it is also possible to add the process of updating the verification key to the first embodiment.
*** Explanation of operation ***
The operation of the certificate issuing system 1 according to the third embodiment will be described with reference to FIGS. 9 and 10.
(Step S301 in FIG. 9: Designation reception process)
The information acquisition unit 111 of the key management device 10 acquires the key ID assigned to the verification key to be updated. In the third embodiment, the key registration terminal 41 is operated by a member of the manufacturing staff at the factory that manufactures the communication device 20, and the key ID is input to the key management device 10. The information acquisition unit 111 acquires the input key ID.
(Step S302 in FIG. 9: Verification key update process)
Similar to step S201 of FIG. 7, the key generation unit 112 of the key management device 10 generates a random number. The key generation unit 112 generates a verification key from the generated random numbers. The key generation unit 112 updates the verification key by replacing the verification key corresponding to the key ID acquired in step S301 with the newly generated verification key.
The key output unit 113 transmits the newly generated verification key and key ID to the certificate issuing device 30 via the communication path 91. Then, the verification key acquisition unit 311 of the certificate issuing device 30 acquires the transmitted verification key and key ID. The verification key acquisition unit 311 updates the verification key corresponding to the key ID with the acquired verification key.
(Step S303 in FIG. 9: Information acquisition process)
The information acquisition unit 111 of the key management device 10 acquires the device ID of the communication device 20 in which the authentication key generated from the verification key updated in step S302 is set. In the third embodiment, the key registration terminal 41 is operated by a member of the manufacturing staff at the factory that manufactures the communication device 20, and the device ID is input to the key management device 10. The information acquisition unit 111 acquires the input device ID.
(Step S304 of FIG. 9: Authentication key update process)
Similar to step S203 of FIG. 7, the key generation unit 112 of the key management device 10 generates an authentication key from the verification key updated in step S302, that is, the verification key corresponding to the key ID, and the device ID acquired in step S303.
The key output unit 113 of the key management device 10 transmits the newly generated authentication key, the device ID, and the key ID to the application server 42. The application server 42 has already established a communication path using the certificate with the communication device 20 in step S210 of FIG. 7. On acquiring the authentication key, the device ID, and the key ID, the application server 42 transmits the authentication key and the key ID to the communication device 20 identified by the device ID via the communication path using the certificate. The authentication key acquisition unit 211 of the communication device 20 acquires the transmitted authentication key and key ID. The authentication key acquisition unit 211 writes the authentication key and the key ID in the storage 23.
*** Effect of Embodiment 3 ***
As described above, in the certificate issuing system 1 according to the third embodiment, the communication device 20 acquires a new authentication key from the application server 42 by communication using the certificate signed by the certificate issuing device 30.
As a result, when the verification key is updated after the communication device 20 has been installed at its installation location, the authentication key generated from the updated verification key can be safely set in the communication device 20.
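The per-key-ID verification described for Embodiment 2 and the key update of Embodiment 3, as an added example that is not part of the patent. HMAC-SHA256 for both the key derivation and the authentication information is an assumption, since this section fixes neither; the class names, key IDs, device IDs and CSR bytes are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the page does not fix the derivation function or the form of the
# "authentication information"; HMAC-SHA256 stands in for both here.


def derive_auth_key(verification_key: bytes, device_id: str) -> bytes:
    """Authentication key from verification key + device ID (steps S203/S207)."""
    return hmac.new(verification_key, device_id.encode("utf-8"), hashlib.sha256).digest()


def authenticate_csr(auth_key: bytes, csr: bytes) -> bytes:
    """Authentication information the device attaches to its CSR (step S205)."""
    return hmac.new(auth_key, csr, hashlib.sha256).digest()


class KeyManagementDevice:
    """Key management device 10: one verification key per key ID."""

    def __init__(self) -> None:
        self.verification_keys: dict[str, bytes] = {}

    def generate_verification_key(self, key_id: str) -> bytes:
        # S201 creates the key; S302 calls this again to replace it.
        self.verification_keys[key_id] = secrets.token_bytes(32)
        return self.verification_keys[key_id]

    def provision(self, key_id: str, device_id: str) -> bytes:
        # S203 / S304: authentication key handed to the device.
        return derive_auth_key(self.verification_keys[key_id], device_id)


class CertificateIssuingDevice:
    """Certificate issuing device 30: holds verification keys only, no per-device state."""

    def __init__(self) -> None:
        self.verification_keys: dict[str, bytes] = {}

    def set_verification_key(self, key_id: str, key: bytes) -> None:
        self.verification_keys[key_id] = key

    def verify_request(self, csr: bytes, tag: bytes, device_id: str, key_id: str) -> bool:
        key = self.verification_keys.get(key_id)
        if key is None:
            return False  # unknown key ID: nothing to derive from
        expected = authenticate_csr(derive_auth_key(key, device_id), csr)
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def run_demo() -> dict[str, bool]:
    kmd, ca = KeyManagementDevice(), CertificateIssuingDevice()
    for key_id in ("group-A", "group-B"):  # constructed key IDs
        ca.set_verification_key(key_id, kmd.generate_verification_key(key_id))

    csr = b"constructed CSR bytes for dev-0001"
    tag = authenticate_csr(kmd.provision("group-A", "dev-0001"), csr)
    results = {
        "valid": ca.verify_request(csr, tag, "dev-0001", "group-A"),
        "tampered_csr": ca.verify_request(csr + b"x", tag, "dev-0001", "group-A"),
        "other_device_id": ca.verify_request(csr, tag, "dev-0002", "group-A"),
        "other_group": ca.verify_request(csr, tag, "dev-0001", "group-B"),
        "unknown_key_id": ca.verify_request(csr, tag, "dev-0001", "group-C"),
    }

    # Embodiment 3: replace group-A's verification key, then re-provision the device.
    ca.set_verification_key("group-A", kmd.generate_verification_key("group-A"))
    results["old_key_after_rotation"] = ca.verify_request(csr, tag, "dev-0001", "group-A")
    new_tag = authenticate_csr(kmd.provision("group-A", "dev-0001"), csr)
    results["new_key_after_rotation"] = ca.verify_request(csr, new_tag, "dev-0001", "group-A")
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Material derived under group-A's verification key never verifies under group-B's key ID, and a device still holding its pre-update authentication key is rejected until it receives the new one over the certificate-protected path.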
The embodiments and modifications of the present disclosure have been described above. Some of these embodiments and modifications may be combined and carried out. In addition, any one or several of them may be partially carried out. The present disclosure is not limited to the above embodiments and modifications, and various modifications can be made as necessary.
1 certificate issuing system, 10 key management device, 11 processor, 12 memory, 13 storage, 14 communication interface, 111 information acquisition unit, 112 key generation unit, 113 key output unit, 20 communication device, 21 processor, 22 memory, 23 storage, 24 communication interface, 211 authentication key acquisition unit, 212 authentication information generation unit, 213 request transmission unit, 214 certificate acquisition unit, 215 communication unit, 30 certificate issuing device, 31 processor, 32 memory, 33 storage, 34 communication interface, 311 verification key acquisition unit, 312 request acquisition unit, 313 authentication key generation unit, 314 verification unit, 315 certificate issuing unit, 41 key registration terminal, 42 application server, 91 communication path, 92 communication path.

Claims (10)

  1.  A communication device to which a device ID (IDentifier) is assigned, comprising:
    an authentication key acquisition unit that acquires an authentication key generated from a verification key held by a certificate issuing device and the device ID; and
    a request transmission unit that transmits, to the certificate issuing device, a certificate signing request to which authentication information based on the authentication key acquired by the authentication key acquisition unit is attached, and the device ID.
  2.  The communication device according to claim 1, wherein
    the authentication key acquisition unit acquires a key ID assigned to the verification key, and
    the request transmission unit transmits the key ID together with the certificate signing request and the device ID.
  3.  The communication device according to claim 1 or 2, further comprising
    a communication unit that establishes, with an application server, a communication path using a certificate signed by the certificate issuing device, wherein
    the authentication key acquisition unit acquires, from the application server via the communication path, a new authentication key generated from a new verification key and the device ID.
  4.  A certificate issuing device comprising:
    a verification key acquisition unit that acquires a verification key;
    a request acquisition unit that acquires, from a communication device, a certificate signing request to which authentication information based on an authentication key is attached, the authentication key being generated from the verification key acquired by the verification key acquisition unit and a device ID (IDentifier) assigned to the communication device, and the device ID;
    an authentication key generation unit that generates the authentication key from the verification key and the device ID acquired by the request acquisition unit;
    a verification unit that determines, using the authentication key generated by the authentication key generation unit, whether or not the authentication information is valid; and
    a certificate issuing unit that issues a certificate when the verification unit determines that the authentication information is valid.
  5.  The certificate issuing device according to claim 4, wherein
    the verification key acquisition unit acquires a verification key to which a key ID is assigned,
    the request acquisition unit acquires a key ID together with the certificate signing request and the device ID, and
    the authentication key generation unit generates the authentication key from the verification key to which the key ID acquired by the request acquisition unit is assigned and the device ID acquired by the request acquisition unit.
  6.  A certificate issuing system comprising a key generation device, a communication device, and a certificate issuing device, wherein
    the key generation device includes
    a key generation unit that generates a verification key and generates an authentication key from the verification key and a device ID (IDentifier) assigned to the communication device,
    the communication device includes
    an authentication key acquisition unit that acquires the authentication key generated by the key generation unit, and
    a request transmission unit that transmits, to the certificate issuing device, a certificate signing request to which authentication information based on the authentication key acquired by the authentication key acquisition unit is attached, and the device ID, and
    the certificate issuing device includes
    a verification key acquisition unit that acquires the verification key generated by the key generation unit,
    an authentication key generation unit that generates the authentication key from the verification key acquired by the verification key acquisition unit and the device ID transmitted by the request transmission unit,
    a verification unit that determines, using the authentication key generated by the authentication key generation unit, whether or not the authentication information transmitted by the request transmission unit is valid, and
    a certificate issuing unit that issues a certificate when the verification unit determines that the authentication information is valid.
  7.  A certificate signing request method, wherein
    a communication device to which a device ID (IDentifier) is assigned acquires an authentication key generated from a verification key held by a certificate issuing device and the device ID, and
    the communication device transmits, to the certificate issuing device, a certificate signing request to which authentication information based on the authentication key is attached, and the device ID.
  8.  A certificate signing request program for a communication device to which a device ID (IDentifier) is assigned, the program causing a computer to function as the communication device that performs:
    an authentication key acquisition process of acquiring an authentication key generated from a verification key held by a certificate issuing device and the device ID; and
    a request transmission process of transmitting, to the certificate issuing device, a certificate signing request to which authentication information based on the authentication key acquired by the authentication key acquisition process is attached, and the device ID.
  9.  A certificate issuing method, wherein
    a certificate issuing device acquires a verification key,
    the certificate issuing device acquires, from a communication device, a certificate signing request to which authentication information based on an authentication key is attached, the authentication key being generated from the verification key and a device ID (IDentifier) assigned to the communication device, and the device ID,
    the certificate issuing device generates the authentication key from the verification key and the device ID,
    the certificate issuing device determines, using the authentication key, whether or not the authentication information is valid, and
    the certificate issuing device issues a certificate when the authentication information is determined to be valid.
  10.  A certificate issuing program that causes a computer to function as a certificate issuing device that performs:
    a verification key acquisition process of acquiring a verification key;
    a request acquisition process of acquiring, from a communication device, a certificate signing request to which authentication information based on an authentication key is attached, the authentication key being generated from the verification key acquired by the verification key acquisition process and a device ID (IDentifier) assigned to the communication device, and the device ID;
    an authentication key generation process of generating the authentication key from the verification key acquired by the verification key acquisition process and the device ID acquired by the request acquisition process;
    a verification process of determining, using the authentication key generated by the authentication key generation process, whether or not the authentication information is valid; and
    a certificate issuing process of issuing a certificate when the verification process determines that the authentication information is valid.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/049448 WO2021124454A1 (en) 2019-12-17 2019-12-17 Communication equipment, certificate issuing device, certificate issuing system, certificate signing requesting method, certificate signing request program, certificate issuing method, and certificate issuing program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/049448 WO2021124454A1 (en) 2019-12-17 2019-12-17 Communication equipment, certificate issuing device, certificate issuing system, certificate signing requesting method, certificate signing request program, certificate issuing method, and certificate issuing program

Publications (1)

Publication Number Publication Date
WO2021124454A1 true WO2021124454A1 (en) 2021-06-24

Family

ID=76477324

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/049448 WO2021124454A1 (en) 2019-12-17 2019-12-17 Communication equipment, certificate issuing device, certificate issuing system, certificate signing requesting method, certificate signing request program, certificate issuing method, and certificate issuing program

Country Status (1)

Country Link
WO (1) WO2021124454A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014053675A (en) * 2012-09-05 2014-03-20 Sony Corp Security chip, program, information processing device, and information processing system
JP2016531516A (en) * 2013-08-19 2016-10-06 スマートガード エルエルシーSmartguard,Llc Secure installation of encryption enable software on electronic devices
WO2017022821A1 (en) * 2015-08-05 2017-02-09 Kddi株式会社 Management device, management system, key generation device, key generation system, key management system, vehicle, management method, key generation method, and computer program
JP2018014629A (en) * 2016-07-21 2018-01-25 Kddi株式会社 Communication system, communication device, communication method, and program


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19956982

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19956982

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP