JP2002314532A - Method for discovering replica terminal - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow a communication system comprising a center and a plurality of terminals to automatically find out a replica terminal and exclude it at a low cost. SOLUTION: The center and a plurality of the terminals are interconnected through a communication network where encryption communication is implemented by using individual session keys. When the center distributes a new session key to the terminals, the center transmits challenge information to the terminals. Each terminal transmits response information comprising a terminal ID and a temporary public key to the center. The center retrieves a communication log and inspects whether or not a terminal with the same terminal ID but having a different temporary public key exists. When the terminal exists, the center determines the presence of a replica terminal and distributes no session key thereto. Since the copy of the temporary public key produced by the terminals can hardly be copied and the replica terminal cannot produce the same temporary public key, the center can detect the presence of the replica terminal.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for finding a duplicated terminal, and more particularly to a method for finding a duplicated terminal in a communication system comprising a center and n (n is a natural number) terminals. .

[0002]

2. Description of the Related Art In a communication system including a center and a plurality of terminals, there are the following methods for concealing information and authenticating terminals. That is, the center performs encrypted communication with the terminal using the session key. The terminal generates or obtains a session key using an individual secret key stored in advance, and decrypts the encrypted communication from the center. The center checks the authentication information created with the secret key of the terminal and performs terminal authentication.

In such a method, there is a problem how to securely store the secret key in the terminal. Therefore, a secret key is often stored in a tamper-resistant device having tamper resistance, which makes unauthorized access physically difficult. Generally, an IC card is used as a tamper-resistant device. Keep the terminal-specific secret key on the IC card,
A method of inserting this IC card into a terminal and using it is implemented in a GSM mobile phone, a pay satellite broadcasting STB, and the like.

However, in recent years, research on attacks on IC cards has been advanced, and Power Analysis Attacks, which decipher internal secret keys based on current consumption of IC cards, have been devised, and the security of IC cards is not sufficient. If the secret key is leaked, it becomes possible to forge a duplicate terminal using the secret key. In order to prevent the encrypted terminal from intercepting the encrypted communication, it is necessary to take measures such as stopping the encrypted communication and eliminating the duplicated terminal.

[0005] As a method of finding a duplicated terminal, a method of inferring that the contents of encrypted communication are leaked to the outside,
There was a method of regularly examining the duplicate terminal in the black market. Such a method has a low degree of certainty of discovery, takes a long time until discovery, and is difficult to perform automatically without manual intervention.

[0006] To cope with this, a method of detecting a duplicate terminal in advance is described in Reference 1 [Tatsuyuki Matsushita, Yuji Watanabe, Kazukuni Furuhara, Hideki Imai, "Pre-authorization of unauthorized subscribers in content distribution suitable for ITS". Detection Methods, "2000 Cryptography and Information Security Symposium, SCIS2000-C09, 2000.]

[0007] However, the above-mentioned conventional pre-detection method presupposes a broadcast network, ElGamal encryption, and a secret sharing method.
There are many preconditions and low versatility. When a secret key is created using a secret sharing scheme, there is a collusion threshold, which is not secure against collusion. Even if the center is reliable, the amount of communication and the amount of calculation do not decrease. In the same round, a plurality of confidential information cannot be handled per terminal. There is no countermeasure for non-receiving. The condition of the random number is unknown and the security is insufficient. The database is large. in this way,
There is a problem that the system configuration conditions and operation procedures are insufficient, and it is difficult to automatically and efficiently eliminate unauthorized terminals completely.

In order to solve this problem, the present inventor has filed a patent application
2001-11089 proposed a duplicate terminal discovery method for a communication system including a center and n (n is a natural number) terminals (hereinafter referred to as the above invention). This duplicate terminal discovery method
In a communication system consisting of a center and multiple terminals,
This is a method of automatically finding and eliminating a duplicate terminal. By using public key cryptography and a random number generator, a duplicate terminal can be found at a lower cost as compared with a method using a special device or material.

As shown in FIG. 6, in this duplicate terminal discovery method, a center and a plurality of terminals are connected by a communication network that performs cryptographic communication using individual session keys. The center is
Sends challenge information when distributing a new session key to the terminal. The terminal sends response information obtained by encrypting the terminal ID and the terminal random number with the center public key to the center. The center is
The communication log is searched to check for a terminal having the same terminal ID and a different terminal random number. If there is such a terminal, it is determined that a duplicate terminal exists, and the session key is not distributed. Since the random number generated by the original terminal is difficult to duplicate, and the duplicate terminal cannot generate the same random number, the presence of the duplicate terminal can be detected.

That is, the terminal generates a terminal random number for each round, generates a terminal authentication statement for the terminal random number using a terminal secret key, encrypts the terminal authentication statement and the terminal random number with a center public key, and generates a terminal cipher text. Send to the center. The center obtains the terminal authentication text and the terminal random number by decrypting the terminal encryption text with the center secret key, and obtains the terminal authentication text with the terminal public key (or the terminal secret key if the center manages the terminal secret key). Verify. For each round, search the database in which the terminal random number used for delivery of secret information and the terminal ID of the terminal are registered in association with each other, and check for duplicate registrations where the same terminal ID and different terminal random numbers are registered To inspect. The terminal random number and terminal ID of the terminal whose terminal authentication statement verification result is correct and there is no duplicate registration are registered in the database. Using the terminal random number, a common key is generated, the secret information is encrypted with the common key, and transmitted to the terminal as a center ciphertext. The terminal receives the center cipher text, generates a common key from the terminal random number, and decrypts the center cipher text with the common key to obtain secret information.

In order to obtain secret information for each round, the terminal generates an authentication statement for the terminal random number using its own secret key, encrypts the terminal random number and the authentication statement using the public key of the center, and transmits it to the center. Therefore, the center can detect the presence of a duplicate terminal when a different terminal random number is sent from a terminal having the same terminal secret key in the same round. If the duplication terminal does not send the terminal random number for fear of discovery, the duplication terminal cannot obtain the secret information, and thus can be invalidated. Broad systems (applicability to various systems) are high, and there are many systems that can be applied because there are few prerequisites without assuming the broadcast network, ElGamal encryption, and secret sharing. Since there is no collusion threshold and an arbitrarily created secret key can be used, it is secure against collusion.

[0012]

However, in the above-mentioned conventional method for finding a duplicated terminal, a common key cryptosystem is required to encrypt secret information in addition to a public key cryptosystem and a random number generator. Although the cost of the common key cryptosystem is lower than that of the public key cryptosystem, the cost of the common key cryptosystem may cause a problem in a device with a low unit price and a large number such as an IC card.

An object of the present invention is to solve the above-mentioned conventional problems and to efficiently find and eliminate duplicate terminals at lower cost.

[0014]

In order to solve the above-mentioned problems, the present invention provides a method for finding a duplicate terminal of a communication system including a center and n (n is a natural number) terminals. Generating a pair of a temporary secret key and a temporary public key, generating a terminal authentication statement for the temporary public key with the terminal secret key, transmitting the terminal authentication statement and the temporary public key to the center,
The center verifies the terminal authentication statement with the terminal public key (terminal secret key if the center manages the terminal secret key), and for each round, the temporary public key used to deliver the secret information and the terminal terminal The database is searched in correspondence with the ID, and the presence of the duplicate registration in which the same terminal ID and a different temporary public key are registered is checked, and the verification result of the terminal authentication statement is correct and the duplicate registration is performed. Register the temporary public key and the terminal ID of the terminal without the terminal in the database, encrypt the secret information using this temporary public key and send it to the terminal as the center ciphertext, and the terminal receives the center ciphertext and temporarily The secret information is obtained by decrypting with the secret key.

[0015] With this configuration, the terminal can:
In order to obtain secret information for each round, an authentication statement for the temporary public key must be generated using the terminal's own secret key, and the temporary public key and the terminal authentication statement must be sent to the center. In the case where a different terminal random number is sent from a terminal having the same terminal secret key, the presence of a duplicate terminal can be found. If the duplication terminal does not send the temporary public key for fear of discovery, the duplication terminal cannot obtain the confidential information and thus can be invalidated. Further, since the common key encryption is not required, it can be realized at low cost.

Further, the authentication text generation means and the authentication text verification means are digital signature systems or message authentication codes (MAC). With this configuration, in the case of the digital signature scheme, the center does not need to manage the secret key of each terminal, and can prevent the terminal from falling into the center due to unauthorized use of the center. If
The center can perform verification at high speed.

Further, a digital signature or a MAC is included in the center ciphertext. With this configuration, falsification and impersonation of the center ciphertext can be detected.

Further, the digital signature or the MAC includes a time stamp or a serial number. With this configuration, the center can distinguish whether the digital signature or MAC sent from the terminal is a replay attack or a retransmission request by an attacker.

The secret information is configured to be a session key or a group key. With this configuration, it is possible to supply a session key required for encrypted communication and authentication or a group key required for group encrypted communication.

Further, a center random number is added as transmission information of the center, the terminal generates a terminal authentication statement for the center random number, and the center verifies the authentication statement, so that the authentication method becomes challenge-response authentication. , Safety can be improved.

In a case where there are a plurality of types of secret information in one round, the terminal always specifies the same temporary key and information specifying the desired type of secret information in the same round;
The terminal authentication text for these is transmitted. With such a configuration, a duplicated terminal can be found even if there are a plurality of types of secret information.

Further, when the terminal cannot receive communication from the center, the terminal is provided with means for inquiring the center of the current round number and retransmission request means for requesting retransmission. By adopting such a configuration, even when the terminal cannot receive information from the center, it is possible to resume discovery of the duplicated terminal and distribution of the secret information.

Further, the temporary random number generating means of the terminal may not generate another temporary key generator for outputting the same temporary key, and may output the same output as the output of the other temporary key generator by chance. It must satisfy the condition of having a length. With such a configuration, sufficient security against certain attacks can be ensured.

In the course of distributing the group key,
If a duplicate terminal is found, the group key is encrypted with the terminal public key of the terminal to which the group key has not been distributed (or the terminal secret key if the center manages the terminal private key), and the terminal is undistributed. Equipped with means to distribute. With this configuration, the group communication can be restarted at an early stage.

[0025]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of the present invention will be described below in detail with reference to FIGS.

(Embodiment) In an embodiment of the present invention, in a communication system in which a center and a plurality of terminals are connected by a communication network for performing cryptographic communication using individual session keys, the center provides a new session key to each terminal. This is a method for finding a duplicate terminal by checking for duplicate terminal IDs by using the fact that a temporary public key generated from a random number generated at a terminal is difficult to duplicate when distributing the terminal.

FIG. 1 is a flowchart of a duplicate terminal finding method according to the embodiment of the present invention. In FIG. 1, the center C
Is an organization that distributes session keys to each terminal. The communication path N is a wireless or wired communication medium capable of performing encrypted communication. The terminal T _i is a communication device that performs encrypted communication with the center C using a session key. There are a plurality of terminals, and i is a terminal ID unique to each terminal. The number of terminals may be one. Phase # 1 is a step of performing a procedure for finding a duplicate terminal. Phase # 2 is a step of performing a procedure for delivering the session key from the center C to the terminal T _i.

FIG. 2 is a diagram showing the configuration of a center used in the duplicate terminal finding method according to the embodiment of the present invention. In FIG. 2, a random number generation unit 1 is a unit that generates a pseudo random number or a true random number. The transmitting unit 2 is a unit that transmits data to a terminal by wire or wirelessly. Authentication statement verification means 3
Is means for decrypting and verifying the authentication text encrypted with the terminal private key with the terminal public key or the terminal secret key. The database means 4 is a database in which communication records with the terminal are compiled. The detecting means 5 is a means for searching a database and detecting terminal duplication. The public key encryption means 6
This is a means for encrypting the session key with the temporary public key.

FIG. 3 is a configuration diagram of a terminal used in the duplicate terminal finding method according to the embodiment of the present invention. In FIG. 3, a transmission unit 2 is a unit that transmits data to a center by wire or wirelessly. The temporary key generation means 7 is a means for generating a temporary set of a secret key and a public key from random numbers. The public key encryption / decryption means 8 is means for decrypting the session key encrypted with the temporary public key using the temporary secret key. The authentication text generation means 9 is a means for generating an authentication text by encrypting the terminal random number and the center random number with the terminal secret key.

FIG. 4 shows a duplicate terminal discovery phase (phase # 1) of the duplicate terminal discovery method according to the embodiment of the present invention.
It is a flowchart of. FIG. 5 is a flowchart of the session key distribution phase (phase # 2) of the duplicate terminal finding method.

The operation of the duplicate terminal discovery method according to the embodiment of the present invention configured as described above will be described. First, the principle of the duplicate terminal finding method will be described with reference to FIG. This duplicate terminal finding method verifies the temporary public key SP _i ^b and the terminal authentication statement transmitted from the terminal T _i at the center C, and confirms that the terminal authentication statement is correct and that a different temporary identification key is present from the terminal having the same terminal ID at the present time. only if the public key SP _i ^b is not transmitted, a method of utilizing a protocol of providing the session key SK _i ^b to the terminal T _i is encrypted with the temporary public key SP _i ^b. However, the superscript b is a round number and does not mean a power. A round is the validity period of a session key. Since the round number is independent for each terminal, it should be strictly identifiable by the terminal ID. However, since the description is complicated and does not get lost, it is simply written as b. The terminal ID i and the round number b may be omitted.

The duplicate terminal discovery method includes two phases, a duplicate terminal discovery phase and a session key distribution phase. In the duplicate terminal discovery phase (phase # 1), the center C performs the terminal T
and _i, to authenticate the temporary terminal T _i has delivered public key SP _i ^b. The center C searches the database and checks for duplicate terminal IDs. If a terminal T _i ′ having the same terminal ID and transmitting a different temporary public key is detected, it can be determined that a duplicate terminal of the original terminal T _i having this terminal ID exists. Session key distribution phase (phase # 2), center C, to the no replication terminal terminal T _i, the session key S
K _i ^b is encrypted with the temporary public key SP _i ^b and delivered.

The challenge-response authentication will be described.
The center C generates a center random number Z _i ^b and generates a challenge CH
It sent as A to the terminal T _i. In response to the center random number Z _i ^b received from the center C and the temporary public key SP _i ^b generated by the terminal itself, the terminal T _i sends the authentication text generated by the terminal's own secret key to the center C as a response RES. Send. By verifying this by the center C, the terminal T _i and its temporary public key SP _i ^b are authenticated. Here, the center C is the terminal T
Confirm the correspondence between _i and its temporary public key SP _i ^b . When a digital signature is used, there is no need to store the secret key of each terminal in the center C, and key management becomes easy.

Temporary public key SP _i ^b and its paired temporary secret key
The generation of SS _i ^b will be described. The temporary key generation means 7 generates a temporary set of a secret key and a public key from random numbers. Public key cryptography is used so that only the terminal that has generated the temporary key pair can decrypt the encrypted session key. As a pair of the temporary public key and the temporary secret key, any type of public key encryption such as RSA encryption may be used. A temporary private key and / or public key pair is simply referred to as a temporary key.

The search of the database will be described. Center C
Searches the database to determine whether the session key SK _i ^b has already been delivered to the terminal T _i . If it has been delivered, the temporary public key SP _i ^b ′ used for delivery is compared with the transmitted temporary public key SP _i ^b . If not, the terminal T
_It is determined that a duplicate terminal of _i exists. Terminal T _i is, so use the same temporary public key in the same round, as long as duplication terminal is not present, the response RES _i ^b which uses a different temporary public key SP _i ^b will not come.

However, as a replay attack, the terminal T_iBut
The duplicate terminal may send the temporary public key again.
is there. As a countermeasure, follow the terminal authentication statement with a serial number or
Not include the same response
May be confirmed by the center C. In addition, temporary public
Open key SP_i ^b'And temporary public key SP_i ^bWhich is the temporary copy terminal
It cannot be distinguished whether it is a public key. Also, if there are multiple
Then the temporary public key SP _i ^b'And temporary public key SP_i ^bBut both
It may be the temporary public key of the terminal. Copy terminal is simply
Duplicate by the duplicate terminal discovery method in any case
The presence of the terminal can be detected.

Session key SK_i ^bWill be described. C
C is an authenticated temporary public key SP _i ^bUsing
Key SK_i ^bTo encrypt. Terminal T_iIs the temporary public key SP_i ^b
Temporary secret key SS paired with_i ^bUsing the session key SK_i ^b
Is decrypted. Terminal secret key S_iEven if is leaked, temporary secret key S
S_i ^bWithout the session key SK_i ^bCannot be decrypted. So
Therefore, in the set of original terminals and duplicate terminals,
SK_i ^bCan only get one
You. If necessary, MAC (Message Authenticatio
n Code: Message authentication code)
A function to detect spoofing can be added.

The updating of the session key SK _i ^b will be described. The center C needs to periodically update the session key and execute the duplicate terminal discovery method in order to cope with the leakage of the session key due to the temporary passing. The shorter this period, the more
Quickly find and invalidate duplicate terminals.

The case where there are a plurality of session keys SK _i ^b will be described. If there are a plurality of types of session keys, each terminal T
_i, if the same round, using the same temporary public key, and transmits the response RES _i ^b you specify the type of session key. However, when using a consecutive number or time stamp, use a value different from the previously used number or stamp. That is, the desired specification information B _i ^b is information specifying the type of secret information, the terminal authentication statement D _i ^b and the temporary public key
Transmit with SP _i ^b . The terminal authentication text D _i ^b is the designated information B _i ^b
To be an authentication sentence.

The center C has a serial number and a time stamp.
Examine the database to make sure the temporary public key is the same
And the terminal T_iTo the same temporary public key
It is encrypted with an open key and delivered. That is, in the same round
And the same temporary public key SP _i ^bInformation sent with
Report B_i ^bSecret information of the type specified by
SP_i ^bAnd encrypted.

A countermeasure against unreceived data will be described. When the terminal T _i is turned off or moved to an area where communication is not possible,
For cases can not receive the challenge CHA _i ^b and the session key, the ability to query the current round number to the center, it is added to the terminal T _i. If the round is advanced, the terminal T _i requests a retransmission to the center.

As described above, a duplicate terminal can be found. Proper terminal T _i transmits a response RES _i ^b above, when the replication terminal does not send a response RES _i ^b is duplicated terminal can not be found, since replication terminal can not obtain the session key, substantially Can be invalidated.

Second, each step of the procedure (phase # 1) for finding a duplicate terminal will be described with reference to FIGS. In the preparation stage, a trusted system administrator (not shown) generates a terminal secret key S _i and a terminal public key Y _i for each terminal T _i . The center C, and distributes the terminal public key Y _i. A corresponding terminal secret key S _i is secretly distributed to each terminal T _i .

In phase # 1-1, the center C shown in FIG.
Generates the center random number Z _i ^b by the random number generation means 1 in FIG. The transmitting unit 2 transmits a challenge CHA _i ^b = Z _i ^b that also serves as a session key update notification to the terminal T _i .

In phase # 1-2, terminal T _i shown in FIG.
Generates a pair of a temporary public key SP _i ^b and a temporary secret key SS _i ^b by the temporary key generation means 7 in FIG. Using the terminal secret key S _i of the terminal itself, the terminal ID (= i), and the center random number Z _i ^b sent as a challenge CHA _i ^b from the center C, the temporary public key SP _i ^b digital signature for the SIG ( S _i , (i‖Z _i ^b ‖S
P _i ^b )) is generated by the authentication statement generation means 9. However, (x‖
y) indicates a concatenation of codes where x is the upper digit and y is the lower digit. SIG (x, y) indicates that the key x is used to calculate the digital signature of y. The digital signature, and terminal authentication statement D _i ^b.

[0046] the center C, these, the response RES _i ^b serving as the session key request notification ^{_{= (i‖SP i b ‖D i b}} ) = (i‖SP i b ‖SIG (S i, (i‖Z i ^b ‖SP _i ^b ))) is transmitted by the transmission means 2.

In phase # 1-3, the center C in FIG.
The receiving means (not shown)_iResponse RES from_i ^b
To receive. The authentication text verification means 4 uses the terminal T_iDevice release for
Key Y _iUsing SIG (S_i, (i‖Z_i ^b‖SP_i ^bVerify))
You. If the verification result is correct, the terminal T_iAnd temporary public key SP_i
^bAnd proceed to phase # 1-4.
No. If the verification result is invalid, the protocol ends.

In the phase # 1-4, the center C uses the terminal ID as a key by the detecting
See If the session key has been delivered, the terminal ID (= i) and the temporary public key SP _i ^b used for delivery are stored in the database.
Are registered in association with each other. If the temporary public key SP _i ^b used for delivery is not registered, that is, the session key SK
If _i ^b has not been delivered, and record the temporary public key SP _i ^b in the database, proceed to Phase # 2. If the temporary public key SP _i ^b used for delivery is registered, that is, the session key SK _i ^b
Is delivered, it is checked whether the temporary public key SP _i ^b ′ recorded in the database is equal to the received temporary public key SP _i ^b . If equal, proceed to phase # 2. If not, it is determined that a duplicate terminal has been found, and the protocol is terminated. In addition, if the center C detects that the same response has been sent by checking the serial number and the time stamp included in the terminal authentication statement, it also determines that a replay attack by the duplicate terminal has been found, and terminates the protocol. .

Third, each step of the session key delivery procedure (phase # 2) will be described with reference to FIGS. 2, 3, and 5. The center C distributes the session key only to the terminal for which no duplicate of the temporary public key SP _i ^b has been detected.

[0050] In phase # 2-1, the center C is a public key encryption unit 6, the session key SK _i ^b the temporary public key SP
_i ^b in to generate encrypted center ciphertext ^{_{EC i b = SP i b [}} SK it b], is transmitted by the transmitting unit 2 to the terminal T _i. Here, x [y] indicates that y is encrypted with the key x.

In phase # 2-2, terminal T_iShows
Center ciphertext EC_i ^b(= SP_i ^b[SK_i
^b]) To receive. Temporary public key SP_i ^bTemporary secret key paired with
SS_i ^bThe public key encryption / decryption means 8 shown in FIG.
EC ciphertext EC_i ^b(= SP_i ^b[SK_i ^b]) Decrypt and session
Key SK_i ^bGet. Terminal T_iBut the center ciphertext EC_i ^b(= SP
_i ^b[SK_i ^b]) Is not received, phase # 1-
Response RES generated in 2_i ^bTemporary release used for
Key SP_i ^bAgain using the sequence number or timestamp
, Recalculate the response, and resend it to Center C
You.

Here, the secret information is used as the session key, but it may be a group key. Also, instead of the encryption key,
It can also be secret information such as electronic money or electronic tickets. In addition, although the description has been made in conjunction with the commonly used two-way challenge-response authentication, it is also possible to use the two-way challenge-response authentication in combination with the one-way authentication without the challenge.

[0053] If a duplicate terminal in the course of distribution of the group key GK ^b is found, the terminal T _i of undelivered the group key GK ^b, and encrypts the group key GK ^b by the terminal public key Y _i, to distribute to the terminal T _i of undistributed. If the center C is managing the terminal secret key, encrypts the group key GK ^b by the terminal secret key S _i, is distributed to the terminal T _i of undelivered. In this way, group communication can be resumed early.

Fourth, the conditions of the temporary key generation means will be described. This condition is equal to the condition of the random number generation means of the above invention. Specifically, it is a temporary key generation unit that generates a temporary key using a random number generated using a random number generator under the following conditions. In other words, "the other random number generator that outputs the same random number cannot be created, and the output length has a negligible probability of being the same output as the output of another random number generator by chance." This is satisfied if the structure of the random number generator can be duplicated but the state of the random number or the seed cannot be duplicated and the output has about 128 bits. Therefore, the next 128-bit random number generator satisfies this condition. -A true random number generator using white noise, etc.-A pseudorandom number generator or pseudorandom number generation software that receives a seed that is difficult to predict and that is updated based on a constantly changing state unique to each terminal

As such seeds, there are the following and combinations thereof. • Terminal memory status and system clock value • Time, time, and count related to terminal operation

Fifth, security will be described. Basically, it is the same as the previous invention. Specifically, the following is dealt with.

[0057]

As can be seen from Table 1, in this embodiment, a temporary public key is used instead of the random number of the conventional method. At this time, assuming that the common key cryptosystem is safe, the session key is decrypted by obtaining the corresponding secret key from the public key that encrypts the random number of the above invention. Decrypting the session key by finding the private key corresponding to the temporary public key is considered equivalent. Further, if the temporary key generation means of the present embodiment has the same conditions as the random number generation means of the above invention, the temporary public key of this embodiment is the same as the random number for finding the duplicate terminal of the above invention. Clearly, it retains similar functionality and security.

Sixth, the difference between the above invention and the present embodiment will be described with reference to Table 2. The public key encryption used in the present embodiment and the previous invention is a public key e33bit,
Compare as RSA encryption with 1024 bits secret key. However, RSA
Cryptography considers the use of a method that speeds up the computation of a secret key using the commonly used Chinese Remainder Theorem. The calculation amount is converted with one power residue of 1024 bits for all parameters as one. N is the total number of terminals.

As shown in Table 2, this embodiment is faster in verifying a response than the previous invention. Therefore, the operation amount of the session key encryption is negligible in both the above-described invention and the present embodiment. It can be said that the above-mentioned invention is a method in which the amount of operation of the terminal is small. In particular, when the total number of terminals n is large, the present embodiment is more effective. In addition, since the temporary key generation can be performed in advance, this calculation amount is considered to be negligible.
The amount of calculation for generating the response is considered to be similar.

The present embodiment has a merit that the operation amount of the session key decryption is larger than that of the above invention, but the common key encryption is not required, so that it can be implemented at a lower cost than the above invention.

[0062]

When the MAC is used in place of the digital signature (the system administrator secretly distributes the terminal secret key S _i to the center instead of the terminal public key Y _{i in} advance), Table 3 And the same tendency as in the case where a digital signature is used.

[0064]

As described above, in the embodiment of the present invention,
In a communication system in which a center and a plurality of terminals are connected by a communication network that performs encryption communication with individual session keys in a communication system in which a center distributes a new session key to each terminal, a method of detecting a duplicate terminal occurs in a terminal. Since the configuration is such that the duplicate of the terminal ID is detected by using the temporary public key that is difficult to duplicate, the duplicate terminal is found, the presence of the duplicate terminal can be automatically detected and eliminated.

[0066]

As is apparent from the above description, according to the present invention, a method for finding a duplicate terminal in a communication system including a center and a plurality of terminals is described. The secret information update notification and the center random number are sent to the terminal as a challenge.
Upon receiving the challenge, generating a temporary public key for each round, generating a terminal authentication statement for the center random number and the temporary public key with the terminal private key, transmitting the terminal authentication statement and the temporary public key to the center, Verifies the terminal authentication text with the terminal public key, searches the database that registers the temporary random number used for the delivery of secret information and the terminal ID in association with each other, and registers a different temporary public key with the same terminal ID The presence / absence of duplicate registration is checked, the terminal public key verification result is correct, and the temporary public key of the terminal without duplicate registration is registered in the database, and the secret information is encrypted with this temporary public key to obtain the center cipher text. The center ciphertext is received by the terminal, and the center ciphertext is decrypted with the temporary secret key that is paired with the temporary public key to obtain secret information. If the duplicate terminal does not send a random number because of the possibility of detecting the end of the terminal and fearing discovery, the duplicate terminal cannot obtain the secret information and thus can be invalidated. In particular, since symmetric key cryptography is not required, implementation at low cost is possible.

[Brief description of the drawings]

FIG. 1 is a flowchart of a duplicate terminal discovery method according to an embodiment of the present invention;

FIG. 2 is a configuration diagram of a center used in a duplicate terminal discovery method according to the embodiment of the present invention;

FIG. 3 is a configuration diagram of a terminal used in a duplicate terminal discovery method according to the embodiment of the present invention;

FIG. 4 is a flowchart of a duplicate terminal discovery phase (phase # 1) of the duplicate terminal discovery method according to the embodiment of the present invention;

FIG. 5 is a flowchart of a session key distribution phase (phase # 2) of the duplicate terminal discovery method according to the embodiment of the present invention;

FIG. 6 is a flowchart of a duplicate terminal finding method according to the above invention.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 Random number generation means 2 Transmission means 3 Authentication text verification means 4 Database means 5 Detection means 6 Public key encryption means 7 Temporary key generation means 8 Public key encryption / decryption means 9 Authentication text generation means C Center N Communication path T terminal

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification FI FI Theme Court ゛ (Reference) H04B 7/26 109S (72) Inventor Natsume Matsuzaki 3-20 Shin-Yokohama, Kohoku-ku, Yokohama, Kanagawa 8 Within the Mobile Communication Security Technology Research Laboratories (72) Inventor Tsutomu Matsumoto 13-45 F-term (Reference) 5K104 AA07 AA08 AA09 AA11 AA16 AA18 BA03 EA02 EA06 EA19 KA02 KA06 LA01 LA03 LA06 NA02 NA03 PA12 5K067A AA32 CC14 DD17 EE02 EE10 EE22 HH11 HH22 HH36

Claims (12)

[Claims] 1. A center C and n terminals T (n is a natural number)
_i (where i is a terminal ID), the terminal T _i is a temporary secret key SS in round b
_i ^b (superscript b subscript indicates the round number) to generate a set of temporary public key SP _i ^b and, the terminal authentication statement D _i ^b generated by the terminal secret key S _i with respect to the temporary public key SP _i ^b transmits said terminal authentication statement D _i ^b and the temporary public key SP _i ^b to the center C, the center C, if the terminal public key Y _i (the center manages the terminal secret key terminal secret the terminal authentication statement D _i ^b verified by key S _i), for each round, the temporary and the public key SP _i ^b used for the delivery of secret information, and a terminal ID of the terminal T _i,
Search the database registered corresponding to the same terminal
And different temporary public key is to check the presence or absence of a duplicate registration that is registered in the ID, the terminal authentication statement D _i ^b of the verification result is correct, and the temporary public key SP _i of the overlapping registration is not the terminal T _i ^b and the terminal ID registered in the database, using the temporary public key SP _i ^b, and transmitted to the terminal T _i to encrypt the private information K _i ^b as centers ciphertext EC _i ^b, the terminal T _i, the center receives the ciphertext EC _i ^b, duplicate terminal discovery method characterized in that said temporarily decrypted by a secret key SS _i ^b obtain the secret information K _i ^b. 2. A center C and n terminals T (n is a natural number)
_i (where i is a terminal ID) in the duplicate terminal discovery method of the communication system, wherein the terminal T _i is a temporary secret key SS in round b.
_i ^b (superscript b subscript indicates the round number) and temporary key generation unit for generating a set of temporary public key SP _i ^b and the terminal authentication statement D _i ^b the terminal secret key for the temporary public key SP _i ^b an authentication sentence generating means for generating the S _i, and the terminal side transmission means for transmitting said terminal authentication statement D _i ^b and the temporary public key SP _i ^b, the secret information K _i ^b of the temporary public key SP _i ^b and a public key decryption means for decrypting by said encrypted center ciphertext EC _i ^b one o'clock secret key SS _i ^b, the center C, the terminal authentication statement D _i ^b the terminal public key Y _i
And certification statement verification means (if the center is managing the terminal secret key to the terminal secret key S _i) to verify, in each round,
The temporary public key SP _i ^b used for delivery of secret information and the terminal T
and database means for registering the terminal ID of the _i in correspondence, detecting means for detecting the duplicate registration and different temporary public key in the same terminal ID by searching the database is registered, the terminal authentication statement D _i ^b The verification result of ^b is correct and the temporary public key SP _i ^{b of the} terminal T _i without the duplicate registration
And encrypts the secret information K _i ^b to obtain the center ciphertext EC _i ^b
A public key encryption means for generating a replication terminal discovery method, characterized by comprising a transmission means for transmitting said center ciphertext to the terminal T _i. 3. The authentication sentence generating means and the authentication sentence detecting means are means for using a digital signature or a message authentication code (MAC).
Described duplicate terminal discovery method. 4. The center C is provided with the center ciphertext EC _i ^b
The means for including a digital signature or message authentication code (MAC) to provided to the terminal T _i, replication terminal according to claim 2, characterized in that a means for verifying a digital signature or message authentication code (MAC) Discovery method. 5. The digital signature and a message authentication code (MAC) are provided with means for including a time stamp or a serial number.
3. The duplicate terminal discovery method described in 1. Wherein said secret information K _i ^b is claim 2, characterized in that a group key GK ^b shared session key or the center C and a plurality of terminals of the center C with the terminal T _i Described duplicate terminal discovery method. Wherein said secret information K _i ^b is duplicated terminal discovery method according to claim 2, characterized in that the electronic ticket or the electronic money. Wherein said terminal T _i is authenticated sentence generating means for generating a terminal authentication statement D _i ^b for the center random number Z _i ^b and the temporary public key SP _i ^b received from the center C by the terminal secret key S _i wherein the center C, the center random number Z _i ^b and the center number generating means for generating, center side transmitting unit configured to transmit the center random number Z _i ^b and update notification confidential information in the previous round to the terminal T _i 3. The duplicate terminal discovery method according to claim 2, comprising: To wherein said terminal T _i, and the terminal authentication statement D _i ^b designation information B _i ^b is information specifying the type of desired secret information when the secret information in the same round are a plurality kinds exist Means for transmitting together with the temporary public key SP _i ^b ,
And means for the terminal authentication statement D _i ^b is such is also an authentication statement to the specification information B _i ^b provided on the center C, are sent the same said with temporary public key SP _i ^b in the same round the designation information B _i ^b the type of secret information specified by replication terminal discovery method according to claim 2, characterized in that a means for delivering encrypted by the temporary public key SP _i ^b was. To wherein said terminal T _i, the inquiry means for inquiring the current round number for the center C if it can not receive a communication from the center C, the round number of the terminal T _i and the center C 3. The duplicate terminal discovery method according to claim 2, further comprising retransmission request means for requesting the center C to perform retransmission when b is different. 11. The temporary key generation means cannot generate another temporary key generator that outputs the same temporary key, and an output length that can neglect the probability of being the same output as the output of another temporary key generator by accident. The duplicate terminal discovery method according to claim 2, wherein the condition of having a duplicate terminal is satisfied. 12. If the replication terminal in the course of distribution of the group key GK ^b is found, the terminal public key the group key GK ^b to the terminal T _i of undelivered Y _i (center manages terminal secret key 7. The method according to claim 6, further comprising: means for encrypting the group key GKb with the terminal secret key S _i ) and distributing the encrypted group key GK ^b to the undistributed terminal T _i .