JP2016220062A - Communication device, server, signature verification commission system, and signature verification commission method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow a node to learn the verification result of a server certificate by using a calculation entrusted server in a system that entrusts part of security processing calculation in order to mitigate a burden on the node.SOLUTION: A communication device according to the present invention comprises: transmission/reception means that exchanges information between a plurality of calculation entrusted servers; encryption processing means that selects appropriate keys and encryption algorithm between the calculation entrusted servers, and encrypts or decrypts information exchanged between the calculation entrusted servers; verification calculation entrusting means that gives a parameter necessary to verify a signature encrypted by the encryption processing means to each calculation entrusted server, and entrusts each calculation entrusted server with signature verification calculation; and result determination means that evaluates each verification result of signature verification obtained from each calculation entrusted server.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a communication device, a server, a signature verification entrusting system, and a signature verification entrusting method, and is applied to, for example, a client and a server that construct a network that establishes secure communication (secure communication) against eavesdropping or tampering. To get.

  The TLS protocol (Transport Layer Protocol: RFC5246) is a communication protocol for constructing a secure communication path between a client and a server.

  For example, in a network environment where the communication bandwidth and computation resources of a node are limited, such as a sensor network, it is necessary for a node to implement a certificate-based TLS handshake protocol in terms of communication bandwidth and computation resources. It will be a big burden. As a result, processing and communication that should be performed by the node are delayed.

  Therefore, there is a need for a system that entrusts part of the security processing calculation to reduce the burden on the node.

  Patent Document 1 discloses a system that entrusts a part of communication and security processing calculation originally performed by a node to an external server in the TLS handshake protocol.

  Non-Patent Document 1 discloses a signature method that can be verified.

Japanese Patent Application No. 2014-160643

Keisuke Nagumo and Keisuke Tanaka, "Verification of signature verification method and its security", Symposium on Cryptography and Information Security, 31st, Session 1C3-1, January 21, 2014

  The main role of the TLS handshake protocol is to establish an encryption session key and authenticate a communication partner between a client and a server.

  In particular, authentication to eliminate spoofed entities is an important factor.

  Prior to performing the certificate-based TLS handshake protocol, each entity (eg. TLS client, TLS server) is a private key of a public key pair issued by a certificate authority (CA). In secret. The public key is described in the public key certificate together with the CA signature, and each entity has it. Since this public key certificate is given a CA signature, only the CA can be counterfeited.

  In the certificate-based TLS handshake protocol, as the first step of entity authentication, the authenticated entity passes the public key certificate to the verifying entity, and the verifier confirms the contents described in the public key certificate. In addition, the CA signature is verified. Next, as a second step, the verification-side entity completes authentication by testing whether the authenticated-side entity has private key information corresponding to the public key.

  The partial processing consignment system for TLS handshake disclosed in Patent Document 1 is characterized in that a part of communication and calculation processing of a node serving as a TLS client is consigned to a wireless NW management terminal and a calculation server. However, since the verification of the TLS server certificate (hereinafter also referred to as a server certificate) is left to the wireless NW management terminal in the system, if the wireless NW management terminal is unreliable, the reliability of the authentication is increased. I can't keep it. For example, when the wireless NW management terminal connects to a TLS server different from the TLS server desired by the node and executes the TLS handshake, the node cannot detect this.

  On the other hand, Non-Patent Document 1 proposes a digital signature method that can be commissioned for verification based on the Biliner Diffie-Hellman problem. However, this method cannot be used because it is not currently adopted as a digital signature method of a standard protocol such as TLS. Further, according to the description in Section 7.2 of Non-Patent Document 1, even when the verification is commissioned, one bilinear map calculation and M + r exponential operations are necessary although specific numerical values are unknown. For example, a relatively heavy calculation is required on the entrusting node side.

  Therefore, in view of the above-mentioned problems, the present invention uses a calculation entrusted server in a system that entrusts a part of security processing calculation to reduce the burden on the node, and the node verifies the verification result of the server certificate. It is possible to grasp.

  In order to solve such a problem, a communication device according to the first aspect of the present invention includes (1) transmission / reception means for transmitting / receiving information to / from a plurality of calculation consignment servers, and (2) each calculation consignment server. (3) Necessary for verifying the signature encrypted by the encryption processing means, by selecting an appropriate key and encryption algorithm between them and encrypting or decrypting the information exchanged with the server to be calculated And a verification calculation entrusting means for entrusting each computation entrusted server with each parameter and entrusting each computation entrusted server with the signature verification computation, and (4) evaluation of each verification result of the signature verification obtained from each of the compute entrusted servers And a result determination means for performing the above.

  The server according to the second aspect of the present invention includes: (1) transmission / reception means for exchanging information with a communication device that is a signature verification entrusting source; and (2) an appropriate key and encryption algorithm with the communication device. And a cryptographic processing means for encrypting or decrypting information exchanged with the communication device, and (3) a signature using parameters necessary for signature verification acquired from the communication device that is the source of signature verification It is characterized by comprising verification calculation means for performing verification calculation and giving the verification result of the signature verification to the consignor.

  A signature verification entrusting system according to a third aspect of the present invention is a signature verification entrusting system comprising: a communication device that is a signature verification entrusting source; and a plurality of servers that receive signature verification calculation from the communication device and perform signature verification calculation In the system, (1) the communication device transmits parameters necessary for encrypted signature verification to each server, and (2) each server uses the parameters necessary for signature verification acquired from the communication device to sign. The verification calculation is performed, the verification result of the signature verification is transmitted to the consignor, and (3) the communication device evaluates each verification result of the signature verification acquired from each server.

  A signature verification delegation method according to a fourth aspect of the present invention is a signature verification delegation comprising: a communication device that is a signature verification delegation source; and a plurality of servers that receive signature verification calculation from the communication device and perform signature verification calculation In the system signature verification delegation method, (1) the communication device transmits parameters necessary for encrypted signature verification to each server, and (2) each server is necessary for signature verification acquired from the communication device. The signature verification is calculated using the parameter, the verification result of the signature verification is transmitted to the consignor, and (3) the communication device evaluates each verification result of the signature verification acquired from each server. To do.

  According to the present invention, in a system that entrusts a part of security processing calculation in order to reduce the burden on the node, the node can grasp the verification result of the server certificate by using the computation entrusted server.

It is a block diagram which shows the structure of the network system which concerns on embodiment. It is an internal block diagram which shows the internal structure of the node which concerns on embodiment. It is an internal block diagram which shows the internal structure of the to-be-computed server which concerns on embodiment. It is a sequence diagram which shows the processing operation of the signature verification commissioning method in the network system concerning an embodiment.

(A) Main Embodiment A main embodiment of a communication device, a server, a signature verification entrusting system, and a signature verification entrusting method according to the present invention will be described in detail with reference to the drawings.

(A-1) Example of Server Certificate Signature Verification Method In the following embodiment, a case will be described in which, after a node receives a server certificate of a TLS server, the server certificate is verified using a computed entrusted server. To do. For example, the signature of the server certificate is assumed to be an ECDSA signature scheme (which uses SHA256 for the digest function), which is a signature scheme using elliptic curve cryptography, but is not limited to this. A signature method may be used.

  Note that TLS protocol using elliptic curve cryptography is defined in RFC 4492. Prior to the description of this embodiment, ECDSA signature generation and signature verification will be described.

(ECDSA signature generation)
An elliptic curve E over the prime _{F p} with respect to a prime number p _{(F p),} E _{(F p)} on the base point G and, of order N of G is a system common parameters. In this embodiment, N is a prime number. Also, the signer keeps the signature key x secret, and discloses xG, which is x times G, as a verification key. Here, it is assumed that the verification key xG = _{P x.}

When the signer generates the digital signature σ of the message M, the signer executes the following procedure. The integer expression (value) is a value that uniquely identifies the message M, and for example, a hash value can be used. The message M can be various information, but can be node identification information such as an IP address.
(I) Integer kε [1, N−1] is selected at random (ii) kG = (x _k , y _k ) is calculated and x _{k is set} to an integer expression r (iii) r≡0 (modN) Then, return to (i). (Iv) The integer expression of the digest function value of the message M is set to m. (V) An integer s is calculated by the equation (1).
s = k ⁻¹ (m + xr) mod N (1)
^{However, k -1} is the inverse element calculation unit 130 of the element body _{F p (vi) (r,} s) is the signature sigma.

(ECDSA signature verification)
Verifier is assumed to obtain safely the public key P _x of the pre-signer. When the verifier obtains the message M and the signature σ = (r, s), the verifier verifies that the signature σ is generated by the signer and the message M is not falsified by the following procedure.
(I) Calculate integer representation m of digest function value of message M (ii) Perform calculation according to equation (2), and convert X component x _k ′ of the rational point obtained to integer representation r ′ ms ⁻¹ G + rs ⁻¹ Px = (x _k ′, y _k ′) (2)
(Iii) If r = r ′, the verification is successful, otherwise the verification is failed.

(A-2) Configuration of Embodiment FIG. 1 is a configuration diagram showing a configuration of a network system according to this embodiment. In FIG. 1, the network system 10 according to the embodiment includes a plurality of nodes 100 that can be connected to a wireless network 500, and computation-commissioned servers 300 and 400 that can be connected to the Internet 600.

  The wireless NW management terminal 200 is interposed between the wireless network 500 and the Internet 600, and relays information exchanged between the wireless network 500 and the Internet 600.

  The node 100 is a node (communication device) of the wireless network 500 in which the wireless NW management terminal 200 is a network coordinator. The node 100 can communicate with the calculation commissioned server (300, 400) on the Internet 600 via the wireless NW management terminal 200. Although the communication method between the node 100 and the calculation entrusted servers 300 and 400 is not necessarily one, for example, the ZigBeeIP standard may be applied.

The calculation entrusted servers (300, 400) are servers on the Internet 600. In this embodiment, the signature verification calculation performed by the node 100 is executed on behalf of the node 100, and the verification calculation result is returned to the node 100. is there. Note that node 100, a consignment server 300 and pre-shared key _{K 1} to be calculated, share advance respectively to be calculated consignment server 400 and pre-shared key _{K 2.}

  Further, in this embodiment, the case where signature verification calculation is performed using two calculation-commissioned servers is illustrated, but signature verification calculation may be performed using three or more calculation-commissioned servers. good.

  This embodiment will be described on the premise of the ECDSA signature method. Below, the structure of the node 100 and a calculation entrusted server (300 and 400 are the same structures) is demonstrated in order.

(A-2-1) Internal Configuration of Node 100 FIG. 2 is an internal configuration diagram showing an internal configuration of the node 100 according to the embodiment. In FIG. 2, the node 100 includes a transmission / reception unit 101, an encryption processing unit 102, a pre-shared key holding unit 103, a verification calculation entrusting unit 104, and a result determination unit 105. Note that the hardware of the node 100 includes, for example, a CPU, ROM, RAM, EEPROM, input / output interface unit, wireless communication unit, and the like, and the CPU processes a processing program stored in the ROM. The function of the node 100 is realized. Further, the function as the node 100 may be constructed by installing the processing program in the node 100.

  The transmission / reception unit 101 is a processing unit or device that communicates with the calculation-commissioned servers 300 and 400. The transmission / reception unit 101 has appropriate means (for example, a communication protocol, a communication interface, etc.) for communicating.

  The encryption processing unit 102 selects an appropriate key from the encryption keys that are the shared keys stored in the pre-shared key storage unit 103, and encrypts the message using a predetermined encryption algorithm, or has been encrypted The message is decrypted. It is assumed that the encryption processing by the encryption processing unit 102 also uses a counter in consideration of a replay attack and generates / verifies a message authentication code for detecting message tampering.

The pre-shared key holding unit 103 stores a common key K ₁ and a common key K ₂ that are shared between the calculation-commissioned servers 300 and 400.

The verification calculation entrusting unit 104 entrusts the signature entrustment calculation to the computation entrusted servers 300 and 400 to the computation entrusted servers 300 and 400. Specifically, the verification calculation entrusting unit 104 encrypts parameters necessary for signature verification using a pre-shared key shared with each of the computing entrusted servers 300 and 400, and is necessary for these encrypted signatures. The parameters are transmitted to the calculation entrustment server 300 and the calculation entrustment server 400, respectively. More specifically, in the case of the present embodiment, the signature target message of the public key certificate is M, and the integer representation information of M's SHA-256 digest function value is m, which is also described in the public key certificate. When the digital signature information by CA for the message M is σ = (r, s) and the public key for verifying the signature information σ is P _K , the parameters are (m, P _K , σ).

Result determination unit 105 acquires the verification result R ₁ from the calculated consignment server 300, also similarly, obtains the verification result R ₂ from the calculated consignment server 400 determines the success or failure of the validation. However, the verification result R ₁ and the verification result R ₂ are encrypted and sent by the calculation-commissioned servers 300 and 400.

Here, the verification result R ₁ is the X component of the rational point obtained by the calculation entrusted server 300 using the above-described digital signature information σ and the public key P _K and calculated by the above-described equation (2). the results were converted to integer representation r ₁ is a _'and the first component r of the digital signature information (conveniently and r _1.) and the information (r _1, r ₁ comprising').

Similarly, the verification result R ₂ is obtained by calculating the X component of the rational point obtained by calculating the digital signature information σ by the public key P _K using the public key P _K in the calculation entrusted server 400. results were converted to integer representation r ₂ is a _'and the first component r of the digital signature information (conveniently and r _2.) and the information (r _2, r ₂ comprising').

In this embodiment, when the result determination unit 105 receives the verification result R ₁ and the verification result R ₂ via the transmission / reception unit 101, when r ₁ = r ₁ ′ = r ₂ = r ₂ ′ holds, Judged as “validation success”. On the other hand, if not established, the result determination unit 105 determines “verification failure”.

(A-2-2) Internal Configuration of Calculated Consignment Server FIG. 3 is an internal configuration diagram showing the internal configuration of the calculated consignment server 700 according to this embodiment.

  The internal configurations of the calculation-commissioned servers 300 and 400 basically have the same configuration and realize a common function. Therefore, in FIG. 3, a function common to the calculation-commissioned servers 300 and 400 will be described as a calculation-computed server 700.

  In FIG. 3, the calculation-commissioned server 700 includes a transmission / reception unit 701, an encryption processing unit 702, a pre-shared key holding unit 703, and a verification calculation unit 704.

  Note that the hardware of the calculation entrusted server 700 has, for example, a CPU, ROM, RAM, EEPROM, input / output interface unit, wireless communication unit, and the like, and the CPU processes a processing program stored in the ROM. By doing so, the function of the calculation entrusted server 700 is realized. Moreover, the function as the calculation commissioned server 700 may be constructed by installing the processing program in the calculation commissioned server 700.

  The transmission / reception unit 701 is a processing unit or device that communicates with the node 100 and includes communication means (communication protocol, communication interface).

  The encryption processing unit 702 selects an appropriate key from the encryption keys that are the shared keys stored in the pre-shared key storage unit 703 and encrypts the message using a predetermined encryption algorithm, or the encrypted message Is decrypted.

The pre-shared key holding unit 703 stores a common key K ₁ or a common key K ₂ that is shared with the node 100. In other words, the calculated consignment server 300 stores the common key K ₁ in the pre-shared key holding unit 703 in advance, and the calculated consignment server 400 stores the common key K ₂ in the pre-shared key holding unit 703 in advance. Yes. For example, the pre-shared key holding unit 703 holds the identification information of the node 100 and the common key in association with each other, and can read the corresponding common key based on the identification information of the node 100. Yes. The identification information of the node 100 may be one or a plurality of information that can identify the node 100, and may be, for example, address information such as a MAC address or information that can uniquely identify the node 100. . In any case, when a signature verification entrustment request is acquired from the node 100, various methods of reading the common key of the requesting node 100 can be applied.

The verification calculation unit 704 receives parameters necessary for signature verification and performs signature verification calculation defined in the signature scheme. In the present embodiment, the parameters are the above-described (m, P _K , σ), received in an encrypted state from the node 100 by the transmission / reception unit 701, and decrypted by the encryption processing unit 702 for verification calculation. The unit 704 acquires the parameter. Next, the verification calculation unit 704 obtains the result r ′ obtained by converting the X component of the rational point into the integer representation obtained by calculating the hash value m by the above-described equation (2), and the first digital signature information. Information including the component r is output to the encryption processing unit 702. Information R obtained by encryption by the encryption processing unit 702 is transmitted to the node 100.

(A-3) Operation of Embodiment Next, the processing operation of the signature verification commissioning method in the network system 10 according to this embodiment will be described in detail with reference to the drawings.

  FIG. 4 is a sequence diagram showing the processing operation of the signature verification commissioning method in the network system 10 according to this embodiment.

  It is assumed that the node 100 is a verifier, and the message M, the signer's digital signature σ for the message M, and the signer's public key PK obtained securely are given to the node 100.

  Hereinafter, the flow of processing in which the node 100 verifies the digital signature σ with the public key PK using the calculation-commissioned servers 300 and 400 will be described with reference to FIG.

(Step s1)
In the node 100, the encryption processing unit 102 encrypts the parameters (m, P _K , σ) using the shared key K ₁ stored in the pre-shared key holding unit 103 as an encryption key. Then, the encryption processing unit 102 gives the encryption message enc (K ₁ , m || P _K || σ) to the transmission / reception unit 101. The transmission / reception unit 101 transmits a signal including the encrypted message enc (K ₁ , m || P _K || σ) to the calculation entrusted server 300.

Similarly, the encryption processing unit 102 encrypts the parameters (m, P _K , σ) using the shared key K ₂ stored in the pre-shared key holding unit 103 as an encryption key, and generates an encrypted message enc (K ₂ , m || P _K || 0) is obtained. Then, the cryptographic processing unit 102 transmits a signal including the cryptographic message enc (K ₂ , m || P _K || 0) to the calculation entrusted server 400 via the transmission / reception unit 101. Here, enc (K, X) is a function for encrypting the message X with the key K, and the symbol “||” is an operator for concatenating messages.

(Step s2)
In the calculation entrusted server 300, the transmission / reception unit 701 gives the encryption message enc (K ₁ , m || P _K || σ) acquired from the node 100 to the encryption processing unit 702. The encryption processing unit 702 decrypts the encryption message enc (K ₁ , m || P _K || σ) using the common key K ₁ stored in the pre-shared key storage unit 703. The verification calculation unit 704 converts the hash value h into the integer representation m and then calculates the rational component X component obtained by calculation according to the above equation (2), and the digital signature. Generate a result R ₁ that includes the first component r of the information.

Similarly, in the entrusted server 400 to be calculated, the transmission / reception unit 701 gives the encrypted message enc (K ₂ , m || P _K || σ) received from the node 100 to the encryption processing unit 702. The encryption processing unit 702 decrypts the encryption message enc (K ₂ , m || P _K || σ) using the common key K ₂ stored in the pre-shared key storage unit 703. The verification calculation unit 704 converts the hash value h into the integer representation m and then obtains the result r ′ obtained by converting the X component of the rational point into the integer representation, and the digital signature information. To generate a result R ₂ that includes the first component r.

(Step s3)
In the calculation consignment server 300, the verification calculation unit 704, generates a result r 'of the X component of rational points has been converted into an integer representation has a first and a component r results R ₁ encryption processing portion of the digital signature information Output to 702. The encryption processing unit 702 gives the transmission / reception unit 701 an encrypted message enc (K ₁ , R ₁ ) obtained by encrypting the result R ₁ with the shared key K ₁ stored in the pre-shared key holding unit 203. The transmission / reception unit 701 transmits the encrypted message enc (K ₁ , R ₁ ) to the node 100.

Similarly, in the entrusted server 400, the verification calculation unit 704 generates a result R ₂ including the result r ′ obtained by converting the generated X component of the rational point into an integer representation and the first component r of the digital signature information. The data is output to the encryption processing unit 702. The encryption processing unit 702 gives the transmission / reception unit 701 an encrypted message enc (K ₂ , R ₂ ) obtained by encrypting the result R ₂ with the shared key K ₂ stored in the pre-shared key holding unit 203. The transmission / reception unit 701 transmits the encrypted message enc (K ₂ , R ₂ ) to the node 100.

(Step s4)
In the node 100, the transmission / reception unit 101 receives the encrypted messages enc (K ₁ , R ₁ ) and enc (K ₂ , R ₂ ) from the calculation entrusted servers 300 and 400. The encrypted messages enc (K ₁ , R ₁ ) and enc (K ₂ , R ₂ ) are given to the encryption processing unit 102. The cryptographic processing unit 102 uses the shared keys K ₁ and K ₂ stored in the pre-shared key holding unit 103 to send each of the encrypted messages enc (K ₁ , R ₁ ) and enc (K ₂ , R ₂ ). Decrypt. The results R ₁ and R ₂ decrypted by the encryption processing unit 102 are given to the result determination unit 105. The result determination unit 105 determines that the verification is successful based on the results R ₁ and R ₂ acquired from the cryptographic processing unit 102 when r ₁ = r ₁ ′ = r ₂ = r ₂ ′ holds. Moreover, the result determination part 105 determines with a verification failure, when the above is not materialized.

(A-4) Effect of Embodiment As described above, according to this embodiment, the calculation load on the node is reduced by causing the external server to perform the ECDSA digital signature verification calculation that should be originally performed by the node. be able to. Since the node communicates with the calculation entrusted server using the encryption key shared in advance, the contents are tampered with when the calculation is entrusted and the result is acquired, or a replay attack is applied. Risk can be reduced sufficiently.

  Further, even when the calculation commissioned server performs a calculation different from the calculation that should be originally performed, it can be detected by comparing the verification results of two independent calculation commissioned servers. As a result, the node can safely delegate the signature verification calculation.

  Further, no operation other than comparison of the verification results for evaluating the verification results does not occur at the node. Therefore, it is possible to reduce the load related to the node calculation.

(B) Other Embodiments Although various modified embodiments have been mentioned in the above-described embodiments, the present invention can also be applied to the following modified embodiments.

(B-1) The result determination unit in the node may independently perform the digital signature verification calculation when the verification results R ₁ and R ₂ are different. That is, the node can also verify whether the calculation-commissioned server is performing an illegal calculation.

  (B-2) When using the present invention for verification of a public key certificate in the TLS handshake protocol, if the node implements the protocol according to the embodiment after obtaining the public key certificate, the public key certificate However, since there is, for example, about 1 kilobyte as a general size, the communication amount of the node becomes large.

By the way, since the verification of the public key certificate is performed by verifying the digital signature of the CA included therein, m of (m, P _K , σ) is a hash of information described in the public key certificate. The signature σ can be obtained by calculation and is described in the public key certificate. P _K is a CA signature verification key and can be obtained in advance.

Therefore, instead of (m, P _K , σ), the node encrypts the address information (for example, IP address) of the TLS server or the identification information that can be uniquely converted into the address information, and sends it to each computation entrusted server. transmitted, the calculated consignment server by sending ClientHe11o of TLS handshake message to the TLS server to obtain a public key certificate from the response of the resulting TLS server, the verification result _{R 1} or verification result _{R 2} Can be calculated.

  DESCRIPTION OF SYMBOLS 10 ... Network system, 100 ... Node, 101 ... Transmission / reception part, 102 ... Encryption processing part, 103 ... Pre-shared key holding part, 104 ... Verification calculation consignment part, 105 ... Result determination part, 300 and 400 ... Computation consignment server, 701 ... Transmission / reception unit, 702 ... Encryption processing unit, 703 ... Pre-shared key holding unit, 704 ... Verification calculation unit.

Claims (12)

A transmission / reception means for exchanging information with a plurality of calculation entrusted servers;
An encryption processing means for selecting an appropriate key and encryption algorithm with each of the calculated servers and encrypting or decrypting information to be exchanged with the calculated servers;
Verification calculation entrusting means for entrusting each of the calculated entrusted servers with the parameters necessary for signature verification encrypted by the encryption processing means, and entrusting each of the calculated entrusted servers with the signature verification calculation;
A communication apparatus, comprising: a result determination unit that evaluates each verification result of the signature verification acquired from each of the calculation entrusted servers.   The verification calculation entrusting means includes, as parameters necessary for the signature verification, information including the signature target message or information uniquely identifying the signature target message, the signature verification key, and the signature information. The communication apparatus according to claim 1, wherein the communication apparatus is given to a calculation entrusted server.   The verification calculation entrusting means, as a parameter for entrusting verification of signature information in the public key certificate, identification information of the issue destination of the public key certificate or information including identification information that can be uniquely converted to the identification information, The communication apparatus according to claim 1, wherein the communication apparatus is provided to each of the calculation-computed servers of a consignee. The calculation of signature verification by each of the above entrusted servers is a signature verification calculation in an elliptic curve digital signature algorithm,
The result determination means compares each verification result including the integer representation value of the X component of the rational point and the first component value of the signature information, obtained from each of the plurality of calculation entrusted servers, The verification success is determined when the integer representation value of the X component of the rational point is equal to the first component value of the signature information, and the verification failure is determined otherwise. The communication apparatus as described in. A transmission / reception means for exchanging information with a communication device that is a consignment source of signature verification;
An encryption processing unit that selects an appropriate key and encryption algorithm with the communication device, and encrypts or decrypts information exchanged with the communication device;
A verification calculation means for performing signature verification calculation using parameters necessary for signature verification acquired from a communication device that is a signature verification source and providing the verification result of the signature verification to the source server.   The verification calculation means performs signature verification calculation in an elliptic curve digital signature algorithm, and provides a verification result including an integer representation value of an X component of a rational point and a first component value of signature information to a consignment source The server according to claim 5. The verification calculation means verifies the signature information generated by the certificate authority in the public key certificate,
Parameters necessary for signature verification acquired from the consignment source include identification information of the public key certificate issuance destination or identification information that can be uniquely converted to the identification information,
The verification calculation means acquires the public key certificate of an entity having identification information of an issue destination of the public key certificate or an identification information that can be uniquely converted into the identification information, and in the acquired public key certificate 6. The server according to claim 5, wherein signature verification is calculated using signature verification key of the certificate authority. A communication device that is the source of signature verification;
In a signature verification entrusting system comprising a plurality of servers that perform signature verification calculation entrusted by the communication device,
The communication device sends parameters necessary for encrypted signature verification to the servers,
Each of the servers performs calculation of signature verification using parameters necessary for signature verification acquired from the communication device, and transmits the verification result of the signature verification to a consignor.
A signature verification commissioning system, wherein the communication device evaluates each verification result of signature verification acquired from each of the servers.   The communication apparatus transmits information including a signature target message or information for uniquely identifying the signature target message, a signature verification key, and signature information as parameters necessary for the signature verification to each of the servers. The signature verification commissioning system according to claim 8, wherein: As a parameter necessary for signature verification in the public key certificate, the communication device sends, to each of the servers, information including identification information of the issue destination of the public key certificate or identification information that can be uniquely converted to the identification information. Send
Each of the above servers verifies the signature information generated by the certificate authority in the public key certificate, and the identification information of the public key certificate issuance destination or identification information that can be uniquely converted into the identification information. Obtaining the public key certificate of the entity having the signature, calculating the signature verification using the signature verification key of the certificate authority for the signature information in the acquired public key certificate, and obtaining the verification result as the communication device A signature verification commission system characterized by being sent to The calculation of signature verification by each of the above servers is signature verification calculation in an elliptic curve digital signature algorithm,
The communication device compares each verification result including the integer representation value of the X component of the rational point and the first component value of the signature information, acquired from each of the plurality of calculation entrusted servers, and all the rational The verification success is determined when the integer representation value of the X component of the point is equal to the first component value of the signature information, and the verification failure is determined otherwise. The signature verification commission system described. A communication device that is the source of signature verification;
In the signature verification entrusting method of the signature verification entrusting system comprising a plurality of servers that perform signature verification calculation entrusted from the communication device,
The communication device sends parameters necessary for encrypted signature verification to the servers,
Each of the servers performs calculation of signature verification using parameters necessary for signature verification acquired from the communication device, and transmits the verification result of the signature verification to a consignor.
A signature verification entrusting method, wherein the communication device evaluates each verification result of signature verification acquired from each of the servers.

Images