JP2001344214A - Method for certifying terminal and cipher communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make a terminal connected to a network certifiable by a method capable of maintaining high secrecy and reducing the processing load for ciphering/deciphering. SOLUTION: A 1st common key (session key B) is generated by using secret information corresponding to the machine sort number of the terminal and used for the ciphering of the machine number of the terminal and a 2nd common key (session key D) is generated by using secret information corresponding to the machine number and used for collation. Since the common key for safely transmitting the machine number is generated from the secret information corresponding to the machine sort number, high secrecy can be maintained. In addition, the connection of a terminal other than the specific machine sort to a server can be excluded.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method of authenticating terminals connected to a network and a communication system in which authenticated terminals perform encrypted communication, and more particularly, to ensuring security in communication. .

[0002]

2. Description of the Related Art Conventionally, communication encryption methods include a common key (secret key) encryption method in which a secret key is shared between each other, and a public key that is passed to a partner and holds the private key. There is known a public key encryption system in which information encrypted with a public key is decrypted with a private key. Among them, the public key encryption scheme has high confidentiality (security strength), but the processing load of encryption / decryption is heavier than that of the common key encryption scheme. Conversely, the common key encryption method has a light processing load, but the secret key is leaked to the outside in the process of sharing the secret key, or the encryption key is decrypted by continuously observing the encrypted data There is a possibility that the confidentiality is lower than that of the public key encryption method.

The DH (Diffie-Hellman) method is known as a method for secretly exchanging a common key. In this key exchange method, when the common key K is exchanged between the terminal and the server, first, the terminal and the server use the shared information of, for example, month (p) and day (Z) of the day. , This p
Is calculated from e and Z by e = Zmodp.
Next, the terminal generates and holds the random number a, generates m by a calculation formula of m = e ＾ a, and transmits this m to the server. On the other hand, the server generates and holds the random number b, generates n by a calculation formula of n = e ＾ b, and transmits this n to the terminal.

[0004] The terminal receiving n receives K = n ＾ a = e ＾ a
b generates the encryption key K, and the server that has received m uses K = m ＾ b = e ＾ ab to obtain the same encryption key K as the terminal.
Generate

[0005] Thus, the terminal and the server can hold the common key K. In this case, m flowing through the communication path,
K cannot be easily inferred mathematically from n.

In a communication system, when it is necessary to confirm the validity of a communication partner, an authentication process using encryption is performed. For example, in next-generation interactive multimedia communication services (so-called interactive television) such as video-on-demand, home shopping, and network games, a set-top box of a home communication terminal called an information appliance is used. set-top box:
STB) connects to the service provider's server (information home appliance server) through the network, and the information from the server is sent to S
The information is displayed on a television monitor in the home connected to the TB. In this system, the information home appliance server also provides information after authenticating the STB.

[0007] There are various authentication procedures. In the case of using a common key encryption method, for example, the STB encrypts information known to the information home appliance server with a common key and transmits the encrypted data to the information home appliance server. Send to home appliance server. The information home appliance server receiving this decrypts the received data with the common key,
The decryption result is verified against known information to authenticate the validity of the STB.

It is desirable to use a common key encryption method for authentication of a communication partner in order to reduce the processing load of encryption / decryption.

[0009]

However, in the authentication method using the common key, the method using the DH method for exchanging the common key can exchange the common key with any other party. This method is not suitable for a system that limits the types of STBs that can be connected to the home appliance server (for example, a system that limits the connection to the information home appliance server to STB products manufactured by the same company).

In such a system, it is necessary to authenticate not only the STB by the information home appliance server but also the STB to authenticate the validity of the information home appliance server. Without this authentication, the security of the function of updating the internal information is reduced. Cannot be guaranteed. In order to authenticate the information home appliance server with the STB, the information home appliance server encrypts information known to the STB with a common key and transmits the information to the STB, and the STB decrypts the received data with the common key and decrypts the decrypted result. It is necessary to add a procedure to verify the validity of the information home appliance server against the known information,
There is a problem that it takes time to complete mutual authentication.

The present invention solves such a conventional problem, and mutually authenticates a terminal connected to a network by a method that maintains high confidentiality and has a small processing load for encryption and decryption. It is an object of the present invention to provide a terminal authentication method and to provide a cryptographic communication system that enables encrypted communication between terminals that have been authenticated.

[0012]

Therefore, according to the present invention, in a method of authenticating a terminal connected to a network, a first common key is generated using secret information corresponding to a model number of the terminal, and a first common key is generated. The key is used for encrypting the machine number of the terminal, a second common key is generated using secret information corresponding to the machine number, and the second common key is used for collation.

In a cryptographic communication system including a plurality of terminals connected to a network and a server authenticating the terminals, the server encrypts and transmits the same common key to each terminal, and the plurality of terminals The cryptographic communication is performed mutually using the common key.

In a cryptographic communication system including a plurality of terminals connected to a network and a server authenticating the terminals, each of the terminals exchanges a common key by a zero-knowledge key exchange method, and uses the common key to exchange a common key. It is designed to perform encrypted communication between each other.

Therefore, since the common key for securely transmitting the machine number is generated from the secret information corresponding to the model number, high confidentiality can be maintained. Also,
It is possible to exclude a terminal other than a specific model from connecting to the server.

[0016] Further, the connection of the terminals performing the encrypted communication can be efficiently expanded by using the authentication result.

[0017]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS (First Embodiment) In a first embodiment, a method of authenticating a terminal will be described with an example of a system in which an information home appliance server and an STB are connected.

In this authentication method, the model number and the machine number of the STB are used for authentication. The same model number is assigned to the same model of terminal, and a different body number is assigned to each terminal. The STB holds confidential information (precession key) corresponding to each of the model number and the machine number.
The secret information (precession key) corresponding to each model number of the TB and the secret information (precession key) corresponding to each machine number are stored in a database (DB).

The server authenticates the validity of the machine based on the machine number transmitted from the STB. In order to encrypt the transmission of the machine number, a session key (a key that is temporarily generated) is generated as a common key using the pre-session key of the model number. After the authentication of the device is completed, a session key serving as a common key is generated using the pre-session key corresponding to the device number, and the session key is used to transmit information between the STB and the server. Encryption is performed.

FIG. 2 shows the STB 1 executing this authentication method.
And the configuration of the server 3. The STB 1 includes a model number 11 and a machine number 1 in the one-chip authentication module 10.
2. A ROM (or EPROM) in which the precession key 18 corresponding to the model number and the precession key 17 corresponding to the machine number are written, and a ROM (or EPROM) in which the common key A14 corresponding to the model number is written EPROM)
A random number generator 20 composed of hardware for generating random numbers, a key generator 19 composed of hardware or software for generating an encryption key, and hardware or a device for performing encryption and decryption processing. An encryption / decryption unit 13 composed of software, a work RAM 16 used as a work area for the encryption / decryption processing, and a main processor 15 for distributing the operation of the encryption / decryption processing to each unit are provided.

The server 3 has an authentication processing unit 30 for authenticating the STB 1 to be connected to the network. The authentication processing unit 30 stores a pre-session key and a common key A corresponding to each model number. And a machine number DB 32 in which precession keys corresponding to machine numbers are stored. Further, a random number generator 37, a key generator 35, an encryption / decryption unit 36, a work RAM 33, and a main processor 34
It has.

FIG. 1 schematically shows an authentication procedure between the STB and the information home appliance server. First, the model number is sent from the STB to the server, and the server extracts the precession key A corresponding to the model number from the model number DB 31 (model negotiation).

Next, the random number 1 generated by the STB is transmitted to the server, and the random number 2 generated by the server is transmitted to the STB.
The STB and the server generate a session key B (common key) using the pre-session key A, the random number 1 and the random number 2 by the same formula. The session key B is used only for encrypting / decrypting the machine number transmitted from the STB to the server (key exchange).

The STB encrypts the machine number with the session key B and sends it to the server. The server decrypts this with the session key B, and extracts the pre-session key C corresponding to the decrypted device number from the device number DB32. The server generates a session key D using the precession key C, the random number 1 and the random number 2 in order to confirm that the STB has the same precession key C, and uses the information determined in advance by this key. And a simple calculation formula are encrypted and transmitted to the STB.

The STB also has a precession key C,
A session key D is generated using the random numbers 1 and 2, and the information and the calculation formula sent from the server are decrypted using the key. Then, by confirming that predetermined information is included, it is determined that the validity of the server has been authenticated, and the calculation result of the calculation formula is encrypted with the session key D and transmitted to the server. The server decrypts this with the session key D, verifies the calculation result, and confirms that the STB has the common pre-session key C.

Thus, the authentication of the machine number of the STB is performed, and at the same time, the validity of the server is verified by the STB. The STB authenticates the validity of the server because the server has the shared information (precession key A, precession key C).

FIG. 3 shows a communication procedure between the STB (terminal) and the server in time series. (201) The terminal extracts the model number 101 from the ROM, and (202) transmits the model number 101 to the server. (203) Upon receiving the model number 101, the server (204) uses the model number 101 to
Retrieve 2 from the database.

The database stores secret information in association with the model number. (205) The server generates the random number 103 using the random number generator, stores the generated random number 103 in the RAM on the server, and (206) transmits the generated random number 103 to the terminal. (207) Upon receiving the random number 103, the terminal receives the received random number 103
Is stored in the RAM on the terminal. (208) The terminal extracts the secret information 102 held by itself from the ROM. This is secret information associated with the model number 101. (209) The terminal generates the random number 104. The generated random number 104 is stored in the RAM. (210) The terminal converts the secret information 102, the random number 103, and the random number 104 into a function.
The common key 105 is generated by passing it to f1 (). This function f1 ()
This is a function for generating one number (key) by inputting three numbers. The generated common key 105 is stored in the RAM on the terminal. (211) The terminal transmits the random number 104 to the server. (212) The server receives the random number 104, and
Hold on M. (213) The server uses the secret information 102, the random number 103, and the random number 104 as functions.
The common key 105 is generated by passing it to f1 (). Generated common key 105
Are stored in the RAM.

With the above procedure, the process of the previous stage of sharing the common key used for securely transmitting the machine number is completed. (214) The server sends a key generation completion notification to the terminal. (215) The terminal receives the key generation completion notification.

<Main Process of Authentication> (216) The terminal extracts the machine number 106 from the ROM. (217) The terminal encrypts the machine number 106 using the common key 105, and generates an encrypted machine number 107. (218) The terminal extracts the secret information 108. This is the secret information associated with the machine number 106. (219) The terminal converts the secret information 108, the random number 103, and the random number 104 into a function g1.
() To generate a common key 109, and
Keep on AM. The function g1 () is a function for generating one number (key) by inputting three numbers. (220) The terminal transmits the encryption machine number 107 to the server.

As described above, by using the temporarily generated common key 105, secure transmission and reception of the machine number can be realized. (221) The server receives the encrypted machine number 107. (222) The server decrypts the encrypted machine number 107 using the common key 105, and obtains the machine number 106. (223) The server obtains the corresponding secret information 108 from the database using the machine number 106. The database stores secret information in association with the machine number. (224) The server uses the secret information 108, the random number 103, and the random number 104 as functions.
The common key 109 is passed to g1 (), and the generated common key 109 is stored in the RAM. (225) The server generates the question 110. This problem may be any one that can uniquely derive an answer such as a calculation formula. (226) The server generates an answer 111 corresponding to the question 110. The answer 111 is stored in the RAM. (227) The server encrypts the problem 110 using the common key 109 to generate an encryption problem 112. (228) The server sends the encryption problem 112 to the terminal. (229) The terminal receives the encryption question 112, and (230) decrypts it with the common key 109 to obtain the question 110. Question 1
By including the information previously determined and shared between the terminal and the server in 10, the terminal determines at this point that the validity of the server has been authenticated (described later). (231) The terminal generates an answer 113 corresponding to the question 110. (232) The terminal encrypts the answer 113 with the common key 109 to generate an encrypted answer 114. (233) The terminal transmits the encrypted answer 114 to the server. (234) The server receives the encrypted answer 114, and (235) decrypts it with the common key 109 to obtain the answer 113. (236) The server compares the answer 111 and the answer 113, and if they match, determines that the terminal authentication has been completed.

With the above procedure, the mutual authentication is completed. When all the processes have been completed, the data held in the RAM such as random numbers that are no longer needed are discarded, leaving the common key 109.

In this authentication method, a process at a previous stage for sharing a common key for securely transmitting the machine number is performed, and such a process provides an improvement in confidentiality and is superior to other authentication methods. Can be held.

The processing of (214) and (215) may be omitted. In this process, it is only necessary to confirm how far each other has progressed, and it is also possible to confirm that (220) is completed normally without synchronization.

Further, it is desirable to use a one-way function for which it is difficult to infer the input from the output as the function f1 () and the function g1 () (for example, use a one-way hash function such as MD5 or SHA1). Note that the function f1 () and the function g1 () may be the same.

Various authentications can be realized by devising the problem generated by the server in (225). The problem patterns include:

<Pattern 1> A simple calculation formula is generated as a problem. Since the same calculation result can be derived between the terminal and the server, it can be confirmed that the terminal and the server share the same common key.

<Pattern 2> A problem (quiz) based on a natural sentence registered in advance by the user of the terminal is extracted from the database. Since the answer corresponding to the question is stored in the database as a set, the generation of the answer is also realized by obtaining from the database. On the terminal side receiving this question, the user inputs an answer. In this pattern, user authentication can be realized simultaneously with terminal authentication.

<Pattern 3> The terminal user registers his / her biometric authentication information (for example, voice print) in the database of the server in advance. As a problem, the server requests the terminal to input biometric authentication information. At the same time, the server extracts biometric authentication information from the database as an answer for verification. The user of the terminal transmits the biometric authentication information as an answer to the server via the terminal. The server compares the received biometric authentication information with the biometric authentication information extracted from the database, and determines that the authentication has been completed if the consistency between them can be confirmed.

As described in <Pattern 2> and <Pattern 3>, by performing user authentication together, unauthorized use by a third party can be eliminated. Also, user authentication
The user may obtain unique information such as a PIN registered in the server in advance as a solution to the problem and collate and confirm this.

In the user authentication, the telephone number of the user is registered in the DB of the server in advance, and in the procedure of (221),
The calling number notified from the telephone network when the transmission of (220) is received may be performed by checking whether or not the calling number matches the telephone number registered in the DB in association with the decrypted machine number. . By adding such a procedure, it is possible to prevent a situation where the STB is stolen and illegally used in another place.

Also, by adding information unique to the server (for example, IP address and telephone number information) to the problem generated by the server, the terminal side receives the encrypted problem and decrypts it when the server receives the encrypted problem. Can be authenticated.

As described above, in the authentication method of this embodiment, since only the common key encryption method is used, high-speed authentication processing can be realized.

Further, it is possible to eliminate connection of a terminal other than a specific model to the server. Further, in the process of terminal authentication by the server, the terminal can authenticate the validity of the server substantially, and efficient mutual authentication can be performed.

Here, transmission of random numbers (206) (21)
1) is performed without encryption, but the terminal and the server share the common key A14 corresponding to the model number 101, and this common key A
, The transmitting side may encrypt and transmit the random number, and the receiving side may decrypt the random number and take out the random number.
In this case, since random numbers do not flow through the communication path, security strength is further improved.

(Second Embodiment) In the second embodiment,
The authentication method according to the first embodiment is changed to use only one random number.

FIG. 4 shows a communication procedure between the terminal and the server in the second embodiment in a time-series manner. (301) The terminal extracts the model number 101 from the ROM, and (302) transmits it to the server. (303) Upon receiving the model number 101, the server (304) uses the model number 101 to
Retrieve 2 from the database. (305) The server generates the random number 103 using the random number generator, stores the generated random number 103 in the RAM on the server, and (306) transmits the generated random number 103 to the terminal. (313) The server generates the common key 115 by passing the secret information 102 and the random number 103 to the function f1 (). Generated common key 115 is RAM
Hold on. (307) Upon receiving the random number 103, the terminal receives the received random number 103
Is stored in the RAM on the terminal. (308) The terminal extracts the secret information 102 held by itself from the ROM. This is secret information associated with the model number 101. (310) The terminal generates the common key 115 by passing the secret information 102 and the random number 103 to the function f2 (). The function f2 () is a function for generating one number (key) by inputting two numbers. The generated common key 115 is stored in the RAM on the terminal.

By the above procedure, the process of the previous stage of sharing the common key used for securely transmitting the machine number is completed.

<Main Process of Authentication> (316) The terminal extracts the machine number 106 from the ROM. (317) The terminal encrypts the machine number 106 using the common key 115, and generates an encrypted machine number 116. (318) The terminal extracts the secret information 108. This is the secret information associated with the machine number 106. (319) The terminal generates the common key 117 by passing the secret information 108 and the random number 103 to the function g2 (), and holds the generated common key 117 in the RAM. Function g2 () is two numbers input and one number (key)
Is a function that generates (320) The terminal transmits the encryption machine number 116 to the server. (321) The server receives the encrypted machine number 116. (322) The server decrypts the encrypted device number 116 using the common key 115, and obtains the device number 106. (323) The server obtains the corresponding secret information 108 from the database using the machine number 106. (324) The server passes the secret information 108 and the random number 103 to the function g2 () to generate a common key 117, and holds the generated common key 117 on the RAM.

The subsequent processing is substantially the same as the processing after (225) in the first embodiment (FIG. 3).

In this authentication method, the number of random numbers is reduced by one compared to the first embodiment, so that the security strength is slightly weakened, but the processing speed can be increased.

(Third Embodiment) In the third embodiment,
The procedure of <main processing of authentication> in the authentication method of the first embodiment is shortened.

FIG. 5 shows the communication procedure between the terminal and the server in the third embodiment in a time series. Where (40
The procedures from 1) to (415) (the procedure for sharing a common key for securely transmitting the machine number) are the same as the procedures from (201) to (215) in the first embodiment (FIG. 3). It is.

<Main Process of Authentication> (416) The terminal extracts the machine number 106 from the ROM. (417) The terminal encrypts the machine number 106 using the common key 105, and generates an encrypted machine number 107. (418) The terminal extracts the secret information 108. This is the secret information associated with the machine number 106. (419) The terminal converts the secret information 108, the random number 103, and the random number 104 into a function g1.
() To generate a common key 109, and
Keep on AM. (420) The terminal encrypts the machine number 106 using the common key 109, and generates an encrypted machine number 120. (421) The terminal transmits the encryption machine number 107 and the encryption machine number 120 to the server. (422) The server has the encryption machine number 107 and the encryption machine number 12
0 and are received. (423) The server decrypts the encrypted machine number 107 using the common key 105 to obtain the machine number 106. (424) The server obtains the corresponding secret information 108 from the database using the machine number 106. (425) The server functions secret information 108, random number 103, and random number 104
The common key 109 is passed to g1 (), and the generated common key 109 is stored in the RAM. (426) The server decrypts the encrypted device number 120 using the common key 109, and obtains the device number 121. (427) The server confirms that the machine number 106 and the machine number 121 are the same. If they match, it is determined that the terminal authentication has been completed. (428) The server generates an authentication completion notification 122 and sends the common key 109
To generate an encrypted authentication completion notification 123. (429) The server sends the encrypted authentication completion notification 123 to the terminal. (430) The terminal receives the encrypted authentication completion notification 123. (431) The terminal decrypts the encrypted authentication completion notification 123 with the common key 109 and acquires the authentication completion notification 122. If the authentication completion notification 122 is normal, it is determined that the server authentication is completed.

With the above procedure, mutual authentication of the validity is completed. When all the processes have been completed, the data held in the RAM such as random numbers that are no longer needed are discarded, leaving the common key 109.

In the authentication method of this embodiment, since there is no procedure for transmitting a problem from the server to the terminal and verifying the answer in the course of the main process of the authentication, various authentication methods cannot be introduced. As compared with the first embodiment (FIG. 3), the number of times of communication can be reduced, so that the processing speed can be improved.

(Fourth Embodiment) In the fourth embodiment,
The authentication method according to the third embodiment is changed so that only one random number is used. That is, the second embodiment (FIG. 4)
And the third embodiment (FIG. 5).

FIG. 6 shows a communication procedure between a terminal and a server in the fourth embodiment in chronological order. Where (50
The procedures from 1) to (513) (the procedure for sharing a common key for securely transmitting the machine number) are the same as the procedures from (301) to (313) in the second embodiment (FIG. 4). It is. Also, the procedures (516) to (531) (authentication main processing procedure) correspond to (416) to (431) in the third embodiment (FIG. 5).
The procedure is substantially the same as described above.

In this authentication method, as compared with the third embodiment, the number of random numbers is reduced by one, so that the security strength is slightly reduced, but the processing speed can be increased.

The procedure in the authentication method of the first to fourth embodiments may be recorded on a storage medium, read by a computer of a server, and performed on the server side.

(Fifth Embodiment) In the fifth embodiment,
A system in which a terminal (STB) authenticated from a server by the authentication method according to the first to fourth embodiments performs encrypted communication with another terminal via the server will be described.

As shown in FIG. 7, the STB includes a TV LSI 40 for performing communication with the server 3 and an authentication module 10 for performing encryption / decryption processing of encrypted communication. The authentication module 10 includes one piece of hardware shown in FIG. 2 in order to maintain security strength.

At the time of authentication, the TV LSI 40 sequentially requests the authentication module 10 for data to be sent to the server 3 in accordance with the procedures shown in FIGS. 3 to 6, and returns the requested data to the TV LSI 40. , TV LSI 40 transmits it to the server 3. The TV LSI 40 is also a server 3
And sends it to the authentication module 10. The authentication procedure is executed in this way, and at the stage where the authentication process is completed, the authentication module 10
A session key generated from a pre-session key corresponding to the machine number and a random number is held.

In the encrypted communication after the completion of the authentication, the TV LSI 40
Hand over the data to be transmitted to the authentication module 10 and request its encryption. When the authentication module 10 encrypts the data with the session key and returns the data, the TV LSI 40
This encrypted data is sent to the server 3.

On the other hand, when the server 3 sends the encrypted data to the TV LSI 40, the TV LSI 40 passes the encrypted data to the authentication module 10 and requests the decryption.
The authentication module 10 decrypts the data with the session key held and returns it to the TV LSI 40.

FIG. 8 shows a system for performing cryptographic communication between terminal A and terminal B which have completed such authentication processing.

The server encrypts the common key 150 using the session key (common key) shared with the terminal A as a by-product of the authentication for the terminal A that has completed the authentication processing. Send. Further, the server encrypts the common key 150 using the session key (common key) shared with the terminal B as a by-product of the authentication for the terminal B that has completed the authentication processing, and transmits the encrypted common key 150 to the authentication module of the terminal B. I do. Thus, the authentication module of terminal A and terminal B
While maintaining confidentiality, the common key 150 can be held by each other, and the terminal A and the terminal B can directly perform encrypted communication using the common key 150 via the authentication module.

In this system, the server is in the middle of the communication path between the terminals A and B, and the server knows the common key 150 held by the authentication modules of the terminals A and B. Therefore, the server can monitor the encrypted communication on this communication path as needed (for example, during a criminal investigation).

The server referred to here may be an entire system composed of a plurality of devices.

FIG. 9 shows a system in which the server is not in the middle of the communication path between the terminal A and the terminal B. The authentication modules of the terminal A and the terminal B perform the same procedure as in the case of FIG.
The common key 150 can be obtained, and the terminal A and the terminal B can directly perform encrypted communication using the common key 150 via the authentication module.

In this system, the server knows the common key 150, but since the server is not in the middle of the communication path between the terminal A and the terminal B, the server cannot always monitor the communication path. However, a person who can monitor the communication
You can monitor communications by passing.

In FIG. 10, the authentication modules of terminal A and terminal B authenticated by the server perform a zero knowledge key exchange,
A system that shares a common key 151 is shown. Zero-knowledge key exchange is a method of exchanging keys with a partner who does not have common information, and can be implemented by the DH method or the like. Since the communication partner that performs the zero knowledge key exchange is the one that the server has authenticated,
There is a certain degree of reliability. The terminal A and the terminal B can directly perform encrypted communication via the authentication module using the common key 151 obtained by the zero knowledge key exchange.

Since the server does not know the common key 151, there is no danger that the communication contents will be monitored by the server, and secure encrypted communication can be performed between the terminals. However, since the server is in the middle of the communication path between the terminal A and the terminal B, the communication log remains in the server.

FIG. 11 shows a system suitable for use in a multipoint conference or the like by a large number of people.

The authentication processing unit of the server encrypts the common key 150 using the session key (common key) shared with the terminal A as a by-product of the authentication for the terminal A that has completed the authentication processing. To the authentication module. Similarly, the common key 150 is encrypted and transmitted to the authentication modules of the terminals B and C for which the authentication processing has been completed. Thus, the authentication modules of terminal A, terminal B and terminal C are:
The common key 150 can be held with each other while confidentiality is maintained.

The terminals A, B and C register themselves as clients in the communication distribution unit on the server.

The terminal A, the terminal B, and the terminal C transmit the data encrypted with the common key 150 to the communication distribution unit on the server via the respective authentication modules. The communication distribution unit on the server distributes the transmitted encrypted data to the respective terminals without changing the content.

In this way, encrypted communication can be performed between a large number of terminals, and a multipoint conference or the like by a large number of people can be performed without leaking information to the outside.

In this system, the server is located in the middle of the communication path between the terminal A, the terminal B and the terminal C, and the server knows the common key 150. The road can be monitored.

FIG. 12 shows a case where the server is not in the middle of the communication path in the system of FIG. Terminal A,
The terminal B and the terminal C obtain the common key 150 from the authentication processing unit of the server, register themselves as clients in the communication distribution unit on the server, and use the common key 150 By transmitting the encrypted data to the communication distribution unit on the server, encrypted communication between the servers becomes possible.

In this system, the server knows the common key 150, but since the server is not in the middle of the communication path between the terminals A, B and C, the server cannot always monitor the communication path. However, the person who can monitor the communication
By passing 0, communication can be monitored.

FIG. 13 shows a system in which a large number of terminals authenticated by the server increase the number of terminals having the same common key through zero-knowledge key exchange.

The authentication modules of terminal A and terminal B authenticated by the server exchange zero-knowledge keys and share a common key 151. The authentication modules of the terminal B and the terminal C that have been authenticated by the server perform a zero-knowledge key exchange and share a common key 152. In this case, the terminal B uses the common key 152
And encrypts the common key 151 and sends it to the terminal C. Thus, the authentication modules of the terminal A, the terminal B, and the terminal C can share the common key 151.

The communication distribution unit on the server includes terminals A, B, C
Register as a client. The terminal A, the terminal B, and the terminal C communicate with the common key 150 through the respective authentication modules.
Is transmitted to the communication distribution unit on the server. The communication distribution unit on the server distributes the transmitted encrypted data to each terminal without changing the content.

In this way, encrypted communication can be performed between a large number of terminals, and a multipoint conference or the like by a large number of terminals can be performed without leaking information to the outside. Since these communication partners are all partners authenticated by the server, there is a certain degree of reliability.

In this system, since the server does not know the common key, there is no fear of monitoring the communication contents, and secure encrypted communication can be performed between a plurality of terminals. However, since the server is in the middle of the communication path between the terminals A, B and C, the communication log remains on the server.

Even if the number of terminals further increases, the same common key can be provided by repeating the same procedure.

Note that the cryptographic communication system of the present invention can be applied to a case where the server has authenticated a terminal by an authentication method other than the first to fourth embodiments.

[0089]

As is evident from the above description, the authentication method of the present invention uses only the common key encryption method, so that high-speed authentication processing can be realized.

Further, since the common key for securely transmitting the machine number is generated from the secret information corresponding to the machine number, high confidentiality can be maintained. Further, since the machine number does not flow as raw information on the communication path, the privacy of the owner of the terminal is protected.

Further, connection of a terminal other than a specific model to the server can be eliminated. Further, in the process of terminal authentication by the server, the terminal can authenticate the validity of the server substantially, and efficient mutual authentication can be performed.

Further, the cryptographic communication system of the present invention can efficiently expand the connection of the terminals performing the cryptographic communication by utilizing the authentication result.

[Brief description of the drawings]

FIG. 1 is a diagram showing an authentication method according to a first embodiment,

FIG. 2 is a block diagram showing a configuration of an information home appliance system according to the first embodiment;

FIG. 3 is a diagram illustrating a procedure of an authentication method according to the first embodiment in time series;

FIG. 4 is a diagram illustrating a procedure of an authentication method according to a second embodiment in a time series;

FIG. 5 is a diagram illustrating a procedure of an authentication method according to a third embodiment in chronological order;

FIG. 6 is a diagram illustrating a procedure of an authentication method according to a fourth embodiment in chronological order;

FIG. 7 is a block diagram showing a configuration of an information home appliance system according to a fifth embodiment;

FIG. 8 is a block diagram showing a configuration of a first cryptographic communication system according to a fifth embodiment;

FIG. 9 is a block diagram showing a configuration of a second cryptographic communication system according to a fifth embodiment;

FIG. 10 is a block diagram illustrating a configuration of a third cryptographic communication system according to a fifth embodiment;

FIG. 11 is a block diagram showing a configuration of a fourth cryptographic communication system according to a fifth embodiment;

FIG. 12 is a block diagram showing a configuration of a fifth cryptographic communication system according to a fifth embodiment;

FIG. 13 is a block diagram illustrating a configuration of a sixth cryptographic communication system according to the fifth embodiment.

[Explanation of symbols]

 1 STB 3 server 10 authentication module 11 model number 12 machine number 13, 36 encryption / decryption device 14 common key A 15, 34 main processor 16, 33 work RAM 17 pre-session key corresponding to machine number 18 pre-session key corresponding to machine number Session key 19, 35 Key generator 20, 37 Random number generator 30 Authentication processing unit 31 Model number DB 32 Machine number DB 40 TV LSI

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) H04L 9/00 673B 675A (72) Inventor Osamu Sasaki 1006 Kazuma Kadoma, Kadoma City, Osaka Prefecture Matsushita Electric Industrial Co., Ltd. F term (reference) 5B085 AE23 AE25 AE29 5B089 GA11 JB22 KA17 KB13 KC40 KC58 KH30 5J104 AA07 AA16 EA24 EA26 KA02 KA04 KA06 KA14 NA02 NA03 NA11 PA07

Claims (23)

[Claims] 1. A method for authenticating a terminal connected to a network, comprising: generating a first common key using secret information corresponding to a model number of the terminal; and encrypting the first common key with a device number of the terminal. And generating a second common key using secret information corresponding to the machine number, and using the second common key for verification. 2. The other party of the terminal transmits a problem encrypted with the second common key to the terminal, and receives a solution of the problem encrypted with the second common key from the terminal. 2. The authentication method according to claim 1, wherein the authentication is decrypted with the second common key, and the answer is compared with a correct answer. 3. The authentication method according to claim 2, wherein the question is a simple calculation formula that gives a unique answer. 4. The authentication method according to claim 2, wherein the question is a question based on a natural sentence in which an answer is registered in advance with the partner. 5. The system according to claim 2, wherein the problem is biometric authentication information of a user registered in advance with the other party.
Authentication method described in. 6. The other party includes predetermined information in the problem and transmits the problem to the terminal, and the terminal determines the predetermined information in the problem decrypted with the second common key. 3. The authentication method according to claim 2, wherein when said information is included, the validity of the other party is confirmed. 7. The authentication method according to claim 6, wherein the predetermined information is unique information of the other party. 8. The authentication method according to claim 7, wherein the unique information is an IP address of the other party. 9. The authentication method according to claim 7, wherein the unique information is telephone number information of the other party. 10. The terminal transmits the machine number encrypted with the first common key and the machine number encrypted with the second common key to another party, and the other party transmits the 1
Decrypting the machine number encrypted with the common key with the first common key to obtain the machine number, generating the second common key using secret information corresponding to the machine number,
Using the second common key, decrypting the machine number encrypted with the second common key to obtain the machine number,
The authentication method according to claim 1, wherein the machine number decrypted with the second common key is compared with the machine number decrypted with the first common key. 11. The first common key includes a function of secret information corresponding to the model number, a first random number generated by a partner of the terminal, and a second random number generated by the terminal. 11. The authentication according to claim 1, wherein the second common key comprises a function of secret information corresponding to the machine number, the first random number, and the second random number. Method. 12. The first common key is composed of a function of secret information corresponding to the model number and a first random number generated by a partner of the terminal. 11. The authentication method according to claim 1, comprising a function of secret information corresponding to a number and the first random number. 13. The authentication method according to claim 11, wherein the random number is transmitted after being encrypted with a third common key corresponding to the model number. 14. The terminal transmits the machine number encrypted with the first common key to the other party, and the other party decrypts the machine number with the first common key and registers the machine number in advance. The authentication method according to claim 1, wherein it is verified whether a telephone number corresponding to the machine number matches a calling number notified from a telephone network. 15. A ROM in which each of a model number, secret information corresponding to the model number, a machine number and secret information corresponding to the machine number is written, a random number generating unit for performing a random number generating process, and a cryptographic key generating unit. Key generation means for performing processing, encryption / decryption means for performing encryption and decryption processing, RAM used as a work area for each processing, and main part for distributing operations to each part to execute authentication processing 15. A terminal device for executing the authentication method according to claim 1, further comprising a one-chip authentication module including a processing unit. 16. A model number database storing a model number of each terminal connected via a network and secret information corresponding to the model number, and a machine number of each terminal and secret information corresponding to the machine number. And a device number database storing random numbers, random number generation means for performing random number generation processing, key generation means for performing encryption key generation processing, encryption / decryption means for performing encryption and decryption processing, An authentication processing unit comprising: a RAM used as a work area for each processing; and a main processing unit for allocating an operation to each unit in order to execute an authentication processing for a terminal.
4. A server that executes the authentication method according to any one of 4. 17. A recording medium in which the procedure of the authentication method according to claim 1 is recorded in a computer-readable state. 18. A cryptographic communication system comprising: a plurality of terminals connected to a network; and a server authenticating the terminals, wherein the server encrypts and transmits the same common key to each of the terminals; A cryptographic communication system wherein terminals perform cryptographic communication with each other using the common key. 19. A cryptographic communication system comprising a plurality of terminals connected to a network and a server authenticating said terminals, wherein each of said terminals exchanges a common key by a zero-knowledge key exchange method and uses said common key. A cryptographic communication system for performing cryptographic communication between devices. 20. The cryptographic communication system according to claim 18, wherein the number of terminals is three or more, and the server distributes data transmitted from each terminal to each terminal. 21. The cryptographic communication system according to claim 18, wherein the server is located in a communication path between the terminals. 22. The cryptographic communication system according to claim 18, wherein said server is not in the middle of a communication path between said terminals. 23. The cryptographic communication system according to claim 18, wherein the server has authenticated the terminal by the authentication method according to any one of claims 1 to 14.