JPH10164051A - User authentication device and method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect that an inspected value is different from a reference value without providing the reference value in a verification device and without inviting disadvantages such as the runaway of a program or the like at the time of sending an appropriate response to a challenge from the verification device by a proving device and authenticating a user. SOLUTION: At the time of access to digital information, the verification device 100 calculates testing information including redundancy to the proving device 200 and delivers it to first and second response information calculation parts 203 and 204. The second response information calculation part 204 utilizes user intrinsic information and auxiliary information for proving, calculates response information and returns it to the inspected value calculation part 104 of the verification device 100. The inspected value calculation part 104 calculates the inspected value and delivers it to an inspected value redundancy inspection part 105. The inspected value redundancy inspection part 105 inspects the redundancy of the inspected value. In the case that an inspected result is a failure, an error processing part 106 is activated.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a user authentication apparatus and method for authenticating a user's authority.

[0002]

2. Description of the Related Art User authentication is an essential procedure for controlling access to digital information (including proprietary information such as programs). In general, user authentication is performed between a center that centrally manages user-specific secret information such as a password and a user who wants to access, via a network each time, and sharing between the two parties. This is done by confirming the existence of unique secret information. However, this method has the disadvantage of frequent communication between the center and the user, and also involves problems such as the inability to authenticate in a usage environment that is unlikely to assume a network such as a laptop computer. Was.

On the other hand, the present applicant has filed a patent application relating to the invention "user authentication apparatus and method" (Japanese Patent Application No. 8-62076: not disclosed). According to the invention of the related application, when a specific user attempts to access specific digital information, the specific user communicates with the center only once in advance, and relies on a certificate that relies on digital information-specific information and user-specific information. Request for additional information. At the time of access, the verification device generates test information (challenge) from information unique to the digital information, and hands it over to the certification device managed by the user. The proving device generates response information (response) by a predetermined method from the challenge, the proving auxiliary information, and the user unique information, and returns the response information to the verification device. The verification device performs a certain calculation on the response. At this time, if the certification auxiliary information used by the certification device for calculating the response is generated by the center based on the unique information of the correct digital information and the unique information of the user, a certain amount of information is obtained regardless of the user. A value (reference value) is calculated, otherwise no reference value is calculated. Therefore, the verification device can know whether the user has a valid access right by checking whether the value obtained by the calculation is a correct value.

As apparent from the above description, according to the invention of the related application, the verification device does not need to know the individual user and the personal information of the individual, and who the user who is to be authenticated is. Even if there is, you should always perform a certain procedure.

[0005] In practicing the present invention, the certifying device is, for example, a program on a personal computer owned by the user, and the user's unique information is stored in a portable computing device such as an IC card or a PC card in order to prevent unauthorized access by other users. Can be enclosed. The verification device can be a program on another computer connected to the user's personal computer via a network.However, if the verification device is configured as a program directly embedded in digital information to be controlled for access, authentication can be performed. This can be performed on the user's personal computer, which is more effective.

Hereinafter, the invention "user authentication apparatus and method" of the related application will be described in detail with reference to specific examples. In this example, the digital information is an application program, and the verification device is configured as a program embedded in the application program. Hereinafter, the verification device is referred to as a verification program.

The main part of the application program uses, for example, DES (DataEn)
encryption standard). Further, the encryption key K is a RSA (Rivest-Shamir-Adlem) registered in the center in advance.
an) Using public key (E, n)

[0008]

## EQU1 ## K ^* = K ^E mod n is encrypted, and K is stored in the verification program together with (E, n).

On the other hand, the user having the unique information dU requests the center to receive the proof auxiliary information t. The auxiliary information for certification t is generated by the center as follows.

[0010]

T = D−F (d _U , n) where F is a function having d _U and n as arguments, and
Is

[0011]

ED≡1 mod (p−1) (q−1) is satisfied. Here, p and q are two prime factors that satisfy n = pq.

Authentication is performed according to the following procedure. First, when the user starts the application program, the embedded verification program operates to generate a random number r. Subsequently, the verification program

[0013]

Equation 4] by calculating ^{C = r E K * mod n} , delivered to a user of the certification apparatus with n.
In this example, the user's certification device is configured as a program on the user's personal computer, and is hereinafter referred to as a certification program. User specific information is an IC with an arithmetic function
It is assumed to be a card or a PC card, and is hereinafter referred to as a token.

When the certification program passes (C, n) to the token, the token becomes

[0015]

[ ^Mathematical formula-see original document] R '= ^{CF (dU, n)} mod n is calculated and returned to the certification program. The certification program is

[0016]

[Mathematical formula-see original document] R "= C ^t mod n is separately calculated, and R 'is received from the token.

[0017]

[Mathematical formula-see original document] R = R'R "mod n is calculated and returned to the verification program.

In the verification program,

[0019]

## ^EQU8 ## The decryption key K is obtained by K ′ = r ⁻¹ R mod n. Here, only when the user performs the calculation using the correct auxiliary information for certification, K =
K ′ holds.

Finally, the verification program decrypts the encrypted part of the application program using K ′ as a decryption key, and jumps to the start of execution of the decrypted application program.

[0021]

In a specific example of the invention of the above-mentioned related application, the verification device calculates for the inspection but determines the validity of the user's access right only when it matches the reference value. Can authenticate. For example, when the verification device is configured as a program and operates on the user's personal computer, if an unauthorized user can extract the reference value by analyzing the verification program, correct authentication cannot be performed thereafter. Therefore, as described above, the verification program does not hold the reference value itself and is not configured to directly compare the test value with the reference value. If a test value that does not match the reference value is obtained, the subsequent processing is performed. To make sure that is not done correctly. In the above example, it is not necessary to hold the encryption key K itself in the verification program by devising such that the encrypted application program is correctly decrypted only when the correct inspection value is calculated. Configuration.

However, in the above configuration, if an erroneous inspection value is obtained, there arises a problem that it is impossible to predict how the subsequent processing will be performed. For example, if K ′ ≠ K in the previous example, the application program will not be decrypted correctly, and therefore, if the program jumps out of the verification routine, the program will run away, destroying other programs and files on the personal computer, In the worst case, the personal computer itself may be destroyed.

[0023] Even if the verification device cannot correctly calculate the inspection value, it is not necessarily the result of the user attempting an illegal operation, and may be caused by a communication error or the like. Therefore, even if a correct inspection value cannot be obtained, it is necessary to protect the environment of the user.

According to the present invention, in order to solve the above-mentioned problems, it is possible to check that the inspection value differs from the reference value without having a reference value in the verification device and without causing disadvantage such as program runaway. It is intended to enable detection.

[0025]

According to the present invention, in order to achieve the above object, an authentication system comprising a verification device for holding digital information and a certification device used by a user who attempts to access the digital information. In the apparatus, the verification device comprises digital information holding means, test information generation means, check value calculation means, check value redundancy check means, error processing means, and digital information processing means, and the certification device holds user specific information. Means and response information generation means, wherein the test information generation means in the verification device generates test information and sends it to the response information generation means in the certification device, and the response information generation means The response information is generated from the information and the user unique information held in the user unique information holding means, and the response information is generated by the check value calculating means in the verification device. The test value calculation means calculates a test value from the response information and hands it over to the test value redundancy check means, and the test value redundancy check means can detect a predetermined redundancy from the test value. In such a case, the digital information processing means is activated to process the digital information held in the digital information holding means. If the predetermined redundancy cannot be detected, the error processing means is activated. Error processing is performed.

In this configuration, a reference value is generated so as to satisfy conditions (redundancy) such as "a specific sequence appears at a specific position in a reference value" and "a reference value follows a specific format". The check value redundancy check unit in the verification device checks whether the calculated check value satisfies the redundancy, and calls the error processing unit if the redundancy is not obtained, and performs error processing. Therefore, it is possible to detect whether or not the inspection value differs from the reference value without having a reference value in the verification device and without causing disadvantage such as runaway of the program.

According to the present invention, in order to achieve the above object, a verification device for holding digital information,
In an authentication device comprising a certification device used by a user who attempts to access the digital information, the verification device may include an encrypted digital information holding unit, a test information generation unit, a check value calculation unit, a check value redundancy check unit, and a decryption unit. And error processing means and digital information processing means,
The proving device comprises a user-specific information holding unit and a response information generating unit, and the test information generating unit in the verification device generates test information and sends it to the response information generating unit in the proving device. The response information generating means generates response information from the test information and the user unique information held in the user unique information holding means, sends the response information to the inspection value calculation means in the verification device, and The calculating means calculates a check value from the response information and delivers the check value to the check value redundancy check means. If the check value redundancy check means can detect a predetermined redundancy from the check value, the check value Calculates a decryption key from the digital information and delivers it to the decryption means. The decryption means decrypts the encrypted digital information held in the encrypted digital information storage means, and then decrypts the digital information. Performs processing digital information call the decode stage, if the predetermined redundancy could not be detected by calling the error processing means, and to perform an error process.

Also in this configuration, it is possible to detect whether the inspection value is different from the reference value without having a reference value in the verification device and without causing disadvantage such as runaway of the program. Also, the digital information itself is encrypted,
Protected from unauthorized access.

According to the present invention, in order to achieve the above object, a verification device for holding digital information,
In an authentication device comprising a certification device used by a user who attempts to access the digital information, the verification device includes an encrypted digital information holding unit, a test information generation unit, a check value calculation unit, a decryption unit, and a decryption value redundancy inspection unit. The verification device comprises error processing means and digital information processing means, the certifying device comprises user-specific information holding means and response information generating means, and the test information generating means in the verification device generates test information and generates the certifying information. The response information is sent to response information generating means in the apparatus, and the response information generating means generates response information from the test information and the user-specific information held in the user-specific information holding means, and outputs the test value in the verification device. To the calculating means, the check value calculating means calculates a decryption key as a check value from the response information, and hands it over to the decrypting means. The encrypted digital information held in the encrypted digital information holding means is decrypted by using the decryption key, and the decrypted value redundancy checking means can detect a predetermined redundancy from the decrypted digital information. In this case, the digital information processing means is activated to process the decoded digital information. If the predetermined redundancy cannot be detected, the error processing means is activated and error processing is performed. I am trying to be.

In this configuration, the inspection value is used as a decryption key for the encrypted digital information. Then, the digital information is given redundancy, the verification device decodes the digital information for the time being using the calculated check value as a key, and the decoded value redundancy check means checks whether or not the decoded result satisfies the redundancy. If the performance cannot be obtained, error processing means is called to perform error processing. Therefore, it is possible to detect whether or not the inspection value differs from the reference value without having a reference value in the verification device and without causing disadvantage such as runaway of the program. In addition, the digital information itself is also encrypted and protected from unauthorized access.

Further, in the above configuration, the certification device has a certification auxiliary information holding unit, and the response information generation unit combines the certification with the user unique information held in the user unique information holding unit. The response information may be generated based on the proof auxiliary information held in the auxiliary information holding means.

Further, the verification device has a verification basic information holding means, and the test information generation means has the key information K ^* , the random number r, and the RS held in the verification basic information holding means.
Test information (C, n) is obtained from A public key (E, n) using C = r
Calculated by ^E K ^* mod n, the above-mentioned proof auxiliary information t is given by t = D−d _U + w (p−1) (q−1), and the above-mentioned response information generating means is R = C ^t C ^dU mod.
n may be used to generate the response information R, and the test value calculation means may calculate the test value L according to L = r ⁻¹ R mod n.

Further, the verification device has a verification basic information holding means, and the test information generation means has the key information K ^* , the random number r, and the RS held in the verification basic information holding means.
Test information (C, n) is obtained from A public key (E, n) by C = r ^E
K ^* mod n, and the proof auxiliary information t is calculated by using at least the user specific information d _U and a predetermined function F (d _U , n) taking the above n as an argument. d _U , n), and the response information generating means uses the function F (d _U , n) to calculate R = C ^t
The response information R is generated according to C ^{F (dU, n)} mod n, and the inspection value calculation means converts the inspection value L to L = r ⁻¹ R
The calculation may be performed by mod n.

Further, the user unique information holding means and the response information generating means in the certification device may be stored in a tamper-resistant container resistant to physical intrusion such as a probe.

Further, the response information generating means in the certification device comprises a first response information generating means and a second response information generating means, and the test information generating means transmits the test information (C, n). Hand over to the first response information generating means,
The first response information generating means is R ″ = C ^t mod
n and delivers the test information (C, n) to the second response information generating means. The second response information generating means calculates R '= C ^dU mod n to calculate the first response. The first response information generation means may calculate the response information R according to R = R′R ″ mod n.

Further, the response information generating means in the certification device comprises a first response information generating means and a second response information generating means, and the test information generating means transmits the test information (C, n). Hand over to the first response information generating means,
The first response information generating means is R ″ = C ^t mod
n, and passes the test information (C, n) to the second response information generating means. The second response information generating means calculates R '= ^{CF (dU, n)} mod n The first response information generating means may be passed to the first response information generating means, and the first response information generating means may calculate the response information R 1 according to R = R′R ″ mod n.

Further, the user-specific information holding means and the second response information generating means in the certification device may be stored in a tamper-resistant container resistant to physical intrusion such as a probe.

Further, the certification device has a use control information holding unit and a use control information verifying unit, and the use control information verifying unit verifies the use control information held in the use control information holding unit. When the usage control information is genuine, the response information generation means may generate response information and send it to the check value calculation means in the verification device.

In this configuration, the usage control information is verified, and if it is not authentic, no response information is sent to the check value calculation means, so that redundancy cannot be detected. Therefore, error processing is performed and the program does not run away. If the usage control information is genuine, it is possible to detect whether or not the inspection value differs from the reference value without having a reference value in the verification device and without causing disadvantage such as program runaway. Also, by verifying the usage control information, it is possible to perform fine-grained user authentication.

Further, the verification device has a verification basic information holding means, and the test information generation means has the key information K ^* , the random number r, and the RS held in the verification basic information holding means.
Test information (C, n) is obtained from A public key (E, n) by C = r ^E
K ^* mod n, and the proof auxiliary information t is a predetermined function F (d _U , n, I) taking at least the user unique information d _U , the n and the use control information I as arguments. T = D−F (d _U , n, I)
The use control information verification means verifies the use control information I, and if the use control information I is authentic, the response information generation means performs the function F (d _U , n,
With I) to generate the ^{R = C t C F (dU} , n, I) the response information R by modn, the check value calculation means for calculating the check value L by L = r ^-1 R mod n You may do so.

Further, the user unique information holding means, the response information generating means and the use control information verifying means in the certification device are stored in a tamper-resistant container resistant to physical intrusion such as a probe. Is also good.

Further, the response information generating means in the certification device comprises a first response information generating means and a second response information generating means, and the test information generating means transmits the test information (C, n). Hand over to the first response information generating means,
The use control information verification unit verifies the use control information I held in the use control information holding unit, and when the use control information I is authentic, the first response information generation unit uses R ″ = ^Ct mod n is calculated and the test information (C, n) is transferred to the second response information generating means. The use control information holding means transfers the use control information I to the second response information generating means. Delivery, the second response information generating means is R '= ^{CF (dU, n, I)} mod
n is calculated and passed to the first response information generating means,
The first response information generating means is R = R′R ″ mod
The response information R may be calculated based on n.

Further, the user unique information holding means, the second response information generating means and the use control information verifying means in the certification device are stored in a tamper-resistant container resistant to physical intrusion such as a probe. You may do so.

According to the present invention, in order to achieve the above object, in the user authentication method, a step of storing user specific information, a step of receiving test information, a step of storing the test information and the user specific information, Generating response information according to the following; generating inspection information from the response information; determining whether the inspection information includes a predetermined redundancy; and determining whether the inspection information has a predetermined redundancy. If it is determined that the test information is not included, an error processing step is performed, and if it is determined that the test information includes predetermined redundancy, a step of executing predetermined information processing is performed. ing.

Also in this configuration, it is possible to detect whether or not the inspection value differs from the reference value without having a reference value in the verification device and without causing disadvantage such as runaway of the program.

According to the present invention, in order to achieve the above object, a means for storing user specific information in a user authentication device, receiving test information, and responding to the test information and the user specific information. Means for generating response information from the response information, means for generating inspection information from the response information, means for determining whether or not the inspection information includes a predetermined redundancy, and means for determining whether the inspection information includes a predetermined redundancy. If it is determined that there is no redundancy, there is provided means for performing error processing, and means for executing predetermined information processing when it is determined that the inspection information includes predetermined redundancy.

Also in this configuration, it is possible to detect whether the inspection value differs from the reference value without having a reference value in the verification device and without causing disadvantage such as runaway of the program.

[0048]

Embodiments of the present invention will be described below. FIG. 1 is a configuration diagram of a first embodiment of the present invention. In FIG. 1, a verification device 100 includes a verification basic information holding unit 101 and an encrypted digital information holding unit 102.
It has a test information generating means 103, a test value calculating means 104, a test value redundancy checking means 105, an error processing means 106, and a decoding means 107. The key information (K ^* ) 1010 and the random number (r) 10
11 and an RSA public key (E, n) 1012, and the encrypted digital information holding means 100 holds the encrypted digital information.

The certifying device 200 includes a user unique information holding unit 201, a proof auxiliary information holding unit 202, a first response information generating unit 203, and a second response information generating unit 204. The user unique information holding unit 201 and the second response information generating unit 204 are combined with an IC card P
It may be realized as a portable computing device such as a C card.

The data held in the encrypted digital information holding means 100 is, for example, DES (Data Encrypt) using plaintext digital information by using an encryption key K ′.
digital information that has been encrypted according to T. Standard. The key information K ^* held in the verification basic information holding means 101 is calculated from a key intermediate representation K obtained by adding redundancy to the encryption key K ′. The redundancy assumed for the key intermediate representation K has, for example, the following properties. The first N bits of K have a predetermined constant bit pattern b ₁ b ₂ b ₃ ... B _N. K is a repetition of an arbitrary bit pattern having a fixed length. K having the above redundancy is generated as follows. A DES encryption key K ′ is generated using a random number generator. Generated encryption key K ', and K by connecting a bit pattern after the predetermined bit pattern _{b 1 b 2 b 3 ··· b} N. That is, the bit pattern of K ′ is changed to k ₁
Writing and k ₂ ··· k _64,

[0051]

K = b ₁ b ₂ ... B _{N -1} b _N k ₁ k ₂ ... K ₆₃ k ₆₄ A DES encryption key K ′ is generated using a random number generator. K is a bit pattern obtained by repeating the bit pattern k ₁ k ₂ ... K ₆₄ of K ′ a fixed number of times. That is, if the number of repetitions is k,

[0052]

(Equation 10) The key intermediate expression K is an RSA registered in the center in advance.
Using public key (E, n)

[0053]

[Equation 11] K^*= K^E  mod n and the key information K^*Becomes Key information K^*Is the public RSA
Verification basic information holding means 101 together with the open key (E, n)
Is held. Here, K and K ′ are inside the verification device 100.
Is not retained.

The user unique information holding means 201 holds unique information d _U. At the same time, the proof auxiliary information holding means 202 holds the proof auxiliary information t issued by the center. The auxiliary information for certification t is generated by the center as follows.

[0055]

T = D−d _U + w (p−1) (q−1) where p and q are two prime factors satisfying n = pq, w is a random number, and D is a public key of RSA encryption ( E, n) is a secret key corresponding to

[0056]

Satisfies ED≡1 mod (p−1) (q−1).

Authentication is performed according to the following procedure. When accessing digital information, the verification device 1
First, the random number r is stored in the basic information for verification 101
Remove from At this time, the random number r may be calculated each time by the random number generator, or may be extracted from a random number sequence given in advance. Next, the test information C is calculated in accordance with the following equation using E and n extracted from the verification basic information holding unit 101.

[0058]

C = r ^E K ^* mod n The verification device 100 delivers the calculated test information C together with n to the certification device.

The proving device 200 delivers (C, n) to the first and second response information generating means 203 and 204. The second response information generation unit 204 uses the user unique information d _U in the user unique information holding unit 201,

[0060]

[ ^Mathematical formula-see original document] R '= C ^dU mod n is calculated and passed to the first response information generating means 203.
On the other hand, the first response information generating means 203 uses t in the certification auxiliary information holding

[0061]

## EQU16 ## R ″ = C ^t mod n is calculated in advance, and the second response information generating means 204 is further calculated.
Using R 'received from

[0062]

[Mathematical formula-see original document] The response information R is calculated according to R = R'R "mod n. The proving device 200 compares the calculated response information R with the check value calculating means 1 in the verification device 100.
Return to 04.

In the inspection value calculation means 104,

[0064]

The inspection value L is calculated by L = r ^-1 R mod n, and the inspection value redundancy inspection means 10
Hand over to 5. Inspection value redundancy inspection means 105 inspects the redundancy of inspection value L. The redundancy check is performed, for example, as follows. Take out the _first N bits l ₁ l ₂ l ₃ ... L _N of L,
The bit pattern is compared with the bit patterns b ₁ b ₂ ... B _N held in the check value redundancy check means 105. As a result of the comparison, if the two are completely equivalent, the inspection result is regarded as pass, and if not, the inspection result is rejected. If the inspection is successful, a bit string obtained by removing the first N bits from L is set as a decryption key K. The _first 64 bits of L, l ₁ l ₂ l ₃ ... L _64, are removed and compared with the shortened first 64 bits of L. If the two are not equal as a result of the comparison, the test is rejected. This comparison operation is repeated k-1 times, and if no rejection has been made, the inspection result is regarded as pass. If the inspection is acceptable, the decryption key K and _{l 1 l 2 l 3 ··· l} 64 the last obtained
And

If the inspection result by the inspection value redundancy inspection unit 105 is rejected, the error processing unit 106 is activated. The error processing means 106
To the verification device 10 that the response information was incorrect.
Necessary processing such as initialization of 0 is performed.

On the other hand, if the inspection result is passed, the inspection value redundancy inspection unit 105 sends the decryption key K to the decryption unit 107.
Hand over to The decryption means 107 decrypts the encrypted digital information in the encrypted digital information holding means 102 using the decryption key K and the DES algorithm.

If the decoded digital information is, for example, image information or moving image information, the display device is continuously activated to provide the displayed image or moving image to the user.
If the decrypted digital information is, for example, an application program, the process jumps to the execution start point of the decrypted application program after the processing by the decrypting means 107 is completed, and the application program is executed.

Next, a second embodiment of the present invention will be described. FIG. 2 is a configuration diagram of a second embodiment of the present invention. In FIG. 2, a verification device 100 includes a verification basic information holding unit 101 and an encrypted digital information holding unit 102.
It has a test information generating means 103, a check value calculating means 104, a decoded value redundancy checking means 108, an error processing means 106, and a decoding means 107. The key information (K ^* ) 1010 and the random number (r) 10
11 and an RSA public key (E, n) 1012, and the encrypted digital information holding means 102 holds the encrypted digital information.

The certifying device 200 comprises a user-specific information holding unit 201, a proof auxiliary information holding unit 202, a first response information generation unit 203, and a second response information generation unit 204. The user unique information holding means 201 and the second response information calculating means 204 are combined with an IC card / PC
It may be realized as a portable computing device such as a card.

The data held in the encrypted digital information holding means 102 is obtained by adding the redundancy to the digital information I encrypted by, for example, DES using the encryption key K with the plaintext digital information. It is. The redundancy is generated, for example, as follows. A predetermined bit pattern b ₁ b ₂ ... B _N is added to the head of the encrypted digital information I.
The bit string of the data after the redundancy is given is as follows.

[0071]

[Equation 19] This is a bit pattern obtained by adding a copy of the _first N bit patterns l ₁ l ₂ l ₃ ... L _N of the encrypted digital information to the top a fixed number of times. That is, assuming that the number of repetitions is k, the result is as follows.

[0072]

(Equation 20) The encryption K is performed using an RSA public key (E, n) registered in the center in advance.

[0073]

[Equation 21] Encrypted as K ^* = K ^E mod n to become key information K. The key information K is stored in the verification basic information storage unit 101 together with the RSA public key (E, n). Here, the encryption key K is not stored in the verification device 100.

The verification device 100 and the proving device 200 in the second embodiment operate in the same manner as in the first embodiment until the test value calculation means 104 calculates the test value.
Hereinafter, only the operation after the test value calculation means 104 calculates the test value L will be described.

The check value calculation means 104 delivers the check value L to the decryption means 107 as a decryption key. The decoding means 107
The encrypted digital information held in the encrypted digital information holding means 102 is decrypted by the obtained L and DES algorithms. Next, the decoded value redundancy check means 108 checks the preparation of the decoded digital information. The redundancy check is performed, for example, as follows. The _first N bits l ₁ l ₂ l of the decoded digital information
₃ ... L _N are removed and compared with the bit patterns b ₁ b ₂ ... B _N held in the decoded value redundancy check means 105. As a result of the comparison, if the two are completely equivalent, the inspection result is regarded as pass, and if not, the inspection is rejected. The _first N bits l ₁ l ₂ l of the decoded digital information
₃ ... 1 _N is removed and the first _N of the remaining digital information
Compare with bit. If the two are not equal as a result of the comparison, the test is rejected. This comparison work is repeated k-1 times,
If the test has never been rejected, the test result is regarded as pass.

If the result of the inspection by the decoded value redundancy inspection means 108 is rejected, the error processing means 106 is activated. The error processing means 106
To the server that the response information is incorrect, and performs necessary processing such as initialization of the verification device. If the test result passes, the digital information has been correctly decoded,
Processing continues.

In the first and second embodiments, the center may generate the auxiliary information for certification t as follows.

[0078]

T = D−d _U + w (p−1) (q−1) where p and q are two prime factors satisfying n = pq, w is an integer, and D is a public key of RSA encryption ( E, n) is a secret key corresponding to

[0079]

ED≡1 mod (p−1) (q−1) is satisfied. In this case, the second response information generation means 204
Uses the user unique information d _U in the user unique information holding means 201,

[0080]

[ ^Mathematical formula-see original document] R '= C ^dU mod n is calculated and passed to the first response information calculating means 203.
Even with this configuration, the user authentication device of the first embodiment and the user authentication device of the second embodiment operate in the same manner as described above. Further, in this configuration, it is not necessary to calculate the function F by the second response information generating means 204, so that the processing can be simplified.

Next, a third embodiment of the present invention will be described. FIG. 3 is a configuration diagram of a third embodiment of the present invention. In FIG. 3, the verification device 100 includes a verification basic information holding unit 101 and an encrypted digital information holding unit 102.
It has a test information generating means 103, a test value calculating means 104, a test value redundancy checking means 105, an error processing means 106, and a decoding means 107. The key information (K ^* ) 1010 and the random number (r) 10
11 and an RSA public key (E, n) 1012, and the encrypted digital information holding means 100 holds the encrypted digital information.

The certifying device 200 includes a user unique information holding unit 201, a proof auxiliary information holding unit 202, a first response information generating unit 203, a second response information generating unit 204, a use control information holding unit 205, and a use control Information verification means 2
06. The use control information holding unit 205 holds use control information 2050, and the use control information verification unit 206 holds a clock 2060 that returns the current date and time. The user-specific information holding unit 201, the second response information generation unit 204, and the use control information verification unit 206 may be implemented together as a portable computing device such as an IC card or a PC card.

In the third embodiment, the certification auxiliary information t held in the certification auxiliary information holding means 202 is generated by the center as follows.

[0084]

T = DF (d _U , n, I) where F is a function having d _U , n and usage control information I as arguments. In the present embodiment, the usage control information I is assumed to be a date and time indicating an expiration date. The use control information holding means 205 can receive the use control information I from the center in advance and store it. If a value different from the above I is held in the use control information holding means, the user authentication fails in this embodiment as described below.

The verification device 100 and the proving device 200 in the third embodiment operate in the same manner as in the first embodiment until the test information C calculated by the verification device 100 is transferred to the proving device 200 together with n. . Hereinafter, only the operation after the test information C and n are delivered to the proving device 200 will be described.

The proving device 200 delivers (C, n) to the first and second response information generating means 203 and 204. The second response information generation means 204 is used by the usage control information verification means 20
6 is started. Usage control information verification means 206
Verifies whether the use control information (I) 2050 held in the use control information holding means 205 is genuine.

In this embodiment, the usage control information verification means 20
6, the current date / time returned by the clock 2060 is compared with the usage control information I. If the current date / time / time is smaller than or equal to I, it is determined that the usage control information I is authentic.

If the usage control information verification unit 206 determines that the usage control information I is not authentic, the second response information generation unit 204 notifies the first response information generation unit 203 that the calculation has failed. I do. The first response information generation unit 203 notifies the check value calculation unit 104 that generation of the response information R has failed. The inspection value calculation unit 104 notifies the inspection site redundancy inspection unit 105 of the failure, and as a result,
The error processing means 106 is activated.

When the use control information verification means 206 determines that the use control information I is authentic, the second response information generation means 204 has already been delivered from the certification device 200 (C, n). , User specific information holding means 2
01 in using the user-specific information d _U and usage control information I in the usage control information holding means 205,

[0090]

R ′ = C ^{F (dU, n, I)} mod n is calculated and ^delivered to the first response information generating means 203.
On the other hand, the first response information generation means 203 uses t in the

[0091]

[Mathematical formula-see original document] R "= C ^t mod n is calculated in advance, and the second response information generating means 204 is calculated.
Using R 'received from

[0092]

[Mathematical formula-see original document] Response information R is calculated according to R = R'R "mod n. The proving device 200 compares the calculated response information R with the check value calculating means 1 in the verification device 100.
Return to 04.

The subsequent verification device 100 and certification device 200 operate in the same manner as in the first embodiment.

In the third embodiment, if the use control information 2050 in the use control information holding means 205 is not authentic, the error processing means 106 is activated. Also,
Even if the usage control information 2050 is replaced with a false value and the usage control information verification means 206 appears to be genuine, the second response information generation means 204 performs a calculation based on the false usage control information 2050. It is not possible to calculate the correct response information R to perform. As a result, the check value redundancy check unit 105 cannot detect the predetermined redundancy, and the error processing unit 106 is also activated.

As described above, in the third embodiment, fine-grained user authentication control based on the use control information 2050 can be performed. In this embodiment, the usage control information 2
050 as the expiration date, the usage control information verification means 2
This is achieved by placing a clock 2060 in 06. Realization by another configuration is also possible.

For example, by using the usage control information 2050 as the maximum value of the number of times of authentication and holding a counter in the usage control information verification means 206, the number of times of successful user authentication can be controlled.

[0097]

As described above, according to the present invention, whether the inspection value differs from the reference value without having the reference value in the verification device and without causing disadvantage such as runaway of the program. Can be detected.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a first embodiment of the present invention.

FIG. 2 is a block diagram showing a second embodiment of the present invention.

FIG. 3 is a block diagram showing a third embodiment of the present invention.

[Explanation of symbols]

 REFERENCE SIGNS LIST 100 verification device 101 verification basic information holding means 102 encrypted digital information holding means 103 test information generation means 104 check value calculation means 105 check value redundancy check means 106 error processing means 107 decoding means 108 decryption value redundancy check means 200 certification Apparatus 201 User specific information holding means 202 Certification auxiliary information holding means 203 First response information generating means 204 Second response information generating means 205 Usage control information holding means 206 Usage control information verification means

Claims (17)

[Claims] 1. A verification device for holding digital information,
In an authentication device comprising a certification device used by a user who attempts to access the digital information, the verification device includes a digital information holding unit, a test information generation unit, a check value calculation unit, a check value redundancy check unit, an error processing unit, Digital information processing means, the proving device comprises user-specific information holding means and response information generating means, and the test information generating means in the verification device generates test information and generates the response information in the proving device. Sent to the information generation means,
The response information generating means generates response information from the test information and the user unique information held in the user unique information holding means, sends the response information to the check value calculating means in the verification device, and Means for calculating a check value from the response information and delivering the check value to the check value redundancy check means; if the check value redundancy check means can detect a predetermined redundancy from the check value, the digital information The processing means is started to process the digital information held in the digital information holding means. If the predetermined redundancy cannot be detected, the error processing means is started and error processing is performed. A user authentication device characterized by the above-mentioned. 2. A verification device for holding digital information,
In the authentication device comprising a certification device used by a user who attempts to access the digital information, the verification device includes an encrypted digital information holding unit, a test information generation unit, a check value calculation unit, a check value redundancy check unit, and a decryption unit. And the error processing means and the digital information processing means. The proving device comprises a user unique information holding means and a response information generating means. The test information generating means in the verification device generates test information and generates the test information. The response information is sent to the response information generating means in the device, and the response information generating means generates response information from the test information and the user unique information held in the user unique information holding means, and performs a check in the verification device. The check value is sent to the check value calculating means, and the check value calculating means calculates a check value from the response information and delivers it to the check value redundancy checking means. The check value redundancy check means calculates a decryption key from the check value and delivers it to the decryption means when the predetermined redundancy can be detected from the check value. After decrypting the encrypted digital information held therein, the digital information processing means is called and the decrypted digital information is processed. If the predetermined redundancy cannot be detected, the error occurs. An authentication apparatus, wherein an error process is performed by calling processing means. 3. A verification device for holding digital information,
In an authentication device comprising a certification device used by a user who attempts to access the digital information, the verification device includes an encrypted digital information holding unit, a test information generation unit, a check value calculation unit, a decryption unit, and a decryption value redundancy check unit. The proving device comprises user-specific information holding means and response information generating means. The test information generating means in the verification device generates test information and generates test information in the proving device. The response information generating means generates response information from the test information and the user unique information held in the user unique information holding means, and generates the test value calculating means in the verification device. The check value calculation means calculates a decryption key as a check value from the response information and delivers it to the decryption means, and the decryption means The encrypted digital information held in the encrypted digital information holding means is decrypted by using the digital key, and the decrypted value redundancy check means can detect predetermined redundancy from the decrypted digital information. In this case, the digital information processing means is activated to process the decoded digital information. If the predetermined redundancy cannot be detected, the error processing means is activated and error processing is performed. A user authentication device characterized in that: 4. The certifying device has proof auxiliary information holding means, and the response information generating means includes the proof auxiliary information holding means together with the user unique information held in the user unique information holding means. 4. The user authentication device according to claim 1, wherein the response information is generated based on the proof auxiliary information held in the user authentication device. 5. The verification device has a verification basic information holding unit, and the test information generation unit has a key information K ^* , a random number r, an RSA public key (E) held in the verification basic information holding unit. , N) to obtain the test information (C, n) as C = r ^E K ^*
mod n, the proof auxiliary information t is given by t = D−d _U + w (p−1) (q−1), and the response information generating means is R = C ^t C ^dU mod n.
5. The user authentication apparatus according to claim 4, wherein the response information R is generated by the following, and the check value calculating means calculates the check value L according to L = r ^-1 Rmod n. 6. The verification device has a verification basic information holding unit, and the test information generation unit has a key information K ^* , a random number r, an RSA public key (E) held in the verification basic information holding unit. the test information from n) and (C, n) C = r E K *
mod n, and the proof auxiliary information t is calculated using at least the user specific information d _U and a predetermined function F (d _U , n) taking the n as an argument.
= D−F (d _U , n), and the response information generating means uses the function F (d _U , n) to calculate R = C ^t CF
The response information R is generated by ^{F (dU, n)} mod n, and the inspection value calculation means calculates the inspection value L as L = r ^-1 R
The user authentication device according to claim 4, wherein the calculation is performed using mod n. 7. The apparatus according to claim 1, wherein said user-specific information holding means and said response information calculating means in said certification device are stored in a tamper-resistant container resistant to physical intrusion such as a probe. 7. The user authentication device according to 5 or 6. 8. The response information generating means in the certification device comprises a first response information generating means and a second response information generating means, and the test information generating means comprises the test information (C,
n) is passed to the first response information generating means, and the first response information generating means calculates R ″ = C ^t mod n, and outputs the test information (C, n) to the second response information generating means. The second response information generating means calculates R '= C ^dU mod n and delivers it to the first response information generating means, and the first response information generating means calculates R = R'R '' The response information R
The user authentication device according to claim 5, wherein: 9. The response information generating means in the certification device comprises a first response information generating means and a second response information generating means, and the test information generating means includes the test information (C,
n) is passed to the first response information generating means, and the first response information generating means calculates R ″ = C ^t mod n, and outputs the test information (C, n) to the second response information generating means. The second response information generating means calculates R ′ = ^{CF (dU, n)} mod n and delivers it to the first response information generating means, and the first response information generating means 7. The user authentication device according to claim 6, wherein the response information R is calculated according to R = R'R "mod n. 10. The tamper-resistant container, wherein the user-specific information holding means and the second response information calculation means in the certification device are stored in a tamper-resistant container resistant to physical intrusion such as a probe. User authentication device. 11. The proving device includes a use control information holding unit and a use control information verifying unit. The use control information verifying unit verifies the use control information held in the use control information holding unit. 4. The method according to claim 1, wherein said response information generation means generates response information and sends it to said check value calculation means in said verification device when the usage control information is authentic.
Or the user authentication device according to 4. 12. The verification device includes a verification basic information holding unit, and the test information generation unit includes a key information K ^* , a random number r, and an RSA stored in the verification basic information holding unit.
The test information (C, n) is obtained from the public key (E, n) by C = r ^E K ^*
mod n, and the proof auxiliary information t is a predetermined function F taking at least the user specific information d _U , the n, and the use control information I as arguments.
(D _U, n, I) with _{t = D-F (d U} , n, I) is given by, the usage control information verification unit verifies the usage control information I, the usage control information I is In the case of authenticity, the response information generating means performs the function F (d _U , n,
With ^{I) R = C t C F} (dU, n, I) by mod n generates the response information R, the check value calculation means calculating the check value L by L = r ^-1 R mod n The user authentication device according to claim 11, wherein 13. The tamper-resistant container, wherein the user-specific information holding means, the response information generation means, and the use control information verification means in the certification device are stored in a tamper-resistant container resistant to physical intrusion such as a probe. 13. The user authentication device according to 11 or 12. 14. The response information generating means in the certification device comprises a first response information generating means and a second response information generating means, and the test information generating means transmits the test information (C, n). Hand over to the first response information generating means,
The use control information verification unit verifies the use control information I held in the use control information holding unit, and when the use control information I is authentic, the first response information generation unit sets R ″ = ^Ct mod n is calculated and the test information (C, n) is transferred to the second response information generating means. The use control information holding means transfers the use control information I to the second response information generating means. Delivery, the second response information generating means is R '= ^{CF (dU, n, I)} mod
n is calculated and passed to the first response information generating means,
The first response information generating means is R = R′R ″ mod
13. The user authentication device according to claim 12, wherein the response information R is calculated by n. 15. The user-specific information holding means, the second response information generation means, and the use control information verification means in the certification device are stored in a tamper-resistant container resistant to physical intrusion such as a probe. The user authentication device according to claim 14, wherein 16. Storing user specific information, receiving test information, generating response information according to the test information and the user specific information, and generating test information from the response information. A step of determining whether or not the inspection information includes a predetermined redundancy; a step of performing an error process if it is determined that the inspection information does not include the predetermined redundancy; Executing predetermined information processing when it is determined that the information includes predetermined redundancy. 17. A means for storing user-specific information, a means for receiving test information and generating response information according to the test information and the user-specific information, and a means for generating test information from the response information. Means for determining whether or not the inspection information includes predetermined redundancy; means for performing error processing when it is determined that the inspection information does not include predetermined redundancy; Means for executing predetermined information processing when it is determined that predetermined redundancy is included.