JPH07336348A - Authentication device and authentication method - Google Patents

Abstract

PURPOSE:To provide an authentication device and an authentication method having improved security and the less number of times of communication by confirming the validity of a random number and confirming the validity of certification data generated based on the random number in the case of performing an authentication processing between a testifier and a verifier. CONSTITUTION:When a testifier joins a system, initialization of information is ended and an authentication processing stage is started. The verifier performs arithmetic operations by (k) pieces of random number sequences qi, the open information and identification information of the testifier, prepares random number inspection data Qi and transmits them to the testifier. Confirmation data are prepared by the random number and the open information and identification information of the testifier and transmitted to the verifier. The verifier receives them and transmits the random number sequences used in the generation of the data Qi to the testifier and the testifier inspects the validity of the random number inspection data Qi. At the time of passing an inspection, corresponding to the property of the random number sequences, the certification data ri are prepared by the secret information and open information of the testifier and the random number and transmitted to the verifier. The verifier receives them and judges the validity of the certification data based on the open information and identification information of the testifier, the certification data and the confirmation data and zero knowledge authentication with less number of times of the communication is performed between both testifier and verifier.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an authentication device and an authentication method for confirming the authenticity of some type of identification and confirmation in a communication type electronic device such as an IC card. , An efficient user authentication method capable of saving communication traffic.

[0002]

2. Description of the Related Art Conventionally, in the field of cryptographic communication, authentication has been performed by confirming that a person (certifier) who knows certain secret information (password, etc.) is the person himself, and a confirmer. . As such an authentication method, many cryptographic communication methods based on the zero-knowledge proof technique have been proposed. As a typical method of this, there is a Fiat-Shamir method.

According to this method, a reliable center uses the following procedure for a user who uses an ID as personal identification information.
The individual secret information sj (1 ≦ j ≦ k: k is a parameter that determines the security and is a value of 1 or more) is generated. Step 1: Using the published one-way function f, vj = f
Calculate (ID, j) and (1 ≦ j ≦ k). Step 2: Calculate sj = √ (1 / vj); (mod N) using N prime factors p and q for each vj. That is, sj ² = 1 / vj; (mod N). Step 3: secretly issue k sj to the user and publish the composite number N. The calculation of the square root in (mod N) above can be performed only when the prime factors (p, q) of N are known. As the method, for example, Rabin M. O.
By "Digitalized Signature
s and Public Key Functions
as Intractables Factori
zation ”(Tech. Rep. MIT / LCS /
TR-212 MIT Lab. Comput. Sc
i. 1979). Further, the specific configuration of the square root calculation device is described in the public key cryptosystem (Japanese Patent Laid-Open No. 61-61160).
-169350).

Next, the user authentication method is shown below. The sender A proves to the authenticator B that A is the principal by the procedures of the following steps 1 to 6. Step 1: Sender A sends ID to Authenticator B. Step 2: The authenticator B has vj = f (ID, j), (1 ≦
Calculate j ≦ k). Next, i = 1, 2, ...
For t, the following steps 3 to 6 are repeated t times (t
Is a parameter that determines safety, and is a value of 1 or more). Step 3: A random number ri is generated and xi = ri ² (mo
Calculate d N) and send to Authenticator B. Step 4: The bit string in which the authenticator B is 0, 1 (ei1, e
i2, ..., Eik) is generated and sent to the sender A. Step 5: The sender A writes the signature text yi as yi = riΠs
j (eij = 1) (mod N), generated by certifier B
Send to. Step 6: The authenticator B uses xi = yi ² Πvj (eij
= 1) (mod N). From the method of making yi, yi ² Πvi (eij = 1) = ri ² Π (si ² × v
i) (eij = 1) = ri ² = xi (mod N). Therefore, when all the inspections of t times have passed, the authenticator B recognizes that the sender A is the principal.

At this time, the probability that the authenticator B recognizes a fake user as a genuine user is 1/2 ^kt . Here, k is the number of pieces of secret information sj that the user secretly manages, and t defines the number of times of communication of the communication text.

For details of the above, see Fiat A. et al.
and Shamir A. : "How to pro
ve yourself: Practical sol
motion to identification a
nd signatureproblems ”, pro
ceedings of Crypto '86, Sa
nta Barbara, Aug. 1986, pp. 1
8-1 to 18-7. This method has been proved to be a zero-knowledge proof, and if the user authentication method is a zero-knowledge proof, it is theoretically guaranteed that any fraudulent acts will be difficult.

[0007]

[Problems to be Solved by the Invention] This Fiat-Sha
In the mir method, it is necessary to increase the number of times of communication in order to enhance security, and it cannot be said that it is very efficient from the viewpoint of communication volume.

[0008]

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and provides a user authentication device and method which solves the above problems in the prior art, reduces the number of communications, and is highly secure. The purpose is to provide.

[0009]

According to a first aspect of the present invention, as shown in FIG. 1, when a prover who is a user communicates with a verifier, the validity of the communication partner is confirmed. This is an authentication device for a user, which includes the following means (1) and (2) and obtains zero-knowledge authentication between a prover and a verifier. That is, “(1) When the system is subscribed, the user generates secret information based on the information peculiar to the user, and the user keeps this secret. The identification information of the user based on this secret information. (2) In the authentication processing stage after the initial information is set, (a) the verifier generates a random number sequence including a plurality of random numbers. Means for performing an operation based on this random number sequence, user identification information and public information, and sending random number check data, which is a sequence of operation results, to the prover.
The certifier that receives the random number inspection data stores the random number, generates a random number by itself, calculates confirmation data based on the random number, the identification information, and the public information, and sends it to the verifier. (C) A means for the verifier to send the random number sequence used when calculating the random number check data to the prover after receiving the confirmation data. (D) After receiving the random number sequence, the prover calculates random number collation data based on the user identification information, public information, and the received random number sequence, and reads the stored random number inspection data. Then, the legitimacy of the random number is confirmed by comparing the random number inspection data and the random number collation data. , Means for performing an operation based on the secret information of the prover to generate proof data, and sending the proof data to the verifier. (E) The verifier receives the proof data, performs an operation based on the random number used to generate the confirmation data, the certifier's identification information, the certifier's public information, and the proof data. And the above confirmation data sent to check the legitimacy of the proof data, if it passes the inspection, it is recognized as a valid certifier, and if it does not pass, it is regarded as unjust. It is.

According to the invention of claim 2, the certifier is
IC card, optical / IC card, mobile communication device, electronic notebook,
It is composed of a portable electronic device such as a portable information terminal, a portable computer system, etc., and the verifier is an IC card for exchanging data with the portable electronic device.
The authentication device according to claim 1, which is configured by an electronic device such as a C card, a mobile communication device, an electronic notebook, a personal digital assistant, a portable computer system, and a computer system.

The invention according to claim 3 is that the communication between the prover and the verifier is performed via an electric wire, an optical fiber cable, a radio wave, or an electromagnetic wave. Authentication device.

The invention according to claim 4 includes the following processes in a user authentication method for confirming the legitimacy of a communication partner when a prover who is a user communicates with a verifier. An authentication method that obtains zero-knowledge authentication between a prover and a verifier. That is, "(1) When the system is subscribed, the user
Confidential information is generated based on the information unique to the user, and the user keeps this secret. User identification information is generated based on this secret information, and this is registered as public information in the public information management list. (2) At the authentication processing stage after the initial information is set, (a) the verifier generates a random number sequence composed of a plurality of random numbers, and performs an operation based on the random number sequence, user identification information, and public information. Then, the random number check data, which is the sequence of the calculation results, is sent to the prover. (B) The prover receiving the random number inspection data stores the random number inspection data and generates a random number by itself. The prover calculates confirmation data based on the random number, the identification information, and the public information, and sends it to the verifier. (C) The verifier, after receiving the confirmation data, sends to the prover the random number sequence used when calculating the random number check data. (D) After receiving the random number sequence, the prover calculates random number collation data based on the user's identification information, public information, and the received random number sequence. Then, the stored random number inspection data is read and the validity of the random number is confirmed by comparing the random number inspection data with the random number collation data. If the validity is confirmed, the proof data is generated by performing an operation based on the random number used when generating the confirmation data and the secret information of the prover according to the property of the random number. Then, this proof data is sent to the verifier.
(E) The verifier receives the certification data. The calculation is performed based on the random number used to generate the confirmation data, the certifier's identification information, the certifier's public information, and the proof data. The result of this operation is collated with the confirmation data sent to check the validity of the proof data. If it passes the inspection, it is recognized as a valid certifier, and if it does not pass, it is considered unjust. It is.

In short, the authentication method according to the present invention uses the zero-knowledge proof method. An electro-optical device on the authenticated side,
It is composed of a device on the authentication side capable of communicating with this device and a device for managing them. This is a prover, a verifier, and a center. When joining the system, the center generates secret information, identification information, and public information of the prover. Confidential information is passed only to the prover and kept secret by the prover. The identification information is passed to the prover. The identification information and the public information are associated with each other and registered in the public information register to complete the initial information setting stage.

Next, the authentication processing stage is entered. First, the verifier generates a random number sequence. An operation is performed based on this random number sequence, the public information of the prover, and the identification information to create random number inspection data. This random number inspection data is sent to the prover. The prover generates a random number. Also, confirmation data is created based on this random number, the public information of the prover, and the identification information. Then, this confirmation data is sent to the verifier. After receiving the confirmation data, the verifier sends the prover the random number sequence used to generate the random number check data. The prover checks the validity of the random number check data based on the random number sequence sent from the verifier, the public information of the prover, and the identification information. If the inspection is passed, proof data is created based on the secret information of the prover, the public information, and the random number according to the property of the random number sequence. Then, this is sent to the verifier. The verifier judges the validity of the received proof data based on the certifier's public information, identification information, proof data, and confirmation data. I do.

[0015]

The authentication method according to the present invention is performed by a certifier, a verifier,
And a system that consists of a reliable center. The authenticity of the other party is confirmed by exchanging data between the prover and the verifier. First, when the system is subscribed, the center generates user secret information based on the unique information of the user and passes it to the user. The user keeps this secret. The center further generates user identification information based on the secret information and makes it public information.

At the subsequent authentication processing stage, the random number inspection data is constructed by performing an operation based on the random number sequence generated by the verifier, the user identification information and the public information. This random number inspection data is sent to the prover. The prover stores the received random number inspection data. It also generates random numbers by itself. Confirmation data is calculated based on the random number, the identification information, and the public information. Then, this confirmation data is sent to the verifier. After receiving the confirmation data, the verifier sends the random number sequence used when calculating the random number check data to the prover. The prover calculates random number collation data based on the identification information of the user, the public information, and the received random number sequence. Then, the validity of the random number is confirmed by comparing the stored random number inspection data with the random number collation data. If the validity cannot be confirmed, the operation is stopped. When the correctness is confirmed, an operation is performed based on the random number used when the confirmation data is generated and the secret information of the prover according to the property of the random number to create the proof data. Send this proof data to the verifier. The verifier performs an operation based on the received proof data, the random number used to generate the confirmation data, the certifier's identification information, the certifier's public information, and the proof data. Then, the validity of the proof data is checked by collating with the confirmation data that has been sent based on the result of the calculation.
That is, authentication is performed. In this way, the certifier and the verifier can perform authentication by communicating four times.

[0017]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 2 shows the overall configuration of the authentication device of the present invention. As shown in this figure, this device is a certifier (user).
It comprises a device 1, a verifier (confirmer) device 2, and a reliable center device 3. Each of these is connected by a communication medium 4 such as an insecure communication path. As the communication medium 4, an electric wire, an optical fiber cable or the like is used.

FIG. 3 is a diagram showing the configuration of the initial information setting processing device according to the present invention. As shown in this figure, this device has a user public information generation device 5, a user secret information generation device 6, and a user identification information generation device 7. The public information generation device 5 of the user includes a prime number generation device 5a that generates a large prime number and an arithmetic device 5b that multiplies a plurality of large prime numbers.

The user secret information processing device 6 includes a user information input device 6a, a one-way function processing device 6b that outputs one value that is difficult to calculate backward from the user information, and outputs less than the user public information. Secret information conversion processing device 6 for converting to the value of
c and.

The user identification information processing device 7 inputs the outputs of the user public information generation device 5 and the user secret information generation device 6 respectively.
And a calculation device 7b that performs a calculation based on those inputs, and an identification information storage device 7c that stores the calculation result as user identification information.

FIG. 4 shows the structure of a prover (user) device in the authentication processing of the present invention. As shown in this figure, the prover device includes a random number generation device 8 for generating random numbers,
Storage devices 9a, 9 for storing the random number sequence sent from the verifier
b, a calculation device 10a that performs a calculation based on a random number, public information, and identification information, a verification device 11 that performs a verification calculation based on the random number sequence read from the storage device 9b, and the output of the calculation device 10a. If the collation is successful, it has a random number sequence read from the storage device 9a, secret information of the prover, and an arithmetic device 10b that performs an operation based on the random number of the prover.

FIG. 5 shows the structure of a verifier (confirmer) device in the authentication processing of the present invention. As shown in this figure, this verifier device includes a random number sequence generation device 12 that generates a random number sequence, an arithmetic device 13 that calculates random number calculation data,
From the random number sequence storage device 14 that stores the random number sequence generated by the random number sequence generation device 12, the storage device 15 that stores the data sent from the prover, the public information and identification information of the user, and the random number sequence storage device 14 described above. An arithmetic unit 16 that performs an arithmetic operation based on the read random number sequence, a collating unit 17 that collates the output of the arithmetic unit with the value read from the storage unit,
have.

In the above-mentioned configuration, for example, the prover and the verifier are identified by an IC card composed of I / O, CPU, ROM, RAM, etc., an optical / IC card, a mobile communication device, an electronic notebook, a portable information terminal. , A portable computer system or a computer system. Also,
These can be realized as a system capable of communicating with each other via electric wires, radio waves, or electromagnetic waves.

Next, the operation of the authentication device according to the present invention will be described. FIG. 6 is a flow chart for explaining the authentication processing and protocol according to the present invention.

When a user (certifier) joins this system, basically in the initial information setting process which is performed only once, the reliable center generates public information, identification information and secret information about the user. Then, the public information is registered in the public management list in association with the user identification information.

First, different large prime numbers p and q are generated as public information, and a product N = p × q of them is prepared.
In addition, s (

[Equation 1] ) Is created. That is, the one-way function f () is used to create the secret information S based on various information xi such as the user's name, address, and telephone number (s = f (x)). Then, based on this secret information s, the identification information ID of the user is calculated as ID = s
^It is generated as ² (mod N). After that, the center sends this secret information s to the user, and s is used as the secret information of the user.

Next, at the authentication processing stage, the prover and the verifier perform the following communication as shown in FIG. Step 1: The verifier generates k random number sequences qi and stores them in the random number sequence storage device. Together with Qi = ID ^qi
(Mod N) (1 ≦ i ≦ k) is calculated, and this sequence Qi
Is sent to the prover as random number inspection data. Step 2: The prover receives the random number check data from the verifier. This random number inspection data is stored in the storage device. Then, using the random number generator, the random number r (

[Equation 2] ) Is generated. Further, based on the public information and identification information of the user, α = ID × r ² (mod
Calculate N). The α obtained in this way is sent to the verifier. Step 3: The verifier stores the α transmitted from the prover in the storage device. After that, the random number sequence qi stored in the random number sequence storage device is read out and sent to the prover. Step 4: After receiving the qi sent from the verifier, the prover calculates Qi ′ = ID ^qi (mod N) using an arithmetic unit based on the identification information and public information of the prover. Then, the number sequence Qi stored in advance is read out from the storage device, and both (Qi ′ and Qi
Compare i). If they do not match, this operation ends. If they match, the proof data γi = r (qi: ev is used as the proof data by using the arithmetic unit according to the evenness of the random number sequence qi.
en) or γi = r · s (qi: odd) and send it to the verifier. Step 5: The verifier receives the γi sent from the prover.
And the public information of the prover and the identification information, the random number sequence q
According to i, α ′ is calculated using a calculation device. qi: e
When ven, α ′ = ID · γi ² (mod N)
And when qi: odd, α ′ = γi ² (mod
N). Then, this α'is collated with α using a collation device. If they do not match, the prover determines that they are unjust. If they match, the prover determines that they are valid.

[0028]

According to the present invention, it is possible to provide a highly reliable authentication method. At the same time, it is possible to reduce the redundancy in the number of communications in this authentication process.

[Brief description of drawings]

FIG. 1 is a block diagram showing an authentication device according to the present invention.

FIG. 2 is a block diagram showing an authentication device according to an embodiment of the present invention.

FIG. 3 is a block diagram showing a configuration of an initial information setting processing device according to an exemplary embodiment of the present invention.

FIG. 4 is a block diagram showing a configuration example of a prover device according to an embodiment of the present invention.

FIG. 5 is a block diagram showing a configuration example of a verifier device according to an embodiment of the present invention.

FIG. 6 is a flowchart showing an authentication process according to an embodiment of the present invention.

[Explanation of symbols]

 8 Random Number Generators 10a, 10b Arithmetic Device 11 Collating Device 12 Random Number Sequence Generating Device 13, 16 Arithmetic Device 17 Collating Device

Claims (4)

[Claims] 1. An authenticating device for a user, which verifies the authenticity of a communication partner when a certifier as a user communicates with a verifier, including the following means, between a certifier and a verifier: An authentication device characterized by obtaining zero knowledge authentication in. (1) A means for a user to generate confidential information based on information unique to the user when the system is subscribed, and the user keeps this secret. A means for generating user identification information based on this secret information and registering this as public information in a public information management book. (2) At the authentication processing stage after the initial information is set, (a) the verifier generates a random number sequence composed of a plurality of random numbers, and performs an operation based on this random number sequence, user identification information, and public information. A means for performing and sending to the prover the random number check data, which is a sequence of operation results. (B) Means for receiving the random number inspection data, storing it, generating a random number by itself, calculating confirmation data based on this random number, identification information, and public information, and sending this to the verifier. . (C) A means for the verifier to send the random number sequence used when calculating the random number check data to the prover after receiving the confirmation data. (D) After receiving the random number sequence, the prover calculates random number collation data based on the user identification information, public information, and the received random number sequence, and reads the stored random number inspection data. Then, the legitimacy of the random number is confirmed by comparing the random number inspection data and the random number collation data. , Means for performing an operation based on the secret information of the prover to generate proof data, and sending the proof data to the verifier. (E) The verifier receives the proof data, performs an operation based on the random number used to generate the confirmation data, the certifier's identification information, the certifier's public information, and the proof data. And the above confirmation data sent to check the legitimacy of the proof data, if it passes the inspection, it is recognized as a valid certifier, and if it does not pass, it is regarded as unjust. 2. The certifier comprises a portable electronic device such as an IC card, an optical / IC card, a mobile communication device, an electronic organizer, a portable information terminal, a portable computer system, and the verifier. IC cards for exchanging data with portable electronic devices, optical / IC cards, mobile communication devices,
The authentication device according to claim 1, wherein the authentication device comprises an electronic device such as an electronic notebook, a personal digital assistant, a portable computer system, and a computer system. 3. The communication between the prover and the verifier is performed by using an electric wire, an optical fiber cable, a radio wave, or
The authentication device according to claim 1, wherein the authentication device is performed via electromagnetic waves. 4. A user authentication method for confirming the validity of a communication partner when a certifier as a user communicates with a verifier. An authentication method characterized by obtaining zero-knowledge authentication in. (1) At the time of joining the system, the user generates secret information based on the information unique to the user, and the user keeps this secret. User identification information is generated based on this secret information, and this is registered as public information in the public information management list. (2) At the authentication processing stage after the initial information is set, (a) the verifier generates a random number sequence composed of a plurality of random numbers, and performs an operation based on this random number sequence, user identification information, and public information. Then, the random number check data, which is the sequence of the calculation results, is sent to the prover. (B) The prover receiving the random number inspection data stores the random number inspection data and generates a random number by itself. The prover calculates confirmation data based on the random number, the identification information, and the public information, and sends it to the verifier. (C) The verifier, after receiving the confirmation data, sends to the prover the random number sequence used when calculating the random number check data. (D) After receiving the random number sequence, the prover calculates random number collation data based on the user's identification information, public information, and the received random number sequence. Then, the stored random number inspection data is read and the validity of the random number is confirmed by comparing the random number inspection data with the random number collation data.
If the validity is confirmed, the proof data is generated by performing an operation based on the random number used when generating the confirmation data and the secret information of the prover according to the property of the random number.
Then, this proof data is sent to the verifier. (E) The verifier receives the certification data. The calculation is performed based on the random number used to generate the confirmation data, the certifier's identification information, the certifier's public information, and the proof data. The result of this operation is collated with the confirmation data sent to check the validity of the proof data. If it passes the inspection, it is recognized as a valid certifier, and if it does not pass, it is considered unjust.