Communication device, communication method, and program
The communication device and method address inefficiencies in key generation by switching between advanced and simplified authentication procedures using ECDH calculations and stored secret information, enhancing processing speed and efficiency in device authentication.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- DAI NIPPON PRINTING CO LTD
- Filing Date
- 2021-11-18
- Publication Date
- 2026-06-23
AI Technical Summary
Existing authentication systems for devices like smartphones and door locks face inefficiencies in key generation processes, particularly when using Diffie-Hellman key exchange, which is time-consuming and requires significant computational resources, and there is a need for a system that can switch between advanced and simplified authentication procedures based on stored secret information.
A communication device and method that selects between advanced and simplified authentication procedures by generating secret information and using Elliptic Curve Diffie-Hellman (ECDH) calculations, with the option to store secret information for faster key generation without relying on DH, allowing for faster processing.
The system achieves faster key generation by selectively using ECDH calculations and stored secret information, reducing computational burden and processing time, especially in scenarios where devices like smartphones and door locks need to authenticate securely.
Smart Images

Figure 0007877664000001 
Figure 0007877664000002 
Figure 0007877664000003
Abstract
Description
Technical Field
[0001] The present invention relates to the technical field of communication devices and the like that can select either an advanced authentication procedure that requires a large amount of computation with a communication partner or a simple authentication procedure that requires less computation with the communication partner.
Background Art
[0002] Among the roles of smartphones, which are increasing year by year, the role as a key for locking and unlocking doors has been attracting attention. In an authentication system that unlocks the front door of a house or the opening / closing door of a delivery locker with a device such as a smartphone, mutual authentication is performed in the authentication procedure between the lock (communication device) and the device (communication partner), and then processing such as unlocking is executed. Before a smartphone can be used as a door key, it is necessary to determine a combination between the lock installed on the door and the smartphone, which is the same situation as when an unspecified number of computers on the network authenticate with each other. That is, the door lock and the smartphone authenticate with each other starting from a state where they are not previously informed that they can be combined with each other.
[0003] The authentication procedure used in this situation is certificate verification using public-key cryptography. In this authentication, techniques for secretly sharing information (such as Diffie-Hellman) are also used in combination, and the secret information shared by this technique is used as the key of symmetric-key cryptography for realizing secure communication after authentication or the input information for generating the key. Therefore, the authentication procedure for verifying a certificate using public-key cryptography can be said to be an advanced authentication procedure that requires a large amount of computation and computer resources until the verification result is obtained. In such authentication, for example, signature verification and key exchange using an elliptic curve are performed. However, since cryptographic operation processing generates keys in both the lock and the device, there is a problem that the processing takes time. Patent Document 1 discloses a key generation method for elliptic curve cryptography that can minimize the prime number determination process performed when generating a key and can generate the key used in elliptic curve cryptography at high speed.
Prior Art Documents
Patent Documents
[0004] [Patent Document 1] Japanese Patent Publication No. 2000-181351 [Overview of the project] [Problems that the invention aims to solve]
[0005] Incidentally, while the key generation method disclosed in Patent Document 1 can speed up key generation, it does not eliminate the key generation process itself, and requires dedicated equipment. Therefore, in communication between an unspecified number of computers, instead of using an advanced authentication procedure at the start of each communication, a simplified authentication procedure can be used, which stores secret information generated when authentication is successful once and reuses that secret information at the start of the next communication. This simplified authentication procedure is composed of symmetric-key cryptography, which requires less computation and computing resources than public-key cryptography, but it is necessary to store the secret information and information identifying the authentication procedure used to generate that secret information in pairs, and it is difficult to individually store the secret information of all communication partners, so it is only stored for a certain period of time. However, in the case of a door lock and a smartphone, since the parties to be authenticated are limited, the door lock can store the secret information and information identifying the authentication procedure used to generate that secret information in pairs. Therefore, it is envisioned that an advanced authentication procedure, which requires a lot of computation with the communication partner, and a simplified authentication procedure, which requires less computation with the communication partner, will be used interchangeably.
[0006] However, if encrypted communication is to continue after authentication, even the simplified authentication procedure requires sharing confidential information via DH (Diffie-Hellman key exchange), which presents the problem of time-consuming key generation.
[0007] Therefore, the present invention has been made in view of the above points, and aims to provide a communication device, a communication method, and a program that can achieve faster processing even when using secret sharing instructions by DH for key generation. [Means for solving the problem]
[0008] To solve the above problems, the invention described in claim 1 is a communication device that can select either an advanced authentication procedure that requires a large amount of computation with respect to a communication partner, or a simplified authentication procedure that requires less computation with respect to secret Using a key ECDH calculation The system is characterized by comprising: a third generation means that generates secret information and generates a session key using the generated secret information, and if the secret information is stored in the storage means, selects the simplified authentication procedure and generates a session key using the secret information and the pseudo-public key.
[0009] The invention described in claim 2 is characterized in that a computer included in a device that is a communication partner of the communication device described in claim 1 is made to perform the steps of: storing secret information generated in the advanced authentication procedure; receiving a command from the communication device including the pseudo-public key; generating encrypted data to verify the validity of a key value generated using the secret information and the pseudo-public key in response to the received command; and sending a response including the encrypted data to the communication device.
[0010] The invention described in claim 3 is a communication device capable of selecting either an advanced authentication procedure requiring a large amount of computation with respect to a communication partner, or a simplified authentication procedure requiring less computation with respect to the communication partner, wherein the communication device is equipped with a storage means for storing secret information generated in the advanced authentication procedure, and the communication method performed by the communication device comprises the steps of: generating a random number; generating a pseudo-public key by shaping the random number into a public key format according to the ECDH (Elliptic curve Diffie-Hellman key exchange) protocol; and, if the secret information is not stored in the storage means when communication is performed with the communication partner, selecting the advanced authentication procedure and performing a key exchange with the communication partner using ECDH to obtain the communication partner's temporary public key, and the communication device's temporary public key and the obtained temporary public key secret Using a key ECDH calculation The method is characterized by including the steps of generating secret information, generating a session key using the generated secret information, and, if the secret information is stored in the storage means, selecting the simplified authentication procedure and generating a session key using the secret information and the pseudo-public key.
[0011] The invention described in claim 4 relates to a computer included in a communication device that can select between an advanced authentication procedure requiring a large amount of computation and a simplified authentication procedure requiring less computation with respect to the communication partner, the computer comprising: a storage means for storing secret information generated in the advanced authentication procedure; a first generation means for generating random numbers; a second generation means for generating a pseudo-public key by shaping the random numbers into a public key format according to the ECDH (Elliptic curve Diffie-Hellman key exchange) protocol; and, when communication is performed with the communication partner and the secret information is not stored in the storage means, the advanced authentication procedure is selected and a key exchange using ECDH is performed with the communication partner to obtain the communication partner's temporary public key, and the obtained temporary public key and the temporary public key of the communication device secret Using a key ECDH calculationThe system is characterized by generating secret information and using the generated secret information to generate a session key, while also functioning as a third generation means that, if the secret information is stored in the storage means, selects the simplified authentication procedure and generates a session key using the secret information and the pseudo-public key. [Effects of the Invention]
[0012] According to the present invention, even when an instruction is received that means the use of DH for key generation, it is possible to achieve a faster key generation process that does not actually use DH. [Brief explanation of the drawing]
[0013] [Figure 1] This figure shows an example of the overview configuration of the authentication system S according to this embodiment. [Figure 2] This is a flowchart showing an example of the authentication procedure selection process of the control unit 13 in host H. [Figure 3] This is a sequence diagram illustrating an example of an advanced authentication procedure performed between host H and device D. [Figure 4] This is a sequence diagram showing an example of a simplified authentication procedure 1 performed between host H and device D. [Figure 5] This figure shows an example of the public key format according to ECDH (A), the data structure of the pseudo-public key H generated by host H (B), and the data structure of the pseudo-public key D generated by device D (C). [Figure 6] This is a sequence diagram showing an example of the simplified authentication procedure 2 performed between host H and device D. [Modes for carrying out the invention]
[0014] Embodiments of the present invention will now be described in detail with reference to the drawings. The embodiments described below are examples of how the present invention is applied to authentication systems used, for example, for unlocking car doors, starting car engines, unlocking the front doors of houses, or unlocking the opening and closing doors of delivery lockers.
[0015] [1. Overview of the Authentication System S] First, referring to FIG. 1, the overview of the authentication system S according to this embodiment will be described. FIG. 1 is a diagram showing an example of the overview configuration of the authentication system S according to this embodiment. As shown in FIG. 1, the authentication system S includes a device D and a host (host computer) H. Here, the host H is an example of the communication device of the present invention, and the communication partner of the host H is the device D. The host H and the device D can perform contactless communication using, for example, NFC (Near Field Communication) technology. Also, for the communication between the host H and the device D, Bluetooth (registered trademark), ZigBee, LoRa, or UWB (Ultra Wide Band) may be used.
[0016] The host H and the device D can selectively execute a highly secure authentication procedure (hereinafter referred to as the "highly secure authentication procedure") that requires a large amount of computational power and a simple authentication procedure (hereinafter referred to as the "simple authentication procedure") that requires less computational power. In the highly secure authentication procedure, authentication by signature generation and signature verification, and key sharing by public key cryptography are performed. In this embodiment, as an example, in the highly secure authentication procedure, authentication by signature generation and signature verification in ECDSA (Elliptic Curve Digital Signature Algorithm) and key exchange by ECDH (Elliptic Curve Diffie-Hellman key exchange) are performed.
[0017] On the other hand, in the simple authentication procedure, mutual authentication using a common key cryptography method is performed using the secret information generated in the highly secure authentication procedure and stored in the host H and the device D and a random number (in other words, based on the secret information). Here, one-sided authentication in which the host H authenticates the device D may also be used. The secret information is, for example, information that only the host H and the device D share when the host H and the device D perform the highly secure authentication procedure. In ECDH, it is called the secret information (Shared-secret).
[0018] In addition, when the authentication system S is used for unlocking the front door of a house or the opening / closing door of a delivery locker, the host H is applied to a door control device. Alternatively, when the authentication system S is used for unlocking a car door or starting an engine, the host H is applied to an in-vehicle computer. On the other hand, when the authentication system S is used for unlocking the front door of a house, the opening / closing door of a delivery locker, or a car door, the device D is applied to a portable terminal (e.g., a smartphone), an IC card, or a key holder carried by a user.
[0019] As shown in FIG. 1, the device D includes a communication module 1, a control module 2, an IC (Integrated Circuit) module 3, and the like. Note that the control module 2 and the IC module 3 may be integrated. The communication module 1 is, for example, a non-contact IC chip (e.g., CLF (ContactLess Front-end)) that performs non-contact communication using NFC technology, and communicates with a non-contact reader / writer provided in the host H within a non-contact field.
[0020] Although not shown, the control module 2 includes a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), an NVM (Nonvolatile Memory), and the like, and executes various processes according to a program (including the program of the present invention) stored in the ROM or the NVM. For example, in each of the simple authentication procedure and the advanced authentication procedure with the host H, the control module 2 executes arithmetic processing such as key generation in response to a command from the host H, and transmits a response indicating the processing result to the host H.
[0021] IC module 3 is, for example, a secure element with high tamper resistance. IC module 3 may be mounted on device D as a small, detachable IC card, or it may be mounted on an embedded circuit board as an eSIM (Subscriber Identity Module) so that it cannot be easily removed or replaced from device D. The secure memory within IC module 3 stores a key pair of public and private keys unique to device D, as well as confidential information generated in the advanced authentication procedure. Furthermore, the secure memory also stores a device ID unique to device D. Here, the public key included in the key pair, and the key ID for identifying the public key, are shared with host H in advance. The device ID unique to device D may be a unique value assigned by a server or the like, or it may be a hash value obtained by hashing the public and private keys of device D.
[0022] As shown in Figure 1, host H is configured to include a communication unit 11, a storage unit 12 (an example of a storage means), and a control unit 13, etc. The communication unit 11 is a contactless reader / writer that performs contactless communication using, for example, NFC technology, and communicates with a contactless IC chip provided on device D within a contactless field. When device D enters the contactless field of the communication unit 11, an initial response sequence is performed between host H and device D. In the initial response sequence, the communication unit 11 sends a request command from host H to device D, and receives a response from device D, thereby identifying device D and transitioning to an active state. Subsequently, an advanced authentication procedure or a simple authentication procedure is performed between host H and device D. Before transitioning to the active state, parameters may be exchanged between host H and device D as needed, and communication conditions such as communication speed may be mutually confirmed.
[0023] Incidentally, when multiple devices D enter the contactless field of the communication unit 11, multiple devices D simultaneously send responses to the request command, resulting in a state where the communication unit 11 cannot correctly recognize the device D it is communicating with (collision). Anti-collision is implemented as a countermeasure to prevent this. For example, in time-slot type anti-collision, each device D sends a response containing an anti-collision ID during a response time period determined by a random number. This allows the communication unit 11 to recognize each device D. In addition, in bit collision type anti-collision, an anti-collision ID (hereinafter referred to as "anti-collision ID") is also sent from device D to host H.
[0024] The storage unit 12 is composed of, for example, non-volatile memory, an HDD (Hard Disk Drive), or an SSD (Solid State Drive), and stores various programs such as the operating system and applications (including the program of the present invention). The storage unit 12 also stores a key pair of a public key and a private key unique to the host H. Here, the public key included in the key pair and the key ID for identifying the public key are shared with device D in advance. Furthermore, the storage unit 12 stores identification information unique to device D that has communicated with host H, and secret information generated in the advanced authentication procedure, in association with each other. Here, the identification information unique to device D may be an anti-collision ID or a device ID unique to device D. It is preferable that the public key and key ID of device D are managed in association with the identification information unique to device D.
[0025] The control unit 13 (an example of a computer) is composed of a CPU, RAM, ROM, etc., and functions as the first generation means, second generation means, and third generation means in this invention, according to a program stored in, for example, the memory unit 12. Specifically, the control unit 13 generates random numbers using, for example, a random number generation algorithm, and formats the generated random numbers into the public key format according to the ECDH protocol to generate a pseudo-public key. Here, the format of a temporary public key according to the ECDH protocol consists of X coordinate values and Y coordinate values on an elliptic curve according to ECDH, and is expressed in a format such as (x,y). The control unit 13 generates a pseudo-public key by setting random numbers for each of the X coordinate values and Y coordinate values, for example. For this reason, the X coordinate values and Y coordinate values do not need to be coordinates on an elliptic curve according to ECDH.
[0026] When contactless communication is performed with device D, the control unit 13 obtains identification information unique to device D from the response transmitted by device D. Subsequently, before the authentication procedure is initiated with device D, the control unit 13 determines whether or not secret information is stored in the storage unit 12 in association with the identification information obtained from device D. If the control unit 13 determines that secret information is not stored in association with the obtained identification information, it selects an advanced authentication procedure, performs key exchange using ECDH, and generates a session key.
[0027] On the other hand, if the control unit 13 determines that secret information is stored in association with the acquired identification information, it selects a simplified authentication procedure and generates a session key using the secret information and the pseudo-public key. For example, when the first communication with device D takes place, the control unit 13 selects an advanced authentication procedure and performs authentication, storing the secret information generated in the advanced authentication procedure in association with the identification information unique to device D. When the second or subsequent communication with device D takes place, it selects a simplified authentication procedure and performs authentication (mutual authentication or one-sided authentication) using the secret information and pseudo-public key associated with the identification information unique to device D.
[0028] [2. Operation of Authentication System S] Next, the operation of the authentication system S will be described with reference to Figures 2 to 6. Figure 2 is a flowchart showing an example of the authentication procedure selection process of the control unit 13 on host H. Figure 3 is a sequence diagram showing an example of an advanced authentication procedure performed between host H and device D. Figure 4 is a sequence diagram showing an example of a simplified authentication procedure 1 performed between host H and device D. Figure 5 is a diagram showing an example of a public key format by ECDH (A), a data structure of a pseudo-public key H generated by host H (B), and a data structure of a pseudo-public key D generated by device D (C). Figure 6 is a sequence diagram showing an example of a simplified authentication procedure 2 performed between host H and device D.
[0029] The process shown in Figure 2 is initiated, for example, when the user holds device D over the communication unit 11 (contactless reader / writer), causing device D to enter the contactless field of the communication unit 11 of host H. When the process shown in Figure 3 is initiated, the control unit 13 of host H sends a request command to device D via the communication unit 11 (step S1).
[0030] Note that multiple devices D may respond with anti-collision IDs simultaneously. In this case, the process in step S1 is repeated until only one anti-collision ID is read. When the control module 2 of device D receives a request command from host H via the communication module 1, it sends a response containing the anti-collision ID to host H via the communication module 1 in accordance with the request command (step S2).
[0031] Next, when the control unit 13 of host H receives a response from device D via the communication unit 11, it sends a device selection command containing the anti-collision ID to device D via the communication unit 11 (step S3). Note that when the control unit 13 of host H receives responses sent from multiple devices D in step S2, there may be times when it is unable to read the 0 / 1 bits of the anti-collision ID due to collision. In this case, in step S3, the control unit 13 of host H sends a device selection containing an identifier consisting of the bit sequence that was read to all devices D. Then, the control module 2 of each device D sends a response containing the anti-collision ID to host H again if its own anti-collision ID matches the identifier included in the device selection (it does not respond if there is no match). This is repeated so that only device D whose identifier included in the device selection matches its own anti-collision ID continues to respond. As a result, one device D is selected from multiple devices D.
[0032] Next, when the control module 2 of device D receives a device selection from host H via the communication module 1, it sends a response including communication conditions to host H via the communication module 1 according to the device selection (step S4). Next, when the control unit 13 of host H receives the response from device D via the communication unit 11, it sends a SELECT command (including the Application ID) to device D via the communication unit 11 (step S5).
[0033] Next, when the control module 2 of device D receives a SELECT command from host H via the communication module 1, it selects an application according to the SELECT command and sends a response to the SELECT command to host H via the communication module 1 (step S6). Such a response includes, for example, SW (Status Word) "9000" and FCI (File Control Information) in TLV format.
[0034] Next, when the control unit 13 of host H receives a response from device D via the communication unit 11, it sends a read command to device D via the communication unit 11 (step S7). Next, when the control module 2 of device D receives a read command from host H via the communication module 1, it reads the device ID (an example of identification information unique to device D) from the IC module 3 in response to the read command, and sends a response including the device ID to host H via the communication module 1 (step S8).
[0035] Alternatively, the control module 2 of device D may read the device ID from the IC module 3 in response to the SELECT command sent from the host H in step S5, and send a response including the device ID to the host H in step S6. In this case, the processing in steps S7 and S8 becomes unnecessary. Furthermore, if an anti-collision ID is used as the unique identification information for device D, the processing in steps S7 and S8 also becomes unnecessary.
[0036] Next, when the control unit 13 of the host H receives a response from device D via the communication unit 11, it acquires the device ID or anti-collision ID as identification information unique to device D (step S9).
[0037] Next, the control unit 13 of host H determines whether or not the secret information is stored in the storage unit 12 in association with the identification information obtained in step S9 (step S10). If the control unit 13 of host H determines that the identification information obtained in step S9 is not stored in association with the secret information (step S10: NO), it selects an advanced authentication procedure and starts the advanced authentication procedure (step S11).
[0038] On the other hand, if the control unit 13 of host H determines that the identification information obtained in step S9 is stored in association with secret information (step S10: YES), it obtains the secret information associated with the identification information from the storage unit 12 (step S12). Next, the control unit 13 of host H selects a simplified authentication procedure and starts the simplified authentication procedure using the secret information obtained in step S12 (step S13).
[0039] (2.1 Advanced Authentication Procedures) In the advanced authentication procedure, as shown in Figure 3, the control unit 13 of host H generates a random number H (step S21). Next, the control unit 13 of host H sends an authentication start command to device D via the communication unit 11 (step S22). This authentication start command includes a host ID unique to host H, the random number H generated in step S21, and information indicating that it is for the advanced authentication procedure.
[0040] Next, the control module 2 of device D receives an authentication start command from host H via communication module 1. If it determines that this is an authentication start command for an advanced authentication procedure, it obtains the host ID and random number H from the authentication start command and generates a random number D (step S23). Next, the control module 2 of device D signs random number H and random number D with the private key of device D (step S24). In other words, signature D is generated by ECDSA (signature generation). Next, the control module 2 of device D sends a response to the authentication start command to host H via communication module 1 (step S25). This response includes signature D and random number D.
[0041] Next, when the control unit 13 of host H receives a response from device D via the communication unit 11, it obtains signature D and random number D from the response and verifies signature D with device D's public key (step S26). In other words, signature D is verified by ECDSA (signature verification). If the verification of signature D is successful (authentication successful), the control unit 13 of host H signs random number D and random number H with host H's private key (step S27). In other words, signature H is generated by ECDSA. Next, the control unit 13 of host H sends an authentication completion command to device D via the communication unit 11 (step S28). This authentication completion command includes signature H.
[0042] Next, when the control module 2 of device D receives an authentication completion command from host H via the communication module 1, it obtains signature H from the authentication completion command and verifies signature H with host H's public key (step S29). In other words, signature H is verified by ECDSA. When the verification of signature H is successful (authentication successful), mutual authentication is completed, and the control module 2 of device D sends a response to the authentication completion command to host H via the communication module 1 (step S30).
[0043] Next, when the control unit 13 of host H receives a response from device D via the communication unit 11, it generates a temporary key pair of a temporary public key H and a temporary private key H unique to host H (step S31). Here, the temporary public key H is a temporary public key and is distinguished from a public key that has been shared and managed in advance. Similarly, the temporary private key H is a temporary private key and is distinguished from a private key that has been shared and managed in advance. The temporary public key H is generated by an ECDH operation based on a point on an elliptic curve according to the ECDH protocol and the previously generated temporary private key H (e.g., a random number). In the ECDH operation, for example, the temporary public key H is generated from the temporary private key H by performing a scalar multiplication that calculates k times the point p on the elliptic curve, kp. The parameters of the elliptic curve are known between host H and device D. Next, the control unit 13 of host H sends a key sharing command to device D via the communication unit 11 (step S32). Such a key sharing command includes the temporary public key H.
[0044] Next, when the control module 2 of device D receives a key sharing command from host H via communication module 1, it obtains the temporary public key H from the key sharing command and, similar to host H, generates a temporary key pair of temporary public key D and temporary private key D unique to device D using ECDH calculation (step S33). The temporary public key D is generated by ECDH calculation based on the previously generated temporary private key D (e.g., a random number) and a point on an elliptic curve according to the ECDH protocol. Next, the control module 2 of device D obtains the temporary public key H and temporary private key D using ECDH calculation. secret A shared secret (an example of secret information) is generated from key D (step S34).
[0045] Next, the control module 2 of device D records the host ID and the shared secret generated in step S34 in non-volatile memory (step S35). Next, the control module 2 of device D generates a session key used for the secure session between host H and device D from the random number H, random number D, and the shared secret generated in step S34 (step S36). Next, the control module 2 of device D sends a response to the key exchange command to host H via the communication module 1 (step S37). This response includes the temporary public key D.
[0046] Next, when the control unit 13 of host H receives a response from device D via the communication unit 11, it obtains a temporary public key D from the response and performs an ECDH operation to obtain a temporary public key D. secret A shared secret is generated from key H and temporary public key D (step S38). The shared secret generated here is generated using the same generation method as the shared secret generated in step S34, so the two will match. Next, the control unit 13 of host H records the device ID and the shared secret generated in step S38 in memory (e.g., RAM or non-volatile memory) in association (step S39). For example, the device ID (an example of identification information) and the shared secret (an example of secret information) are associated and registered in a table. Next, the control unit 13 of host H generates a session key from random number H, random number D, and the shared secret generated in step S38 (step S40). The session key generated here is generated using the same generation method as the session key generated in step S36, so the two will match.
[0047] Next, the control unit 13 of host H initiates a secure session with device D using the session key generated in step S40. Once the secure session is initiated, read commands and their responses are sent and received between host H and device D, for example, through the encrypted path using the session key. This enables data exchange and other operations.
[0048] (2.2 Simple Authentication Procedure 1) In the simplified authentication procedure 1, as shown in Figure 4, the control unit 13 of host H generates a random number H (step S51). Next, the control unit 13 of host H sends an authentication start command to device D via the communication unit 11 (step S52). This authentication start command includes a host ID unique to host H, the random number H generated in step S51, and information indicating that it is for the simplified authentication procedure 1.
[0049] Next, the control module 2 of device D receives an authentication start command from host H via communication module 1. If it determines that this is an authentication start command for simplified authentication procedure 1, it obtains the host ID and random number H from the authentication start command and generates a random number D (step S53). Next, the control module 2 of device D obtains the shared secret recorded in association with the host ID of host H and generates an authentication key from the random number H, random number D, and the shared secret using AES (Advanced Encryption Standard) calculation (step S54). Next, the control module 2 of device D generates an authentication code D by encrypting the random number H, random number D, and a predetermined specific value using the authentication key using AES calculation (step S55). Next, the control module 2 of device D sends a response to the authentication start command to host H via communication module 1 (step S56). This response includes the authentication code D and random number D.
[0050] Next, when the control unit 13 of host H receives a response from device D via the communication unit 11, it obtains the authentication code D and random number D from the response, and further obtains the shared secret recorded in association with the device ID of device D, and generates an authentication key from the random number H, random number D, and the shared secret using AES calculation (step S57). Next, the control unit 13 of host H verifies the authentication code D with the authentication key (step S58). In this verification, the control unit 13 decrypts the authentication code D with the authentication key using AES calculation, and determines whether the decrypted authentication code D matches "random number D (i.e., the random number D obtained from the above response), random number H, and a specific value agreed upon in advance". If the verification of the authentication code D is successful (authentication successful), the control unit 13 of host H generates an authentication code H by encrypting the random number D, random number H, and the specific value agreed upon in advance using the authentication key using AES calculation (step S59). Next, the control unit 13 of host H sends an authentication completion command to device D via the communication unit 11 (step S60). This authentication completion command includes the authentication code H.
[0051] Next, when the control module 2 of device D receives an authentication completion command from host H via the communication module 1, it obtains an authentication code H from the authentication completion command and verifies the authentication code H with the authentication key generated in step S54 (step S61). In this verification, the control unit 13 decrypts the authentication code H with the authentication key using AES calculation and determines whether the decrypted authentication code H matches "random number D, random number H, and a specific value agreed upon in advance". If the verification of the authentication code H is successful (authentication successful), the control unit 13 of host H sends a response to the authentication completion command to host H via the communication module 1 (step S62).
[0052] Next, the control unit 13 of host H receives a response from device D via the communication unit 11 and generates a random number Rh (step S63). Then, the control unit 13 of host H formats the random number Rh into a pseudo-public key H as shown in Figure 5(B) according to the ECDH public key format shown in Figure 5(A) (i.e., generates a pseudo-public key H) (step S64). Here, in the public key format shown in Figure 5(A), "xx" and "yy" are not all the same value, but rather some 1-byte numerical value (hexadecimal). Also, if the X coordinate is "x" and the Y coordinate is "y", then the following equation (1) must be satisfied.
[0053] y^2 ≡ x^3 + ax + b(mod p)...(1)
[0054] Here, “a” and “b” are constants predetermined as curve parameters, respectively, and “p” is an arbitrary prime number predetermined as a curve parameter. Also, in the pseudo-public key H shown in Figure 5(B), “rh” is not all the same value; it may be any 1-byte numerical value (hexadecimal), or it may be '00' '00' .. '00'. Note that in the pseudo-public key H, the numerical value representing the X coordinate and the numerical value representing the Y coordinate do not need to satisfy the relationship in (1) above. Next, the control unit 13 of the host H sends a key sharing command to the device D via the communication unit 11 (step S65). This key sharing command includes the pseudo-public key H generated in step S64.
[0055] Next, when the control module 2 of device D receives a key sharing command from host H via the communication module 1, it obtains a pseudo-public key H from the key sharing command and generates a random number Rd (step S66). Next, the control module 2 of device D obtains the shared secret recorded in association with the host ID of host H and generates a session key (an example of a key value generated using the secret information and the pseudo-public key) from the pseudo-public key H, the random number Rd, and the shared secret using AES calculation (step S67). Next, the control module 2 of device D generates encrypted data D to verify the validity of the session key (key value) from the session key and a fixed value using AES calculation (step S68). Next, the control module 2 of device D formats the random number Rd and the encrypted data D into a pseudo-public key D as shown in Figure 5(C) according to the ECDH public key format shown in Figure 5(A) (i.e., generates a pseudo-public key D) (step S69). Note that in the pseudo-public key D shown in Figure 5(B), "rd" and "ct" do not necessarily have to be the same value; they may be any single-byte numerical value (hexadecimal). Next, the control module 2 of device D sends a response to the key sharing command to the host H via the communication module 1 (step S70). This response includes the pseudo-public key D.
[0056] Next, when the control unit 13 of host H receives a response from device D via the communication unit 11, it obtains a pseudo-public key D from the response, and further obtains a shared secret recorded in association with the device ID of device D, and generates a session key from the random number Rh, the pseudo-public key D, and the shared secret using AES calculation (step S71). Next, the control unit 13 of host H generates encrypted data H from the session key and fixed values using AES calculation (step S72). Next, the control unit 13 of host H verifies the pseudo-public key D with the encrypted data H (in other words, verifies the encrypted data D) and determines whether encrypted communication can be performed (step S73). In this verification, it is confirmed whether the encrypted data H and the encrypted data D contained in the pseudo-public key D match. If the verification of the pseudo-public key D is successful, the control unit 13 of host H determines that it can be performed and starts a secure session with device D using the session key generated in step S71. On the other hand, if the verification of the pseudo-public key D fails, the control unit 13 of host H determines that the procedure should not be performed and executes error processing.
[0057] (2.3 Simple Authentication Procedure 2) In the simplified authentication procedure 2, as shown in Figure 6, the control unit 13 of host H generates a random number H (step S81). Next, the control unit 13 of host H sends an authentication start command to device D via the communication unit 11 (step S82). This authentication start command includes a host ID unique to host H, the random number H generated in step S81, and information indicating that it is for the simplified authentication procedure 2.
[0058] Next, the control module 2 of device D receives an authentication start command from host H via the communication module 1. If it determines that this is an authentication start command for the simplified authentication procedure 2, it obtains the host ID and random number H from the authentication start command and generates a random number D (step S83). Next, the control module 2 of device D obtains the shared secret recorded in association with the host ID of host H and generates an authentication key from the random number H, random number D, and the shared secret using AES calculation (step S84). Next, the control module 2 of device D generates an authentication code D by encrypting the random number H, random number D, and a predetermined specific value using the authentication key using AES calculation (step S85). Next, the control module 2 of device D sends a response to the authentication start command to host H via the communication module 1 (step S86). This response includes the authentication code D and random number D.
[0059] Next, when the control unit 13 of host H receives a response from device D via the communication unit 11, it obtains the authentication code D and random number D from the response, and further obtains the shared secret recorded in association with the device ID of device D, and generates an authentication key from the random number H, random number D, and the shared secret using AES calculation (step S87). Next, the control unit 13 of host H verifies the authentication code D with the authentication key using AES calculation, similar to step S58 described above (step S88). If the verification of the authentication code D is successful (authentication successful), the control unit 13 of host H generates a random number Rh (step S89). Next, the control unit 13 of host H formats the random number Rh into a pseudo-public key H according to the ECDH public key format (step S90). Next, the control unit 13 of host H sends a key sharing command to device D via the communication unit 11 (step S91). Such a key sharing command includes the pseudo-public key H generated in step S90.
[0060] Next, when the control module 2 of device D receives a key sharing command from host H via the communication module 1, it obtains a pseudo-public key H from the key sharing command and generates a random number Rd (step S92). Next, the control module 2 of device D obtains the shared secret recorded in association with the host ID of host H and generates a session key from the pseudo-public key H, the random number Rd, and the shared secret using AES calculation (step S93). Next, the control module 2 of device D generates encrypted data D from the session key and a fixed value using AES calculation to verify the validity of the session key (key value) (step S94). Next, the control module 2 of device D formats the random number Rd and the encrypted data D into a pseudo-public key D according to the public key format of ECDH (step S95). Next, the control module 2 of device D sends a response to the key sharing command to host H via the communication module 1 (step S96). This response includes the pseudo-public key D.
[0061] Next, when the control unit 13 of host H receives a response from device D via the communication unit 11, it obtains a pseudo-public key D from the response, and further obtains a shared secret recorded in association with the device ID of device D. Using AES calculations, it generates a session key from the random number Rh, the pseudo-public key D, and the shared secret (step S97). Next, the control unit 13 of host H generates encrypted data H from the session key and fixed values using AES calculations (step S98). Next, the control unit 13 of host H verifies the pseudo-public key D with the encrypted data H (in other words, verifies the encrypted data D) and determines whether encrypted communication can be performed (step S99). In this verification, it is confirmed whether the encrypted data H and the encrypted data D contained in the pseudo-public key D match. If the verification of the pseudo-public key D is successful, the control unit 13 of host H determines that it can be performed and starts a secure session with device D using the session key generated in step S97. On the other hand, if the verification of the pseudo-public key D fails, the control unit 13 of host H determines that the procedure should not be performed and executes error processing.
[0062] As described above, according to the above embodiment, host H is configured to generate a random number, format the generated random number into a public key format according to the ECDH protocol to generate a pseudo-public key, and generate a session key using the secret information shared in the advanced authentication procedure and the pseudo-public key. Therefore, even when an instruction is received that means the use of DH for key generation, it is possible to achieve a faster key generation process that does not actually use DH.
[0063] In the above-described embodiment, an authentication method with two types of authentication processes, an advanced authentication procedure and a simplified authentication procedure, was used as an example. However, the present invention can also be applied to authentication methods with three or more types of authentication processes. Furthermore, in the above embodiment, the case where contactless communication is performed between host H and device D was used as an example. However, the present invention can also be applied when contact communication is performed between host H and device D. In addition, in the above embodiment, Figures 2 to 6 show the processing of the control unit 13 of host H and the control module 2 of device D. However, the processing of the control module 2 of device D may be performed by the IC module 3. [Explanation of Symbols]
[0064] 1. Communication module 2 Control Module 3 IC modules 11 Communications Department 12 Storage section 13 Control Unit D Device H Host S Authentication System
Claims
1. A communication device that can select between an advanced authentication procedure requiring a large amount of computation between the communication partner and a simplified authentication procedure requiring less computation between the communication partner, A storage means for storing confidential information generated in the aforementioned advanced authentication procedure, A first generation means for generating random numbers, A second generation means that generates a pseudo-public key by shaping the aforementioned random number into a public key format according to the ECDH (Elliptic curve Diffie-Hellman key exchange) protocol, A third generation means that, when communication is performed with the aforementioned communication partner and the secret information is not stored in the storage means, selects the advanced authentication procedure and performs key exchange with the communication partner using ECDH to obtain the communication partner's temporary public key, generates secret information by ECDH calculation using the obtained temporary public key and the communication device's temporary private key, and generates a session key using the generated secret information; on the other hand, when the secret information is stored in the storage means, selects the simplified authentication procedure and generates a session key using the secret information and the pseudo-public key, A communication device characterized by comprising:
2. A computer included in the device that is the communication partner of the communication device described in claim 1, The steps include storing the secret information generated in the aforementioned advanced authentication procedure, The steps include receiving a command from the communication device that includes the pseudo-public key, The steps include generating encrypted data to verify the validity of the key value generated using the secret information and the pseudo-public key in response to the received command, The steps include sending a response containing the encrypted data to the communication device, A program characterized by causing the execution of a specific action.
3. A communication device capable of selecting either an advanced authentication procedure requiring a large amount of computation with respect to the communication partner, or a simplified authentication procedure requiring less computation with respect to the communication partner, wherein the communication device is equipped with storage means for storing secret information generated in the advanced authentication procedure, and the communication method is performed by the communication device, The steps for generating random numbers, The steps include: generating a pseudo-public key by shaping the aforementioned random number into a public key format according to the ECDH (Elliptic curve Diffie-Hellman key exchange) protocol; If the secret information is not stored in the storage means when communication is performed with the communication partner, the advanced authentication procedure is selected to perform a key exchange with the communication partner using ECDH to obtain the communication partner's temporary public key, secret information is generated by ECDH calculation using the obtained temporary public key and the communication device's temporary private key, and a session key is generated using the generated secret information. On the other hand, if the secret information is stored in the storage means, the simple authentication procedure is selected to generate a session key using the secret information and the pseudo-public key. A communication method characterized by including
4. A computer included in a communication device that can select between an advanced authentication procedure requiring a large amount of computation between the communication partner and a simplified authentication procedure requiring less computation between the communication partner, A storage means for storing confidential information generated in the aforementioned advanced authentication procedure, A first generation means for generating random numbers, A second generation means that generates a pseudo-public key by shaping the aforementioned random number into a public key format according to the ECDH (Elliptic curve Diffie-Hellman key exchange) protocol, A program characterized in that, when communication is performed with the aforementioned communication partner and the secret information is not stored in the storage means, the advanced authentication procedure is selected and a key exchange using ECDH is performed with the communication partner to obtain the communication partner's temporary public key, secret information is generated by ECDH calculation using the obtained temporary public key and the communication device's temporary private key, and a session key is generated using the generated secret information; on the other hand, when the secret information is stored in the storage means, the simple authentication procedure is selected and a session key is generated using the secret information and the pseudo-public key, and the program is configured to function as a third generation means.