Communication device, communication method, and communication program
The communication device and method generate a secret key using a pre-registered password and time information to address the inefficiencies of long-term secret keys, enabling easy and secure mobile communication initiation without security devices.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- KDDI CORP
- Filing Date
- 2023-02-24
- Publication Date
- 2026-06-24
Smart Images

Figure 0007879825000001 
Figure 0007879825000002
Abstract
Description
Technical Field
[0001] The present invention relates to an authentication method for terminals in a mobile communication network.
Background Art
[0002] Conventionally, mobile terminals such as mobile phones or smartphones have security devices such as SIMs or eSIMs, in which long-term secret keys are stored. This long-term secret key is used when performing authentication and key exchange (AKA: Authentication and Key Agreement) with a communication carrier network in order to realize a mobile communication service, whereby an encryption key and a message authentication key are derived (for example, see Non-Patent Document 1).
Prior Art Documents
Non-Patent Documents
[0003]
Non-Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0004] However, in the conventional method of holding a long-term secret key in a security device, for example, when using a terminal under a short-term (one day, one week, etc.) usage contract for purposes such as travel or business, procedures such as SIM replacement or eSIM rewriting are required, and time and cost are involved until the start of use. Therefore, a method that can more easily start using a mobile terminal is desired.
[0005] An object of the present invention is to provide a communication device, a communication method, and a communication program that do not require storing a long-term secret key in a security device. [Means for solving the problem]
[0006] The communication device according to the present invention includes a password input unit that receives input from a user for a password that has been pre-registered on the communication carrier's server; a key generation unit that generates a secret key common to the communication carrier by performing a predetermined calculation defined by the communication carrier using the password as input; and an authentication processing unit that performs a predetermined authentication procedure with the server based on the secret key.
[0007] The key generation unit may generate the secret key by taking the current time information along with the password as input.
[0008] The current time information may also be a value with a granularity indicating the validity period of the password.
[0009] The aforementioned password may be biometric information or confidential information linked to such biometric information.
[0010] The aforementioned predetermined operation may be a hash operation.
[0011] The communication method according to the present invention is a communication method in which a communication device is authenticated by a server of a telecommunications carrier, wherein the server registers a user's password in association with an identifier of the communication device, generates a secret key by performing a predetermined calculation defined by the telecommunications carrier using the password as input, the communication device receives the input of the password from the user, generates the secret key common to the telecommunications carrier by performing the predetermined calculation using the password as input, and performs a predetermined authentication procedure with the server based on the secret key.
[0012] The communication program according to the present invention is for causing a computer to function as the aforementioned communication device. [Effects of the Invention]
[0013] According to the present invention, it becomes unnecessary to store long-term secret keys in security devices. [Brief explanation of the drawing]
[0014] [Figure 1] This figure shows the functional configuration for generating a secret key in a mobile device according to the embodiment. [Figure 2] This is a sequence diagram illustrating the communication method in the embodiment. [Modes for carrying out the invention]
[0015] An example of an embodiment of the present invention will be described below. In this embodiment, the communication method, when performing authentication and key exchange using AKA in mobile communication, dynamically generates a common key on both the mobile terminal and the server based on the user's password input, without using the private key stored in the mobile terminal's security device.
[0016] Figure 1 is a diagram showing the functional configuration related to the generation of a secret key in the mobile terminal 1 (communication device) in this embodiment. Mobile terminal 1 is an information processing device (computer) such as a mobile phone or smartphone that participates in a mobile communication network provided by a telecommunications carrier, and comprises a control unit 10 and a storage unit 20.
[0017] The control unit 10 is the part that controls the entire mobile terminal 1, and realizes each function in this embodiment by appropriately reading and executing various programs stored in the memory unit 20. The control unit 10 may be a CPU, but it may also be implemented as a dedicated hardware circuit to realize each function. The control unit 10 comprises a password input unit 11, a key generation unit 12, and an authentication processing unit 13.
[0018] The memory unit 20 is a storage area for various programs and data necessary for the hardware group to function as a mobile terminal 1, and may be ROM, RAM, flash memory, etc.
[0019] The password input unit 11 accepts the input of a password registered in advance in the server of the communication carrier from the user. The password may be a character string determined by the user or automatically generated, but is not limited thereto. For example, the password may be biometric information, or may be secret information that becomes usable upon successful authentication, linked to the biometric information, or the like.
[0020] The key generation unit 12 generates a secret key common to this communication carrier by a predetermined operation defined by the communication carrier using the password as an input. At this time, the key generation unit 12 may generate a secret key using the current time information as an input together with the password. The predetermined operation may be, for example, a hash operation. In this case, the key generation unit 12 may operate a hash function with the current time information as a salt.
[0021] Here, the current time information is a value with a granularity indicating the valid period of the password. For example, if it is information in units of months such as "○ year △ month", the mobile terminal 1 can generate a secret key common to the server with the within-the-month period as the expiration date as long as it is within the current month. Similarly, if it is information in units of days such as "○ year △ month □ day", an expiration date of one day is set, and if it is information in units of weeks such as "○ year ▽ week", an expiration date of one week is set. Note that, for example, even if it is information in units of days, it is possible to handle a longer expiration date such as one week by generating a secret key again in response to the input of the password every day.
[0022] The authentication processing unit 13 performs a predetermined authentication procedure with the server of the communication carrier based on the secret key generated by the key generation unit 12. Specifically, the authentication processing unit 13 uses the generated secret key as a substitute for the long-term secret key stored in the conventional SIM and executes the procedure of AKA authentication.
[0023] In this case, for example, if the aforementioned current time information is on a daily basis, the secret key generated will also change when the date changes, and since it will not match the secret key held by the server, authentication will automatically fail. In other words, a common secret key is generated and can be verified between the mobile device 1 and the server only within the validity period. The secret key, once authenticated by password input, may be cached in the storage unit 20, but will be deleted when the validity period expires.
[0024] Figure 2 is a sequence diagram illustrating the communication method in this embodiment. This section outlines the steps taken to authenticate mobile device 1 before communication can begin.
[0025] In step S1, the user registers a password with the telecommunications carrier's server, linking it to the identifier (IMSI) of mobile device 1. In step S2, the mobile terminal 1 requests a communication service from the server in response to user operation. In step S3, the server requests mobile device 1 to perform an authentication procedure. In step S4, the server generates a secret key with an expiration date by performing a predetermined calculation using the password registered in step S1.
[0026] In step S5, mobile device 1 prompts the user to enter a password. In step S6, the user enters the password registered in step S1 into mobile device 1. In step S7, the mobile terminal 1 generates a secret key using the password received in step S6 through a common operation with the server. In step S8, the mobile terminal 1 and the server complete authentication and key exchange in accordance with the standard AKA protocol using a common secret key generated by both parties.
[0027] According to this embodiment, the mobile terminal 1 receives a password from the user that has been pre-registered on the telecommunications carrier's server, and generates a secret key shared with the server through a predetermined calculation. Then, the mobile terminal 1 and the server perform an authentication procedure based on this secret key.
[0028] Therefore, by using a secret key dynamically generated from a password instead of the long-term secret key that was conventionally stored on the SIM card, the mobile device 1 eliminates the need to store the long-term secret key on a security device, allowing users to start using the mobile device 1 more easily. For example, even for short-term use such as one day or one week, users can start using the mobile device 1 simply by setting a password, without having to go through complicated procedures such as replacing the SIM card or rewriting the eSIM. Furthermore, this embodiment does not involve any changes to the authentication procedure protocol (AKA), and since it minimizes modifications to the existing system, it can be easily implemented.
[0029] Mobile device 1 and the server generate a secret key using the password and current time information as input. Authentication is only successful within the validity period by verifying the secret key. Therefore, it is easy to set an expiration date for the password. This current time information can be set appropriately according to the length of time the mobile device 1 has been in use, by using a granular value that indicates the password's validity period.
[0030] The password set may be biometric information or confidential information linked to biometric information, which simplifies password entry for the user and improves convenience.
[0031] The predetermined operation for generating the secret key may be a hash operation, which allows for efficient generation of the secret key and also allows for easy input of the current time information as a hash salt.
[0032] Furthermore, this embodiment eliminates the need for security devices such as SIM cards in mobile communications, for example, and thus contributes to Goal 9 of the United Nations-led Sustainable Development Goals (SDGs), "Build resilient infrastructure, promote sustainable industrialization and foster innovation."
[0033] Although embodiments of the present invention have been described above, the present invention is not limited to the embodiments described above. Furthermore, the effects described in the embodiments described above are merely a list of the most preferred effects resulting from the present invention, and the effects of the present invention are not limited to those described in the embodiments.
[0034] The communication method used by mobile terminal 1 is implemented by software. When implemented by software, the programs constituting this software are installed on an information processing device (computer). These programs may be distributed to users by being recorded on removable media such as a CD-ROM, or by being downloaded to the user's computer via a network. Furthermore, these programs may be provided to the user's computer as a web service via a network without being downloaded. [Explanation of symbols]
[0035] 1. Mobile device (communication device) 10 Control Unit 11 Password input section 12 Key generation section 13 Authentication Processing Unit 20 Memory section
Claims
1. A password input section that accepts passwords from the user that are pre-registered on the telecommunications carrier's server, A key generation unit that, taking the aforementioned password as input, generates a secret key common to the telecommunications carrier by performing a predetermined calculation specified by the telecommunications carrier, A communication device comprising: an authentication processing unit that performs a predetermined authentication procedure with the server based on the common secret key in order to initiate mobile communication on the network provided by the telecommunications carrier.
2. The communication device according to claim 1, wherein the key generation unit generates the common secret key using the password and current time information as input.
3. The communication device according to claim 2, wherein the current time information is a granular value indicating the validity period of the password.
4. The communication device according to claim 1, wherein the password is biometric information or confidential information associated with said biometric information.
5. The communication device according to claim 1, wherein the predetermined operation is a hash operation.
6. A communication method in which a communication device is authenticated by a communication carrier's server, The aforementioned server, The user's password is registered in association with the identifier of the aforementioned communication device. Using the aforementioned password as input, a secret key is generated by a predetermined calculation specified by the telecommunications carrier. The aforementioned communication device The user enters the aforementioned password, Using the aforementioned password as input, a secret key shared with the telecommunications carrier is generated by the predetermined calculation, A communication method for performing a predetermined authentication procedure with the server based on the aforementioned common secret key.
7. A communication program for causing a computer to function as a communication device according to any one of claims 1 to 5.