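WO2015041139A1 - Information processing apparatus, information processing method, and computer program - Google Patents
Information processing apparatus, information processing method, and computer program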
- Publication number
- WO2015041139A1 (PCT/JP2014/074095)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- public key
- information processing
- authentication
- processing apparatus
- key
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Definitions
- the present disclosure relates to an information processing apparatus, an information processing method, and a computer program.
- the present disclosure provides an information processing apparatus, an information processing method, and a computer program that realize a safe and simple user authentication mechanism by a public key authentication method.
- a processor that requests a change in the usage state of the second public key registered in one device by authentication using the first public key and the first secret key associated with the second public key.
- a memory that holds at least the public key out of each set of a secret key and a public key generated by the first device and the second device; and a processor that holds, in the memory, the second public key generated by the second device in association with the first public key generated by the first device, and that changes the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.
- a change in the usage state of the second public key registered in the first device is requested by authentication using the first public key and the first secret key associated with the second public key.
- an information processing method comprising the steps.
- a step of associating and holding the second public key generated by the second device with one public key, and changing the usage state of the second public key.
- the computer stores the first secret key corresponding to the first public key
- the second apparatus holds the second secret key corresponding to the first public key.
- a change in the usage state of the second public key registered in the first device by the device is authenticated using the first public key and the first secret key associated with the second public key.
- a computer program is provided for executing the steps requested by.
- a computer program causing a computer to execute at least: a step of holding the public key out of each set of a secret key and a public key generated by the first device and the second device; a step of holding the second public key generated by the second device in association with the first public key generated by the first device; and a step of changing the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.
- FIG. 1 is an explanatory diagram illustrating an example of an overall configuration of an information processing system 1 according to a first embodiment of the present disclosure.
- FIG. 2 is an explanatory diagram illustrating a functional configuration example of an authentication device 300 according to a first embodiment of the present disclosure.
- FIG. 3 is an explanatory diagram illustrating a functional configuration example of an information processing apparatus 100 (authentication device) according to the first embodiment of the present disclosure.
- FIG. 4 is an explanatory diagram illustrating a functional configuration example of an information processing apparatus 200 (master device) according to the first embodiment of the present disclosure.
- 5 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- 5 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- 5 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- 5 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- It is an example of the user interface which the information processing apparatus 200 outputs from the output part 225.
- 5 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- 5 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- 5 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- 12 is a flowchart illustrating an operation example of the information processing system 1 according to the second embodiment of the present disclosure.
- 12 is a flowchart illustrating an operation example of the information processing system 1 according to the second embodiment of the present disclosure.
- 12 is a flowchart illustrating an operation example of the information processing system 1 according to the second embodiment of the present disclosure.
- 12 is a flowchart illustrating an operation example of the information processing system 1 according to the second embodiment of the present disclosure.
- FIG. 1 is an explanatory diagram illustrating an overall configuration example of the information processing system 1 according to the first embodiment of the present disclosure.
- the information processing system 1 includes information processing apparatuses 100 and 200 and an authentication apparatus 300.
- Both the information processing apparatuses 100 and 200 are apparatuses that authenticate to the authentication apparatus 300 by the public key authentication method.
- An information processing system 1 according to an embodiment of the present disclosure is a system that authenticates, by a public key authentication method or an electronic signature method, a user who intends to use a service provided by the authentication device 300.
- the information processing apparatuses 100 and 200 are apparatuses that generate a key pair including a public key PKey and a secret key SKey.
- the information processing apparatuses 100 and 200 transmit only the public key PKey of the generated key pair to the authentication apparatus 300 when using the service provided by the authentication apparatus 300.
- the information processing apparatus 100 is an apparatus that is normally used by the user, and the user receives authentication of the authentication apparatus 300 using the information processing apparatus 100.
- the information processing apparatus 100 that is authenticated by the authentication apparatus 300 is also referred to as the “authentication device”, and the information processing apparatus 200 that requests the authentication apparatus 300 to change the usage state of the public key PKey of the information processing apparatus 100 is also referred to as the “master device”.
- Examples of the information processing apparatuses 100 and 200 include PCs (Personal Computers), smartphones (high-function mobile phones), tablet portable terminals, portable music players, portable game machines, and wearable devices such as wristwatches and glasses.
- the information processing apparatus 100 as an authentication device may be an apparatus such as a smart phone (high function mobile phone), a tablet mobile terminal, a mobile music player, or a mobile game machine that is carried and used by a user.
- a server device, a PC, or the like can be adopted as a form of the authentication device 300.
- Examples of services provided by the authentication device 300 include a social networking service (SNS) and an online storage service. If the authentication device 300 is a PC, the login to the PC can be included in the service provided by the authentication device 300.
- the user of the information processing device 100 transmits the public key generated by the information processing device 100 to the authentication device 300, and is authenticated by the authentication device 300 using the public key authentication method.
- the user can save the trouble of inputting the ID and password, and does not need to remember the password. Since the authentication is performed by the public key authentication method, the information processing system 1 has no risk of password leakage and has stronger security than the password authentication method.
- the public key registered in the authentication apparatus 300 may be used by another user who has picked up the information processing apparatus 100. For this reason, when the user of the information processing apparatus 100 loses the information processing apparatus 100 or can no longer be authenticated by the authentication apparatus 300 using the information processing apparatus 100, it is highly desirable to be able to quickly stop use of the service with the public key registered in the authentication apparatus 300.
- the information processing apparatus 200 that is a master device requests the authentication apparatus 300 to stop the use of the public key PKey generated by the information processing apparatus 100, or to resume the use of a public key PKey whose use has been stopped.
- the public key generated by the information processing apparatus 100 and the public key generated by the information processing apparatus 200 are managed in association with each other in the information processing apparatus 200 that is a master device.
- the information processing apparatus 200 requests the authentication apparatus 300 to change the usage state of the public key generated by the information processing apparatus 100.
- the information processing apparatus 200 requests a change in the usage state of the public key generated by the information processing apparatus 100 when, for example, as described above, the user has lost the information processing apparatus 100 that is an authentication device and can no longer be authenticated by the authentication device 300 using the information processing apparatus 100.
- the information processing apparatuses 100 and 200 may be owned by the same user or may be owned by different users.
- the user who owns the information processing apparatus 200 that is the master device is a user who is trusted by the user who owns the information processing apparatus 100 that is the authentication device (for example, a father or a mother). Further, it is more desirable that the information processing apparatus 200 that is a master device is not usually carried but is stored in a safe place in the house.
- the authentication device 300 is a device that authenticates the information processing devices 100 and 200. Specifically, the authentication apparatus 300 holds the public key PKey generated by the information processing apparatuses 100 and 200, executes the public key authentication protocol with the information processing apparatuses 100 and 200, and authenticates that the information processing apparatuses 100 and 200 hold the secret key SKey corresponding to the held public key PKey.
- In response to a request from the information processing apparatus 200 that is a master device, the authentication apparatus 300 changes the usage state of the public key generated by the information processing apparatus 100 that is associated with the public key generated by the information processing apparatus 200.
- The change of the usage state of the public key generated by the information processing apparatus 100 includes stopping the use of the public key and restarting the use of a stopped public key.
- the information processing system 1 has the configuration illustrated in FIG. 1, so that the authentication device 300 can change the usage state of the public key generated by the information processing device 100.
- FIG. 2 is an explanatory diagram illustrating a functional configuration example of the authentication device 300 according to the first embodiment of the present disclosure.
- a functional configuration example of the authentication device 300 according to the first embodiment of the present disclosure will be described with reference to FIG.
- the authentication device 300 includes a transmission / reception unit 310, a control unit 320, a storage unit 330, and a communication unit 340.
- the transmission / reception unit 310 executes reception processing for data received by the communication unit 340 from another device and transmission processing for data transmitted from the communication unit 340 to the other device.
- the transmission / reception unit 310 can execute, for example, demodulation processing, A / D conversion processing, error correction processing, and the like as reception processing, and can execute, for example, D / A conversion processing and modulation processing as transmission processing.
- the control unit 320 controls the operation of the authentication device 300.
- the control unit 320 can, for example, execute various protocols with the information processing devices 100 and 200 via the transmission / reception unit 310, and manage public keys, such as storing the public keys generated by the information processing devices 100 and 200 in the storage unit 330 and changing the usage state of public keys generated by the information processing apparatus 100.
- the storage unit 330 is a storage area for storing various data.
- the storage unit 330 holds the public key generated by the information processing apparatuses 100 and 200.
- the storage unit 330 holds information regarding the usage state of the public key generated by the information processing apparatus 100.
- the storage unit 330 may hold a computer program that is read and executed by the control unit 320.
- PKey 1, PKey 2, ... are indicated as the public keys generated by the information processing apparatuses 100 and 200.
- the communication unit 340 communicates with other devices, in particular, the information processing devices 100 and 200 through the network. Communication between the authentication apparatus 300 and the information processing apparatuses 100 and 200 can be performed by either wired or wireless. In FIG. 2, the communication unit 340 is illustrated in the form of an antenna that performs wireless communication, but the communication unit 340 is not limited to such an example.
- the function configuration example of the authentication device 300 according to the first embodiment of the present disclosure has been described above with reference to FIG. Subsequently, a functional configuration example of the information processing apparatus 100 (authentication device) according to the first embodiment of the present disclosure will be described.
- FIG. 3 is an explanatory diagram illustrating a functional configuration example of the information processing apparatus 100 (authentication device) according to the first embodiment of the present disclosure.
- a functional configuration example of the information processing apparatus 100 according to the first embodiment of the present disclosure will be described using FIG. 3.
- the information processing apparatus 100 includes a transmission / reception unit 110, a key generation unit 115, a control unit 120, a storage unit 130, and a communication unit 140.
- the transmission / reception unit 110 executes a reception process for data received by the communication unit 140 from another device and a transmission process for data transmitted from the communication unit 140 to the other device.
- the transmission / reception unit 110 can execute, for example, demodulation processing, A / D conversion processing, error correction processing, and the like as reception processing, and can execute, for example, D / A conversion processing, modulation processing, and the like as transmission processing.
- the key generation unit 115 generates a key pair including a public key and a secret key.
- the public key authentication method is not limited to a specific one.
- an RSA cipher may be used, or an elliptic curve cipher may be used.
- a public key authentication method that bases its security on the difficulty of solving multi-order multivariable simultaneous equations, disclosed in, for example, Japanese Patent Application Laid-Open No. 2012-98690, may be used.
- the control unit 120 controls the operation of the information processing apparatus 100.
- the control unit 120 can, for example, execute various protocols with the information processing device 200 and the authentication device 300 through the transmission / reception unit 110, and store the public key and the secret key generated by the key generation unit 115 in the storage unit 130.
- the storage unit 130 is a storage area for storing various data.
- the storage unit 130 holds the public key and secret key generated by the key generation unit 115.
- the storage unit 130 may hold a computer program that is read and executed by the control unit 120.
- the public key generated by the key generation unit 115 is expressed as PKey, and the secret key is expressed as SKey.
- the secret key generated by the key generation unit 115 is desirably stored in the tamper resistant area. This is because the secret key is a key for certifying the validity of the public key generated by itself as described later, and thus leakage of the secret key should be avoided.
- the communication unit 140 communicates with other devices, in particular, the information processing device 200 and the authentication device 300 through the network. Communication between the information processing apparatus 100, the information processing apparatus 200, and the authentication apparatus 300 can be performed either by wire or wireless. Although FIG. 3 illustrates the communication unit 140 in the form of an antenna that performs wireless communication, the communication unit 140 is not limited to such an example.
- communication between the information processing apparatus 100 and the authentication apparatus 300 may be performed directly or may be performed via another apparatus.
- the function configuration example of the information processing apparatus 100 (authentication device) according to the first embodiment of the present disclosure has been described above. Subsequently, a functional configuration example of the information processing apparatus 200 (master device) according to the first embodiment of the present disclosure will be described.
- FIG. 4 is an explanatory diagram illustrating a functional configuration example of the information processing apparatus 200 (master device) according to the first embodiment of the present disclosure.
- the functional configuration example of the information processing apparatus 200 according to the first embodiment of the present disclosure will be described with reference to FIG.
- the information processing apparatus 200 includes a transmission / reception unit 210, a key generation unit 215, a control unit 220, an output unit 225, a storage unit 230, and a communication unit 240.
- the transmission / reception unit 210 performs a reception process on data received by the communication unit 240 from another device and a transmission process on data transmitted from the communication unit 240 to the other device.
- the transmission / reception unit 110 can execute, for example, demodulation processing, A / D conversion processing, error correction processing, and the like as reception processing, and can execute, for example, D / A conversion processing, modulation processing, and the like as transmission processing.
- the key generation unit 215 generates a key pair composed of a public key and a secret key.
- the public key authentication method is not limited to a specific one.
- an RSA cipher may be used, or an elliptic curve cipher may be used.
- a public key authentication method that bases its security on the difficulty of solving multi-order multivariable simultaneous equations, disclosed in, for example, Japanese Patent Application Laid-Open No. 2012-98690, may be used.
- the control unit 220 controls the operation of the information processing apparatus 200.
- the control unit 220 can, for example, execute various protocols with the information processing apparatus 100 and the authentication apparatus 300 through the transmission / reception unit 210, and store the public key and the secret key generated by the key generation unit 215 in the storage unit 230.
- the output unit 225 outputs various information.
- the output unit 225 may be a display device such as a liquid crystal display panel or an organic EL display panel, or it may be an interface that displays information on such a display device outside the information processing device 200.
- the storage unit 230 is a storage area for storing various data.
- the storage unit 230 holds the public key and secret key generated by the key generation unit 215.
- the storage unit 230 may hold a computer program that is read and executed by the control unit 220.
- the public key generated by the key generation unit 215 is expressed as MPKey, and the secret key is expressed as MSKey.
- the storage unit 230 holds the public key PKey generated by the key generation unit 115 of the information processing apparatus 100 and the public key MPKey generated by the key generation unit 215 of the information processing apparatus 200 in an associated state. A method for associating the public key PKey with the public key MPKey will be described in detail later.
- the secret key generated by the key generation unit 215 is desirably stored in the tamper resistant area. This is because the secret key is a key for certifying the validity of the public key generated by itself as described later, and thus leakage of the secret key should be avoided.
- the communication unit 240 communicates with other devices, in particular, the information processing device 100 and the authentication device 300 through the network. Communication between the information processing apparatus 200, the information processing apparatus 100, and the authentication apparatus 300 can be performed either by wire or wireless.
- Although FIG. 4 illustrates the communication unit 240 in the form of an antenna that performs wireless communication, the communication unit 240 is not limited to such an example.
- communication between the information processing device 200 and the authentication device 300 may be performed directly or via another device.
- the public key authentication method is an authentication method in which a certain person (prover) uses the public key pk and the secret key sk to convince another person (verifier) that the person is the principal.
- the prover A's public key pk_A is disclosed to the verifier.
- the secret key sk_A of the prover A is secretly managed by the prover.
- the person who knows the secret key sk_A corresponding to the public key pk_A is regarded as the prover A himself.
- If the prover A is trying to prove their identity to the verifier B, the prover A performs an interactive protocol with the verifier B and proves that the prover knows the secret key sk_A corresponding to the public key pk_A.
- When it is proved to the verifier B by the interactive protocol that the prover A knows the secret key sk_A, the authenticity (identity) of the prover A is proved.
- the first condition is to reduce as much as possible the probability that a falsification is established by a falsifier who does not have the secret key sk when the interactive protocol is executed.
- the fact that this first condition is satisfied is called “soundness”.
- In other words, in an interactive protocol having soundness, a falsifier who does not have the secret key sk cannot establish a falsification with a non-negligible probability.
- the second condition is that even if the interactive protocol is executed, the information on the secret key sk A possessed by the prover A is not leaked to the verifier B at all. The fact that this second condition is satisfied is called “zero knowledge”.
- the security of the public key authentication method is ensured by using the dialogue protocol having the above soundness and zero knowledge.
- the prover uses a key generation algorithm Gen to generate a pair of a secret key sk and a public key pk unique to the prover.
- the prover executes an interactive protocol with the verifier using the set of the secret key sk and the public key pk generated using the key generation algorithm Gen.
- the prover uses the prover algorithm P to execute the interactive protocol.
- the prover uses the prover algorithm P to prove to the verifier that the secret key sk is held.
- the verifier executes the interactive protocol by using the verifier algorithm V, and verifies whether or not the prover has a secret key corresponding to the public key published by the prover. That is, the verifier is an entity that verifies whether the prover has a secret key corresponding to the public key.
- the public key authentication method model includes two entities, a prover and a verifier, and three algorithms, a key generation algorithm Gen, a prover algorithm P, and a verifier algorithm V.
- the expressions “prover” and “verifier” are used, but these expressions only mean entities. Therefore, the subject that executes the key generation algorithm Gen and the prover algorithm P is an information processing apparatus corresponding to the entity of the “prover”. Similarly, the subject that executes the verifier algorithm V is an information processing apparatus.
- the key generation algorithm Gen is used by the prover.
- the key generation algorithm Gen is an algorithm for generating a set of a secret key sk and a public key pk unique to the prover.
- the public key pk generated by the key generation algorithm Gen is made public.
- the public key pk that is made public is used by the verifier.
- the secret key sk managed secretly is used to prove to the verifier that the secret key sk corresponding to the public key pk is held.
- the key generation algorithm Gen is expressed as the following equation (1) as an algorithm that inputs a security parameter 1^λ (λ is an integer of 0 or more) and outputs a secret key sk and a public key pk.
- the prover algorithm P is used by the prover.
- the prover algorithm P is an algorithm for proving that the secret key sk corresponding to the public key pk is held.
- the prover algorithm P is defined as an algorithm that receives the prover's private key sk and public key pk as input and executes an interactive protocol with the verifier.
- the verifier algorithm V is used by the verifier.
- the verifier algorithm V is an algorithm for verifying whether or not the prover has a secret key sk corresponding to the public key pk in the interactive protocol.
- the verifier algorithm V is defined as an algorithm that takes the public key pk of the prover as an input, outputs a 0 or 1 (1 bit) after executing a dialogue protocol with the prover. In the case of output 0, it is assumed that the prover is invalid, and in the case of output 1, the prover is valid.
- the verifier algorithm V is expressed as the following equation (2).
- the public key authentication method is required to satisfy the two conditions of soundness and zero knowledge to ensure safety.
- the prover needs to execute a procedure depending on the secret key sk and notify the verifier of the result, and the verifier needs to perform verification based on the notified contents.
- the execution of the procedure depending on the secret key sk is necessary to ensure soundness.
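The following Python sketch is an added example, not code from the patent: it models the authentication apparatus 300 keeping PKey associated with MPKey and changing PKey's usage state only after the master device proves possession of MSKey in an interactive run of Gen, P and V as described above. Assumptions: Schnorr identification over secp256k1 stands in for the unspecified public key authentication method, and the class and function names, the registration step and the state labels are hypothetical.

```python
import secrets

# secp256k1 domain parameters (public constants of that curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ACTIVE, SUSPENDED = "active", "suspended"   # usage states (labels assumed)

def add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def gen():
    """Gen: output a secret key sk and the public key pk = sk*G."""
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)

class Prover:
    """Prover algorithm P: the only party that ever touches sk."""
    def __init__(self, sk):
        self.sk = sk
    def commit(self):
        self.r = secrets.randbelow(N - 1) + 1   # fresh nonce for every run
        return mul(self.r, G)
    def respond(self, c):
        return (self.r + c * self.sk) % N

def verify(pk, prover):
    """Verifier algorithm V: one interactive run, output 1 (valid) or 0."""
    t = prover.commit()
    c = secrets.randbelow(N)                    # verifier's random challenge
    s = prover.respond(c)
    return 1 if mul(s, G) == add(t, mul(c, pk)) else 0

class AuthServer:
    """Authentication apparatus 300: holds public keys and usage states only."""
    def __init__(self):
        self.state = {}       # PKey -> usage state
        self.master_of = {}   # PKey -> associated MPKey

    def register(self, pkey, mpkey):
        # Assumption: both public keys arrive over an already trusted channel.
        self.state[pkey] = ACTIVE
        self.master_of[pkey] = mpkey

    def login(self, pkey, prover):
        """Authenticate device 100; a stopped key is refused before V runs."""
        return self.state.get(pkey) == ACTIVE and verify(pkey, prover) == 1

    def change_state(self, pkey, mpkey, master_prover, new_state):
        """Stop or resume PKey, only for the associated and authenticated MPKey."""
        if new_state not in (ACTIVE, SUSPENDED) or self.master_of.get(pkey) != mpkey:
            return False                        # bad state, unknown key or wrong master
        if verify(mpkey, master_prover) != 1:
            return False                        # requester does not hold MSKey
        self.state[pkey] = new_state
        return True

def demo():
    """Lost-device scenario with key pairs constructed on the spot."""
    skey, pkey = gen()            # authentication device 100
    mskey, mpkey = gen()          # master device 200
    xsk, xpk = gen()              # unrelated party
    srv = AuthServer()
    srv.register(pkey, mpkey)
    return [
        srv.login(pkey, Prover(skey)),                             # normal use
        srv.change_state(pkey, xpk, Prover(xsk), SUSPENDED),       # not associated
        srv.change_state(pkey, mpkey, Prover(xsk), SUSPENDED),     # fails V
        srv.change_state(pkey, mpkey, Prover(mskey), SUSPENDED),   # master stops key
        srv.login(pkey, Prover(skey)),                             # refused
        srv.change_state(pkey, mpkey, Prover(mskey), ACTIVE),      # master resumes
        srv.login(pkey, Prover(skey)),                             # works again
    ]

if __name__ == "__main__":
    print(demo())
```

The server never sees SKey or MSKey, so a stolen copy of its storage yields no credential; the stopped state is checked before V runs, so holding SKey alone does not get a lost device back in.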
- FIG. 19 is an explanatory diagram for explaining the outline of the algorithm of the electronic signature method.
- the electronic signature refers to a mechanism in which signature data known only to the creator of the data is provided to the recipient in association with the data, and the signature data is verified on the recipient side.
- the digital signature scheme model has two entities, a signer and a verifier.
- the model of the electronic signature scheme is composed of three algorithms: a key generation algorithm Gen, a signature generation algorithm Sig, and a signature verification algorithm Ver.
- the signer uses a key generation algorithm Gen to generate a pair of a signer-specific signature key sk and a verification key pk. Further, the signer generates an electronic signature σ to be given to the document M using the signature generation algorithm Sig. That is, the signer is an entity that gives an electronic signature to the document M.
- the verifier verifies the electronic signature σ attached to the document M using the signature verification algorithm Ver. That is, the verifier is an entity that verifies the electronic signature σ in order to confirm whether or not the creator of the document M is the signer.
- the expressions “signer” and “verifier” are used, but these expressions only mean entities. Accordingly, the subject that executes the key generation algorithm Gen and the signature generation algorithm Sig is an information processing apparatus corresponding to the entity of the “signer”. Similarly, the subject that executes the signature verification algorithm Ver is an information processing apparatus.
- the key generation algorithm Gen is used by the signer.
- the key generation algorithm Gen is an algorithm for generating a set of a signer-specific signature key sk and a verification key pk.
- the verification key pk generated by the key generation algorithm Gen is made public.
- the signature key sk generated by the key generation algorithm Gen is secretly managed by the signer.
- the signature key sk is used to generate an electronic signature σ given to the document M.
- the key generation algorithm Gen receives the security parameter 1^λ (λ is an integer greater than or equal to 0), and outputs the signature key sk and the public key pk.
- the key generation algorithm Gen can be formally expressed as the following equation (3).
- the signature generation algorithm Sig is used by the signer.
- the signature generation algorithm Sig is an algorithm for generating an electronic signature σ given to the document M.
- the signature generation algorithm Sig is an algorithm that receives the signature key sk and the document M and outputs an electronic signature σ.
- This signature generation algorithm Sig can be formally expressed as the following formula (4).
- the signature verification algorithm Ver is used by a verifier.
- the signature verification algorithm Ver is an algorithm for verifying whether or not the electronic signature σ is a valid electronic signature for the document M.
- the signature verification algorithm Ver is an algorithm that inputs the verification key pk of the signer, the document M, and the electronic signature σ, and outputs 0 or 1 (1 bit).
- This signature verification algorithm Ver can be formally expressed as the following formula (5).
- the verifier determines that the electronic signature σ is invalid when the signature verification algorithm Ver outputs 0 (when the public key pk rejects the document M and the electronic signature σ), and determines that the electronic signature σ is valid when it outputs 1 (when the public key pk accepts the document M and the electronic signature σ).
- the public key authentication method and the electronic signature method are not limited to specific ones.
- an RSA cipher may be used, or an elliptic curve cipher may be used.
- a public key authentication method or a digital signature method that is based on the difficulty of solving a multi-order multivariable simultaneous equation disclosed in JP 2012-98690 A or the like may be used.
- the function used in the above document is a function composed of m n-variable quadratic polynomials (m and n are both integers of 2 or more).
- the key length for ensuring 80-bit security is 80 bits. Therefore, when a user registers a public key or is authenticated using a secret key in a service such as a Web service, the number of characters input by the user is reduced, and it is more desirable to use a public key authentication method that bases its security on the difficulty of solving multi-order multivariable simultaneous equations.
- the public key size is small when using a public key authentication method or an electronic signature method that is based on the difficulty of solving a multi-dimensional multivariable simultaneous equation disclosed in Japanese Patent Application Laid-Open No. 2012-98690. Therefore, it can be expected to further reduce the operational and administrative effort and improve the long-term safety level. For example, in terms of operation, there are few restrictions on the display of the public key, and the effect that the length that can be input and transmitted can be shortened can be expected. In terms of management, since the public key size is short, the database size can be reduced, and the key can be set only by copying the character string. Furthermore, in terms of safety, the system depends on mathematical difficulties of the NP complete class, so long-term safety can be expected.
- FIG. 5 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- FIG. 5 is an operation example in which the information processing apparatuses 100 and 200 register their generated public keys in the authentication apparatus 300.
- an operation example of the information processing system 1 according to the first embodiment of the present disclosure will be described with reference to FIG.
- the information processing apparatuses 100 and 200 register the public key in the authentication apparatus 300 in order to use the service provided by the authentication apparatus 300.
- the information processing apparatuses 100 and 200 first generate a key pair composed of a pair of a secret key and a public key by the key generation units 115 and 215, respectively (step S101).
- FIG. 5 shows a case where the key generation unit 115 generates a secret key SKey and a public key PKey.
- the key generation units 115 and 215 generate the key pair using a public key authentication method disclosed in JP 2012-98690 A and the like, which bases security on the difficulty of solving a multi-order multivariable simultaneous equation.
- When the information processing apparatuses 100 and 200 generate the key pair in step S101, the information processing apparatuses 100 and 200 hold the secret key of the generated key pair in the storage units 130 and 230, respectively (step S102).
- the storage of the secret key in the storage units 130 and 230 can be performed by control by the control units 120 and 220, for example. At this time, as described above, it is desirable that the control units 120 and 220 store the secret key in a tamper-resistant area provided in at least a part of the storage units 130 and 230.
- When the information processing apparatuses 100 and 200 hold the secret key in step S102, the information processing apparatuses 100 and 200 subsequently transmit the public key in the key pair generated in step S101 to the authentication apparatus 300 (step S103).
- the transmission of the public key to the authentication device 300 can be performed by the transmission / reception units 110 and 210 transmitting the public key to the authentication device 300 under the control of the control units 120 and 220, for example.
- When the information processing apparatuses 100 and 200 transmit the public key to the authentication apparatus 300, the authentication apparatus 300 that has received the public key confirms whether or not the same public key as the received one is already stored in the storage unit 330 (step S104). This confirmation process can be executed by the control unit 330, for example.
- If the same public key as the received public key is already stored in the storage unit 330 (step S104, Yes), the authentication apparatus 300 rejects registration of the public key transmitted by the information processing apparatuses 100 and 200. On the other hand, if the same public key as the received one is not stored in the storage unit 330 (No in step S104), the authentication device 300 holds the public key transmitted by the information processing devices 100 and 200 in the storage unit 330 as the public key of that device (step S105). The public key holding process can be executed by the control unit 330, for example.
- When the public key transmitted by the information processing apparatus 100 or 200 is held in the storage unit 330 as the public key of the apparatus, the authentication apparatus 300 stores the public key generated by each information processing apparatus 100 or 200 in the storage unit 330 in association with, for example, predetermined information for uniquely identifying that information processing apparatus.
- By executing the series of operations illustrated in FIG. 5, the information processing apparatuses 100 and 200 and the authentication apparatus 300 allow the information processing apparatuses 100 and 200 to register a public key in the authentication apparatus 300 in order to use the service provided by the authentication apparatus 300. Then, by registering the public key in the authentication device 300, the information processing devices 100 and 200 can be authenticated by the public key authentication method using the registered public key when using the service provided by the authentication device 300.
- FIG. 6 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- FIG. 6 is an operation example of the public key association processing in the information processing apparatus 200.
- an operation example of the information processing system 1 according to the first embodiment of the present disclosure will be described with reference to FIG.
- When associating the public key MPKey generated by the information processing apparatus 200 with the public key PKey generated by the information processing apparatus 100, the information processing apparatus 200 first transmits the public key MPKey to the information processing apparatus 100 (step S111).
- the transmission of the public key MPKey to the information processing apparatus 100 can be performed by the transmission / reception unit 210 transmitting the public key MPKey to the information processing apparatus 100 under the control of the control unit 220, for example.
- the reason why the information processing apparatus 200 transmits the public key MPKey to the information processing apparatus 100 is to have the information processing apparatus 100 attach a signature to the public key MPKey and return it.
- When the information processing apparatus 100 receives the public key MPKey of the information processing apparatus 200 from the information processing apparatus 200, the information processing apparatus 100 executes a predetermined signature protocol using the secret key SKey generated by the information processing apparatus 100, and gives an electronic signature to the public key MPKey of the information processing apparatus 200 (step S112).
- the control unit 120 can execute the electronic signature.
- the signature protocol executed in step S112 may be based on an electronic signature method disclosed in, for example, Japanese Patent Laid-Open No. 2012-98690.
- the fact that the information processing apparatus 100 gives an electronic signature to the public key MPKey of the information processing apparatus 200 is equivalent in meaning to the information processing apparatus 100 delegating the handling of the public key PKey generated by the information processing apparatus 100 to the information processing apparatus 200.
- By having the information processing apparatus 100 give an electronic signature to the public key MPKey of the information processing apparatus 200 and send it back together with the public key PKey, the information processing apparatus 200 can request the authentication device 300 to suspend use of the public key PKey generated by the information processing apparatus 100.
- When the information processing apparatus 100 gives an electronic signature to the public key MPKey of the information processing apparatus 200, the information processing apparatus 100 subsequently returns the electronic signature generated in step S112 and the public key PKey of the information processing apparatus 100 to the information processing apparatus 200 (step S113).
- the transmission of the electronic signature and the public key PKey can be performed by the transmission / reception unit 110 transmitting the electronic signature and the public key PKey to the information processing apparatus 200 under the control of the control unit 120, for example.
- When the information processing apparatus 200 receives the electronic signature and public key PKey transmitted by the information processing apparatus 100, the information processing apparatus 200 holds the received electronic signature and the public key PKey of the information processing apparatus 100 in the storage unit 230 (step S114). This process can be executed by the control unit 220, for example.
- the information processing apparatuses 100 and 200 can associate the public key PKey generated by the information processing apparatus 100 with the public key MPKey generated by the information processing apparatus 200 by executing such a series of operations. By associating the public key PKey with the public key MPKey, the information processing apparatus 200 can request the authentication apparatus 300 to stop using the public key PKey generated by the information processing apparatus 100.
- FIG. 7 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- FIG. 7 is an operation example in which the authentication process by the public key authentication method is executed between the information processing apparatus 100 and the authentication apparatus 300.
- an operation example of the information processing system 1 according to the first embodiment of the present disclosure will be described with reference to FIG.
- When an authentication process using the public key authentication method is performed between the information processing apparatus 100 and the authentication apparatus 300, the information processing apparatus 100 first transmits an authentication request to the authentication apparatus 300 (step S121). This process can be performed by the transmission / reception unit 110 transmitting a predetermined authentication request to the authentication device 300 under the control of the control unit 120, for example.
- When the information processing apparatus 100 transmits an authentication request to the authentication apparatus 300 and the authentication apparatus 300 receives the authentication request, the information processing apparatus 100 establishes a secure session with the authentication apparatus 300 (step S122).
- the process of establishing the secure session can be executed by the control units 120 and 320, for example.
- the secure session can be established using, for example, SSL (Secure Sockets Layer) or TLS (Transport Layer Security), but the method is not limited to a specific method.
- Step S123: this process can be performed by the transmission / reception unit 110 transmitting the public key PKey to the authentication device 300 under the control of the control unit 120, for example.
- Upon receiving the public key PKey transmitted from the information processing apparatus 100, the authentication apparatus 300 confirms whether or not the public key PKey is already held in the storage unit 330 (step S124). This confirmation can be executed, for example, by the control unit 320 searching the storage unit 330.
- If the public key PKey transmitted from the information processing apparatus 100 is already held in the storage unit 330 (step S124, Yes), the authentication apparatus 300 executes public key authentication processing by the public key authentication method with the information processing apparatus 100 (step S125).
- the information processing apparatus 100 and the authentication apparatus 300 execute the public key authentication process using, for example, a public key authentication method that is based on the difficulty of solving problems for multi-order multivariable simultaneous equations, as disclosed in JP 2012-98690 A and the like.
- If the public key PKey transmitted from the information processing apparatus 100 is not held in the storage unit 330 (No in step S124), the authentication apparatus 300 ends the process without executing the public key authentication process using the public key PKey.
- FIG. 8 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- FIG. 8 is an operation example in which the use stop processing of the public key PKey generated by the information processing apparatus 100 is executed between the information processing apparatus 200 and the authentication apparatus 300.
- an operation example of the information processing system 1 according to the first embodiment of the present disclosure will be described with reference to FIG.
- the information processing apparatus 200 executes an authentication process using the public key authentication method with the authentication apparatus 300 (step S131).
- the information processing apparatus 200 transmits the public key MPKey generated by the information processing apparatus 200 to the authentication apparatus 300 when executing authentication processing by the public key authentication method with the authentication apparatus 300. Further, since the authentication process by the public key authentication method executed between the information processing apparatus 200 and the authentication apparatus 300 is executed by a series of processes as shown in FIG. 7, detailed description is omitted here.
- the authentication apparatus 300 determines whether the information processing apparatus 200 has been successfully authenticated (step S132). If the authentication apparatus 300 fails to authenticate the information processing apparatus 200 (No in step S132), the authentication apparatus 300 ends the process without executing the public key authentication process using the public key MPKey. On the other hand, if the authentication apparatus 300 succeeds in authenticating the information processing apparatus 200 (step S132, Yes), the information processing apparatus 200 then transmits to the authentication apparatus 300 the list of pairs of the public key PKey and the electronic signature held in the storage unit 230 (step S133). If there are a plurality of public keys PKey associated with the public key MPKey (generated by the authentication device), the information processing apparatus 200 transmits all of them to the authentication apparatus 300.
- When the authentication device 300 receives the list of pairs of the public key PKey and the electronic signature from the information processing device 200, the authentication device 300 confirms whether or not the received public key PKey is already held in the storage unit 330 (step S134). This confirmation can be executed by the control unit 320, for example.
- If the public key PKey transmitted from the information processing device 200 is not held in the storage unit 330 (No in step S134), the authentication device 300 ends the process without performing the use stop processing of the public key PKey.
- the authentication apparatus 300 executes the verification process of the electronic signature transmitted in step S133 (step S135).
- the authentication apparatus 300 can verify whether or not the electronic signature is actually generated by the information processing apparatus 100 by verifying the electronic signature transmitted from the information processing apparatus 200.
- If the electronic signature transmitted from the information processing apparatus 200 is valid (step S135, Pass), the authentication apparatus 300 executes a use stop process for the received public key PKey (step S136).
- This use stop process can be executed by the control unit 320, for example.
- the use stop process for the public key PKey may be, for example, deleting the public key PKey itself from the storage unit 330, setting in the storage unit 330 a flag indicating that the public key PKey is in a use stop state, or moving the public key PKey to a predetermined use suspension list stored in the storage unit 330.
- the authentication device 300 can detect that there has been an attempt to use the public key PKey, and can record that there was an attempt.
- If the result of the determination in step S135 is that the electronic signature transmitted from the information processing apparatus 200 is not valid (step S135, Reject), the authentication apparatus 300 ends the process without performing the use stop processing of the public key PKey.
- the information processing apparatus 200 and the authentication apparatus 300 can stop the use of the public key PKey generated by the information processing apparatus 100 when authentication by the authentication apparatus 300 using the information processing apparatus 100 can no longer be received, for example because the user has lost the information processing apparatus 100.
- the present disclosure is not limited to such an example.
- the information processing apparatuses 100 and 200 may be owned by different users.
- the public key PKey generated by the information processing apparatus 100 is associated with the public key MPKey generated by the information processing apparatus 200 owned by the same user.
- the public key PKey generated by the information processing apparatus 100 owned by one user (user A) may be associated with the public key MPKey of the information processing apparatus 200 owned by another user (user B).
- the user A requests the user B to stop using the public key PKey when the information processing apparatus 100 is lost or authentication by the authentication apparatus 300 can no longer be received using the information processing apparatus 100.
- the user B requests the authentication apparatus 300 to stop using the public key PKey from the information processing apparatus 200 owned by the user B.
- the public key PKey generated by the information processing apparatus 100 is associated with the public key MPKey generated by the information processing apparatus 200 owned by another user, and the public key PKey is transmitted to the other user at a remote location, for example. It is possible to promptly prevent damage when the information processing apparatus 100 is lost.
- the information processing apparatus 200 transmits all of them to the authentication apparatus 300.
- the disclosure is not limited to such examples.
- the user may select a public key PKey whose use is to be stopped.
- the information processing apparatus 200 may output a user interface for allowing the user to select a public key PKey whose use is to be stopped.
- FIG. 9 shows an example of a user interface for allowing the user to select the public key PKey that is to be stopped from use, which is output from the output unit 225 by the information processing apparatus 200.
- the user interface shown in FIG. 9 may be displayed on a display device such as a liquid crystal display panel or an organic EL display panel provided in the information processing device 200, or may be displayed on a display device different from the information processing device 200.
- FIG. 9 shows a column U11 for displaying a list of public keys (generated by the authentication device) associated with the public key MPKey of the information processing apparatus 200, and a column U12 in which check boxes are displayed for allowing the user to set whether to stop using each public key.
- FIG. 9 shows a state in which the user has selected, on the information processing apparatus 200, to stop using the checked PKey1, PKey2, PKey4, and PKey6 among the six public keys displayed in the column U11.
- the user can select the public key whose use is to be stopped (generated by the authentication device).
- the information processing apparatus 200 transmits to the authentication apparatus 300 the pairs of a public key selected by the user and the electronic signature corresponding to that public key.
- the authentication device 300 executes the public key use stop process described above based on the transmitted pair information.
- the user interface for allowing the user to select the public key PKey whose use is to be stopped may be output by the authentication device 300 instead of the information processing device 200 that is the master device.
- When the authentication apparatus 300 outputs a user interface for allowing the user to select a public key PKey whose use is to be stopped, the authentication apparatus 300 outputs a user interface as shown in FIG. 9, for example, based on the information on the pairs of a public key and the corresponding digital signature transmitted by the information processing apparatus 200.
- the authentication apparatus 300 executes the use stop process for the public key selected by the user.
- When the authentication device 300 executes, as the use stop process of the public key PKey, a process of moving the public key PKey to a predetermined use stop list, it can determine, when a public key is transmitted from the information processing apparatus 100 or 200, whether the same public key as a public key registered in the use suspension list has been transmitted.
- FIG. 10 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- FIG. 10 is an operation example in which the information processing apparatuses 100 and 200 register their generated public keys in the authentication apparatus 300, and in which the authentication device 300 determines whether or not the same public key as a public key registered in the use suspension list has been transmitted from the information processing devices 100 and 200.
- an operation example of the information processing system 1 according to the first embodiment of the present disclosure will be described with reference to FIG.
- In order to register the public key in the authentication apparatus 300, the information processing apparatuses 100 and 200 first generate a key pair composed of a secret key and a public key in the key generation units 115 and 215, respectively (step S151). When the information processing apparatuses 100 and 200 generate the key pair in step S151, the information processing apparatuses 100 and 200 hold the secret key of the generated key pair in the storage units 130 and 230, respectively (step S152).
- When the information processing apparatuses 100 and 200 hold the secret key in step S152, the information processing apparatuses 100 and 200 subsequently transmit the public key in the key pair generated in step S151 to the authentication apparatus 300 (step S153).
- the transmission of the public key to the authentication device 300 can be performed by the transmission / reception units 110 and 210 transmitting the public key to the authentication device 300 under the control of the control units 120 and 220, for example.
- When the information processing apparatuses 100 and 200 transmit the public key to the authentication apparatus 300, the authentication apparatus 300 that has received the public key confirms whether or not the same public key as the received one is already stored in the storage unit 330 (step S154). If the same public key as the received public key is already stored in the storage unit 330, the authentication apparatus 300 rejects registration of the public key transmitted by the information processing apparatuses 100 and 200.
- the authentication apparatus 300 confirms whether the same public key as the received public key is registered in the use suspension list (step S155).
- This confirmation process can be executed by the control unit 330, for example. If the same public key as the received public key is registered in the use suspension list, the authentication device 300 rejects registration of the public key transmitted by the information processing devices 100 and 200.
- the public key transmitted by the information processing apparatuses 100 and 200 is held in the storage unit 330 as the public key of the apparatus (step S156).
- the public key holding process can be executed by the control unit 330, for example.
- the authentication apparatus 300 stores the public key generated by each information processing apparatus 100 or 200 in the storage unit 330 in association with, for example, predetermined information for uniquely identifying that information processing apparatus.
- the operation example when the public key generated by the information processing apparatuses 100 and 200 is registered in the authentication apparatus 300 has been described above with reference to FIG.
- When the authentication apparatus 300 executes the process of moving the public key PKey to a predetermined use stop list as the use stop process of the public key PKey, it can determine, when a public key has been transmitted from the information processing apparatuses 100 and 200, whether or not the same public key as a public key registered in the use suspension list has been transmitted.
- an example of authentication processing performed by the public key authentication method that is executed between the information processing apparatus 100 and the authentication apparatus 300 will be described.
- FIG. 11 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- FIG. 11 is an operation example in which the authentication process by the public key authentication method is executed between the information processing apparatus 100 and the authentication apparatus 300.
- an operation example of the information processing system 1 according to the first embodiment of the present disclosure will be described with reference to FIG.
- When an authentication process using the public key authentication method is performed between the information processing apparatus 100 and the authentication apparatus 300, the information processing apparatus 100 first transmits an authentication request to the authentication apparatus 300 (step S161). When the information processing apparatus 100 transmits an authentication request to the authentication apparatus 300 and the authentication apparatus 300 receives the authentication request, the information processing apparatus 100 establishes a secure session with the authentication apparatus 300 (step S162).
- the information processing apparatus 100 transmits the public key PKey generated by the information processing apparatus 100 to the authentication apparatus 300 in the established session (step S163).
- This process can be performed by the transmission / reception unit 110 transmitting the public key PKey to the authentication device 300 under the control of the control unit 120, for example.
- the authentication apparatus 300 Upon receiving the public key PKey transmitted from the information processing apparatus 100, the authentication apparatus 300 confirms whether or not the public key PKey is already held in the storage unit 330 (Step S164). This confirmation can be executed by the control unit 320, for example.
- step S164 if the public key PKey transmitted from the information processing apparatus 100 is already held in the storage unit 330 (step S164, Yes), the authentication apparatus 300 uses the same public key as the received public key. Is registered in the use suspension list (step S165).
- step S124 if the public key PKey transmitted from the information processing apparatus 100 is not held in the storage unit 330 (No in step S124), the authentication apparatus 300 uses the public key PKey for public key authentication. The process ends without executing the process.
- the confirmation process in step S165 can be executed by the control unit 330, for example. If the same public key as the received public key is registered in the use suspension list (No in step S165), authentication apparatus 300 rejects registration of the public key transmitted by information processing apparatuses 100 and 200.
- step S165 if the same public key as the received public key is not registered in the use suspension list (step S165, Yes), the authentication device 300 communicates with the information processing device 100 using the public key authentication method. Is executed (step S166).
- FIG. 12 is a flowchart illustrating an operation example of the information processing system 1 according to the first embodiment of the present disclosure.
- FIG. 12 illustrates an operation example in which the use stop processing of the public key PKey generated by the information processing apparatus 100 is executed between the information processing apparatus 200 and the authentication apparatus 300.
- An operation example of the information processing system 1 according to the first embodiment of the present disclosure will be described with reference to FIG.
- The information processing apparatus 200 executes an authentication process using the public key authentication method with the authentication apparatus 300 (step S171).
- The authentication apparatus 300 determines whether or not the information processing apparatus 200 has been successfully authenticated (step S172). If the authentication apparatus 300 fails to authenticate the information processing apparatus 200 (No in step S172), the authentication apparatus 300 ends the process without executing the public key authentication process using the public key MPKey.
- If, as a result of step S172, the authentication apparatus 300 succeeds in authentication of the information processing apparatus 200 (step S172, Yes), the information processing apparatus 200 then transmits the list, held in the storage unit 230, of pairs of the public key PKey generated by the information processing apparatus 100 and an electronic signature (step S173). If there are a plurality of public keys PKey associated with the public key MPKey (generated by the authentication device), the information processing apparatus 200 transmits all of them to the authentication apparatus 300.
- When the authentication apparatus 300 receives the list of pairs of the public key PKey and the electronic signature from the information processing apparatus 200, the authentication apparatus 300 confirms whether or not the received public key PKey is already held in the storage unit 330 (step S174). As a result of the determination in step S174, if the public key PKey transmitted from the information processing apparatus 200 is not held in the storage unit 330 (No in step S134), the authentication apparatus 300 ends the process without performing the use stop process for the public key PKey. On the other hand, if the result of the determination in step S174 is that the public key PKey transmitted from the information processing device 200 is held in the storage unit 330, the authentication device 300 executes a verification process for the received electronic signature (step S175).
- If the electronic signature transmitted from the information processing device 200 is valid as a result of the determination in step S175 (step S175, Pass), the authentication device 300 executes processing for moving the received public key PKey to a predetermined use suspension list (step S176). The process of moving the public key PKey to a predetermined use suspension list can be executed by the control unit 320, for example. On the other hand, if the result of determination in step S175 is that the electronic signature transmitted from the information processing apparatus 200 is not valid (step S175, Reject), the authentication apparatus 300 ends the process without performing the use stop processing of the public key PKey.
- The authentication apparatus 300 can execute a process of moving the public key PKey to a predetermined use suspension list as the use stop process of the public key PKey.
- The above description showed the case in which a process of associating the public key PKey generated by the information processing apparatus 100 with the public key MPKey generated by the information processing apparatus 200 is executed between the information processing apparatus 100 and the information processing apparatus 200.
- This association process may be performed in advance at the time of factory shipment, for example. The user can more easily stop using the public key PKey by purchasing a pair of information processing apparatuses 100 and 200 that have been previously associated with the public key.
- The operation example of the information processing system 1 according to the first embodiment of the present disclosure has been described above.
- By performing the operation described above, the information processing system 1 according to the first embodiment of the present disclosure can associate the public key PKey generated by the information processing apparatus 100, which is an authentication device, with the public key MPKey generated by the information processing apparatus 200, which is a master device.
- The information processing system 1 according to the first embodiment of the present disclosure can request the authentication device 300, from the information processing device 200 that is the master device, to stop using the public key PKey generated by the information processing device 100 that is the authentication device.
- <Second Embodiment> In the information processing system 1 according to the first embodiment of the present disclosure described above, the information processing apparatus 200 associates the public key PKey generated by the information processing apparatus 100 that is an authentication device with the public key MPKey generated by the information processing apparatus 200 that is a master device. The second embodiment of the present disclosure described below shows the case in which the authentication apparatus 300 associates the public key PKey generated by the information processing apparatus 100 that is the authentication device with the public key MPKey generated by the information processing apparatus 200 that is the master device.
- FIG. 13 is a flowchart illustrating an operation example of the information processing system 1 according to the second embodiment of the present disclosure.
- FIG. 13 illustrates an operation example in which the authentication apparatus 300 performs public key association processing.
- An operation example of the information processing system 1 according to the second embodiment of the present disclosure will be described with reference to FIG.
- The information processing apparatus 200 executes an authentication process using the public key authentication method with the authentication apparatus 300 (step S201).
- The authentication apparatus 300 determines whether the information processing apparatus 200 has been successfully authenticated (step S202).
- If the authentication apparatus 300 fails to authenticate the information processing apparatus 200 (No in step S202), the authentication apparatus 300 ends the process without executing the public key authentication process using the public key MPKey. On the other hand, if the authentication apparatus 300 succeeds in the authentication of the information processing apparatus 200 (step S202, Yes), then the information processing apparatus 100 transmits the public key PKey among the key pairs generated in advance to the authentication apparatus 300 (step S203).
- The public key PKey is transmitted from the information processing apparatus 100 to the authentication apparatus 300, but the present disclosure is not limited to such an example.
- the key length is about 80 bytes. Therefore, when this public key authentication method is used, instead of transmitting the public key PKey to the authentication device 300, the user may manually enter the public key PKey to register it in the authentication device 300.
- When the authentication device 300 receives the public key PKey from the information processing device 100 in step S203, the authentication device 300 subsequently executes authentication processing with the information processing apparatus 200 using the public key authentication method again (step S204). When the authentication process by the public key authentication method is executed between the information processing apparatus 200 and the authentication apparatus 300, the authentication apparatus 300 determines whether or not the information processing apparatus 200 has been successfully authenticated (step S205).
- By authenticating the information processing apparatus 200, which is the master device, before and after receiving the public key PKey of the information processing apparatus 100, the authentication apparatus 300 can securely associate the public key MPKey held by the information processing apparatus 200 with the public key PKey of the information processing apparatus 100.
- If the authentication apparatus 300 fails to authenticate the information processing apparatus 200 (No in step S205), the authentication apparatus 300 ends the process without executing the public key authentication process using the public key MPKey. On the other hand, if the authentication apparatus 300 succeeds in the authentication of the information processing apparatus 200 (step S205, Yes), the authentication apparatus 300 registers the public key PKey transmitted by the information processing apparatus 100 in step S203 as, for example, the public key of the information processing apparatus 100 that is the authentication device (step S206).
- After registering the public key PKey as the public key of the information processing apparatus 100 that is the authentication device in step S206, the authentication device 300 stores the public key MPKey of the information processing apparatus 200, which is the master device, in a form associated as a pair with the public key PKey of the information processing apparatus 100, which is the authentication device (step S207).
- By performing the series of operations illustrated in FIG. 13, the information processing system 1 allows the authentication apparatus 300 to hold the public key MPKey of the information processing apparatus 200, which is a master device, in a form associated as a pair with the public key PKey of the information processing apparatus 100, which is an authentication device.
- The information processing apparatuses 100 and 200 may be owned by different users, as in the first embodiment.
- When there are a plurality of public keys PKey associated with the public key MPKey (generated by the authentication device), the user may be allowed to select a public key PKey whose use is to be stopped, as in the first embodiment.
- The association between the public keys PKey and MPKey may be performed in advance, for example, at the time of factory shipment, as in the first embodiment.
- FIG. 14 is a flowchart illustrating an operation example of the information processing system 1 according to the second embodiment of the present disclosure.
- FIG. 14 illustrates an operation example in which the use stop processing of the public key PKey generated by the information processing apparatus 100 is executed between the information processing apparatus 200 and the authentication apparatus 300.
- An operation example of the information processing system 1 according to the second embodiment of the present disclosure will be described with reference to FIG.
- When the information processing apparatus 200 requests that use of the public key PKey generated by the information processing apparatus 100 be stopped, the information processing apparatus 200 first performs authentication processing with the authentication apparatus 300 using the public key authentication method (step S211). When the authentication process by the public key authentication method is executed between the information processing apparatus 200 and the authentication apparatus 300, the authentication apparatus 300 determines whether or not the information processing apparatus 200 has been successfully authenticated (step S212).
- If the authentication apparatus 300 fails to authenticate the information processing apparatus 200 (No in step S212), the authentication apparatus 300 ends the process without executing the public key authentication process using the public key MPKey. On the other hand, if the authentication apparatus 300 succeeds in the authentication of the information processing apparatus 200 (step S212, Yes), the information processing apparatus 200 transmits to the authentication apparatus 300 a request for stopping the public key PKey of the information processing apparatus 100 associated with the public key MPKey of the information processing apparatus 200 (step S213).
- Upon receiving the request for stopping the public key PKey of the information processing apparatus 100 transmitted from the information processing apparatus 200, the authentication apparatus 300 subsequently executes authentication processing with the information processing apparatus 200 using the public key authentication method (step S214). When the authentication process by the public key authentication method is executed between the information processing apparatus 200 and the authentication apparatus 300, the authentication apparatus 300 determines whether or not the information processing apparatus 200 has been successfully authenticated (step S215).
- If the authentication apparatus 300 fails to authenticate the information processing apparatus 200 (No in step S215), the authentication apparatus 300 ends the process without executing the public key authentication process using the public key MPKey. On the other hand, if the authentication apparatus 300 succeeds in the authentication of the information processing apparatus 200 (Yes in step S215), the authentication apparatus 300 executes the use stop processing of the public key PKey of the information processing apparatus 100 associated with the public key MPKey of the information processing apparatus 200 (step S216).
- The use stop process for the public key PKey is, for example, deleting the public key PKey itself from the storage unit 330, setting in the storage unit 330 a flag indicating that the public key PKey is in a use stop state, or moving the public key PKey to a predetermined use suspension list.
- The predetermined use suspension list can be stored in the storage unit 330, for example.
- The information processing apparatus 200 and the authentication apparatus 300 can stop the use of the public key PKey generated by the information processing apparatus 100 when the user can no longer be authenticated by the authentication apparatus 300 using the information processing apparatus 100, for example because the user has lost the information processing apparatus 100.
- <Third Embodiment> There may be a case where, after the use of the public key PKey generated by the information processing apparatus 100 is stopped, the information processing apparatus 100 is found and the use of the stopped public key PKey is to be resumed. An example of the use resumption process for a public key PKey whose use was once stopped is described below.
- FIG. 15 is a flowchart illustrating an operation example of the information processing system 1 according to the second embodiment of the present disclosure.
- FIG. 15 illustrates an operation example in which the use resumption process of the public key PKey generated by the information processing apparatus 100 is executed among the information processing apparatuses 100 and 200 and the authentication apparatus 300. The example shown below is an operation example when the information processing apparatus 200 associates the public keys PKey and MPKey with each other.
- FIG. 15 illustrates an operation example of the information processing system 1 according to the second embodiment of the present disclosure.
- In order to resume the use of a public key PKey whose use has been stopped, it is desirable that the use stop process does not delete the public key PKey itself from the storage unit 330, but instead sets in the storage unit 330 a flag indicating that the public key PKey is in a use stop state or moves the public key PKey to a predetermined use suspension list.
- When the information processing apparatus 200 requests a process for resuming the use of the public key PKey whose use has been stopped, the information processing apparatus 200 first executes an authentication process using the public key authentication method with the authentication apparatus 300 (step S221). When the authentication process by the public key authentication method is executed between the information processing apparatus 200 and the authentication apparatus 300, the authentication apparatus 300 determines whether the information processing apparatus 200 has been successfully authenticated (step S222).
- If the authentication apparatus 300 fails to authenticate the information processing apparatus 200 (No in step S222), the authentication apparatus 300 ends the process without executing the use resumption process of the public key PKey. On the other hand, if the authentication apparatus 300 succeeds in the authentication of the information processing apparatus 200 (step S222, Yes), the information processing apparatus 200 transmits to the authentication apparatus 300 the list, held in the storage unit 230, of pairs of the public key PKey generated by the information processing apparatus 100 and the electronic signature (step S223).
- Upon receiving the list of public key PKey and electronic signature pairs from the information processing apparatus 200, the authentication apparatus 300 confirms whether or not the received public key PKey is already stored in the storage unit 330 (step S224). As a result of the determination in step S224, if the public key PKey transmitted from the information processing apparatus 200 is not held in the storage unit 330 (No in step S224), the authentication apparatus 300 ends the process without performing the use resumption process of the public key PKey.
- On the other hand, if the result of the determination in step S224 is that the public key PKey transmitted from the information processing apparatus 200 is held in the storage unit 330, the authentication apparatus 300 executes the verification process for the electronic signature transmitted in step S223 (step S225).
- The authentication apparatus 300 can verify whether or not the electronic signature was actually generated by the information processing apparatus 100 by verifying the electronic signature transmitted from the information processing apparatus 200.
- If the electronic signature transmitted from the information processing apparatus 200 is not valid as a result of the determination in step S225 (step S225, Reject), the authentication apparatus 300 ends the process without performing the use resumption process of the public key PKey.
- On the other hand, if the result of the determination in step S5 is that the electronic signature transmitted from the information processing apparatus 200 is valid (step S225, Pass), the authentication apparatus 300 then executes the authentication processing by the public key authentication method with the information processing apparatus 100 that generated the public key PKey whose use is to be resumed (step S226).
- The authentication apparatus 300 can confirm, by the authentication process in step S226, whether or not the information processing apparatus 100 has the secret key SKey corresponding to the public key PKey whose use is to be resumed.
- The authentication apparatus 300 determines whether the information processing apparatus 100 has been successfully authenticated (step S227). If the authentication apparatus 300 fails to authenticate the information processing apparatus 100 (No at step S227), the authentication apparatus 300 ends the process without executing the use resumption process of the public key PKey. On the other hand, if the authentication device 300 succeeds in the authentication of the information processing device 100 (step S227, Yes), the authentication device 300 subsequently executes the authentication process with the information processing device 200 again by the public key authentication method (step S228). When the authentication process by the public key authentication method is executed between the information processing apparatus 200 and the authentication apparatus 300, the authentication apparatus 300 determines whether or not the information processing apparatus 200 has been successfully authenticated (step S229).
- If the authentication apparatus 300 fails to authenticate the information processing apparatus 200 (No in step S229), the authentication apparatus 300 ends the process without executing the public key PKey resumption process. On the other hand, if the authentication apparatus 300 succeeds in the authentication of the information processing apparatus 200 (step S229, Yes), the authentication apparatus 300 executes a use resumption process of the public key PKey whose use was once stopped (step S230). As the use resumption process, the authentication device 300, for example, deletes from the storage unit 330 the flag indicating that the public key PKey is in a use suspension state, or moves the public key PKey out of the predetermined use suspension list.
- The information processing apparatuses 100 and 200 and the authentication apparatus 300 can thereby resume, at the authentication apparatus 300, the use of the public key generated by the information processing apparatus 100 whose use was once stopped.
- When the lost information processing apparatus 100 is found, the user does not have to re-create the key or register a re-created public key in the authentication apparatus 300.
- After authentication of the information processing apparatus 100 that is the authentication device in step S226, authentication of the information processing apparatus 200 that is the master device is performed in step S228, but the present disclosure is not limited to such an example.
- Authentication of the information processing apparatus 100 that is an authentication device may be performed after authentication of the information processing apparatus 200 that is a master device.
- FIG. 16 is a flowchart illustrating an operation example of the information processing system 1 according to the second embodiment of the present disclosure.
- FIG. 16 illustrates an operation example in which the use resumption process of the public key PKey generated by the information processing apparatus 100 is executed among the information processing apparatuses 100 and 200 and the authentication apparatus 300.
- An operation example of the information processing system 1 according to the second embodiment of the present disclosure will be described with reference to FIG.
- When the information processing apparatus 200 requests a process for resuming the use of the public key PKey whose use has been stopped, the information processing apparatus 200 first executes an authentication process using the public key authentication method with the authentication apparatus 300 (step S231). When the authentication process by the public key authentication method is executed between the information processing apparatus 200 and the authentication apparatus 300, the authentication apparatus 300 determines whether or not the information processing apparatus 200 has been successfully authenticated (step S232).
- If the authentication device 300 fails to authenticate the information processing device 200 (No in step S232), the authentication device 300 ends the process without executing the public key PKey resumption process. On the other hand, if the authentication apparatus 300 succeeds in the authentication of the information processing apparatus 200 (step S232, Yes), then the information processing apparatus 100 transmits to the authentication apparatus 300 the same public key PKey as the public key whose use is to be resumed (step S233).
- The authentication device 300 executes an authentication process using the public key authentication method with the information processing device 100 that has generated the public key PKey whose use is to be resumed (step S234).
- The authentication apparatus 300 can confirm, by the authentication process in step S234, whether or not the information processing apparatus 100 has the secret key SKey corresponding to the public key PKey whose use is to be resumed.
- The authentication apparatus 300 determines whether the information processing apparatus 100 has been successfully authenticated (step S235). If the authentication apparatus 300 fails to authenticate the information processing apparatus 100 (No in step S235), the authentication apparatus 300 ends the process without executing the use resumption process of the public key PKey. On the other hand, if the authentication apparatus 300 succeeds in the authentication of the information processing apparatus 100 (step S235, Yes), the authentication apparatus 300 subsequently verifies the public key PKey and public key MPKey pair (step S236).
- If, as a result of verifying the public key PKey and public key MPKey pair, the keys are not associated with each other (step S236, No), the authentication apparatus 300 ends the process without executing the public key PKey use resumption process. On the other hand, if, as a result of the verification, the keys are associated with each other (step S236, Yes), the authentication apparatus 300 then executes the authentication process by the public key authentication method with the information processing apparatus 200 again (step S237). When the authentication process by the public key authentication method is executed between the information processing apparatus 200 and the authentication apparatus 300, the authentication apparatus 300 determines whether or not the information processing apparatus 200 has been successfully authenticated (step S238).
- If the authentication apparatus 300 fails to authenticate the information processing apparatus 200 (No in step S238), the authentication apparatus 300 ends the process without executing the public key PKey resumption process. On the other hand, if the authentication apparatus 300 succeeds in the authentication of the information processing apparatus 200 (step S238, Yes), the authentication apparatus 300 executes a use resumption process of the public key PKey that has been stopped (step S239). As the use resumption process, the authentication device 300, for example, deletes from the storage unit 330 the flag indicating that the public key PKey is in a use suspension state, or moves the public key PKey out of the predetermined use suspension list.
- The information processing apparatuses 100 and 200 and the authentication apparatus 300 can thereby resume, at the authentication apparatus 300, the use of the public key generated by the information processing apparatus 100 whose use was once stopped.
- When the lost information processing apparatus 100 is found, the user does not have to re-create the key or register a re-created public key in the authentication apparatus 300.
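The checks that the authentication apparatus 300 applies in FIGS. 11, 13, 14 and 16 are sketched below as an added Python example; it is not code from the patent. A toy Schnorr signature stands in for the unspecified public key authentication method, and the names `Device`, `AuthServer`, `masters` and `keys` are assumptions made for the illustration.

```python
import hashlib
import secrets

# Toy Schnorr signatures stand in for the page's unspecified "public key
# authentication method". The group is far too small for real use.
P = 2**127 - 1   # Mersenne prime
G = 3
ORDER = P - 1    # G**ORDER == 1 (mod P), so exponents reduce modulo ORDER


def _hash(r, pub, msg):
    data = f"{r}:{pub}:".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


class Device:
    """Apparatus 100 (authentication device) or 200 (master device)."""

    def __init__(self):
        self._skey = secrets.randbelow(ORDER - 1) + 1   # secret key, never sent
        self.pub = pow(G, self._skey, P)                # PKey or MPKey

    def sign(self, msg):
        k = secrets.randbelow(ORDER - 1) + 1
        r = pow(G, k, P)
        return r, (k + _hash(r, self.pub, msg) * self._skey) % ORDER


def verify(pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(pub, _hash(r, pub, msg), P) % P


class AuthServer:
    """Authentication apparatus 300; self.keys plays the role of storage unit 330."""

    def __init__(self):
        self.masters = set()   # MPKeys accepted for master authentication (assumption)
        self.keys = {}         # PKey -> {"master": MPKey, "suspended": bool}

    def _prove(self, device, pub):
        """Fresh challenge-response: does `device` hold the secret key for `pub`?"""
        challenge = secrets.token_bytes(16)
        return verify(pub, challenge, device.sign(challenge))

    def _master_ok(self, master):
        return master.pub in self.masters and self._prove(master, master.pub)

    def associate(self, master, pkey):
        """Fig. 13: the master authenticates before and after PKey is received."""
        if not self._master_ok(master):                      # S201-S202
            return False
        received = pkey                                      # S203
        if not self._master_ok(master):                      # S204-S205
            return False
        self.keys[received] = {"master": master.pub, "suspended": False}  # S206-S207
        return True

    def login(self, device):
        """Fig. 11: refuse unknown and suspended keys before authenticating."""
        entry = self.keys.get(device.pub)                    # S164
        if entry is None:
            return "unknown"
        if entry["suspended"]:                               # S165
            return "suspended"
        return "ok" if self._prove(device, device.pub) else "failed"   # S166

    def suspend(self, master, pkey):
        """Fig. 14: only the associated master can suspend, with re-authentication."""
        if not self._master_ok(master):                      # S211-S212
            return False
        entry = self.keys.get(pkey)                          # S213: request names the PKey
        if entry is None or entry["master"] != master.pub:
            return False
        if not self._master_ok(master):                      # S214-S215
            return False
        entry["suspended"] = True                            # S216: flag set, key kept
        return True

    def resume(self, master, device):
        """Fig. 16: master, then device possession, then pair check, then master."""
        if not self._master_ok(master):                      # S231-S232
            return False
        entry = self.keys.get(device.pub)                    # S233
        if entry is None or not self._prove(device, device.pub):   # S234-S235
            return False
        if entry["master"] != master.pub:                    # S236
            return False
        if not self._master_ok(master):                      # S237-S238
            return False
        entry["suspended"] = False                           # S239
        return True
```

Suspension is modelled as a flag rather than deletion, which is the variant the third embodiment says is needed for later resumption.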
- Each of the above algorithms can be executed using, for example, the hardware configuration of the information processing apparatus shown in FIG. That is, the processing of each algorithm is realized by controlling the hardware shown in FIG. 15 using a computer program.
- The form of this hardware is arbitrary and includes, for example, personal information terminals such as personal computers, mobile phones, PHS, and PDAs, game machines, contact or non-contact IC chips, contact or non-contact IC cards, and various information appliances.
- PHS is an abbreviation of Personal Handy-phone System.
- PDA is an abbreviation for Personal Digital Assistant.
- The hardware mainly includes a CPU 902, a ROM 904, a RAM 906, a host bus 908, and a bridge 910. Further, this hardware includes an external bus 912, an interface 914, an input unit 916, an output unit 918, a storage unit 920, a drive 922, a connection port 924, and a communication unit 926.
- CPU is an abbreviation for Central Processing Unit.
- ROM is an abbreviation for Read Only Memory.
- RAM is an abbreviation for Random Access Memory.
- The CPU 902 functions as, for example, an arithmetic processing unit or a control unit, and controls the overall operation of each component or a part thereof based on various programs recorded in the ROM 904, the RAM 906, the storage unit 920, or the removable recording medium 928.
- The ROM 904 is a means for storing a program read by the CPU 902, data used for calculation, and the like.
- a program read by the CPU 902, various parameters that change as appropriate when the program is executed, and the like are temporarily or permanently stored.
- a host bus 908 capable of high-speed data transmission.
- The host bus 908 is connected to an external bus 912 having a relatively low data transmission speed via a bridge 910, for example.
- a bridge 910 for example.
- As the input unit 916, for example, a mouse, a keyboard, a touch panel, a button, a switch, a lever, or the like is used.
- A remote controller capable of transmitting a control signal using infrared rays or other radio waves may be used.
- a display device such as a CRT, LCD, PDP, or ELD
- an audio output device such as a speaker or a headphone, a printer, a mobile phone, or a facsimile, etc.
- CRT is an abbreviation for Cathode Ray Tube.
- LCD is an abbreviation for Liquid Crystal Display.
- PDP is an abbreviation for Plasma Display Panel.
- ELD is an abbreviation for Electro-Luminescence Display.
- The storage unit 920 is a device for storing various data.
- As the storage unit 920, a magnetic storage device such as a hard disk drive (HDD), a semiconductor storage device, an optical storage device, a magneto-optical storage device, or the like is used.
- HDD is an abbreviation for Hard Disk Drive.
- The drive 922 is a device that reads information recorded on a removable recording medium 928 such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, or writes information to the removable recording medium 928.
- The removable recording medium 928 is, for example, a DVD medium, a Blu-ray medium, an HD DVD medium, various semiconductor storage media, or the like.
- The removable recording medium 928 may be, for example, an IC card on which a non-contact type IC chip is mounted, an electronic device, or the like.
- IC is an abbreviation for Integrated Circuit.
- The connection port 924 is a port, such as a USB port, an IEEE 1394 port, SCSI, an RS-232C port, or an optical audio terminal, for connecting an external connection device 930.
- The external connection device 930 is, for example, a printer, a portable music player, a digital camera, a digital video camera, or an IC recorder.
- USB is an abbreviation for Universal Serial Bus.
- SCSI is an abbreviation for Small Computer System Interface.
- The communication unit 926 is a communication device for connecting to the network 932.
- It is, for example, a communication card for wired or wireless LAN, Bluetooth (registered trademark), or WUSB, an optical communication router, an ADSL router, or a device for contact or non-contact communication.
- The network 932 connected to the communication unit 926 is configured by a wired or wireless network, such as the Internet, home LAN, infrared communication, visible light communication, broadcast, or satellite communication.
- LAN is an abbreviation for Local Area Network.
- WUSB is an abbreviation for Wireless USB.
- ADSL is an abbreviation for Asymmetric Digital Subscriber Line.
- The functions of the key generation unit 115 and the control unit 120 can be performed by the CPU 902.
- The function of the storage unit 130 can be performed by the ROM 904, the RAM 906, the storage unit 920, or the removable recording medium 928.
- The communication unit 926 can take on the functions of the transmission/reception unit 110 and the antenna 140.
- The functions of the key generation unit 215 and the control unit 220 can be performed by the CPU 902.
- The function of the output unit 225 can be performed by the output unit 918.
- The function of the storage unit 230 can be performed by the ROM 904, the RAM 906, the storage unit 920, or the removable recording medium 928.
- The functions of the transmission/reception unit 210 and the antenna 240 can be performed by the communication unit 926.
- The function of the control unit 320 can be performed by the CPU 902.
- The function of the storage unit 330 can be performed by the ROM 904, the RAM 906, the storage unit 920, or the removable recording medium 928.
- The communication unit 926 can take on the functions of the transmission/reception unit 310 and the antenna 340.
- According to each embodiment of the present disclosure, the information processing apparatuses 100 and 200 and the authentication apparatus 300 are provided, which use the public key authentication method to implement a user authentication mechanism that is safer and simpler than the existing technology.
- Each embodiment of the present disclosure can ensure strong safety by performing authentication processing by the public key authentication method between the information processing apparatuses 100 and 200 and the authentication apparatus 300.
- The public key PKey generated by the information processing apparatus 100 that is the authentication device is associated with the MPKey generated by the information processing apparatus 200.
- When the information processing apparatus 100 is lost, the user can no longer execute the authentication process with the authentication apparatus 300 using the information processing apparatus 100. In that case, the information processing apparatus 200, as the master device, requests the authentication apparatus 300 to stop using the public key PKey.
- The public key PKey generated by the information processing device 100 and the MPKey generated by the information processing device 200 are associated with each other. In the second embodiment of the present disclosure as well, when the user cannot perform authentication processing with the authentication apparatus 300 using the information processing apparatus 100, such as when the information processing apparatus 100 is lost, the information processing apparatus 200 as the master device requests the authentication apparatus 300 to stop using the public key PKey.
- The operation cost of the information processing system 1 can be suppressed.
- When the public key PKey generated by the information processing apparatus 100 is associated with the MPKey generated by the information processing apparatus 200, the information processing apparatus 100 generates a signature and sends it to the information processing apparatus 200. By transferring the right to handle the public key PKey from the information processing apparatus 100 to the information processing apparatus 200 in this way, when the information processing apparatus 100 is lost, the user of the information processing apparatus 200 can invalidate the public key PKey instead, even when the user of the information processing apparatus 100 cannot immediately use the information processing apparatus 200.
- The user of the information processing device 200 is a user who is trusted by the user of the information processing device 100. When the information processing device 100 is lost, asking the user of the information processing device 200 to perform the invalidation is operationally more efficient than inquiring of the operator.
- When the public key PKey generated by the information processing apparatus 100 is to be invalidated and a plurality of public keys are associated with the MPKey generated by the information processing apparatus 200, the information processing apparatus 200 outputs a user interface that allows the user to select the public key to be revoked.
- The authentication system according to each of the above embodiments enables flexible key management.
- The public key PKey generated by the information processing apparatus 100 is associated with the MPKey generated by the information processing apparatus 200 in the information processing apparatus 200 that is the master device. The influence which it gives can be suppressed.
- As the use stop process, the authentication apparatus 300 executes, for example, a process of deleting the public key PKey itself from the storage unit 330, setting in the storage unit 330 a flag indicating that the public key PKey is in a use stop state, or moving the public key PKey to a predetermined use stop list.
- The authentication device 300 can detect that it has received the attempt, and can record the fact that the attempt has been made.
- The public key PKey generated by the information processing apparatus 100 can be associated in advance, at the time of factory shipment, with the MPKey generated by the information processing apparatus 200.
- The user does not need to perform this association.
- The public key PKey of the information processing apparatus 100 whose use has once been stopped can be made available again.
- The authentication apparatus 300 authenticates not only the information processing apparatus 100 that is the authentication device but also the information processing apparatus 200 that is the master device, and can thereby determine whether or not the public key PKey of the information processing apparatus 100 should be changed to the usable state again.
- Each step in the processing executed by each device in this specification does not necessarily have to be processed in chronological order in the order described as a sequence diagram or flowchart.
- Each step in the processing executed by each device may be processed in an order different from the order described as the flowchart, or may be processed in parallel.
- A storage medium storing the computer program can also be provided.
- The present technology can be executed by distributing software (applications) from an application software distribution server to information processing apparatuses such as smartphones and tablets and installing the distributed software (applications) on the information processing apparatus.
- The application software distribution server includes a network interface for distributing software (applications) to the information processing apparatus, and a storage device for storing software (applications).
- A series of processes can also be realized by hardware by configuring each functional block shown in the functional block diagram with hardware.
- (1) An information processing apparatus comprising: a memory that holds a first secret key corresponding to a first public key; and a processor that requests a first device, which holds public keys corresponding to secret keys, to change the usage state of a second public key registered in the first device by a second device, by authentication using the first public key associated with the second public key and the first secret key.
- (2) The information processing apparatus according to (1), wherein the processor receives, from the second device, the second public key and signature information generated using a second secret key corresponding to the second public key, and associates the first public key with the second public key.
- (6) The information processing apparatus according to any one of (1) to (4), wherein the processor makes a request to the first device to change the usage state of the second public key from the unusable state to the usable state.
- (7) An information processing apparatus comprising: a memory that holds at least the public keys out of the sets of a secret key and a public key generated by a first device and a second device; and a processor that associates a second public key generated by the second device with a first public key generated by the first device, causes the memory to hold them, and changes the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.
- (8) The information processing apparatus according to (7), wherein the processor associates the second public key with the first public key by receiving the second public key after authenticating the first device with the first public key.
- (9) The information processing apparatus according to (8), wherein the processor authenticates the first device using the first public key again after receiving the second public key.
- (10) The information processing apparatus according to any one of (7) to (9), wherein, when the processor receives a request for changing the usage state of the second public key from the first device, the processor authenticates the first device with the first public key and then changes the usage state of the second public key.
- (11) The information processing apparatus according to any one of (7) to (10), wherein, in response to receiving a request to change the usage state of the second public key from the usable state to the unusable state, the processor changes the usage state of the second public key from the usable state to the unusable state.
- (12) The information processing apparatus according to any one of (7) to (11), wherein, in response to receiving a request to change the usage state of the second public key from the unusable state to the usable state, the processor changes the usage state of the second public key from the unusable state to the usable state.
- (13) An information processing method comprising: holding a first secret key corresponding to a first public key; and requesting a first device, which holds public keys corresponding to secret keys, to change the usage state of a second public key registered in the first device by a second device, by authentication using the first public key associated with the second public key and the first secret key.
- (14) An information processing method comprising: holding at least the public keys out of the sets of a secret key and a public key generated by a first device and a second device; associating a second public key generated by the second device with a first public key generated by the first device and holding them; and changing the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.
- (15) A computer program causing a computer to execute: holding a first secret key corresponding to a first public key; and requesting a first device, which holds public keys corresponding to secret keys, to change the usage state of a second public key registered in the first device by a second device, by authentication using the first public key associated with the second public key and the first secret key.
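The key-state handling summarized in the list above (PKey associated with MPKey, use stop set as a flag, attempts recorded, and resumption only after both devices authenticate), as an added example that is not code from the patent. The Schnorr-style signature, the challenge and message formats, the delegation signature, reading "the attempt" as a login with a stopped key, and all names are assumptions.

```python
import hashlib
import secrets

# Assumption: demonstration-only Schnorr-style signatures modulo 2**255 - 19
# stand in for the unspecified public key scheme; far too small for real use.
P, G = 2**255 - 19, 2
USABLE, STOPPED = "usable", "stopped"


def key_bytes(n):
    return n.to_bytes(32, "big")


def _h(r, msg):
    return int.from_bytes(hashlib.sha256(key_bytes(r) + msg).digest(), "big")


def gen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def sign(sk, msg):
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k + _h(r, msg) * sk) % (P - 1)


def verify(pk, msg, sig):
    r, s = sig
    return 0 < r < P and 0 <= s < P - 1 and pow(G, s, P) == r * pow(pk, _h(r, msg), P) % P


class AuthApparatus:
    """Authentication apparatus 300: holds public keys and their state only."""
    def __init__(self):
        self.state = {}      # public key -> USABLE or STOPPED (a flag, not deletion)
        self.master_of = {}  # PKey -> associated MPKey
        self.pending = {}    # public key -> outstanding one-time challenge
        self.audit = []      # recorded events

    def register(self, *pks):
        self.state.update(dict.fromkeys(pks, USABLE))

    def challenge(self, pk):
        self.pending[pk] = secrets.token_bytes(16)
        return self.pending[pk]

    def _proves(self, pk, purpose, sig):
        c = self.pending.pop(pk, None)  # single use, so a replayed signature fails
        return c is not None and pk in self.state and verify(pk, purpose + c, sig)

    def login(self, pk, sig):
        ok = self._proves(pk, b"login", sig)
        if self.state.get(pk) == STOPPED:  # refuse, but record the attempt
            self.audit.append(("attempt-with-stopped-key", pk))
        return ok and self.state.get(pk) == USABLE

    def associate(self, mpkey, pkey, master_sig, delegation_sig):
        # The delegation signature by SKey over MPKey is an assumed format.
        ok = (self._proves(mpkey, b"associate" + key_bytes(pkey), master_sig)
              and self.state.get(pkey) == USABLE
              and verify(pkey, b"delegate" + key_bytes(mpkey), delegation_sig))
        if ok:
            self.master_of[pkey] = mpkey
        return ok

    def change_state(self, mpkey, pkey, new_state, master_sig, device_sig=None):
        ok = (new_state in (USABLE, STOPPED)
              and self._proves(mpkey, new_state.encode() + key_bytes(pkey), master_sig)
              and self.master_of.get(pkey) == mpkey)
        if ok and new_state == USABLE:  # resumption: device 100 must prove SKey too
            ok = device_sig is not None and self._proves(pkey, b"resume", device_sig)
        if ok:
            self.state[pkey] = new_state
            self.audit.append((new_state, pkey))
        return ok


def run_scenario():
    srv, out = AuthApparatus(), {}
    (sk, pkey), (msk, mpkey), (esk, epkey) = gen(), gen(), gen()  # 100, 200, stranger
    srv.register(pkey, mpkey, epkey)
    t = key_bytes(pkey)

    def ans(secret, pk, purpose):  # sign a fresh challenge issued for pk
        return sign(secret, purpose + srv.challenge(pk))

    first = ans(sk, pkey, b"login")
    out["login"], out["replay"] = srv.login(pkey, first), srv.login(pkey, first)
    out["associate"] = srv.associate(mpkey, pkey, ans(msk, mpkey, b"associate" + t),
                                     sign(sk, b"delegate" + key_bytes(mpkey)))
    out["stranger_stop"] = srv.change_state(epkey, pkey, STOPPED, ans(esk, epkey, b"stopped" + t))
    out["master_stop"] = srv.change_state(mpkey, pkey, STOPPED, ans(msk, mpkey, b"stopped" + t))
    out["login_stopped"] = srv.login(pkey, ans(sk, pkey, b"login"))
    out["resume_no_device"] = srv.change_state(mpkey, pkey, USABLE, ans(msk, mpkey, b"usable" + t))
    out["resume_both"] = srv.change_state(mpkey, pkey, USABLE, ans(msk, mpkey, b"usable" + t),
                                          ans(sk, pkey, b"resume"))
    out["login_resumed"] = srv.login(pkey, ans(sk, pkey, b"login"))
    out["audit"] = [event for event, _ in srv.audit]
    return out
```

Keeping the stopped key in storage with a flag, rather than deleting it, is what lets `login` record the attempt and lets the master device restore the key later.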
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Storage Device Security (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Description
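1. First embodiment (example of association at the master device)
1.1. System configuration example
1.2. Functional configuration example of the authentication apparatus
1.3. Functional configuration example of the authentication device
1.4. Functional configuration example of the master device
1.5. Description of the public key authentication scheme and the secret key
1.6. System operation example
2. Second embodiment (example of association at the authentication apparatus)
2.1. System operation example
3. Third embodiment (resuming use of a public key)
3.1. Case where the association is made at the master device
3.2. Case where the association is made at the authentication apparatus
4. Hardware configuration example
5. Summary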
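[1.1. System configuration example]
First, an overall configuration example of the information processing system according to the first embodiment of the present disclosure will be described. FIG. 1 is an explanatory diagram showing an overall configuration example of the information processing system 1 according to the first embodiment of the present disclosure. Hereinafter, the overall configuration example of the information processing system 1 according to the first embodiment of the present disclosure will be described with reference to FIG. 1.
FIG. 2 is an explanatory diagram showing a functional configuration example of the authentication apparatus 300 according to the first embodiment of the present disclosure. Hereinafter, the functional configuration example of the authentication apparatus 300 according to the first embodiment of the present disclosure will be described with reference to FIG. 2.
FIG. 3 is an explanatory diagram showing a functional configuration example of the information processing apparatus 100 (authentication device) according to the first embodiment of the present disclosure. Hereinafter, the functional configuration example of the information processing apparatus 100 according to the first embodiment of the present disclosure will be described with reference to FIG. 3.
FIG. 4 is an explanatory diagram showing a functional configuration example of the information processing apparatus 200 (master device) according to the first embodiment of the present disclosure. Hereinafter, the functional configuration example of the information processing apparatus 200 according to the first embodiment of the present disclosure will be described with reference to FIG. 4.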
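Next, the public key authentication scheme and the secret key will be described. The public key authentication scheme is an authentication scheme in which a person (the prover) uses a public key pk and a secret key sk to convince another person (the verifier) of his or her identity. For example, the public key pkA of prover A is disclosed to the verifier. The secret key skA of prover A, on the other hand, is managed secretly by the prover. In the public key authentication scheme, a person who knows the secret key skA corresponding to the public key pkA is regarded as prover A himself or herself.
The key generation algorithm Gen is used by the prover. The key generation algorithm Gen is an algorithm that generates a pair of a secret key sk and a public key pk unique to the prover. The public key pk generated by the key generation algorithm Gen is made public, and the published public key pk is used by the verifier. The secret key sk generated by the key generation algorithm Gen, on the other hand, is managed secretly by the prover. The secretly managed secret key sk is used to prove to the verifier that the prover holds the secret key sk corresponding to the public key pk. Formally, the key generation algorithm Gen is expressed as in the following formula (1), as an algorithm that takes a security parameter 1^λ (λ is an integer of 0 or more) as input and outputs a secret key sk and a public key pk.
The prover algorithm P is used by the prover. The prover algorithm P is an algorithm for proving that the prover holds the secret key sk corresponding to the public key pk. The prover algorithm P is defined as an algorithm that takes the prover's secret key sk and public key pk as input and executes an interactive protocol with the verifier.
The verifier algorithm V is used by the verifier. The verifier algorithm V is an algorithm that verifies, within the interactive protocol, whether or not the prover holds the secret key sk corresponding to the public key pk. The verifier algorithm V is defined as an algorithm that takes the prover's public key pk as input and outputs 0 or 1 (1 bit) after executing the interactive protocol with the prover. An output of 0 means that the prover is illegitimate, and an output of 1 means that the prover is legitimate. Formally, the verifier algorithm V is expressed as in the following formula (2).
As shown in FIG. 19, the model of the digital signature scheme has two entities, a signer and a verifier. The model of the digital signature scheme consists of three algorithms: a key generation algorithm Gen, a signature generation algorithm Sig, and a signature verification algorithm Ver.
The key generation algorithm Gen is used by the signer. The key generation algorithm Gen is an algorithm that generates a pair of a signing key sk and a verification key pk unique to the signer. The verification key pk generated by the key generation algorithm Gen is made public. The signing key sk generated by the key generation algorithm Gen, on the other hand, is managed secretly by the signer. The signing key sk is used to generate the digital signature σ attached to a document M. For example, the key generation algorithm Gen takes a security parameter 1^λ (λ is an integer of 0 or more) as input and outputs a signing key sk and a public key pk. In this case, the key generation algorithm Gen can be formally expressed as in the following formula (3).
The signature generation algorithm Sig is used by the signer. The signature generation algorithm Sig is an algorithm that generates the digital signature σ attached to the document M. The signature generation algorithm Sig takes the signing key sk and the document M as input and outputs the digital signature σ. The signature generation algorithm Sig can be formally expressed as in the following formula (4).
The signature verification algorithm Ver is used by the verifier. The signature verification algorithm Ver is an algorithm that verifies whether or not the digital signature σ is a valid digital signature for the document M. The signature verification algorithm Ver takes the signer's verification key pk, the document M, and the digital signature σ as input and outputs 0 or 1 (1 bit). The signature verification algorithm Ver can be formally expressed as in the following formula (5). The verifier judges the digital signature σ to be invalid when the signature verification algorithm Ver outputs 0 (when the public key pk rejects the document M and the digital signature σ), and judges the digital signature σ to be valid when it outputs 1 (when the public key pk accepts the document M and the digital signature σ).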
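Next, an operation example of the information processing system 1 according to the first embodiment of the present disclosure will be described. In the following description, the information processing apparatuses 100 and 200 are assumed to be owned by the same user. FIG. 5 is a flowchart showing an operation example of the information processing system 1 according to the first embodiment of the present disclosure, and shows an operation example in which the information processing apparatuses 100 and 200 register the generated public keys with the authentication apparatus 300. Hereinafter, the operation example of the information processing system 1 according to the first embodiment of the present disclosure will be described with reference to FIG. 5.
In the information processing system 1 according to the first embodiment of the present disclosure described above, the public key PKey generated by the information processing apparatus 100, which is the authentication device, and the public key MPKey generated by the information processing apparatus 200, which is the master device, were associated at the information processing apparatus 200. The second embodiment of the present disclosure described below shows a case where the public key PKey generated by the information processing apparatus 100, which is the authentication device, and the public key MPKey generated by the information processing apparatus 200, which is the master device, are associated at the authentication apparatus 300.
Since the configuration of the apparatuses and the functional configuration example of each apparatus are the same as in the information processing system 1 according to the first embodiment of the present disclosure, description of the configuration is omitted. Below, an operation example of the information processing system 1 according to the second embodiment of the present disclosure is described in detail.
After use of the public key PKey generated by the information processing apparatus 100 has been stopped, there may be cases where it is desired to resume use of the stopped public key PKey, for example because the information processing apparatus 100 has been found. Below, an example of the process for resuming use of a public key PKey whose use was once stopped is described.
FIG. 15 is a flowchart showing an operation example of the information processing system 1 according to the second embodiment of the present disclosure, and shows an operation example in which the process of resuming use of the public key PKey generated by the information processing apparatus 100 is executed between the information processing apparatuses 100 and 200 and the authentication apparatus 300. The example shown below is an operation example for the case where the public keys PKey and MPKey are associated with each other at the information processing apparatus 200. Hereinafter, the operation example of the information processing system 1 according to the second embodiment of the present disclosure will be described with reference to FIG. 15.
Another example of the process of resuming use of a public key is shown. The example shown below is an operation example in which use of the public key is resumed without using a signature when the public keys PKey and MPKey are associated with each other at the authentication apparatus 300.
Each of the above algorithms can be executed using, for example, the hardware configuration of the information processing apparatus shown in FIG. 15. That is, the processing of each algorithm is realized by controlling the hardware shown in FIG. 15 using a computer program. The form of this hardware is arbitrary and includes, for example, personal computers, portable information terminals such as mobile phones, PHS, and PDAs, game machines, contact or non-contact IC chips, contact or non-contact IC cards, and various information appliances. PHS is an abbreviation for Personal Handy-phone System. PDA is an abbreviation for Personal Digital Assistant.
As described above, according to each embodiment of the present disclosure, the information processing apparatuses 100 and 200 and the authentication apparatus 300 are provided, which use the public key authentication scheme to implement a user authentication mechanism that is safer and simpler than existing technology. Each embodiment of the present disclosure can ensure strong security by executing authentication processing based on the public key authentication scheme between the information processing apparatuses 100 and 200 and the authentication apparatus 300.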
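(1)
An information processing apparatus comprising:
a memory that holds a first secret key corresponding to a first public key; and
a processor that requests a first device, which holds public keys corresponding to secret keys, to change the usage state of a second public key registered in the first device by a second device, by authentication using the first public key associated with the second public key and the first secret key.
(2)
The information processing apparatus according to (1), wherein the processor receives, from the second device, the second public key and signature information generated using a second secret key corresponding to the second public key, and associates the first public key with the second public key.
(3)
The information processing apparatus according to (2), wherein the processor transmits the second public key and the signature information to the first device when requesting the change of the usage state of the second public key.
(4)
The information processing apparatus according to any one of (1) to (3), wherein the processor causes a display unit to display an interface for letting a user select the second public key whose usage state is to be changed.
(5)
The information processing apparatus according to any one of (1) to (4), wherein the processor makes a request to the first device to change the usage state of the second public key from the usable state to the unusable state.
(6)
The information processing apparatus according to any one of (1) to (4), wherein the processor makes a request to the first device to change the usage state of the second public key from the unusable state to the usable state.
(7)
An information processing apparatus comprising:
a memory that holds at least the public keys out of the sets of a secret key and a public key generated by a first device and a second device; and
a processor that associates a second public key generated by the second device with a first public key generated by the first device, causes the memory to hold them, and changes the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.
(8)
The information processing apparatus according to (7), wherein the processor associates the second public key with the first public key by receiving the second public key after authenticating the first device with the first public key.
(9)
The information processing apparatus according to (8), wherein, after receiving the second public key, the processor authenticates the first device again with the first public key.
(10)
The information processing apparatus according to any one of (7) to (9), wherein, upon receiving from the first device a request for changing the usage state of the second public key, the processor authenticates the first device with the first public key and then changes the usage state of the second public key.
(11)
The information processing apparatus according to any one of (7) to (10), wherein, in response to receiving a request to change the usage state of the second public key from the usable state to the unusable state, the processor changes the usage state of the second public key from the usable state to the unusable state.
(12)
The information processing apparatus according to any one of (7) to (11), wherein, in response to receiving a request to change the usage state of the second public key from the unusable state to the usable state, the processor changes the usage state of the second public key from the unusable state to the usable state.
(13)
An information processing method comprising:
a step of holding a first secret key corresponding to a first public key; and
a step of requesting a first device, which holds public keys corresponding to secret keys, to change the usage state of a second public key registered in the first device by a second device, by authentication using the first public key associated with the second public key and the first secret key.
(14)
An information processing method comprising:
a step of holding at least the public keys out of the sets of a secret key and a public key generated by a first device and a second device;
a step of associating a second public key generated by the second device with a first public key generated by the first device and holding them; and
a step of changing the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.
(15)
A computer program causing a computer to execute:
a step of holding a first secret key corresponding to a first public key; and
a step of requesting a first device, which holds public keys corresponding to secret keys, to change the usage state of a second public key registered in the first device by a second device, by authentication using the first public key associated with the second public key and the first secret key.
(16)
A computer program causing a computer to execute:
a step of holding at least the public keys out of the sets of a secret key and a public key generated by a first device and a second device;
a step of associating a second public key generated by the second device with a first public key generated by the first device and holding them; and
a step of changing the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.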
100, 200 Information processing apparatus
300 Authentication apparatus
Claims (16)
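- An information processing apparatus comprising: a memory that holds a first secret key corresponding to a first public key; and a processor that requests a first device, which holds public keys corresponding to secret keys, to change the usage state of a second public key registered in the first device by a second device, by authentication using the first public key associated with the second public key and the first secret key.
- The information processing apparatus according to claim 1, wherein the processor receives, from the second device, the second public key and signature information generated using a second secret key corresponding to the second public key, and associates the first public key with the second public key.
- The information processing apparatus according to claim 2, wherein the processor transmits the second public key and the signature information to the first device when requesting the change of the usage state of the second public key.
- The information processing apparatus according to claim 1, wherein the processor causes a display unit to display an interface for letting a user select the second public key whose usage state is to be changed.
- The information processing apparatus according to claim 1, wherein the processor makes a request to the first device to change the usage state of the second public key from the usable state to the unusable state.
- The information processing apparatus according to claim 1, wherein the processor makes a request to the first device to change the usage state of the second public key from the unusable state to the usable state.
- An information processing apparatus comprising: a memory that holds at least the public keys out of the sets of a secret key and a public key generated by a first device and a second device; and a processor that associates a second public key generated by the second device with a first public key generated by the first device, causes the memory to hold them, and changes the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.
- The information processing apparatus according to claim 7, wherein the processor associates the second public key with the first public key by receiving the second public key after authenticating the first device with the first public key.
- The information processing apparatus according to claim 8, wherein, after receiving the second public key, the processor authenticates the first device again with the first public key.
- The information processing apparatus according to claim 7, wherein, upon receiving from the first device a request for changing the usage state of the second public key, the processor authenticates the first device with the first public key and then changes the usage state of the second public key.
- The information processing apparatus according to claim 7, wherein, in response to receiving a request to change the usage state of the second public key from the usable state to the unusable state, the processor changes the usage state of the second public key from the usable state to the unusable state.
- The information processing apparatus according to claim 7, wherein, in response to receiving a request to change the usage state of the second public key from the unusable state to the usable state, the processor changes the usage state of the second public key from the unusable state to the usable state.
- An information processing method comprising: holding a first secret key corresponding to a first public key; and requesting a first device, which holds public keys corresponding to secret keys, to change the usage state of a second public key registered in the first device by a second device, by authentication using the first public key associated with the second public key and the first secret key.
- An information processing method comprising: holding at least the public keys out of the sets of a secret key and a public key generated by a first device and a second device; associating a second public key generated by the second device with a first public key generated by the first device and holding them; and changing the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.
- A computer program causing a computer to execute: holding a first secret key corresponding to a first public key; and requesting a first device, which holds public keys corresponding to secret keys, to change the usage state of a second public key registered in the first device by a second device, by authentication using the first public key associated with the second public key and the first secret key.
- A computer program causing a computer to execute: holding at least the public keys out of the sets of a secret key and a public key generated by a first device and a second device; associating a second public key generated by the second device with a first public key generated by the first device and holding them; and changing the usage state of the second public key in response to a request from the first device for changing the usage state of the second public key.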
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/021,177 US10587607B2 (en) | 2013-09-19 | 2014-09-11 | Information processing apparatus and information processing method for public key scheme based user authentication |
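JP2015537886A JP6439695B2 (ja) | 2013-09-19 | 2014-09-11 | Information processing apparatus, information processing method, and computer program |
CN201480050319.3A CN105531962A (zh) | 2013-09-19 | 2014-09-11 | Information processing apparatus, information processing method, and computer program |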
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2013193995 | 2013-09-19 | ||
JP2013-193995 | 2013-09-19 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015041139A1 true WO2015041139A1 (ja) | 2015-03-26 |
Family
ID=52688790
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/074095 WO2015041139A1 (ja) | 2013-09-19 | 2014-09-11 | Information processing apparatus, information processing method, and computer program |
Country Status (4)
Country | Link |
---|---|
US (1) | US10587607B2 (ja) |
JP (1) | JP6439695B2 (ja) |
CN (1) | CN105531962A (ja) |
WO (1) | WO2015041139A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019176060A1 (ja) * | 2018-03-15 | 2019-09-19 | Necディスプレイソリューションズ株式会社 | Display device, control method, and program |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6918576B2 (ja) * | 2017-05-24 | 2021-08-11 | キヤノン株式会社 | System, information processing apparatus, method, and program |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001290912A (ja) * | 2000-04-06 | 2001-10-19 | Ntt Data Corp | Electronic delegation method, electronic letter-of-attorney system, and program recording medium therefor |
WO2006018874A1 (ja) * | 2004-08-19 | 2006-02-23 | Mitsubishi Denki Kabushiki Kaisha | Management service device, backup service device, communication terminal device, and storage medium |
US20060150241A1 (en) * | 2004-12-30 | 2006-07-06 | Samsung Electronics Co., Ltd. | Method and system for public key authentication of a device in home network |
JP2007166538A (ja) * | 2005-12-16 | 2007-06-28 | Canon Inc | Communication apparatus, control method therefor, and communication system |
JP2008042469A (ja) * | 2006-08-04 | 2008-02-21 | Canon Inc | Communication encryption processing apparatus |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001320356A (ja) * | 2000-02-29 | 2001-11-16 | Sony Corp | Data communication system using public key cryptography and method for constructing a data communication system |
JP2002237812A (ja) * | 2001-02-08 | 2002-08-23 | Sega Corp | Confidential data communication method |
JP2002245427A (ja) * | 2001-02-20 | 2002-08-30 | Toshiba Corp | IC card, IC card terminal device, and IC card duplication method |
JP2003085143A (ja) | 2001-09-11 | 2003-03-20 | Sony Corp | Password management system, password management method, information processing apparatus, and computer program |
JP2004206435A (ja) * | 2002-12-25 | 2004-07-22 | Victor Co Of Japan Ltd | License management method and license management system |
US20060015716A1 (en) * | 2003-08-15 | 2006-01-19 | Imcentric, Inc. | Program product for maintaining certificate on client network devices1 |
US7673046B2 (en) * | 2003-11-14 | 2010-03-02 | Microsoft Corporation | Trusted network transfer of content using off network input code |
US20060075222A1 (en) * | 2004-10-06 | 2006-04-06 | Seamus Moloney | System for personal group management based on subscriber certificates |
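JP4652842B2 (ja) * | 2005-02-21 | 2011-03-16 | 株式会社エヌ・ティ・ティ・ドコモ | IC card |
JP5034227B2 (ja) * | 2005-11-29 | 2012-09-26 | ソニー株式会社 | Information processing apparatus, information recording medium manufacturing apparatus, information recording medium, method, and computer program |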
US20080052539A1 (en) * | 2006-07-29 | 2008-02-28 | Macmillan David M | Inline storage protection and key devices |
US20080123842A1 (en) * | 2006-11-03 | 2008-05-29 | Nokia Corporation | Association of a cryptographic public key with data and verification thereof |
US20100217975A1 (en) * | 2009-02-25 | 2010-08-26 | Garret Grajek | Method and system for secure online transactions with message-level validation |
US20100269179A1 (en) * | 2009-04-16 | 2010-10-21 | Comcast Cable Communications, Llc | Security Client Translation System and Method |
US8649519B2 (en) * | 2009-09-04 | 2014-02-11 | Rgb Systems, Inc. | Method and apparatus for secure distribution of digital content |
CN102196422B (zh) * | 2010-03-11 | 2015-07-08 | 北京明朝万达科技有限公司 | Method for preventing file leakage after loss of a handheld communication terminal |
2014
- 2014-09-11 WO PCT/JP2014/074095 patent/WO2015041139A1/ja active Application Filing
- 2014-09-11 CN CN201480050319.3A patent/CN105531962A/zh active Pending
- 2014-09-11 JP JP2015537886A patent/JP6439695B2/ja active Active
- 2014-09-11 US US15/021,177 patent/US10587607B2/en not_active Expired - Fee Related
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019176060A1 (ja) * | 2018-03-15 | 2019-09-19 | Necディスプレイソリューションズ株式会社 | Display device, control method, and program |
US11546152B2 (en) | 2018-03-15 | 2023-01-03 | Sharp Nec Display Solutions, Ltd. | Display device, control method and program |
Also Published As
Publication number | Publication date |
---|---|
US10587607B2 (en) | 2020-03-10 |
JP6439695B2 (ja) | 2018-12-19 |
CN105531962A (zh) | 2016-04-27 |
JPWO2015041139A1 (ja) | 2017-03-02 |
US20160226856A1 (en) | 2016-08-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11711219B1 (en) | PKI-based user authentication for web services using blockchain | |
US10972290B2 (en) | User authentication with self-signed certificate and identity verification | |
US11621855B2 (en) | Electronic device and method for managing blockchain address using the same | |
US10050787B1 (en) | Authentication objects with attestation | |
US9652604B1 (en) | Authentication objects with delegation | |
EP3061027B1 (en) | Verifying the security of a remote server | |
EP3864551B1 (en) | Distributed ledger-based profile verification | |
CN110892672A (zh) | Key attestation statement generation providing device anonymity | |
US10049202B1 (en) | Strong authentication using authentication objects | |
US10270757B2 (en) | Managing exchanges of sensitive data | |
US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
US10609070B1 (en) | Device based user authentication | |
WO2015019572A1 (en) | Information processing, apparatus, information processing method and computer program for displaying information corresponding to cryptographic keys | |
WO2015019821A1 (ja) | Information processing apparatus, information processing method, and computer program | |
US11223489B1 (en) | Advanced security control implementation of proxied cryptographic keys | |
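CN102045335A (zh) | Terminal device, signature generation server, simple identification management ***, method, and program | |
CN107104938B (zh) | Method for establishing a secure data exchange channel, client, and computer-readable medium | |
JP6439695B2 (ja) | Information processing apparatus, information processing method, and computer program | |
JP6320943B2 (ja) | Key sharing device, key sharing system, key sharing method, and program | |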
US10382430B2 (en) | User information management system; user information management method; program, and recording medium on which it is recorded, for management server; program, and recording medium on which it is recorded, for user terminal; and program, and recording medium on which it is recorded, for service server | |
WO2023025369A1 (en) | Client application entity, target application entity, root of trust device, and methods for establishing a secure communication channel |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 201480050319.3 Country of ref document: CN |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14846478 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2015537886 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15021177 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 14846478 Country of ref document: EP Kind code of ref document: A1 |