JP2001209313A - Certificate issuing device, information processing device, information communication system, attribute certifying method, and storage medium - Google Patents

Abstract

(57) [Summary] [Problem] To provide an information communication system in which attribute information can be disclosed fairly among a plurality of users so that each user can communicate with peace of mind. . SOLUTION: In a certificate issuing device 102, a public key storage means 201 stores a public key of a target user, and a secret key storage means 202 stores a secret key corresponding to the public key. The attribute information disclosure unit 203 discloses an attribute identifier corresponding to the attribute information of the target user. The user value generation unit 204 generates a value unique to the target user. The certificate issuing unit 205 issues a certificate including secret information based on the secret key, the unique value of the target user, and the attribute identifier to the target user.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention is used, for example, in an apparatus or a system for issuing a certificate including attribute information for representing a user in a network system.
In particular, a computer reads out a certificate issuing device, an information processing device, an information communication system, an attribute certifying method, and a processing step for executing the same for the purpose of fairly releasing attribute information among a plurality of users. The present invention relates to a storage medium that stores data in a possible manner.

[0002]

2. Description of the Related Art Conventionally, in communication between a client (user) and a server in a network system, in order for a user to access server resources, user authentication of the user is required. As this user authentication, for example, the X.X. Public key certificates such as 509 are often used.

[0003] The public key certificate is information that guarantees the association between the public key and the user, and is signed by a trusted third party called a certificate authority in the system. .

[0004] Further, the public key certificate contains attribute information for representing a user, and this attribute information is often used as authorization information or authority information. One example of this is SSL (Se) implemented in many browsers.
There is a WWW (World Wide Web) server that performs user authentication using a cure sockets layer.

[0005] The WWW server confirms whether or not the user has a private key corresponding to the public key included in the public key certificate presented by the accessing user, thereby authenticating the user. I do. Also, the WWW server
The access of the user is controlled based on attribute information (information including information such as the user's name and affiliation) included in the public key certificate presented by the user.

On the other hand, a means called an attribute certificate has been proposed for separating and managing attribute information included in the public key certificate.

[0007] The attribute certificate is information for guaranteeing the association between the public key or the public key certificate and the attribute information for representing the user. Like the public key certificate, the attribute certificate is a trusted key in the system. Signed by three parties.

[0008] In creating the public key certificate and the attribute certificate as described above, when a trusted third party in the system applies a signature (electronic signature), a public key cryptosystem such as RSA is used. Used.

Here, for example, X. "Attribute Certificate" proposed in 509
(Hereinafter also referred to as “X.509 attribute certificate”) is one of the attribute certificates. Although the format is very similar to the public key certificate of X.509 (hereinafter also referred to as “X.509 public key certificate”), the public key information is not included. That is, X. Unlike the public key certificate, the 509 attribute certificate does not include public key information, and thus cannot be used alone for authentication. Therefore, X. 509 attribute certificate is X.509. 509
Combined use with a public key certificate is required.

As described above, an attribute certificate which cannot be authenticated alone because it does not include public key information is a NetBill system (http: // www-
netbll. com) and the like.

On the other hand, there is an attribute certificate that includes key information and can be authenticated alone. An example of this is SPKl (Simple Public Key I).
nfrastructure, http: // www.
clark. net / pub / cme / html / sp
ki. html).

[0012]

However, the conventional authentication using the public key certificate and the attribute certificate as described above has the following problems.

First, all attribute information included in a public key certificate and an attribute certificate is considered privacy information.
There is a requirement that it be disclosed only to trusted entities. In addition, the determination as to whether or not to publish its own attribute information is left to the user.

For example, in a wide area distributed network such as the Internet, it is recommended to pay attention when publishing one's own name which is privacy information. May be required. In this case, the user specifies the name to the communication partner. At this time, if the communication partner also specifies the name, there is a policy that the user may permit disclosure of his / her name. In the case of exchanging names between two parties having such a policy, there is no problem if both parties are valid users, but there is also a possibility that an unauthorized user who does not present himself even if his / her name is presented. Therefore, a mechanism for fairly distributing attribute information (here, “name”) is required.

[0015] However, conventional public key certificates and attribute certificates include attribute information such as names, and this certificate is necessary for the other party to authenticate their own attribute information. Therefore, it is conceivable that the attribute information in the certificate is carried away by the other party, and a dilemma occurs when attempting to authenticate the attribute information in both directions.

For example, when performing mutual authentication between a server and a client (user) in communication using SSL implemented in many browsers, first, the server sends a certificate of the server itself to the client. Even if the client is not an authorized user, the user can easily obtain a server certificate, that is, a certificate including server attribute information. this is,
This is very problematic in terms of protecting privacy information.

Accordingly, the present invention has been made to eliminate the above-mentioned drawbacks, and is configured so that attribute information can be disclosed fairly among a plurality of users so that each user can communicate with peace of mind. Can, certificate issuing device,
It is an object of the present invention to provide an information processing apparatus, an information communication system, an attribute certifying method, and a storage medium in which a computer readablely stores processing steps for executing the method.

[0018]

For such a purpose,
A first invention is a certificate issuing device that issues a certificate including attribute information indicating a target user to a target user, and a public key storage unit that stores a public key of the target user;
Secret key storage means for storing a secret key corresponding to the public key stored in the public key storage means, attribute information disclosure means for publishing an attribute identifier corresponding to the attribute information of the target user,
A user value generation means for generating a unique value of the target user;
A certificate containing secret information based on the secret key stored in the secret key storage means, the unique value of the target user generated by the user value generation means, and the attribute identifier published by the attribute information disclosure means. And a certificate issuing means for issuing to a target user.

According to a second aspect, in the first aspect,
The certificate issuing means performs an operation using the unique value of the target user and the secret key on the attribute discriminator, thereby generating information that can be generated only when the user owns the secret key. The secret information is generated as the secret information.

According to a third aspect, in the first aspect,
The public key storage means stores a public key (n, e) of the public key cryptosystem RSA, the secret key storage means stores a secret key d corresponding to the public key (n, e), The attribute information publishing means publishes an attribute identifier c corresponding to the attribute information of the target user, and the user value generating means outputs the unique information a of the target user having the secret information a of the target user.
証明書 e is generated, and the certificate issuing means obtains secret information b = (a ＾ ec) ＾ d from the attribute discriminator c and the unique information a 情報 e of the target user, and obtains the secret information. Attribute certificate (a, b: c) based on the information b and the secret information a,
It is issued to target users.

According to a fourth aspect, in the first aspect,
The public key storage means stores a public key (n, e) of a public key cryptosystem RSA, and the secret key storage means stores a secret key d corresponding to the public key (n, e). The attribute information publishing means publishes an attribute identifier c corresponding to the attribute information of the target user, the user value generating means generates arbitrary information U unique to the target user, and the certificate issuing means From the discriminator c and the unique information U of the target user, b = (U−c) ＾ d is obtained, and an attribute certificate (U, b: c) using the information b as secret information of the target user is obtained as follows: It is issued to target users.

According to a fifth aspect, in the first aspect,
The user value generation means generates information having a relation with a public key certificate of a target user as information unique to the target user.

According to a sixth aspect, in the first aspect,
It is characterized by comprising a certificate destroying means for destroying a certificate issued to a target user by the certificate issuing means, and a business closing information storage means for storing revocation information in the certificate destroying means.

According to a seventh aspect, in the sixth aspect,
The information stored in the business closing information storage means can be referred to from outside.

According to an eighth aspect based on the first aspect,
The attribute information publishing means holds information indicating the relationship between the attribute information and the attribute identifier as information signed by a secret key stored in the secret key storage means.

According to a ninth aspect, in the first aspect,
The certificate issuing means distributes random information to a target user, and updates the attribute identifier based on the random information.

In a tenth aspect based on the first aspect, the certificate issuing means issues a certificate based on the random information to a target user.

An eleventh invention is characterized in that, in the first invention, the target user and another user are provided with transmission log holding means for holding transmission log information in a communication for publishing their own attribute information with each other. And

[0029] In a twelfth aspect based on the first aspect, the public key storage means satisfies n '* L <n with respect to the maximum number L of the number of issued certificates for the attribute identifier. A public key e 'corresponding to' * q '(p', q ': prime number) is stored, and the secret key storage means stores the public key e'
The attribute information publishing means publishes a public key (n ', e') corresponding to the attribute identifier, and the user value generation means stores a multiple of the information d ' It is characterized by user-specific information.

A thirteenth invention is an information processing device connectable to a plurality of terminal devices on the user side via a network, and has the function of the certificate issuing device according to any one of claims 1 to 12. It is characterized by the following.

According to a fourteenth aspect, there is provided a user-side information processing apparatus connectable via a network to a certificate issuing organization having the function of the certificate issuing apparatus according to any one of claims 1 to 12. Means for generating public information for confidential information included in the certificate issued by the certificate issuing authority; means for publishing the attribute discriminator included in the certificate to a verifier; Means to publish to
By releasing information based on the above confidential information to the verifier,
Means for proving to a verifier that the secret information corresponding to the public information is held.

According to a fifteenth aspect, there is provided a user-side information processing apparatus connectable via a network to a certificate issuing organization having the function of the certificate issuing apparatus according to any one of claims 1 to 12, Information a @ e and c obtained from certificates (a, b: c) issued by the above certificate issuing organization
From the random information a_1 and b_1 and a = a_1 * a_2 and b = b_1 * b from the means for disclosing the certificate (a, b: c) to another verifier who verifies the certificate (a, b: c).
_2 that satisfies the expression _2, and obtains information a_1 @ e, a_2 @ e, and b_ obtained from the result.
1 @ e, b_2 @ e means to be disclosed to the verifier, and information a_1 @ e, a_2 @ e, b_1 @ e, b_
2 ＾ e is a = a_1 * a_2 and b = b_1 * b_2
Information a_ based on the result of checking whether or not
A means for disclosing information randomly selected and transmitted from 1, b_1, a_2, and b_2.

According to a sixteenth aspect, in the fifteenth aspect, the certificate (a,
b: c), and information a_ which is disclosed by a prover who is another user who certifies the certificate (a, b: c).
1 ＾ e, a_2 ＾ e, b_1 ＾ e, b_2 ＾ e, a =
means for confirming whether or not the expressions a_1 * a_2 and b = b_1 * b_2 are satisfied; and
Means for randomly selecting any of the information a_1, b_1, a_2, and b_2 and transmitting the selected information to the prover.

According to a seventeenth aspect, there is provided a user-side information processing apparatus connectable via a network to a certificate issuing organization having the function of the certificate issuing apparatus according to any one of claims 1 to 12. The information U and c obtained by the certificate (U, b: c) issued by the certificate issuing organization are disclosed to a verifier who is another user who verifies the certificate (U, b: c). From means and random information b_1, b
= B_1 * b_2, the information b_2 that satisfies the formula:
A means for publishing the information b_1 @ e and b_2 @ e obtained from the result to the verifier, and the information b_1 @ e from the verifier
And means for disclosing information randomly selected and transmitted from the information b_1 and b_2 based on a result of checking whether or not b_2 ＾ e satisfies the expression b = b_1 * b_2. And

According to an eighteenth aspect based on the seventeenth aspect, the certificate (U,
b: c), and information b_ published by a prover who is another user who certifies the certificate (U, b: c).
Means for confirming whether 1 ＾ e and b_2 ＾ e satisfy the equation of b = b_1 * b_2, and, based on the result of the confirmation, randomly selecting any of the information b_1 and b_2 Means for transmitting to the prover.

In a nineteenth aspect based on the fifteenth or seventeenth aspect, the certificate (a, b: c) or the certificate (U, b: c) is randomized by the certificate issuing organization. Including a certificate generated based on the information r, a means for exchanging the random information r with a prover is provided.

According to a twentieth aspect, in the fifteenth or seventeenth aspect, there is provided means for presenting transmission log information for communication with the prover to the certificate issuing organization.

According to a twenty-first aspect, in the fifteenth aspect, when two certificates (a, b_1: c_1) and (a, b_2: c_2) issued by the certificate issuing organization are held, It is characterized by comprising means for disclosing two attribute identifiers c_1 and c_2 to a verifier using certificates (b_1, b_2: c_2-c_1) obtained from these certificates.

According to a twenty-second invention, in the seventeenth invention, when two certificates (U, b_1: c_1) and (U, b_2: c_2) issued by the certificate issuing organization are held, It is characterized by comprising means for disclosing two attribute identifiers c_1 and c_2 to a verifier using certificates (b_1, b_2: c_2-c_1) obtained from these certificates.

A twenty-third aspect of the present invention is an information processing apparatus having a function of disclosing attribute information indicating itself by communicating with an information processing apparatus on another user side. For a matrix describing whether the information is public or private, and an attribute identifier i indicating public attribute information indicated by the matrix,
Means for generating random information r_x (i), and encrypting the random information r_x (i) using an encryption key Pub_c unique to the attribute identifier c, which can be decrypted only by members having the same attribute identifier c. And the information E_ {Pub_i} (r_x
(I)) based on the information (i, E_ {Pub_i} (r_
x (i))) to another information processing apparatus on the user side, and an attribute identifier j transmitted from the information processing apparatus on the other user side and indicating public attribute information for the user.
The random information r_y (j) generated with respect to the information E_ ｛P encrypted by the encryption key Pub_c.
ub_jＥ (r_y (j))-based information (j, E_
Means for receiving {Pub_j} (r_y (j)));
The above information (j, E_ {Pub_j}) from another user
(R_y (j))), information r_x (i) *
means for verifying whether or not r_x (j) is held.

A twenty-fourth invention is an information communication system in which a plurality of devices are communicably connected to each other.
A function of the certificate issuing device according to any one of claims 12 to 12, or a function of the information processing device according to any one of claims 13 to 23.

A twenty-fifth aspect of the present invention is an information communication system in which a plurality of devices are communicably connected to each other via a network, wherein the plurality of devices transmit attribute information in order to release attribute information of a user. A device having an attribute certificate issuing function for issuing an attribute certificate for guaranteeing the above, and a device having an attribute certification function for publishing user attribute information using the attribute certificate.

In a twenty-sixth aspect based on the twenty-fifth aspect, the apparatus having the attribute certificate issuing function is the first aspect.
It has the function of the certificate issuing device according to any one of (1) to (12).

In a twenty-seventh aspect based on the twenty-fifth aspect, the apparatus having the attribute certifying function is characterized in that:
3. The information processing apparatus according to any one of 3.

A fourth invention is an attribute certifying method including a certificate issuing step for issuing, to a target user, an attribute certificate for linking attribute information indicating the target user, wherein the certificate issuing step is public. A public key storing step of storing a public key of a key cryptosystem, a secret key storing step of storing a secret key corresponding to the public key, and an attribute for publishing an attribute identifier which is a value corresponding to attribute information indicating a target user An information disclosure step, a user value generation step of generating a unique value of the target user, and an operation using the secret key from the unique value of the target user for the attribute classifier characterizing the attribute information In this manner, an attribute certificate issuance step of generating secret information that can be generated only when the user owns the secret key and issuing an attribute certificate including the secret information to the target user. It is characterized by including.

A twenty-ninth aspect of the present invention is an attribute certification method including a certificate issuing step of issuing an attribute certificate for associating attribute information indicating a target user with a target user,
The certificate issuing step includes a public key storing step of storing a public key (n, e) of a public key cryptosystem RSA, and a secret key storing step of storing a secret key d corresponding to the public key (n, e). An attribute information publishing step of publishing an attribute identifier c that is a value corresponding to attribute information indicating the target user; a user value generating step of generating unique values a and a 及 び e of the target user; For the attribute identifier c that characterizes the target user, b = (a
＾ e-1) ＾ d is calculated, and an attribute certificate issuance step of issuing an attribute certificate (a, b: c) using the values a and b as secret information of the target user to the target user is provided. And

A thirtieth invention is an attribute certifying method including a certificate issuing step of issuing an attribute certificate for linking attribute information indicating a target user to a target user,
The certificate issuing step includes a public key storing step of storing a public key (n, e) of a public key cryptosystem RSA, and a secret key storing step of storing a secret key d corresponding to the public key (n, e). An attribute information publishing step of publishing an attribute identifier c which is a value corresponding to attribute information indicating a target user; a user value generating step of generating a unique value U of the target user; and an attribute characterizing the attribute measure From the unique value U of the target user for the identifier c, b = (U−c) ＾ d
And issuing an attribute certificate (U, b: c) having the value b as secret information of the target user to the target user.

According to a thirty-first aspect, in any one of the twenty-eighth to thirty-second aspects, the unique value of the target user includes a value associated with the public key certificate of the target user.

[0049] In a thirty-second aspect based on any one of the twenty-eighth to thirty-second aspects, the certificate issuance step is an attribute certificate destruction step of destroying the attribute certificate issued in the attribute certificate issuance step. And an attribute certificate revocation list storing step for always retaining the revocation information in the attribute certificate revocation step in the latest state.

According to a thirty-third aspect, in the thirty-second aspect, the discard information in the attribute certificate discard list storing step can be used by any user to confirm whether or not any attribute certificate is valid. It is characterized by.

In a thirty-fourth aspect based on any one of the twenty-eighth to thirty-fourth aspects, the attribute information disclosure step includes the step of using the secret key to represent the relationship between the attribute information and the attribute identifier. And storing the information as signed information.

In a thirty-fifth aspect based on any one of the twenty-eighth to thirty-fifth aspects, a certifying step of certifying the attribute information to a verifier using the attribute certificate issued in the certificate issuing step. Generating public information for the secret information included in the attribute certificate, publishing the attribute identifier and the public information included in the attribute certificate to the verifier, Publishing the information obtained by the used operation to the verifier, thereby certifying to the verifier that the secret information corresponding to the public information is held.

According to a thirty-sixth aspect, in the twenty-ninth aspect, the certifier who is the user who has received the attribute certificate (a, b: c) issued in the certificate issuing step,
When certifying the attribute information to a verifier, a first step in which the prover publishes values a @ e and c to the verifier, and the prover randomly selects a value a_1
And b_1, a = a_1 * a_2 and b = b_1
* Calculate values a_2 and b_2 that satisfy the expression b_2, and calculate the values a_1 @ e, a_2 @ e, b_1 @ e, and b_
A second step of disclosing 2 @ e to the verifier, and the verifier verifies the values a_1 @ e, a_
2 ＾ e, b_1 ＾ e, and b_2 ＾ e are a = a_1 *
a third step of checking whether or not the expressions a_2 and b = b_1 * b_2 are satisfied; and the verifier checks (1) a_
1, b_1 (2) a_1, b_2 (3) a_2, b_1
(4) a fourth step of randomly selecting a_2 and b_2 and transmitting them to the prover, and the prover sends any of the values (1) to (4) transmitted from the verifier A fifth step to be disclosed, and the second step to the fifth step
The method is characterized by including a step of certifying the retention of the attribute associated with the value c while keeping the values a and b secret by repeatedly executing the steps.

According to a thirty-seventh aspect, in the thirtieth aspect, the certifier who is the user who has received the attribute certificate (U, b: c) issued in the certificate issuing step,
When certifying the attribute information to the verifier, the certifier first discloses the values U and c to the verifier, and the certifier randomly selects the value b_1. , B = b_1 * b_2.
And the second step of disclosing the values b_1 @ e and b_2 @ e to the verifier, and the verifier verifies that the values b_1 @ e and b_2 @ e disclosed by the prover are b = b_
A third step of checking whether the expression 1 * b_2 is satisfied, and a fourth step in which the verifier randomly selects (1) b_1 (2) b_2 and transmits it to the prover;
The prover repeatedly executes the fifth step of disclosing any one of the values (1) and (2) transmitted from the verifier, and the second step to the fifth step, Proving the retention of the attribute associated with the value c while keeping the value b secret.

In a thirty-eighth aspect based on the twenty-ninth aspect, the certificate issuance step includes at least the destruction of the attribute certificate (a, b: c) issued in the attribute certificate issuance step. Generating a random value r when updating the attribute discriminator c and distributing the value r only to authorized users;
To an attribute identifier c * r @ e.

In a thirty-ninth aspect based on the thirty-eighth aspect, the attribute certificate issuing step comprises the step of:
Attribute certificate based on * r ＾ e (a * r, b * r: c * r
(E) is issued to the target user, and the attribute certificate (a) issued in the attribute certificate issuing step is issued.
* R, b * r: c * r @ e) replaces the attribute certificate (a, b: c) with the attribute certificate (a *
r, b * r: c * r ＾ e), and includes a step of performing attribute proof.

According to a fortieth aspect, in the thirty-eighth aspect, the attribute certifying method for fairly certifying the attribute between the user X and the user Y using the attribute certificate held by each other, An encryption key Pub_c unique to the attribute identifier c, which can be decrypted only by members having the same attribute identifier c.
And a first step of holding a policy matrix describing public and private policies for each attribute, and a random value r_x (i ) And its value r
_X (i) is encrypted with an encryption key Pub_c.
{Pub_i} (r_x (i)) is calculated, and (i, E_ {Pub_i} (r_x
(I))) generating a random value r_y (j) for an attribute discriminator j corresponding to an attribute that may be disclosed, Value r
_Y (j) value E_ ｛P encrypted with encryption key Pub_c
a third step of calculating ub_j (r_y (j)) and transmitting (j, E_ {Pub_j} (r_y (j))) obtained as a result of the calculation to the user X; For all of the attribute sets (i, j) that may be performed, the user X and the user Y are mutually assigned r_
verifying whether or not x (i) * r_y (j) is held by using a stepwise secret exchange protocol.

In a forty-first aspect based on any one of the twenty-eighth to thirty-ninth aspects, the certificate issuance step further comprises: n ′ * L for the maximum number L of attribute certificates issued for an arbitrary attribute identifier. N = p '* q' (p ', satisfying n
q ′: prime number), a corresponding public key e ′ and a secret key d ′, and a step of publishing a public key (n ′, e ′) for the attribute identifier by the attribute information publishing step. Selecting a multiple of the information d 'as a unique value of the target user.

According to a forty-second aspect, in the forty-first aspect, the certificate issuing step includes a step of holding an encryption key unique to the attribute identifier.

In a forty-third aspect based on the twenty-ninth aspect, in the certificate issuance step, a random value r is generated, and based on the value r, the attribute certificate (a, b:
c) instead of the attribute certificate (a, b * r: c + (1-r)
ス テ ッ プ e) * b ＾ e) is issued to the target user, and the attribute certificate (a, b * r: c + (1-r ＾ e)) is included.
* B @ e), the user performs attribute proof using the above-mentioned attribute certificate (a, b * r: c + (1-r @ e) * b @ e), and then converts the value r into: The method includes a step of performing attribute proof by anonymizing the attribute identifier c by mutually exchanging with the user of the proof destination by the stepwise secret exchange protocol.

In a forty-fourth aspect based on the thirty-fifth aspect, the certificate issuing step generates a random value r and, based on the value r, the attribute certificate (U, b:
c) instead of the attribute certificate (U, b * r: c + (1-r)
ス テ ッ プ e) * b ＾ e) is issued to the target user, and the attribute certificate (U, b * r: c + (1-r ＾ e))
* B @ e), the user performs attribute proof using the attribute certificate (U, b * r: c + (1-r @ e) * b @ e), and then sets the value r to: The method includes a step of performing attribute proof by anonymizing the attribute identifier c by mutually exchanging with the user of the proof destination by the stepwise secret exchange protocol.

In a forty-fifth aspect based on the forty-third or forty-fourth aspect, the value r, which the user has previously committed in the stepwise secret exchange protocol, is set to the public health of the organization that issues the attribute certificate. By presenting the transmission log at the moment when the attribute certificate is issued, during the information exchange by the stepwise secret exchange protocol, the stepwise secret exchange The method is characterized in that the method includes a step of maintaining the fairness of the attribute proof even when the protocol is interrupted.

According to a forty-sixth aspect, in the twenty-ninth aspect, the target user has two attribute certificates (a, b_1: c_l) and (a, b_
2: c_2), attribute certificates (b_1, b_2: c_2-c_) obtained from those attribute certificates.
The method includes a step of performing attribute proof for two attribute identifiers c_1 and c_2 using 1).

According to a forty-seventh aspect based on the thirty-fifth aspect, the target user performs two attribute certificates (U, b_1: c_1) and (U, b_
2: c_2), attribute certificates (b_1, b_2: c_2-c_) obtained from those attribute certificates.
The method includes a step of performing attribute proof for two attribute identifiers c_1 and c_2 using 1).

According to a forty-eighth aspect, the function of the certificate issuing device according to any one of claims 1 to 12, or the functions of the claims 13 to 23
25. The function of the information processing apparatus according to any one of the above, or claim 24.
A computer-readable storage medium storing a processing program for implementing the functions of the information communication system according to any one of the above-described items.

According to a forty-ninth aspect of the present invention, a computer-readable storage medium stores the processing steps of the attribute certifying method according to any one of claims 28 to 47.

In each of the first to forty-ninth aspects of the invention,
For example, according to the first to fourth and twenty-eighth to thirtieth aspects of the present invention, a certificate (attribute certificate) including secret information is issued to a user so that the user can perform communication in a network system or the like. Attribute information can be disclosed.

According to each of the fifth and thirty-first aspects, the user (prover) can use the public key certificate and the attribute certificate together, and the verifier can use the attribute information of the prover and the public key certificate. Can be related.

According to each of the sixth, seventh, thirty-second, and thirty-third inventions, the destruction of the attribute certificate by the attribute certificate issuing organization can be confirmed, and any user can make any attribute certificate The validity of can be confirmed.

Further, according to the eighth and thirty-fourth aspects, the association between the attribute held by the attribute certificate issuing organization and the attribute identifier can be trusted by the signature at the attribute certificate issuing organization. . Further, it is possible to locally verify the association between an attribute and an attribute identifier without making an inquiry to an attribute certificate issuing organization.

According to the fourteenth and thirty-fifth aspects, the user holding the attribute certificate can certify the attribute information by himself.

According to each of the fifteenth, sixteenth, and thirty-sixth inventions, the user holding the attribute certificates (a, b: c) can keep the information a and b secret and associate them with the attribute identifier c. It is possible to prove the retention of the attribute information obtained.

According to each of the seventeenth, eighteenth, and thirty-seventh inventions, the user holding the attribute certificate (U, b: c) can associate the attribute b with the attribute identifier c while keeping the information b secret. It is possible to prove the retention of attribute information.

According to each of the ninth, tenth, thirty-eighth, and thirty-ninth aspects, when an attribute identifier needs to be updated for the purpose of, for example, destroying a user's attribute certificate, the attribute can be efficiently updated. An update of the identifier can be performed.

In addition, the eleventh, twelfth, twentieth, twenty-third, and fourth
According to each of the inventions 0 to 42 and 45, the two parties can fairly prove each other's attribute information.

According to each of the nineteenth, forty-third, and forty-fourth aspects, the attribute information can be certified by making the attribute identifier anonymous.

The above-mentioned twenty-first, twenty-second, twenty-sixth, forty-sixth, and forty-seventh
According to the inventions described above, it is possible to certify the attribute information by making the user anonymous.

Also, according to the thirteenth aspect, the user holding the attribute certificate can certify his / her own attribute information, and can fairly disclose the attribute information to the other user. Can be built.

According to each of the twenty-fourth to twenty-seventh aspects, the user holding the attribute certificate can certify his / her own attribute information, and can fairly disclose the attribute information to the other user. An information communication system can be constructed.

According to each of the forty-eighth and forty-ninth aspects, the user holding the attribute certificate can certify his / her own attribute information, and can fairly disclose the attribute information to the other user. An apparatus or system can be constructed.

[0081]

Embodiments of the present invention will be described below with reference to the drawings.

(First Embodiment) The present invention provides, for example,
It is applied to a communication system 100 as shown in FIG. As shown in FIG. 1, the communication system 100 includes an institution-side terminal device 102 that issues a certificate and a plurality of user-side terminal devices 103, 104,.
01 are connected to each other.

Note that the certificate issued by the certificate issuing device 102 is a certificate including attribute information indicating a user such as a public key certificate and an attribute certificate. Here, as one example, Attribute certificate. Also, here, for simplicity of description, a plurality of user-side terminal devices 103, 104,
.. Among the terminal devices 103 of the user A and the terminal device 104 of the user B.

The network 101 is provided with a public key infrastructure using an arbitrary public key cryptosystem. That is, each of the users A and B and the public key certificate issuing organization (not shown) has a pair of a public key and a private key. Has issued a public key certificate.

The terminal device on the institution side that issues the attribute certificate by the attribute certificate issuing function (hereinafter referred to as “attribute certificate issuing side terminal device”) 102 is an authority different from the public key certificate issuing institution. It is provided as a device on the engine side.

The terminal device 103 of the user A and the user B
The terminal devices 104 have the same configuration, and can mutually authenticate attribute information by an attribute certification function.

Hereinafter, the communication system 100 as described above will be specifically described.

For example, as shown in FIG. 2, the attribute certificate issuing terminal device 102 includes a public key storage unit 201 for storing a public key of a public key cryptosystem, and a public key storage unit 201 stored in the public key storage unit 201. A secret key storage unit 202 for storing a secret key corresponding to the attribute information, an attribute information disclosure unit 203 for releasing an attribute identifier which is a value corresponding to the attribute information, and a unique value of a target user who issues the attribute certificate. User value generation unit 204
And an attribute certificate issuing unit 205 for issuing an attribute certificate to the target user.

Here, the attribute certificate issuing unit 205 particularly issues the attribute identifier (the user ID of the target user) generated by the user value generation unit 204 in order to issue an attribute certificate that associates attribute information with the target user. An operation using the secret key of the target user stored in the secret key storage unit 202 is performed on the value that characterizes the attribute information, that is, a value unique to the target user, thereby generating only the secret key of the target user. The secret information that cannot be generated is generated, and an attribute certificate including the secret information is issued to the target user.

For this reason, the attribute certificate issuing unit 205 selects numerical values n, p, q, d, and e as follows. That is, with p and q being sufficiently large prime numbers, n = pq is calculated, e is selected to be relatively prime to the Euler function Φ (n), and de = 1 mod (p−1) (q−1) Choose d to satisfy. Then, the attribute certificate issuing unit 205 discloses (n, e) as a public key and holds d as a secret key.

Therefore, the components 201 to 205 provided in the attribute certificate issuing terminal device 102 shown in FIG.
, The public key storage unit 201 stores the public key (n, e) of the RSA as the public key cryptography, and the secret key storage unit 202 stores the secret key d corresponding to the public key (n, e). The attribute confirmation report publishing unit 203 publishes the attribute identifier c, which is a value corresponding to the attribute information,
Generates the unique values a and a @ e of the target user, and the attribute certificate issuing unit 205 issues an attribute certificate (a, b: c) for linking the attribute information to the target user. In particular, the attribute certificate issuing unit 205 calculates b: = (a ＾ ec) ＾ d from the unique value a of the target user, and sets the values a and b as secret information of the target user. (A, b: c) is issued to the target user.

FIG. 3 shows the attribute certificate issuing terminal device 102.
Shows a procedure for issuing an attribute certificate to the user A and the user B.

For example, an attribute certificate (user A
When issuing a certificate that associates certain attribute information with the user A, the attribute certificate issuing terminal device 102 first checks whether the user A has the attribute information to be associated with the user A (step S301). ). As a confirmation method at this time, a method of confirming the attribute information of the user A in the real world by presenting the license of the user A or the like can be considered.

Next, the attribute certificate issuing terminal device 102
Publishes the attribute identifier c, which is a value corresponding to the attribute information confirmed in step S301, by the attribute information disclosure unit 203 (step S302). At this time, if the attribute information is different, a different value is prepared for the attribute identifier c.
Note that a value corresponding to the attribute information is set in the attribute identifier c. That is, if the attribute information is different, the value of the attribute identifier c is also different. In other words, a corresponding value is set to the attribute identifier c for each attribute information.

Next, the attribute certificate issuing terminal device 102
Is a unique value x (public) of the user A associated with the public key certificate of the user A (certificate issued by the public key certificate issuing organization not shown) by the user value generation unit 204. A value (generated from the key certificate) is calculated (step S303). The method of associating the value x with the public key certificate of the user A is, for example, as follows: (1) Embedding the ID of the public key certificate (ID indicating the issuer and serial number, etc.) in the lower bits of the value a @ e . (2) Calculate with a one-way function from the data of the public key certificate and the nonce. (3) Publish the data obtained by applying a signature with the private key stored in the private key storage unit 202 to the public key certificate and the value a @ e. (4) Describe the value a @ e in the public key certificate of the user A. And the like.

Next, the attribute certificate issuing terminal device 102
Calculates a = x ＾ d by the user value generation unit 204 using the value x of the user A acquired in step S303 (step S304). The value a obtained by this calculation becomes a part of the secret information of the user A.

Next, the attribute certificate issuing terminal device 102
Is transmitted by the attribute certificate issuing unit 205 to step S303.
B = (aａec) ＾ d is calculated using the secret information a of the user A obtained in (step S305). The value b obtained by this calculation also becomes a part of the secret information of the user A.

Then, the attribute certificate issuing terminal device 102
Is transmitted by the attribute certificate issuing unit 205 to step S304.
And the secret information a and b of the user A acquired in S305
Issue an attribute certificate (a, b: c) to the user A.

As described above, the user A who has received the attribute certificate (a, b: c) issued from the attribute certificate issuing terminal device 102 certifies its own attribute information as follows. I do.

First, the user A uses the terminal device 103 to perform user authentication for the user B using the public key certificate from the attribute certificate issuing terminal device 102. That is, the user A proves to the user B that the user A has the attribute information corresponding to the attribute identifier c.
Of the private key corresponding to the public key in the public key certificate of the user B is proved to the user B.

FIG. 4 shows the terminal device 103 of the user A and the terminal device of the user B when the user A proves to the user B that the private key corresponding to the public key in the public key certificate of the user A is held to the user B. 4 shows communication between the communication devices 104.

First, the terminal device 103 of the user A discloses the unique value a @ e and the attribute identifier c of the user A to the user B (step S401). With the release of the attribute identifier c here, the user A who is going to certify now
Is transmitted to the user B (verifier).

Next, the terminal device 104 of the user B receives the value a ＾ e and the attribute identifier c from the terminal device 103 of the user A.
And confirms the association between the value a @ e and the public key certificate of the user A (step S402).

Next, the terminal device 103 of the user A randomly generates values a_1 and b_1 and calculates values a_2 and b_2 such that a = a_1 * a_2 b = b_1 * b_2 (step S403). .

Next, the terminal device 103 of the user A discloses the values a_2 and b_2 acquired in step S403 to the user B (step S404). Note that the values a_2, b
Since _2 is randomly generated, the information of the value a and the value b, which are the secret information of the user A, does not leak at all.

Next, the terminal device 104 of the user B receives the values a_2 and b_2 from the terminal device 103 of the user A, and receives the values a_1＿e, a_2＿e, b_1 ＾ e, b_2 ＾.
It is confirmed whether or not e satisfies the two expressions of a = a_1 * a_2 b = b_1 * b_2 (step S4)
05).

Next, the terminal device 104 of the user B obtains the four values a_1 @ e, a_2 @ e, b at step S405.
An arbitrary value is selected at random from _1 @ e and b_2 @ e, and the selected value is transmitted to the terminal device 103 of the user A (step S406).

Then, the terminal device 103 of the user A receives the value (value a_1１０４) received from the terminal device 104 of the user B.
e, a_2 @ e, b_1 @ e, or b_2 @ e) is disclosed (step S407).

The processes of steps S403 to S407 described above are repeatedly executed a required number of times. By such processing, if the response of the user A to the challenge of the user B is valid, the user B can confirm that the user A holds the secret information a and b.

(Second Embodiment) In this embodiment,
In the communication system 100 shown in FIG. 1, the procedure of issuing the attribute certificate and certifying the attribute information is performed by the following configuration.

First, as in the first embodiment, the attribute certificate issuing unit 205 selects numerical values n, p, q, d, and e, and publishes (n, e) as a public key. d is stored as a secret key.

Here, the attribute certificate issuing terminal device 102
However, the procedure for issuing the attribute certificate to the user A and the user B is the procedure as shown in FIG. 3 in the first embodiment, but in the present embodiment, for example, the procedure shown in FIG. The procedure is as follows.

For example, an attribute certificate (user A
When issuing a certificate that associates certain attribute information with the user A, the attribute certificate issuing terminal device 102 first checks whether the user A has the attribute information to be associated with the user A (step S501). ). As a confirmation method at this time, a method of confirming the attribute information of the user A in the real world by presenting the license of the user A or the like can be considered.

Next, the attribute certificate issuing terminal device 102
Publishes the attribute discriminator c, which is a value corresponding to the attribute information confirmed in step S501, by the attribute information disclosure unit 203 (step S502).

Next, the attribute certificate issuing terminal device 102
Is a unique value U of the user A having a relation with the public key certificate of the user A (certificate issued by the public key certificate issuing authority not shown) by the user value generation unit 204. (Value directly rejected from public key certificate)
Is calculated (step S503).

Next, the attribute certificate issuing terminal device 102
Is transmitted by the attribute certificate issuing unit 205 to step S503.
B = (U−c) ＾ d is calculated using the value U of the user A acquired in step (step S504). The value b obtained by this calculation becomes a part of the secret information of the user A.

The attribute certificate issuing terminal device 102
Is transmitted by the attribute certificate issuing unit 205 to step S503.
And the attribute certificate (U, b :) using the user U's value U acquired in step S504 and the user A's secret information b acquired in step S504.
c) to the user A.

As described above, the user A who has received the attribute certificate (U, b: c) issued from the attribute certificate issuing terminal device 102 certifies his / her attribute information as follows. I do.

First, the user A uses the terminal device 103 to perform user authentication for the user B using the public key certificate from the attribute certificate issuing terminal device 102. That is, the user A proves to the user B that the user A has the attribute information corresponding to the attribute identifier c.
Of the private key corresponding to the public key in the public key certificate of the user B is proved to the user B.

FIG. 6 shows the terminal device 103 of the user A and the terminal device of the user B when the user A proves to the user B that the private key corresponding to the public key in the public key certificate of the user A is held to the user B. 4 shows communication between the communication devices 104.

First, the terminal device 103 of the user A gives the user B a unique value U and an attribute identifier c of the user A.
Is made public (step S601). By disclosing the attribute identifier c here, the attribute information of the user A to be certified is transmitted to the user B (verifier).

Next, the terminal device 104 of the user B receives the value U and the attribute identifier c from the terminal device 103 of the user A, and checks the association between the value U and the public key certificate of the user A ( Step S602).

Next, the terminal device 103 of the user A randomly generates the value b_1 and calculates the value b_2 such that b = b_1 * b_2 (step S60).
3).

Next, the terminal device 103 of the user A discloses to the user B the values b_1 @ e and b_2 @ e based on the values b_1 and b_2 and the public key (n, e) obtained in step S603 ( Step S604). Note that the value b_1＿
Since e, b_2 @ e is randomly generated, the information of the value b, which is the secret information of the user A, does not leak at all.

Next, the terminal device 104 of the user B receives the values b_1 @ e and b_2 @ e from the terminal device 103 of the user A.
Is received, and it is confirmed whether or not the following expression is satisfied: b = b_1 * b_2 (step S60)
5).

Next, the terminal device 104 of the user B randomly selects an arbitrary value from the two values b_1 and b_2 in step S605, and transmits the selected value to the terminal device 103 of the user A (step S605). Step S606).

Then, the terminal device 103 of the user A receives the value received from the terminal device 104 of the user B (the value b_1,
(any value of b_2) is disclosed (step S60).
7).

The processes of steps S603 to S607 are repeatedly executed as many times as necessary. By such processing, if the response of the user A to the challenge of the user B is valid, the user B can confirm that the user A holds the secret information b.

(Third Embodiment) The present invention provides, for example,
It is applied to a communication system 700 as shown in FIG. The communication system 700 is the communication system 10 of FIG.
0, but the configuration of the attribute certificate issuing terminal device 102 is different.

[0130] In the communication system 700 of FIG. 7, parts that operate in the same manner as the communication system 100 of FIG. 1 are given the same reference numerals, and detailed description thereof will be omitted.

That is, in the communication system 700 according to the present embodiment, since the attribute certificate needs to be destroyed as in the case of the public key certificate, as shown in FIG. An attribute certificate revocation unit 701 for revoking an attribute certificate and an attribute certificate revocation list for always storing the attribute certificate list information revoked by the attribute certificate revocation unit 701 for the device 102. Storage unit 7
02 is provided.

Therefore, for example, when it is necessary to discard the attribute certificate such that the value (ab) which must be kept secret by the user A becomes weak, the user A sends the attribute certificate to the terminal device 103 via the terminal device 103. A request to discard the attribute certificate is issued to the issuing terminal device 102.

When the attribute certificate issuing terminal device 102 receives the revocation request from the user A terminal device 103, the attribute certificate revocation unit 701 discards the attribute certificate of the user A, and Is presented to the attribute certificate revocation list storage unit 702.

The attribute certificate revocation list storage unit 702 stores the data of the attribute certificate revoked by the attribute certificate revocation unit 701 as a revocation certificate list. The revoked certificate list here is the CRL (CeCe) in the public key certificate.
rtificate Revocation List)
Similarly to the above, the data is signed, but the data to be signed is a set of values (a @ e, b @ e, c) or a value (U, b,
e, c). The revoked certificate list in the attribute certificate revocation list storage unit 702 is connected to the network 101 so that the verifier can access it.
Thereby, the verifier can browse the revocation list.

(Fourth Embodiment) The present invention provides, for example,
It is applied to a communication system 800 as shown in FIG. The communication system 800 is the communication system 10 of FIG.
0, but the configuration of the attribute certificate issuing terminal device 102 is different.

In the communication system 800 shown in FIG. 8, parts operating in the same manner as the communication system 100 shown in FIG. 1 are given the same reference numerals, and detailed description thereof will be omitted.

That is, as shown in FIG. 8, the communication system 800 according to the present embodiment transmits the attribute certificate to the terminal device 102 on the attribute certificate issuing side so that the validity of the attribute certificate can be confirmed. And an attribute certificate validity checking unit 801 for checking the validity of the attribute certificate.

For example, when the user A checks whether a certain attribute certificate has been revoked (whether the attribute certificate has been revoked by the configuration of the third embodiment or the like), the user A transmits A request for confirmation of the attribute certificate is made to the certificate issuing terminal device 102.

When the attribute certificate issuing terminal device 102 receives the confirmation request from the terminal device 103 of the user A, the attribute certificate validity confirmation unit 801 confirms the validity of the attribute certificate corresponding to the request. Then, the confirmation result is returned to the terminal device 103 of the user A.

With the above configuration, the user A and the user B can obtain the validity information (discard information) of the attribute certificate in real time.

(Fifth Embodiment) In the first to fourth embodiments, a case where an attribute certificate is disclosed in one direction, such as a case where an attribute certificate is disclosed from a user A to a user B. In this embodiment, the attribute certificate can be disclosed in both directions while maintaining fairness. In addition, here "disclose the attribute certificate fairly"
Means that attribute exchange is performed only when the declarations that disclose the attribute certificates match each other.

For example, in the communication system 100 shown in FIG. 1, first, the attribute certificate issuing unit 205 selects the numerical values n, p, q, d, and e as in the first embodiment.
(N, e) is published as a public key, and d is held as a secret key.

Here, for the maximum number L of attribute certificates issued for one attribute identifier, n ′ * L <n is satisfied. N ′ = p ′ * q ′ (p ′, q ′: prime number) And the corresponding public key e ′ and secret key d ′,
The public key (n ', e') for the attribute identifier is made public.
In order to identify a public key and a secret key for each attribute identifier, the public key is assigned to n′_c, e′_
c, and the secret key is represented by d′ _c.

In the present embodiment, the procedure in which the attribute certificate issuing terminal device 102 issues an attribute certificate to the user A and the user B is, for example, a procedure as shown in FIG.

For example, for the user A, the attribute identifier c
When the attribute certificate is issued to the user A, the attribute certificate issuing terminal 102 first checks whether the user A has the attribute information to be linked to the user A (step S901). The confirmation method at this time is as follows.
A method of confirming the attribute information of the user A in the real world by presenting the driver's license or the like can be considered.

Next, the attribute certificate issuing terminal device 102
Publishes the attribute discriminator c which is a value corresponding to the attribute information confirmed in step S901 by the attribute information disclosure unit 203 (step S902).

Next, the attribute certificate issuing terminal device 102
Is calculated by the user value generation unit 204 so that the value a is the secret key d′ _
c, and the value a @ e is related to the public key certificate of the user A (the certificate issued by the public key certificate issuing authority (not shown) described above).
Is calculated (step S903). The value a here means a secret key that can be decrypted only by the user having the attribute discriminator c, and becomes a part of the secret information of the user A.

Next, the attribute certificate issuing terminal device 102
Is transmitted by the attribute certificate issuing unit 205 to step S903.
B = (a ユ ー ザ e−c) に て d is calculated using the value “a” of the user A acquired in step S904 (step S904). The value b obtained by this calculation becomes a part of the secret information of the user A.

The attribute certificate issuing terminal device 102
Is transmitted by the attribute certificate issuing unit 205 to step S903.
And the secret information a and b of the user A acquired in S904
Issue an attribute certificate (a, b: c) to the user A.

On the other hand, the attribute certificate is issued to the user B in the same way as the attribute certificate is issued to the user A.

As described above, the user A and the user B, which have respectively received the attribute certificate by the attribute certificate issuing terminal device 102, mutually certify their own attribute information according to the procedure shown in FIG. .

First, the user A uses the terminal device 103 to issue a public auction / non-public auction as shown in FIG. 11 with respect to an attribute certificate (own attribute certificate) issued from the attribute certificate issuing terminal device 102. Keep the policy matrix. Similarly, the user B uses the terminal device 104 to issue a public auction / non-public auction as shown in FIG. Keep the policy matrix.

The public auction / non-public auction policy matrix shown in FIG. 11 includes attribute information c1, c2,
.., Cm, whether or not the target attribute information ci may be disclosed.

Next, the terminal device 103 of the user A uses the held public auction / non-public auction policy matrix as described above.
For an attribute identifier i indicating attribute information that may be disclosed,
Generate a random value r_a (i) and calculate E_ {e′_i} (r_a (i)). This shows that (r_a (i)) is encrypted with the public key e′_i for the attribute identifier i. Then, the terminal device 103 of the user A performs E_ {e '__
After calculating i｝ (r_a (i)), the sets (i, E_E_E) for all the attribute identifiers obtained by the calculation are obtained.
{E′_i} (r_a (i)) is transmitted to the terminal device 104 of the user B (step S1001).

Next, similarly, the terminal device 104 of the user B also obtains a random value r_b (for the attribute identifier j indicating the attribute information that may be made public, using the held public auction / non-public auction policy matrix. j), and E_ {e′_j} (r_b (j)) is calculated. This shows that (r_b (j)) is encrypted with the public key e′_j for the attribute identifier j. Then, the terminal device 104 of the user B sets E_ {e ′ __ for all the attribute identifiers indicating the attribute information that may be disclosed.
After performing the calculation of j｝ (r_b (j)), a set (j, E_E_) for all the attribute identifiers obtained by the calculation is obtained.
{E′_j} (r_b (j))) is transmitted to the terminal device 103 of the user A (step S1002).

Next, each of the terminal device 103 of the user A and the terminal device 104 of the user B receives all (i,
For j), it is verified whether or not r_a (i) * r_b (j) is held by a stepwise secret exchange protocol (step S1003).

The “stepwise secret exchange protocol” is, for example, held between two parties as described in Chapter 17 of “Okamoto and Yamamoto:“ Modern Encryption ”(industrial book)”. In order to exchange confidential information fairly, it is a method to disclose confidential information step by step.

Therefore, with the above-described configuration, user A and user B can communicate with each other by r_a (i) * r_b
Holding (j) can be healthy. This is user A
Means that the attribute information for the attribute identifier i and the user B have fairly exchanged the attribute information for the attribute identifier j, that is, that the attribute information has been fairly certified.

(Sixth Embodiment) First, in the first to fifth embodiments, the configuration is based on the assumption that the public key certificate and the attribute certificate are used together. In order to provide anonymity, it is possible to use only the attribute certificate. That is, the user may disclose that he is a member of a certain group, but may not disclose who is in the group.

For example, X. 509 (ITU-T Rec
ommendation X. 509, "Info.t"
ech. -OSI-The Directory: Au
"Attribute Certif" defined in the "authentication framework").
The “certificate” does not have private information in the certificate itself, and therefore, this certificate (attribute certificate) must be used in combination with the X.509 public key certificate. No, the NetBill system (http
p: // www. netbil. The same applies to attribute certificates such as “com /).

On the other hand, for example, SPKI (http: //
www. clark. net / pub / cme / htm
l / spki. Since the attribute certificate such as html) has confidential information, only this certificate can be used.

Therefore, in the present embodiment, the following configuration is implemented in order to maintain the anonymity of the public key even when the attribute certificate and the public key certificate are used together.

For example, in the communication system 100 shown in FIG. 1, the user A receives the attribute certificate (a, b_1: c_
1) and the attribute certificate (a, b_2: c_2), the terminal device 103 of the user A
Uses the attribute certificates (b_1, b_2: c_2-c_1) to certify the user B for two attribute identifiers, the attribute identifier c_1 and the attribute identifier c_2.

Therefore, with the above-described configuration, the user A can certify the attribute information while concealing his secret information a @ e.

Also, for a certain attribute identifier c_M, by placing a mask attribute such that all users hold an attribute certificate, other attribute identifiers are certified while maintaining anonymity. be able to. For example, 2
One of the two attribute identifiers c_1 and c_2
By using the mask attribute, the other attribute identifier can be certified while maintaining anonymity.

(Seventh Embodiment) First, in the normal exchange of attribute information, communication is performed only between users. However, attribute information is not exchanged fairly for some reason such as user's injustice. In order to cope with such a case, it is necessary to provide a trusted third-party organization. Therefore, in the present embodiment, a trusted third party organization is, for example,
As an attribute certificate issuing organization having the terminal device 102 as shown in FIG. 1, by presenting a communication log between users, it is possible to exchange attribute information fairly.

Specifically, for example, when the attribute certificate issuing terminal device 102 issues an attribute certificate to the user A, the attribute certificate issuing terminal device 102 In order to issue the attribute certificate with the attribute identifier of the user A being anonymous, the attribute certificate (a, b * r: c + (1-r) is generated by generating a random value r.
＾ e) * b ＾ e) is issued to the user A.

Therefore, the user A certifies the attribute information to the user B using the attribute certificate (a, b * r: c + (1-r ＾ e) * b ＾ e). .

When both the user A and the user B certify attribute information with each other, the value r is exchanged by using the above-described stepwise secret exchange protocol, so that fair attribute information is exchanged. Proof can be made.

At this time, for example, during the exchange of the value r,
When the protocol is interrupted for some reason, the value r of the other party cannot be received, and it is considered that fairness cannot be maintained.

Therefore, in this embodiment, the terminal device 103 of the user A and the terminal device 104 of the user B present the transmission log to the attribute certificate issuing terminal device 102, respectively. As a result, even when the above-described interruption of the protocol occurs, the value r of the partner can be restored, and fairness can be maintained.

Further, this is realized by a method in which the value r initially committed in the stepwise secret exchange protocol is encrypted with the public key e of the attribute certificate issuing terminal device 102. By adopting this method, only the attribute certificate issuing organization having the private key d for the public key e can restore the committed value r. Further, since the attribute identifier c can be obtained from the value r, the attribute information of the user can be restored, the attribute information can be disclosed to the user who could not obtain the attribute information, and fairness can be maintained. Can be. For an unauthorized user, measures such as destruction of the attribute certificate can be considered according to the policy of the attribute certificate issuing terminal device 102.

An object of the present invention is to supply a storage medium storing program codes of software for realizing the functions of the host and the terminal according to the first to seventh embodiments to a system or an apparatus, and to provide the system or the apparatus with the storage medium. It is needless to say that the present invention is also achieved when the computer (or CPU or MPU) of the apparatus reads out and executes the program code stored in the storage medium. In this case, the program code itself read from the storage medium realizes the functions of the first to seventh embodiments, and the storage medium storing the program code constitutes the present invention. As storage media for supplying the program code, ROM, floppy disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R,
A magnetic tape, a nonvolatile memory card, or the like can be used. The functions of the first to seventh embodiments are realized by executing the program code read by the computer, and the OS running on the computer based on the instruction of the program code. It goes without saying that the present invention includes a case where the functions of the first to seventh embodiments are implemented by performing part or all of the actual processing. Further, after the program code read from the storage medium is written to a memory provided in an extension function board inserted into the computer or a function extension unit connected to the computer, the function extension is performed based on the instruction of the program code. It goes without saying that a CPU or the like provided in the board or the function expansion unit performs part or all of the actual processing, and the processing realizes the functions of the first to seventh embodiments.

[0174]

As described above, according to the present invention, an attribute certificate issuing organization can issue an attribute certificate, which is a certificate for guaranteeing association between a user and attribute information, to the user. The user holding the attribute certificate can certify his / her attribute information to any other user on the other side. Further, when the attribute information is mutually disclosed between the two parties, the disclosure can be performed fairly. For example,
When the present invention is applied to a system that requires protection of privacy information such as e-commerce in a wide-area distributed network such as the Internet, a user can use services provided by the system with confidence.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a communication system to which the present invention is applied in a first embodiment.

FIG. 2 is a block diagram showing a configuration of a terminal device on the attribute certificate issuing agency side of the communication system.

FIG. 3 is a flowchart for explaining the operation of the terminal device on the attribute certificate issuing organization side.

FIG. 4 is a diagram illustrating a flow of a process of proving attribute information between users in the communication system.

FIG. 5 is a flowchart for explaining the operation of the terminal device on the attribute certificate issuing agency side in the second embodiment.

FIG. 6 is a diagram illustrating a flow of a process of proving attribute information between the users in the second embodiment.

FIG. 7 is a block diagram showing a configuration of a communication system to which the present invention is applied in a third embodiment.

FIG. 8 is a block diagram showing a configuration of a communication system to which the present invention is applied in a fourth embodiment.

FIG. 9 is a flowchart for explaining the operation of the terminal device on the attribute certificate issuing agency side in the fifth embodiment.

FIG. 10 is a diagram illustrating a flow of a process of proving attribute information between users in the fifth embodiment.

FIG. 11 is a diagram for explaining a public / non-public policy matrix used by the user.

[Explanation of symbols]

 REFERENCE SIGNS LIST 100 communication system 101 network with public key infrastructure 102 terminal device on attribute certificate issuing agency 103 terminal device on user A 104 terminal device on user B 201 public key storage unit 202 private key storage unit 203 attribute information disclosure Part 204 user value generation part 205 attribute certificate issuing part

Claims (49)

[Claims] 1. A certificate issuing apparatus for issuing a certificate including attribute information indicating a target user to a target user, wherein the public key storage means stores a public key of the target user; Secret key storage means for storing a secret key corresponding to the public key stored in the server, attribute information disclosing means for disclosing an attribute identifier corresponding to the attribute information of the target user, and a user value for generating a unique value of the target user Generating means, a secret key stored in the secret key storing means, a unique value of the target user generated by the user value generating means, and secret information based on an attribute identifier published by the attribute information disclosing means. A certificate issuing unit for issuing a certificate including the certificate to a target user. 2. The certificate issuing means performs an operation on the attribute discriminator using the unique value of the target user and the secret key, so that the certificate issuance means is provided only when the private key is owned. 2. The certificate issuing device according to claim 1, wherein information that cannot be generated is generated as the secret information. 3. The public key storage means stores a public key (n, e) of a public key cryptosystem RSA, and the secret key storage means stores a secret key corresponding to the public key (n, e). The attribute information publishing means publishes an attribute identifier c corresponding to the attribute information of the target user, and the user value generating means stores the target user's unique information a ＾ e having the target user's secret information a. The certificate issuance means generates secret information b = (a−e- based on the attribute discriminator c and the unique information a ＾ e of the target user.
c) Acquire ＾ d, and obtain its secret information b and the secret information a.
2. The certificate issuing device according to claim 1, wherein the attribute issuing device issues an attribute certificate (a, b: c) to the target user. 4. The public key storage means stores a public key (n, e) of a public key cryptosystem RSA, and the secret key storage means stores a secret key corresponding to the public key (n, e). The attribute information publishing means publishes an attribute identifier c corresponding to the attribute information of the target user; the user value generating means generates arbitrary information U unique to the target user; The means obtains b = (U−c) ＾ d from the attribute discriminator c and the unique information U of the target user,
2. The certificate issuing device according to claim 1, wherein an attribute certificate (U, b: c) using the information b as secret information of the target user is issued to the target user. 5. The certificate issuing apparatus according to claim 1, wherein the user value generating means generates information having a relation with a public key certificate of the target user as information unique to the target user. . 6. A certificate revocation means for revoking a certificate issued to a target user by the certificate issuance means, and a business closing information storage means for storing revocation information in the certificate revocation means. The certificate issuing device according to claim 1, wherein 7. The certificate issuing device according to claim 6, wherein the information stored in said out-of-business information storage means can be referred to from outside. 8. The attribute information publishing unit holds information indicating the relationship between the attribute information and the attribute identifier as information signed by a secret key stored in the secret key storage unit. The certificate issuing device according to claim 1, wherein the certificate is issued. 9. The certificate issuing apparatus according to claim 1, wherein said certificate issuing means distributes random information to a target user, and updates said attribute identifier based on said random information. . 10. The certificate issuing device according to claim 1, wherein the certificate issuing unit issues a certificate based on the random information to a target user. 11. The certificate issuing apparatus according to claim 1, further comprising transmission log holding means for holding transmission log information in communication for allowing the target user and other users to publish their own attribute information. . 12. The public key storage means stores n ′ * L for a maximum number L of certificates issued for the attribute identifier.
A public key e 'corresponding to n = p' * q '(p', q ': prime number) satisfying <n is stored, and the secret key storage means stores a secret key d' corresponding to the public key e '. The attribute information publishing means publishes a public key (n ', e') for the attribute identifier, and the user value generating means sets a multiple of the information d 'as unique information of the target user. The certificate issuing device according to claim 1, wherein: 13. An information processing device connectable to a plurality of terminal devices on the user side via a network, wherein the information processing device has the function of the certificate issuing device according to any one of claims 1 to 12. Information processing device. 14. A user-side information processing apparatus connectable via a network to a certificate issuing organization having the function of the certificate issuing apparatus according to claim 1. Means for generating public information for confidential information included in a certificate issued by an organization; means for publishing an attribute discriminator included in the certificate to a verifier; means for publishing the public information to a verifier By publishing information based on the secret information to the verifier,
Means for certifying to a verifier that the secret information corresponding to the public information is held. 15. A user-side information processing apparatus connectable via a network to a certificate issuing organization having the function of the certificate issuing apparatus according to claim 1. Certificate issued by the institution (a, b:
means for disclosing information a @ e and c obtained by c) to a verifier who is another user who verifies the certificate (a, b: c), and a = a_1 from random information a_1 and b_1. * A
_2 and information a_2 that satisfies the expression b = b_1 * b_2
And b_2, and information a_1 obtained from the result
Means for releasing {e, a_2 @ e, b_1 @ e, b_2 @ e to the verifier, and information a_1 @ e, a_2 @ e, b_1} from the verifier.
e, b_2 ＾ e, where a = a_1 * a_2 and b = b_1
Means for disclosing information randomly selected and transmitted from the information a_1, b_1, a_2, and b_2 based on the result of checking whether or not the expression b_2 is satisfied. apparatus. 16. Receiving a certificate (a, b: c) issued by the certificate issuing organization, and receiving the certificate (a, b: c).
b: Information a_1 @ e, a_2 @ e, b_1 @ e, and b_ released from a prover who is another user who proves c).
2 ＾ e is a = a_1 * a_2 and b = b_1 * b_2
Means for confirming whether or not the following formula is satisfied; and information a_1, b_1, a_
16. The information processing apparatus according to claim 15, further comprising: means for randomly selecting any one of the information b and b_2 and transmitting the selected information to the prover. 17. A user-side information processing apparatus connectable via a network to a certificate issuing organization having the function of the certificate issuing apparatus according to claim 1; Certificate issued by the institution (U, b:
The information U and c obtained by c) are transferred to the certificate (U,
means for disclosing b: c) to a verifier, which is another user to be verified, and information b_2 satisfying an expression of b = b_1 * b_2 from random information b_1, and information b_1 ＾ e obtained from the result. And b_2 @ e to the verifier, and information b_1 @ e and b_2 @ e from the verifier, b = b
An information processing apparatus, comprising: means for disclosing information randomly selected and transmitted from the information b_1 and b_2 based on a result of checking whether or not an expression of _1 * b_2 is satisfied. 18. A certificate (U, b: c) issued by the certificate issuing organization is received, and the certificate (U, b: c) is received.
b: Information b_1 @ e and b_2 @ e released from a prover who is another user who proves c) is b = b_1 *
a means for confirming whether or not the formula b_2 is satisfied; and means for randomly selecting any of the information b_1 and b_2 and transmitting the information to the prover based on the result of the confirmation. 18. The information processing apparatus according to claim 17, wherein 19. The certificate (a, b: c) or the certificate (U, b: c) includes a certificate generated by the certificate issuing organization based on random information r. 18. The information processing apparatus according to claim 15, further comprising means for exchanging random information r with a prover. 20. The information processing apparatus according to claim 15, further comprising means for presenting transmission log information at the time of communication with the prover to the certificate issuing organization. 21. Two certificates (a, b_1: c_1) and (a, b_) issued by the certificate issuing institution.
2: c_2), means for disclosing two attribute identifiers c_1 and c_2 to the verifier using certificates (b_1, b_2: c_2-c_1) obtained from these certificates is provided. The information processing apparatus according to claim 15, wherein 22. Two certificates (U, b_1: c_1) and (U, b_
2: c_2), means for disclosing two attribute identifiers c_1 and c_2 to the verifier using certificates (b_1, b_2: c_2-c_1) obtained from these certificates is provided. The information processing apparatus according to claim 17, wherein 23. An information processing apparatus having a function of publishing attribute information indicating one another by communicating with an information processing apparatus on another user side, wherein each attribute information is disclosed and undisclosed. Means for generating random information r_x (i) with respect to an attribute identifier i indicating public attribute information indicated by the matrix; and a means for generating random information r_x (i) ) With the same attribute identifier c
Means for encrypting with an encryption key Pub_c unique to the attribute identifier c, which can be decrypted only by a member having the attribute, and information E_ {Pub_i} (r
_X (i)) based on information (i, E_ {Pub_i}
Means for transmitting (r_x (i))) to the information processing device on the other user side, and an attribute identifier j transmitted from the information processing device on the other user side and indicating public attribute information for the user. The random information r_y (j) generated for the encryption key P
Information E_ {Pub_j} encrypted by ub_c
Information (j, E_ @ Pub_) based on (r_y (j))
j｝ (r_y (j))) and the information (j, E_ {Pub_j}) from another user.
(R_y (j))), information r_x (i) *
means for verifying whether or not r_x (j) is held. 24. An information communication system in which a plurality of devices are communicably connected to each other, wherein at least one of the plurality of devices is a certificate issuance device according to any one of claims 1 to 12. An information communication system having a function of a device or a function of the information processing device according to any one of claims 13 to 23. 25. An information communication system in which a plurality of devices are communicably connected to each other via a network, wherein the plurality of devices have an attribute for guaranteeing attribute information in order to publish attribute information of a user. An information communication system comprising: a device having an attribute certificate issuing function for issuing a certificate; and a device having an attribute certification function for publishing user attribute information using the attribute certificate. 26. The information communication system according to claim 25, wherein the device having the attribute certificate issuing function has the function of the certificate issuing device according to any one of claims 1 to 12. 27. The information communication system according to claim 25, wherein the device having the attribute certification function has the function of the information processing device according to any one of claims 14 to 23. 28. An attribute certifying method including a certificate issuing step of issuing an attribute certificate for linking attribute information indicating a target user to a target user, wherein the certificate issuing step includes a public key cryptosystem. A public key storing step of storing a public key, a secret key storing step of storing a secret key corresponding to the public key, and an attribute information publishing step of publishing an attribute identifier which is a value corresponding to attribute information indicating a target user. A user value generating step of generating a unique value of the target user; and performing an operation using the secret key on the attribute discriminator characterizing the attribute information from the unique value of the target user. An attribute certificate issuing step of generating secret information that can be generated only when the key is owned, and issuing an attribute certificate including the secret information to the target user. An attribute certification method characterized by the following. 29. An attribute certifying method including a certificate issuing step of issuing an attribute certificate for linking attribute information indicating a target user to a target user, wherein the certificate issuing step includes a public key cryptosystem RSA. A public key storing step of storing a public key (n, e) of the public key, a secret key storing step of storing a private key d corresponding to the public key (n, e), and a value corresponding to attribute information indicating a target user An attribute information publishing step of publishing an attribute identifier c, a user value generation step of generating a unique value a and a @ e of the target user, and an attribute identifier c characterizing the attribute measure. Calculates b = (a ＾ e-1) 固有 d from the unique value a of the attribute, and issues an attribute certificate (a, b: c) using the values a and b as secret information of the target user to the target user. Certificate issuance An attribute certifying method characterized by including 30. An attribute certifying method including a certificate issuing step of issuing an attribute certificate for linking attribute information indicating a target user to a target user, wherein the certificate issuing step includes a public key cryptosystem RSA. A public key storing step of storing a public key (n, e) of the public key, a secret key storing step of storing a private key d corresponding to the public key (n, e), and a value corresponding to attribute information indicating a target user An attribute information publishing step of publishing an attribute identifier c which is: a user value generating step of generating a unique value U of the target user; Calculate b = (U−c) ＾ d from U,
An attribute certificate (U,
b) issuing an attribute certificate to the target user. 31. The attribute certification method according to claim 28, wherein the unique value of the target user includes a value having a relation with a public key certificate of the target user. 32. The certificate issuing step, wherein the attribute certificate discarding step for discarding the attribute certificate issued in the attribute certificate issuing step, and the discarding information in the attribute certificate discarding step being always updated with the latest information. 31. The attribute certification method according to claim 28, further comprising: storing an attribute certificate revocation list stored in a state. 33. The attribute certificate according to claim 32, wherein the discard information in the attribute certificate discard list storage step allows any user to confirm whether or not any attribute certificate is valid. Method. 34. The attribute information publishing step includes a step of storing the attribute information and the attribute identifier as information signed by the secret key in order to represent the relationship between the attribute information and the attribute identifier. The attribute certification method according to any one of claims 28 to 30. 35. A prover that certifies the attribute information to a verifier by using the attribute certificate issued in the certificate issuing step, wherein the public information on the secret information included in the attribute certificate is provided. Generating the attribute identifier and the public information included in the attribute certificate to the verifier; and releasing the information obtained by the operation using the secret information to the verifier. The method according to any one of claims 28 to 30, further comprising the step of: certifying to the verifier that the secret information corresponding to the public information is held. 36. A certifier, which is a user who has received the attribute certificate (a, b: c) issued in the certificate issuing step, certifies the attribute information to a verifier. A first step in which the prover discloses the values a 値 e and c to the verifier; and the prover randomly selects values a_1 and b_1,
Calculate the values a_2 and b_2 which satisfy the expressions of a = a_1 * a_2 and b = b_1 * b_2, and obtain the value a_1 ＾ e,
a_2 step of disclosing a_2 ＾ e, b_1 ＾ e, and b_2 ＾ e to the verifier, and the verifier verifies the value a_1 ＾ disclosed by the prover.
e, a_2 ＾ e, b_1 ＾ e, and b_2 ＾ e are a =
a third step of checking whether or not the expressions a_1 * a_2 and b = b_1 * b_2 are satisfied; and the verifier: a fourth step of randomly selecting a_2 and b_2 and transmitting them to the prover; and a step in which the prover discloses one of the values (1) to (4) transmitted from the verifier. 5. The method according to claim 1, further comprising: repeating the second step to the fifth step, and certifying the holding of the attribute associated with the value c while keeping the values a and b secret. 29. The attribute certifying method according to 29. 37. A certifier, who is a user who has received the attribute certificate (U, b: c) issued in the certificate issuing step, performs the proof of the attribute information to a verifier, A first step in which the prover discloses the values U and c to the verifier, and the prover randomly selects a value b_1, and b = b_1
* Calculate a value b_2 that satisfies the expression b_2, and obtain a value b
A second step of disclosing _1 @ e and b_2 @ e to the verifier; and the verifier discloses a value b_1 @ e disclosed by the prover.
And a third step of checking whether or not b_2 ＾ e satisfies the expression b = b_1 * b_2, and the verifier randomly selects (1) b_1 (2) b_2 and sends it to the prover A fourth step in which the prover discloses any of the values (1) and (2) transmitted from the verifier; and a second step to the fifth step. Certifying the retention of the attribute associated with the value c while keeping the value b secret by repeatedly executing the attribute certifying method. 38. The certificate issuance step includes at least the destruction of the attribute certificate (a, b: c) issued in the attribute certificate issuance step.
When updating the attribute discriminator c, a step of generating a random value r and distributing the value r only to authorized users; and a step of changing the attribute identifier c to an attribute identifier c * r ＾ e 30. The attribute certifying method according to claim 29, comprising: 39. The attribute certificate issuance step, wherein the attribute certificate (a * r, b) based on the attribute identifier c * r @ e
* R: c * r @ e) to the target user, and receives the attribute certificate (a * r, b * r: c * r @ e) issued in the attribute certificate issuing step. Characterized in that the method includes a step in which a user performs attribute proof using an attribute certificate (a * r, b * r: c * r @ e) instead of the attribute certificate (a, b: c). 39. The attribute certification method according to claim 38, wherein 40. An attribute certifying method for fairly certifying an attribute between a user X and a user Y using an attribute certificate held by each other, wherein only members having the same attribute identifier c have attributes. A first step of storing a decryptable encryption key Pub_c unique to the attribute identifier c, a policy matrix describing public and private policies for each attribute, and corresponding to the attributes that the user X may publish. A random value r_x (i) is generated for the attribute identifier i, and a value E obtained by encrypting the value r_x (i) with the encryption key Pub_c is used.
_ {Pub_i} (r_x (i)), and the result of the calculation is (i, E_ {Pub_i} (r_x
(I))) transmitting a random value r_y (j) to the attribute discriminator j corresponding to the attribute that may be disclosed, Value r_y (j) Value E_ encrypted with encryption key Pub_c
｛Pub_j (r_y (j)) is calculated, and the result of the calculation is (j, E_ {Pub_j} (r_y
(J))) to user X, and for all sets of attributes (i, j) of user X and user Y that may be open to each other, user X and user Y are mutually r_x (I) verifying whether * r_y (j) is held using a stepwise secret exchange protocol. 41. The certificate issuance step includes: n = p ′ * q ′ that satisfies n ′ * L <n with respect to a maximum number L of attribute certificate issuances for an arbitrary attribute identifier.
(P ′, q ′: prime number), a step of selecting a corresponding public key e ′ and a secret key d ′, and a step of publishing the attribute information, publishing the public key (n ′, e ′) for the attribute identifier. 31. The method according to claim 28, further comprising: selecting a multiple of the information d ′ as a unique value of the target user.
The attribute certifying method according to any one of the above. 42. The attribute certification method according to claim 41, wherein the certificate issuing step includes a step of holding an encryption key unique to the attribute identifier. 43. The certificate issuing step generates a random value r and, based on the value r, replaces the attribute certificate (a, b: c) with the attribute certificate (a, b * r). : C
+ (1-r ＾ e) * b ＾ e) to the target user, wherein the attribute certificate (a, b * r: c + (1-r ＾ e) * b
ユ ー ザ e) receives the attribute certificate (a, b)
* R: c + (1−r ＾ e) * b ＾ e), and after performing the attribute proof, the above value r is mutually exchanged with the user to be proved by the stepwise secret exchange protocol. ,
30. The attribute certifying method according to claim 29, further comprising the step of certifying the attribute with the attribute identifier c being anonymous. 44. The certificate issuing step generates a random value r and, based on the value r, replaces the attribute certificate (U, b: c) with an attribute certificate (U, b * r). : C
+ (1-r ＾ e) * b ＾ e) to the target user, wherein the attribute certificate (U, b * r: c + (1-r ＾ e) * b
ユ ー ザ e) receives the attribute certificate (U, b)
* R: c + (1−r ＾ e) * b ＾ e), and after performing the attribute proof, the above value r is mutually exchanged with the user to be proved by the stepwise secret exchange protocol. ,
31. The attribute certifying method according to claim 30, further comprising the step of certifying the attribute with the attribute identifier c being anonymous. 45. The user encrypts the value r previously committed by the stepwise secret exchange protocol by the publicity of the organization that issues the attribute certificate, and stores the transmission log in the attribute certificate. By presenting to the issuing opportunity, even if the stepwise secret exchange protocol is interrupted during the information exchange by the stepwise secret exchange protocol, at least for the reason including the improper use of the user, the fairness of the attribute proof 45. The attribute certification method according to claim 43, further comprising the step of: 46. When the target user holds two attribute certificates (a, b_1: c_1) and (a, b_2: c_2) in the certificate issuing step, attributes obtained from the attribute certificates are obtained. Certificate (b_1, b_2: c
30. The attribute certification method according to claim 29, further comprising the step of: performing attribute certification for two attribute identifiers c_1 and c_2 using (_2-c_1). 47. When the target user holds two attribute certificates (U, b_1: c_1) and (U, b_2: c_2) in the certificate issuing step, attributes obtained from those attribute certificates Certificate (b_1, b_2: c
31. The attribute certification method according to claim 30, further comprising the step of performing attribute certification for two attribute identifiers c_1 and c_2 using (_2-c_1). 48. The function of the certificate issuing device according to any one of claims 1 to 12, the function of the information processing device according to any of claims 13 to 23, or the function of any of claims 24 to 27 A computer-readable storage medium storing a processing program for performing the functions of the information communication system according to item 1. 49. A storage medium, wherein the processing steps of the attribute certification method according to claim 28 are stored in a computer readable manner.