JP2006128761A - COMMUNICATION METHOD AND COMMUNICATION SYSTEM USING ENCRYPTION TECHNIQUE, AND BIOLOGICAL INFORMATION VERIFYING DEVICE - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide encryption communication technology capable of smoothly, surely and securely carrying out communication processing by introducing verification processing employing biological information. <P>SOLUTION: In the communication processing process of a method with which a message based on the encryption technology using a communication key (called an encryption message) is generated and the encryption message is transmitted via a communication network, the method includes at least a biological information for collation generating step of digitizing the biological information of a user and storing in advance the digitized biological information in an apparatus as biological information for collation, and a biological information verification step of digitizing the newly inputted or transmitted biological information and comparing and verifying the newly inputted or transmitted biological information with the information for collation, so that the authentication of the legitimateness between communication apparatuses and the authentication of the legitimateness of the user or the like are realized. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a communication technique using biological information (biometric information). More specifically, the present invention relates to device authentication, user authentication, and encryption technology using digitized biometric information (biometric information).

  When important information (for example, highly confidential information) is exchanged via a communication network, there is an encryption technique as a technique for preventing theft of the information. This encryption technique is roughly classified into a secret key encryption method (common key encryption method), a public key encryption method, and a digital signature method.

  First, in the “secret key encryption method (common key encryption method)”, the sender and the receiver share the “secret key”, the sender uses this to encrypt the transmission information, and the receiver uses the shared “ The encryption information is decrypted using the “secret key”. This method has the advantage that the encryption key and the decryption key are common and the encryption / decryption speed is high. On the other hand, this method has a problem that if the secret key is stolen, the encrypted information can be freely decrypted by a third party other than the authorized recipient.

In the “public key encryption method”, the sender encrypts transmission information using the “public key” on the receiver side, and the receiver decrypts the received encryption information using its own “secret key”. In this method, the encryption key is different from the decryption key, and the encryption / decryption speed is slow, and anyone can encrypt using the public key, so there are some disadvantages that a third party can impersonate the sender. is there. On the other hand, this method has an advantage that it is suitable for communication with the majority because it is easy to manage keys and only one key needs to be disclosed.
In other words, the above encryption technology is used for the purpose of concealing messages on the communication path from third parties.
In the “digital signature scheme”, the sender transmits encrypted information (digital signature) with a signature created using the “secret key” on the sender side, and the receiver sends the “public key” on the sender side. Is used to verify the received cryptographic information. In this method, since the private key is a sender-specific key, a third party cannot impersonate the sender, so that the creator of the message information (sender) can be proved and the message information sent It can prove that it has not been tampered with.
That is, this digital signature technology. It is used to prove the author of the message and to prevent tampering.

   Here, in addition to concealing the content of the message on the communication path and confirming that the communication partner device is the correct device, or when proving that certain information was created by a specific user, in particular, An authentication technique in which a digital signature is added to the public key cryptosystem described above is beginning to be adopted.

  In this authentication technology, in order to confirm (verify) whether the “public key” used for encryption is legitimate, is not someone else, or has been tampered with, What is referred to as a “book” is generally used. This "public key certificate" proves that the used "public key" is a valid "public key" by being digitally signed by a third party (authentication center) that can guarantee its validity. To do.

When the “public key certificate” is used, the digital signature Sig _u (M) for the message M of the user U is usually created by the user device, and the message M, Sig _u (M), and the public key PubKey _u of the user U are Both “public key certificate Cert _u ” are sent to the receiver side. The recipient first “verifies” the validity of the public key certificate Cert _u using the “public key” of a predetermined authentication center (center device). If the verification result is valid, then it is common to take out the public key PubKey _u of the user U from Cert _u and use it to “verify” the validity of the digital signature Sig _u (M). Is.

Here, if some prior arts related to key encryption technology are listed, Patent Document 1 discloses that a sender creates a ciphertext using a receiver's public key, transmits it to a receiver via a communication circuit, and receives it. A public key encryption communication method for decrypting ciphertext using a secret key has been disclosed. In Patent Document 2, a certificate is encrypted with a public key and transmitted to a client, and an authentication server generates a shared key through verification of a certificate returned from the client. The shared key is used to authenticate with the client. A technique for performing cryptographic communication with a server is disclosed. Patent Documents 3 to 5 disclose communication techniques using digital signatures.
JP 2004-012826 A. JP 2004-159100 A. Japanese Patent Laid-Open No. 20003123212. JP 2002-152189 A. Japanese Patent Application Laid-Open No. 2003-234737.

  Next, the second background technique is an authentication technique using biometric information. This authentication technique is a technique for authenticating an individual using information unique to an individual such as physical characteristics and physical characteristics (hereinafter referred to as “biological information”).

  In this biometric authentication technology, commonly used physical features include fingerprints, palm prints, handprints, veins on the back of hands, irises, faces, voices, etc., and physical characteristics include handwriting and keystrokes. Can be mentioned. These features and characteristics are not likely to change over a long period of time, and there is an advantage that there are almost no third parties having similar characteristics and properties. Therefore, this biometrics technology is increasingly attracting attention due to the arrival of the network society, and its range of use is expanding, since it is difficult in principle to perform false authentication compared to authentication technology using a password or password. .

  When authentication is performed using biometric information, biometric information unique to the person is measured in advance and registered in a storage unit such as a computer. It confirms whether or not it matches biometric information data registered in advance, and authenticates the authenticity of the identity.

  In an authentication technique in which a digital signature is added to a public key cryptosystem, both a “public key certificate” verification process and a “digital signature” verification process must be performed in order to verify a user's digital signature. In addition to the message and the digital signature, since the public key certificate must be transmitted, the transmission work is troublesome.

  Since it is not the user himself but the user device that actually generates the digital signature, it is difficult to confirm whether the user's own intention really worked for the generation of the digital signature. For example, the possibility that the user device has generated a digital signature with the intention of a third party who has picked up the user device that happened to be dropped cannot be denied. Furthermore, it is difficult to confirm whether the recipient of the message is a truly valid user.

  In view of this, the present invention creates an encrypted message using an encryption key, and introduces verification processing using biometric information into the process of transmitting the encrypted message via a communication network. The main purpose is to provide a smooth, reliable and safer encryption communication technology.

  The present invention is roughly divided into (A) a communication method, (B) a communication system, and (C) a biological information verification device. Hereinafter, it demonstrates in order.

  (A) Communication method.

  This method is a method of creating an encrypted message using a key and transmitting the encrypted message via a communication network, digitizing user's biometric information, and using this as biometric information for verification as a predetermined device The biometric information creation procedure for collation stored in advance and the biometric information verification procedure for digitizing biometric information newly input or transmitted and comparing the biometric information with the collation information are performed at least in the communication process. The apparatus is an apparatus selected from any one of a user device, a verifier, a receiver, a server, and a terminal, for example. The key is a user's biometric information or a secret key corresponding to the user's biometric information. Note that “encrypted message” means message information created using a cryptographic technique using a key.

  According to the biometric information verification procedure of the present method, the authenticity of the device involved in communication is authenticated, the authenticity of the digital signature sent in response to the message is verified, and the message receiver It is possible to authenticate the authenticity of the user.

(B) Communication system.

  The system includes at least a user device of a message recipient, a relay processing device that relays the message communicated via a communication network, and / or a server that distributes the message. Then, the relay processing device or the server holds biometric information for verification obtained by digitizing the biometric information of the user, and the biometric information newly entered in the communication network and the biometric information for verification The comparison verification process is performed in the relay processing apparatus or the server. As the relay processing device, for example, one device selected from a verifier (verification device), a terminal, and a receiver can be adopted.

(C) Biological information verification device.

  This apparatus is an apparatus that intervenes in the process of creating an encrypted message using a key and transmitting the encrypted message via a communication network. Further, biometric information for verification obtained by digitizing the biometric information of the user is held (stored), and comparison verification processing means between the biometric information newly entered in the communication network and the biometric information for verification is reduced. Prepare at least. Note that the comparison and verification processing of newly entered biometric information (challenge data) and digitized biometric biometric information is based on, for example, whether or not they match within a predetermined error range. Can be done. In creating the encryption key, the digitized biometric information of the user can be used.

  According to the present invention, the present invention creates a cryptographic message using a key and introduces verification processing using biometric information into the process of transmitting the cryptographic message via a communication network, thereby enabling communication processing. Smooth, reliable, and safer encryption communication can be realized.

  DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, preferred embodiments for carrying out the invention will be described with reference to the accompanying drawings. Each embodiment and processing example shown in the accompanying drawings show an example of a typical concept and embodiment of the method, apparatus, and system according to the present invention, and the scope of the present invention is thereby limited. It is not interpreted narrowly.

  The first to third embodiments to be described below all relate to a communication technique using biological information (biometric information). More specifically, the first embodiment is a device (apparatus) authentication technology using digitized biometric information (biometric information), the second embodiment is a user authentication technology using the biometric information, and the third embodiment. Relates to an encryption technique using the biometric information and a technique for authenticating the authenticity of a user who is a message recipient. Hereinafter, it demonstrates in order.

  (First embodiment).

  First, attached FIG. 1 is a diagram showing a basic configuration of a system according to the present invention.

  FIG. 1 shows a user U, a user device UD (for example, a computer terminal) owned by the user U, and a verifier (verification apparatus) that verifies the validity of the user device UD. In addition, a center device C that manages the entire system is provided.

  FIG. 2 is a diagram illustrating a configuration of the user device UD, the verifier V, and the center apparatus.

  First, the user device UD is typically an information terminal such as a personal computer, a PDA, or an IC card owned by the user U. The user device UD is provided with a secure storage unit 1, a main storage unit 2, a display device 3, an input device 4, a controller 5, an arithmetic unit 5, a communication interface 6, and the like via a bus X.

  The secure storage unit 1 stores a “secret key” (described later) of the user U given from the center device C (see FIG. 1). The biometric information of the user U, which is also used as a “public key”, is stored in the secure storage unit 1 or the main storage unit 2. The communication interface 7 includes an interface for performing communication with the verifier V, specifically, a wired network or wireless network interface, a card contact terminal, and the like.

  The display device 3 is for displaying a message to the user U, and the input device 4 is for receiving input from the user such as a switch or a keyboard.

  The configuration of the verifier V is almost the same as the configuration shown in FIG. In the verifier V, the secure storage unit 1 is not always necessary. The communication interface 7 includes an interface for communication with the user device UD. The display device 3 of the verifier V is also for displaying a message to the user, and the input device 4 is also for receiving input from the user such as a switch and a keyboard. The input device 4 includes a reading device for inputting the biological information of the user U.

  Note that an embodiment in which the respective units of the verifier are located at remote locations and connected via a communication network can be considered. That is, a terminal portion (not shown) provided with the display device 3 and the input device 4 and an operation unit (not shown) provided with an operation unit 5 for authentication and signature verification are provided at remote locations. It may be configured to be located and connected via a communication network. Further, as an extension thereof, a configuration in which a plurality of terminal portions are connected to one arithmetic unit may be adopted.

  The configuration of the center apparatus C (see FIG. 1) that manages the entire system is the same as the configuration shown in FIG. In the center apparatus C, the master key that is most important in the system is stored in the secure storage unit 1.

  As will be described later, the biometric information of the user U is obtained from the input device 4, and the biometric information is used as the public key (signature verification key) of the user U, and the secret key (signature generation key) of the user U using the master key described above. Will be generated.

  As an example, the biometric information of the user U and the secret key are transmitted to the user device UD via the communication interface 7 (see FIG. 2) and stored in the secure storage unit 1 (see FIG. 2). As another example, it is stored in a recording medium (not shown) via a media interface (not shown), and finally transmitted to the user device UD via the media interface, and stored in the secure storage unit 1.

Here, in the present embodiment, as a tool, for example, the ID signature technique proposed by Paterson can be suitably used. This technology is, for example,
1098754698515_0
From this, you can get a paper with the details. This ID signature technology creates a digital signature that passes verification using arbitrary data (Identity, ID) such as the name and email address of the user U as a public key (verification key), and a technology for verifying this It is.

  When this ID signature technology is used, the center apparatus C performs the following setup only once when the system is started up.

(1) digit number defines the additive group G ₁ and the multiplicative group G ₂ are each prime q. Here, G ₁ is generally a subgroup of groups formed by points on an elliptic curve on a finite field.

(2) e: A bilinear map (bilinear map) e consisting of G ₁ × G ₁ → G ₂ is determined. Here, bilinear map e is 1) bilinear: for any P, QεG ₁ and any a, bεZ, e (aP, bQ) = e (P, Q) ^ab holds 2) Non-degenerate (non-degenerate): If P is a generator of G ₁ , e (P, P) is a generator of G ₂ 3) Computable: There is an efficient algorithm for calculating e (P, Q) for any P, QεG ₁ , which satisfies the above conditions 1) to 3) ( For details, see the paper by Boneh below).

(3) An arbitrary generation source P of G ₁ is determined. (4) A random value sεZ ^* q is determined as a system master key. (5) Define Ppub = sP. (6) Three hash functions H ₁ : {0,1} ^* → G ₁ , H ₂ : {0,1} ^* → Zq, H ₃ : G ₁ → Zq are determined. (6) public information _{systems q, G 1, G 2,} e, P, Ppub, target _{H 1, H 2, H 3} . Here, “open” means giving to a user device UD, a receiver, or the like, which is a component of the system.

  The key generation method will be described below with reference to FIG. FIG. 3 is a flowchart showing an example of the procedure of the method.

  The center apparatus C (see FIG. 1) generates a “secret key” corresponding to the case where this is a “public key” from the biometric information of the user U, and gives it to the user U.

  First, the user U inputs the biometric information of the user U via an input device (not shown) provided in the center device C. As “biological information”, fingerprints, palm prints, handprints, veins on the back of the hand, blood flow in the subcutaneous blood vessels of the fingers, irises, faces, voice, etc. can be adopted as the “biological information”. A handwriting, a keystroke, etc. can also be mentioned and it is not specifically limited narrowly (this point is the same in all embodiments).

  Since the biometric information input from the input device of the center device C is analog data, the center device C digitizes and encodes it, and converts it into, for example, JPEG image data. The biometric information of the user U digitized in this way can be made to function as biometric information for verification used in the verification process, and is represented by the symbol “Bu” below.

Next, the center device C generates the “secret key” of the user U when the digitized biometric information Bu is used as a public key. Qu = H ₁ (Bu) Du = sQu is calculated, and Du at this time becomes the “secret key” of user U. This “secret key” is used when the user U encrypts the message.

  As described above, the center apparatus C transmits the digitized biometric information Bu and the secret key Du to the user device UD via the communication interface or stores them in the recording medium via the media interface. To do. Finally, the digitized “biological information Bu” and “secret key Du” are stored in the user device UD.

  Next, an “authentication protocol” for verification processing in the verifier V will be described with reference to FIGS. The verification process in the verifier V includes verification of the existence of the user U (whether a user corresponding to the biological information is really present) and validity of the user device (really the biological body of the user). It is a process of performing verification (device authentication) on whether or not a secret key corresponding to information is obtained.

  FIG. 4 is a diagram showing an overall flow in the user U, the user device UD, and the verifier V regarding the verification process of the verifier V, FIG. 5 is a flowchart of the user device UD, and FIG. 6 is a flowchart of the verifier V. It is.

First, the digitized biometric information Bu of the user U created by the center apparatus C and the random number RuεZq created by the user device UD are sent from the user device UD to the verifier V (reference F in FIG. 4). ₁ ).

Then, the user U input device verifier V, its own biometric information at the time (in FIG. 4 is referred to as "challenge data".) To enter into a new (see F ₂ in FIG. 4). The verifier V digitizes this challenge data in the same manner as the center device C described above.

Then, the verifier V is a the digitized challenge data, and the biometric information Bu for matching digitized that have been previously transmitted from the user device UD (see F _1), but a predetermined It is verified whether or not they match within the error range (see “Biometric Information Verification” in FIG. 4).

Then, the result of the verification, if the match, the random number Rv∈Zq the verifier V is created, and transmits to the user device UD (see F ₃ in FIG. 4).

Upon receiving the random number Rv from the verifier V, the user device UD creates a message M from the random numbers Ru and Rv (see FIG. 4). Note that the message M may be created by, for example, M = H ₂ (Ru || Rv) (Ru || Rv represents a connection between Ru and Rv).

  Next, the user device UD generates a “digital signature” for the message M according to the following methods (1) to (3).

(1) Choose a random kεZ ^* q.

(2) R = k · P, S = k ⁻¹ (H ₂ (M) · P + H ₃ (R) · Du) is calculated. Here, k ⁻¹ is an inverse element of k in Zq.

  (3) As a digital signature Y, a set of R and S, that is, Y = <R, S> is output.

Then, the user device UD transmits the digital signature Y to verifier V (see _{F 4} in FIG. 4).

  Next, when the verifier V newly receives the digital signature y = <r, s>, the verifier V verifies the validity of the digital signature y using the digital biometric information Bu already held (in FIG. 4). (See “Signature Verification”). A specific method of this signature verification is as follows.

  (A) A message M is created from Ru and Rv in the same manner as the user device UD.

(B) Calculate C ₁ = e (r, s).

(C) C ₂ = e (P, P) ^{H2 (M)} · e (Ppub, Qu) ^{H3 (r)} is calculated.

However, Qu = H ₁ (Bu).

(D) If C ₁ and C ₂ match, it is determined that this user device UD is valid.

  As described above, the verifier V verifies the validity of the received digital signature y to determine the validity of the user device UD. If the verifier V determines that the user device UD is valid, the verifier V performs subsequent processing based on the result. I do. In the subsequent processing, for example, a communication session is started with the user device UD. If it is determined that the communication session is not valid, the communication session is not started.

  In the above embodiment, it has been assumed that the ID signature technology proposed by Paterson is used. However, the ID signature technology is not limited to this, for example, “proceedings of The Workshop on Selected” published by Springer-Verlag. Several schemes, including the scheme described in the paper `` Efficient Identity based Signature Schemes based on Pairings '' by Hess in `` Areas in Cryptopraphy (SAC) 2002, Lecture Notes in Computer Science, Vol. 2595, 2002 '' Has been proposed, it is free to use in the present invention. This is the same in the embodiments described below.

  (Second Embodiment).

  Next, the configuration of the “second embodiment” of the present invention will be described with reference to FIGS.

  The first embodiment described above relates to processing for determining the legitimacy of the user device UD using the digitized biological information (Bu), that is, device authentication (device authentication). In contrast, this second embodiment uses digitalized biological information (Bu) to determine the validity of a “digital signature” sent in response to a message from the user U. That is, it relates to message authentication.

  7 is a conceptual diagram of a system configuration according to the present embodiment, FIG. 8 is a diagram showing an overall flow in the user U, the user device UD, and the receiver W regarding the verification processing of the receiver W, and FIG. 9 is a user device UD. FIG. 10 is a flowchart of the receiver W.

  In the second embodiment, first, as shown in FIG. 7, a user device UD (for example, a computer terminal, a portable terminal, an IC card, etc.) owned by the user U and a “digital signature” from the user U And a center device C that manages the entire system.

  Note that the configurations of the user device UD and the center apparatus C are as shown in FIG. 2 described above, and the configuration of the receiver W is the same as this, and therefore a detailed description of these configurations is omitted here. .

  Also, a method of creating biometric information Bu obtained by digitizing analog biometric information input from an input device (not shown) of the center apparatus C, and the secret of the user U when the biometric information Bu is a “public key”. The key generation method is also the same as in the above embodiment (especially, see FIG. 3). The center device C transmits the generated biometric information Bu and secret key Du to the user device UD via the communication interface 7 or to a predetermined recording medium via a media interface (not shown). Store. Ultimately, the “biological information Bu” and the “secret key Du” are stored in the user device UD.

  A process in which the user U who has obtained a “secret key” for encrypting a plaintext message generates a digital signature for the message M and transmits it to the regiever W from the user device UD will be described below.

First, to the receiver W from the user device UD, sends a digital biometric information Bu user U to center device C has created (see reference numeral F ₅ in FIG. 8).

Next, the user U newly inputs his / her biological information (corresponding to “challenge data” in FIG. 8) to the input device of the receiver V (see F _{6 in} FIG. 4). The receiver W digitizes the challenge data (that is, newly input biological information) in the same manner as the center device C described above.

Then, the receiver W includes the digitized challenge data, and is previously transmitted from the user device UD (see F _5), biometric information for matching stored digitized Bu, but predetermined It is verified whether or not they match within the range of the error (see “Biometric information verification” in FIG. 8).

  Next, if they match as a result of the verification, the user device UD creates the digital signature Y for the message M by the same method as (1) to (3) in the case of the first embodiment described above. . On the other hand, if they do not match, the subsequent processing ends.

Then, the user device UD, the message M and the digital signature Y, and transmits to the receiver W (see _{F 7} in FIG. 4).

  Subsequently, when a new digital signature y = <r, s> is received, the receiver W verifies the validity of the digital signature y using the biometric information Bu for verification already held (FIG. 8). (See "Signature verification" in the middle). A specific method of signature verification is performed as follows.

(I) Calculate C ₁ = e (r, s).

(II) C ₂ = e (P, P) ^{H2 (M)} · e (Ppub, Qu) ^{H3 (r)} is calculated.

However, Qu = H ₁ (Bu).

(III) If C ₁ and C ₂ match, it is determined that the digital signature y is a valid digital signature Y for the message M by the user U. On the other hand, if they do not match, it is determined that the digital signature is not valid.

  As described above, the receiver W verifies the validity of the received digital signature y, and if it is determined to be valid, the receiver W performs subsequent processing based on the message M based on the result. The subsequent processing starts, for example, a communication session related to the authenticated message M with the user device UD. If it is determined that it is not valid, such an authenticated communication session is not started.

  In the communication session related to the message M, for example, in the case where the message M is a transmission request for a certain content, the receiver W receives the requested content only when the digital signature y sent to the receiver W is valid. Send to device UD.

  (Third embodiment).

  In the third embodiment, after authenticating the user U using the biometric information, the biometric information is encrypted as it is as the “public key” of the user U, and communication is performed. The existence of the user U who is a valid recipient.

  Currently, when a key for encryption is shared between a sender and a receiver, a “public key cryptosystem” is often used. Since the “secret key” in this public key cryptosystem is at least several hundred bits in size, it is difficult for the user U to store it. Moreover, since it is necessary to keep this securely, the secret key is normally stored in the user device UD owned by the user U.

  In general, a server that provides information transmits a message encrypted using a key for encrypting the message to the user device UD, and the user device UD decrypts and provides it to the user U. However, for example, when the user device UD is stolen and the user device UD is used even when the valid user U is absent, a message that should have been originally provided to the valid user U is transferred to a third party. It will cross over.

  If a legitimate user U does not activate using a personal identification number, there may be a countermeasure to prevent the user device UD from operating. In this case, however, the personal identification number is exposed or the activation mechanism is altered. Then, even if a legitimate user is absent, the user device operates and provides a message to a third party.

  Therefore, in the third embodiment, when the server transmits a message to the user U, the biological information of the user U is first used to confirm that the user U exists, and then the biological information is transmitted. Is used as the “public key” of the user U to encrypt the message and send it to the user device UD. The user device UD stores the biometric information of the user U (which becomes a “public key”) and a “secret key” corresponding to the user U. The user device UD and the user U receive a message only when both are present. It is devised so that it can be obtained. This will be specifically described below with reference to FIG.

  First, as shown in FIG. 11, the system according to the third embodiment includes a server S that transmits a message to a user device UD owned by a user U, and a terminal T that serves as an interface between the user device UD and the server S. And a center device C (not shown in FIG. 11) for managing the entire system, not shown.

  The basic configuration of the user device UD, terminal T, server S, and center apparatus C is the same as the configuration shown in FIG. 2 used in the description of the first embodiment.

  In the terminal T composed of a large computer or the like, the secure storage unit 1 (see FIG. 2) is not necessarily required. As an example, when the terminal T performs secure communication with the server S, the secure storage unit 1 stores the secret key of the terminal T or the common key of the server S and the terminal T. Note that these secret keys and common keys are general and are not essential parts of the present invention.

  Even in the server S, the secure storage unit 1 (see FIG. 2) is not necessarily required. As an example, when the server S performs secure communication with the terminal T, the secure storage unit 1 stores the secret key of the server S or the common key of the server S and the terminal T. Note that. These secret keys and common keys are general. The communication interface of the server S includes an interface for communication with the terminal T.

  Here, the tools that can be used in the present embodiment are not particularly limited. For example, the ID-based signature technique proposed by Boneh and Franklin can be suitably used.

This technology manages Boneh
1098754698515_1
From this, you can get a paper with the details. This ID-based signature technique is a technique that enables encrypted communication to the user U using any data (Identity, ID) such as the name and mail address of the user U as a public key (verification key).

  When this ID-based signature technique is used, the center apparatus C performs the following setup only once when the system is started up.

(1) digit number defines the additive group G ₁ and the multiplicative group G ₂ are each prime q. Here, G ₁ is generally a subgroup of groups formed by points on an elliptic curve on a finite field.

(2) e: A bilinear map (bilinear map) e consisting of G ₁ × G ₁ → G ₂ is determined. Here, bilinear map e is 1) bilinear: for any P, QεG ₁ and any a, bεZ, e (aP, bQ) = e (P, Q) ^ab holds 2) Non-degenerate (non-degenerate): If P is a generator of G ₁ , e (P, P) is a generator of G ₂ 3) Computable: There is an efficient algorithm for calculating e (P, Q) for any P, QεG ₁ , which satisfies the above conditions 1) to 3) ( For details, see the paper above).

(3) An arbitrary generation source P of G ₁ is determined. (4) A random value sεZ ^* q is determined as a system master key. (5) Define Ppub = sP. (6) Two hash functions H ₁ : {0,1} ^* → G ₁ and H ₂ : G ₂ → {0,1} ⁿ are determined. Here, n is a predetermined length of the ciphertext, and is set to n = 128 or n = 160, for example. (6) System public information covers q, G ₁ , G ₂ , e, n, P, Ppub, H ₁ , H ₂ . Here, “public” means giving to the user device UD, terminal T, server S, and the like, which are components of the system.

  Here, the generation of the user key is performed by the center apparatus C (not shown in FIG. 11), and the specific method is the same as in the case of the first embodiment described above. (See FIG. 3 in particular).

  Here, processing examples (processing examples 1 to 3) for the server S to transmit a message to the user U who has obtained the “secret key” will be described below. In the following example, it is assumed that a secure communication channel is established between the server S and the terminal T using, for example, an existing public key encryption technique.

  First, “Processing Example 1” related to message transmission shown in FIG. 12 will be described.

In the processing example 1, first, with respect to Example user device UD Terminal T, sends the biometric information Bu user U to center device C is made (see F ₈ in FIG. 12).

Next, the user U inputs his / her biometric information (corresponding to “challenge data” in FIG. 12) at that time to an input device (not shown) of the terminal T (F _{9 in} FIG. 12). reference). The terminal T digitizes this challenge data in the same manner as the center apparatus C, and verifies whether or not the Bu previously acquired from the user device UD matches within a predetermined error range ( Biometric information verification). If they do not match, the subsequent processing is terminated.

If you have above verification do not match, the terminal T is to the server S, send a notification to the effect that the verification was successful (authenticated notification) (see F ₈ in FIG. 12).

In contrast, the server S, to the terminal T, to send a message M of the user U addressed (see _{F 11} in FIG. 12). Note that communication between the server S and the terminal T is transmitted safely.

  As an example, when the user device UD sends Bu to the terminal T, the identification information IDu of the user U may also be sent, and the terminal T may send this IDu to the server S.

  Here, when the center device C creates the “secret key” of the user U and sends it to the user device UD, the center device C generates the identification information IDu of the user U, and sends both Bu and IDu to the user device UD. It shall be stored. As a result, the server S can take a history such as the message M sent to the user U in the past.

The identification information IDu may be used by the center device C at random, for example, by selecting a value of 128 bits or 160 bits for the user U, or a hash function h: {0,1} ^* → {0,1} ⁿ may be used to generate IDu = h (Bu). Here, n is a predetermined arbitrary length, for example, n = 128 or n = 160 is used.

  When IDu = h (Bu) is set using the hash function, the user device UD does not need to send the identification information IDu of the user U to the terminal T, and sends only the biological information Bu, and the terminal T receives IDu. Can also be made.

Since the biometric information Bu is information unique to the user U, it may be used as it is as the identification information IDu. However, the biometric information Bu is, for example, image data such as JPEG and may have a large size. For this reason, it is preferable to use the identification information IDu in terms of increasing efficiency. Further, instead of the hash function h, H ₁ may be used so that IDu = H ₁ (Bu) = Qu.

Terminal T, once received the message M from the server S (see F ₁₁ in FIG. 12), using the biometric information Bu as a public key to encrypt the message M (see FIG. 12).

  Here, the message M itself may be encrypted by using the ID-based signature technology described below, and if the message M has a size of, for example, several tens of bytes, the message M itself may be AES or the like. The encryption may be performed using a common key encryption algorithm, and the temporary key used for the encryption may be encrypted using a technique described below.

  In the following description, a message encrypted using the ID-based signature technique (that is, a message to the user U or a temporary key) is M.

i) Find Qu = H ₁ (Bu).

ii) Choose a random value rεZ ^* 2q.

iii) U = rP, V = M (XOR) H ₂ (gu ^r ) is calculated (XOR: Exclusive Or).
Here, gu = e (Qu, Ppub).

  iV) A set of U and V, that is, C = <U, V> is output as the encrypted message C.

Terminal T transmits the encrypted message C to the user device UD (see _{F 12} in FIG. 12). When M is a temporary key, an encrypted message m obtained by encrypting the message M from the server S is also transmitted.

Subsequently, when the user device UD receives the ciphertext C ′ = <U ′, V ′> of the ID-based signature technology, the user device UD uses the stored secret key Du to obtain V ′ (XOR) H ₂ (e ( A message M is obtained by performing a decoding process based on the equation Du, U ′)) = M.

If M is the message itself sent from the server S, the message M can be obtained by this, and if it is a temporary key, the encrypted message can be decrypted by using it to obtain a plaintext message. Obtainable. The message M from the server S in this manner was obtained, for example, by displaying on the display device 3 (see FIG. 2), the user device UD provides to the user U (see F ₁₃ in FIG. 12).

  Next, another processing example of message transmission (processing example 2) will be described with reference to FIG.

In this processing example 2, the server S performs authentication of the user U using the biological information and message encryption. First, the user device UD sends a biometric information Bu to the terminal T (refer to _{F 14} in FIG. 13), the terminal T sends it to the server S (see _{F 15} in FIG. 13).

Then, the user U is a terminal T, inputs the biometric information as challenge data (see F ₁₆ in FIG. 13), the terminal T sends it to the server S and digitizes (F ₁₇ in FIG. 13 reference).

  The server S verifies that the digitized challenge data and the digitized biometric information Bu sent in advance coincide with each other within a predetermined error range (biometric information verification). If they do not match, the process ends.

If they match, the digitized biometric information Bu as "public key" to encrypt a message in the manner described above, and transmits the encrypted message C to the terminal T (refer to F ₁₈ in FIG. 13).

Terminal T is sent to the user device UD After receiving this encrypted message C (see _{F 19} in FIG. 13).

User device UD, using the private key of the user U that has already been stored, decrypts the ciphertext with above-described method, provides a plain text message M to user U (see F ₂₀ in FIG. 13).

  If this message transmission processing example is used, the communication path between the server S and the terminal T may not be established, and the cost for ensuring safety can be reduced.

  As a modification of the processing example 2, the user device UD includes a biometric information input device, and before the digitized biometric information Bu is transmitted to the terminal T or before the plaintext message is provided to the user U. Alternatively, the biometric information of the user U is input before both, and the digital information only when the input information matches the digitized biometric information Bu stored in the terminal T with a certain error. The biometric information Bu may be transmitted or a plain text message may be provided. Thus, the safety is further improved by introducing biometric information verification in the user device UD.

  In the above description, a message is presented from the server S to the user U. However, the message is not limited to a communication message in a normal sense, and various messages such as e-mail and software for movies, music, news, etc. Content may be included. This point is common to all the embodiments.

Furthermore, in the above description, the sender of the message is called by the name of the server S, but it is not necessarily a large-scale content server. For example, as in “processing example 3” shown in FIG. 14, a personal computer used by a general user U operates as a combination of the terminal T and the server S, and is based on the digitized biometric information Bu of the user U. After performing verification (biometric information verification), the message may be encrypted. The flow of this processing example 3 is shown by F _{18 to} F ₂₁ in FIG.

  FIG. 15 shows the processing flow of the user device UD in time series. The processing flow of the user device UD is common to the above-described processing examples 1 to 3.

  FIG. 16 shows the processing flow of the terminal T in the above processing example 1 (see FIG. 12) in time series. FIG. 17 shows the processing flow of the server S in the processing example 1 in time series.

  FIG. 18 shows the processing flow of the terminal T in the above processing example 2 (see FIG. 13) in time series. FIG. 19 shows the processing flow of the server S in the processing example 2 in time series.

  FIG. 20 shows the processing flow of the user device UD in “Modification of Processing Example 2” described above in time series. As can be seen from FIG. 20, in this processing flow, before the digitized biometric information Bu is transmitted to the terminal T, biometric information verification (refer to biometric information verification 1 in FIG. 20) is performed to proceed to the subsequent processing. To decide. Or before providing a plaintext message to the user U, it is the structure which performs biometric information verification (refer biometric information verification 2 of FIG. 20), and determines whether it progresses to a subsequent process. Note that both verification 1 and verification 2 may be performed.

  FIG. 21 shows the processing flow of the terminal / server in the above processing example 3 (see FIG. 14) in time series.

  The present invention can be used as a highly secure key encryption communication technique. In particular, it can be suitably used when authenticating the authenticity between communication devices or authenticating the authenticity of a user.

It is a figure showing the basic composition of the system concerning the present invention. It is a figure which shows the structure of a user device (UD), a verifier (V), and a center apparatus (C) used by this invention. It is a flowchart which shows the example of a procedure of the method of the key generation in this invention. It is a figure showing the whole flow in the user U, the user device UD, and the verifier V regarding the verification process of verifier (V). It is a flowchart of the user device (UD) in 1st Embodiment. It is a flowchart of verifier (V) in 1st Embodiment. It is a basic conceptual diagram of the system configuration concerning a 2nd embodiment. It is a figure showing the whole flow in a user (U), a user device (UD), and a receiver (W) regarding the verification process of a receiver (W). It is a flow figure of a user device (UD) in a 2nd embodiment. It is a flowchart of the receiver (W) in 2nd Embodiment. It is a basic conceptual diagram of the system configuration concerning a 3rd embodiment. It is a figure which shows the method of the "processing example 1" which concerns on message transmission. It is a figure which shows the method of the "processing example 2" of message transmission. It is a figure which shows the method of the "processing example 3" of message transmission. It is a figure which shows the processing flow of the user device (UD) all common to the process examples 1-3 in time series. It is a figure which shows the process flow of the terminal T in the process example 1 shown in FIG. 12 in time series. It is a figure which shows the process flow of the server S in the process example 1 in time series. It is a figure which shows the processing flow of the terminal T in the process example 2 shown in FIG. 13 in time series. It is a figure which shows the processing flow of the server S in the process example 2 in time series. It is a figure which shows the processing flow of the user device (UD) in "the modification of the processing example 2" in time series. It is a figure which shows the processing flow of the terminal and server in the process example 3 shown in FIG. 14 in time series.

Explanation of symbols

Bu Digital biometric information C Center device N Communication network such as Internet S Server T Terminal U User UD User device

Claims (10)

A method of creating an encrypted message using a key and transmitting the encrypted message via a communication network,
A biometric information creation procedure for collation that digitizes user biometric information and stores this in advance in a predetermined device as biometric information for collation,
A biometric information verification procedure for digitizing biometric information newly input or transmitted and comparing and verifying with the verification information;
A communication method for performing at least communication processing.   2. The communication method according to claim 1, wherein the device is a device selected from any one of a user device, a verifier, a receiver, a server, and a terminal.   The communication method according to claim 1, wherein authenticity of the device related to communication is authenticated by the biometric information verification procedure.   The communication method according to claim 1, wherein the authenticity of the digital signature sent in response to the message is verified by the biometric information verification procedure.   The communication method according to claim 1, wherein authenticity of a user who is a message recipient is authenticated by the biometric information verification procedure. The communication method according to claim 1, wherein the key is a secret key corresponding to a case where the biometric information of the user is used as a public key. At least a user device of a message recipient, a relay processing device that relays the message communicated via a communication network, and / or a server that distributes the message,
The verification processing biometric information obtained by digitizing the user biometric information is held by the relay processing device or the server, and the comparison verification between the biometric information newly entered in the communication network and the verification biometric information is performed. A communication system that performs processing in the relay processing device or the server. The communication system according to claim 7, wherein the relay processing device is one device selected from a verifier, a terminal, and a receiver. An apparatus for creating an encrypted message using a key and intervening in the process of transmitting the encrypted message via a communication network,
Biometric information that holds biometric information for verification obtained by digitizing biometric information of a user and includes at least comparison verification processing means between the biometric information newly entered in the communication network and the biometric information for verification Verification device. The biometric information verification apparatus according to claim 9, wherein the biometric information digitized by a user is used to create the key.