Exclusive key sharing method

Cryptography – Key management – Key distribution

Reexamination Certificate

Details

C380S278000, C380S283000, C380S028000, C380S045000

active

06813357

ABSTRACT:

TECHNICAL FIELD
The present invention relates to a cryptographic key sharing method employed in a star communication system consisting of a base station and a plurality of terminals or a communication system consisting of only a system manager and a plurality of terminals and, more particularly, a key sharing method which is capable of safely distributing a common secret key to all terminals except terminals specified by the base station, and a key sharing method which is capable of safely distributing the common secret key only to particular terminals.
BACKGROUND ART
In the star communication system in which the base station manages a plurality of terminals, the case is discussed where the base station and a plurality of subsidiary terminals constitute a group and then the same group secret key is shared with the group members to broadcast the cipher communication. Information encrypted by using the group secret key can be decrypted only by the terminals which have the same secret key in the group.
Meanwhile, cases occur where particular terminals should be excluded from this group. For example, a certain terminal in the group may be stolen and then used for illegal practices such as eavesdropping on the cipher communication, transmitting false information, etc. At this time, the base station which manages this secret key must exclude the stolen terminal as soon as possible and update the group secret key, and only the remaining terminals must share a new secret key.
Also, it is sometimes necessary to construct another group newly. There are cases where an out-of-group terminal is entered into the group, where terminals which belong to different groups are combined into one group, etc. At this time, the base station must share a new group key as soon as possible with the terminals constituting the group.
FIG. 29 shows a key updating method to share the key data with terminals other than the terminals specified by the base station, according to the first example in the prior art. In FIG. 29, five terminals $T_1$ to $T_5$ hold inherent keys $k_1$ to $k_5$ respectively, and the base station manages the inherent keys of all terminals. At this time, the case where, for example, the base station excludes the terminal $T_1$ and distributes a new common secret key to other terminals $T_2$ to $T_5$ will be explained hereunder.
First, the base station generates the secret key K, encrypts this secret key K by using $k_2$ to $k_5$ as keys respectively, and distributes them to the terminals $T_2$ to $T_5$ respectively. Respective terminals except the excluded terminal $T_1$ decrypt the encrypted keys by using the inherent keys to obtain the secret key K. In FIG. 29, for example, $E_{k_2}(K)$ is the ciphertext which is obtained by encrypting K by using the inherent key $k_2$. Since data on this communication line are encrypted by the inherent keys of the terminals $T_2$ to $T_5$ respectively, the terminal $T_1$ cannot obtain the secret key K generated by the base station even if such terminal $T_1$ can intercept this communication data.
However, according to this method, in order to exclude one terminal from N terminals, normally the base station must perform the encryption (N−1) times and transmit (N−1) pieces of data. If the size of the group is increased, this operation becomes an extreme burden on the base station. In addition, the services such as the cipher communication, etc. in the group must be stopped until all stations have been updated. In this case, if the service suspending term which is required until distribution of data to (N−1) terminals has been finished is prolonged, a weighty problem arises.
FIG. 30 shows a key updating method, which is disclosed in Patent Application Publication (KOKOKU) Hei 5-46731, according to the second example in the prior art. In this second example in the prior art, the public key cryptosystem is employed. In FIG. 30, five terminals $T_1$ to $T_5$ hold intrinsic secret keys $(e_1, d_1)$ to $(e_5, d_5)$ respectively. Here, suppose that

$$e_i \cdot d_i \bmod (p-1) = 1 \quad (p \text{ is a prime number of the system publication})$$

can be satisfied in each secret key $(e_i, d_i)$. The base station 1 manages the public keys

$$p_1 = g^{e_1} \bmod p,\ \ldots,\ p_5 = g^{e_5} \bmod p$$

of all terminals. Where g is an integer of the system publication. To calculate the secret key $(e_i, d_i)$ of each terminal based on the public key $p_i$ of each terminal and information g, p of the system publication is difficult because it arrives at the discrete logarithm problem if the bit length is set long. Like the example 1 in the prior art, if the terminal $T_1$ should be excluded, first the base station generates a random number R and generates a key

$$K = g^{R} \bmod p$$

and thus calculates

$$Z_2 = p_2^{R} \bmod p,\ \ldots,\ Z_5 = p_5^{R} \bmod p$$

and then distributes them to $T_2$ to $T_5$ except the terminal $T_1$. The respective terminals i except the terminal $T_1$ obtain the updated keys K

$$K = Z_i^{d_i} \bmod p \quad \left(= (p_i^{R})^{d_i} \bmod p = ((g^{e_i})^{d_i})^{R} \bmod p = g^{R} \bmod p\right),$$

which are common to the base station, by using the received $Z_i$ and the secret key $d_i$.
However, according to the key sharing method in the prior art, in order to exclude one terminal from N terminals, the base station must perform the encryption (N−1) times and transmit (N−1) pieces of data. For example, consider the case where one terminal is excluded from 1000 terminals and then a new common secret key is shared with the remaining 999 terminals. At this time, in the first and second examples in the prior art, the encryption process must be carried out 999 times and also 999 ciphertexts must be transmitted. At any rate, these operations put a heavy burden onto the base station side.
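The second prior-art scheme described above, as an added Python example that is not code from the patent: it shows that the base station produces one $Z_i$ per remaining terminal (N−1 in total) and that each terminal recovers K with one modular exponentiation. The parameters p = 2^127 − 1 and g = 3, the terminal labels, and all function names are assumptions chosen for a small demonstration.

```python
import secrets
from math import gcd

# Constructed demo parameters (assumptions, not from the patent):
# p is the Mersenne prime 2^127 - 1 and g = 3 is the public base.
P = 2**127 - 1
G = 3

def make_terminal_key():
    """Pick (e, d) with e*d mod (p-1) = 1, the relation the scheme requires."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def base_station_update(public_keys, excluded):
    """Return K = g^R mod p and one Z_i = p_i^R mod p per remaining terminal."""
    R = secrets.randbelow(P - 3) + 2
    K = pow(G, R, P)
    messages = {tid: pow(p_i, R, P)
                for tid, p_i in public_keys.items() if tid not in excluded}
    return K, messages

def terminal_recover(Z_i, d_i):
    """Terminal side: K = Z_i^{d_i} mod p, one long modular exponentiation."""
    return pow(Z_i, d_i, P)

def demo(n=5, excluded=("T1",)):
    keys = {f"T{i}": make_terminal_key() for i in range(1, n + 1)}
    pubs = {tid: pow(G, e, P) for tid, (e, _) in keys.items()}
    K, msgs = base_station_update(pubs, set(excluded))
    recovered = {tid: terminal_recover(Z, keys[tid][1]) for tid, Z in msgs.items()}
    # The excluded terminal intercepts another terminal's Z_j and applies its
    # own d: the exponents e_j and d_1 do not cancel, so it does not obtain K.
    d_excluded = keys[excluded[0]][1]
    outsider = terminal_recover(next(iter(msgs.values())), d_excluded)
    return K, msgs, recovered, outsider

if __name__ == "__main__":
    K, msgs, recovered, outsider = demo()
    print("ciphertexts sent:", len(msgs))
    print("remaining terminals agree:", all(v == K for v in recovered.values()))
    print("excluded terminal recovers K:", outsider == K)
```

The recovery works because $g^{p-1} \bmod p = 1$, so the exponent $e_i d_i R$ reduces to $R$ modulo $p-1$.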
Further, normally the terminal does not have high computational capability since it must be implemented small in size at low cost. Such a terminal must update the key at high speed. In the second example in the prior art, the terminal must perform the power residue calculation of long bit length to obtain the key. Such calculation puts a considerable burden onto a terminal which does not have high computational capability, so that the processing time until the key sharing can be achieved becomes long.
The present invention has been made in light of such points and it is an object of the present invention to achieve a key sharing method of sharing distributed key information with other terminals and a key sharing method of sharing the distributed key information only with particular terminals and having following features.
(1) An amount of communication from the base station to the terminal is small. An amount of data transmission at the base station is small. The service suspending term required until all terminals complete the key sharing is short.
(2) The terminal whose computational capability is not high can achieve the key sharing at high speed. The process in the terminal can be reduced.
In addition, an object of the present invention is to overcome the above problems in the prior art, and to achieve a key sharing method which is secure against the faking attack and the tampering attack by adding a signature function without increase in the communication amount. Also, an object of the present invention is to achieve a key sharing method which is secure against the adaptive chosen ciphertext attack on the basis of the Cramer-Shoup cipher.
However, the following three problems exist in the above key sharing method.
(1) It is preferable that the secret information of the terminal should be updated periodically to improve the security. In this case, if the new secret information is distributed terminal by terminal, the amount of communication and the time needed until the update is completed are increased. In addition, normally the update of the public information is also needed when the secret information is updated. Thus, since the public book and the public information which are saved locally in the terminals are updated, an upda
