The present invention relates to a communication apparatus having communication means and authenticating a communication partner at the time of communication by using a digital certificate, a communication apparatus used for a communication partner, a communication system formed of a superordinate apparatus and a subordinate apparatus provided by such a communication apparatus, a certificate transmission method transmitting a digital certificate used for authentication in such a communicating apparatus or communication system, to a communication partner, an anomaly detection method detecting anomaly of authentication in such a communication apparatus or communication system, and a program for configuring a computer to function as the aforementioned communication apparatus.
Conventionally, it is practiced to construct various systems by connecting plural communication apparatuses each having the function of communication with each other via a network such that the communication apparatuses can communicate with each other across the network. One example of such a system is the electronic commerce system, in which the order of a product is transmitted from a computer such as a PC functioning as a client to a server connected to the Internet. Further, there is a proposal of the system in which various electronic apparatuses are connected with each other via a network by providing thereto the function of client or server, so that remote control of the electronic apparatuses becomes possible.
In such a system, it is important to confirm whether or not the partner of the communication is a valid or appropriate communication partner, and that the information transmitted from the communication partner has not been falsified. In the case of using the Internet, in which the information is passed to the communication partner by irrelevant computers, it is also necessary to protect the information, particularly classified information, from wiretapping.
In order to meet such a demand, communication protocols such as SSL (Secure Sockets Layer) have been proposed and are used extensively.
By using this protocol at the time of communication, authentication of the communication partner is achieved by combining the public key cryptosystem and the common key cryptosystem, and falsification or wiretapping is prevented as a result of encryption of the information. Further, the communication partner can also authenticate the apparatus that is transmitting the communication thereto.
With regard to the technology related to authentication that uses SSL or public key cryptosystem, reference should be made to Reference 1 and Reference 2 below.
Hereinafter, the communication procedure employed at the time of mutual authentication according to SSL will be explained particularly with regard to the part of the authentication processing.
FIG. 19 is a flowchart showing the processing executed at the time of mutual authentication between a communication apparatus A and a communication apparatus B according to SSL, together with the information used for the processing, wherein FIG. 19 shows the processing for each of the communication apparatus A and the communication apparatus B.
As shown in FIG. 19, it is necessary for the mutual authentication conducted according to SSL to store the root key certificate and also the private key and the public key certificate in each of the communication apparatuses.
Here, it should be noted that this private key is a key issued by a CA (certificate authority) for each of the apparatuses, while the public key certificate is a digital certificate issued by the CA for the public key corresponding to that private key together with a digital signature. Further, the root key certificate is a digital certificate issued by the CA with a digital signature for the root key corresponding to the root private key used by the CA for the digital signature.
FIGS. 20A and 20B show the relationship of the foregoing.
As shown in FIG. 20A, the public key A is formed of a key main part used for decrypting the documents encrypted by the private key A and bibliographic information that includes the information about the issuer (CA) of the public key, the term of validity of the public key, and the like.
In order to demonstrate that the key main part or the bibliographic information of the public key A is not falsified, the CA encrypts the hash value obtained by hash processing of the public key A by using the root private key and produces a digital signature, which is attached to the client public key. Further, the identification information of the root private key used for the digital signature is added to the bibliographic information of the public key A as the signature key information. This public key with the digital signature attached is used as the public key certificate A.
In the case of using the public key certificate A in the authentication processing, the digital signature included therein is decrypted by using the key main part of the root key, which is the public key corresponding to the root private key. Thus, when the decryption is carried out successfully, it means that the digital signature is duly attached by the CA. Further, in the case the hash value obtained by the hash processing of the part of the public key A agrees with the hash value obtained by the decryption, this means that there has been no damaging or falsification also in the key itself. Further, when the received data is successfully decrypted by using the public key A, this means that the data is duly transmitted from the owner of the private key A.
In order to carry out the authentication processing, it is necessary to store the root key in advance, wherein this root key is stored in the form of a root key certificate to which a digital signature is attached by the CA as shown in FIG. 20B. This root key certificate has the self-signature form, in which the digital signature can be decrypted by the public key contained in the certificate itself. Thus, in the case of using the root key, the digital signature is decrypted by using the key main part included in the root key certificate, and the decrypted digital signature is compared with the hash value obtained by the hash processing of the root key. When these two agree with each other, it is confirmed that the root key is not damaged.
Next, the flowchart of FIG. 19 will be explained, wherein it should be noted that the arrows connecting the two flowcharts represent transfer of data. Thereby, the transmission side carries out the transfer processing in the steps at the root part of the arrow, while the reception side carries out the processing steps at the head part of the arrow upon reception of that information.
In the event the processing of any of the steps has not completed successfully, there is produced a response indicative of failure of authentication and the processing is interrupted. The same applies also in the case the partner has returned the response of failed authentication or there occurs timeout in the processing.
In the explanation hereinafter, it is assumed that the communication apparatus A requests communication to the communication apparatus B.
In this case, the CPU of the communication apparatus A starts the processing of the flowchart shown at the left of FIG. 19 by executing a predetermined control program and transmits a connection request to the communication apparatus B in the step S11.
Upon reception of the connection request, the CPU of the communication apparatus B starts the processing of the flowchart at the right of FIG. 19 by executing a predetermined control program. Further, a first random number is created in the step S21 and the first random number thus created is encrypted by using the private key B.
Next, in the step S22, the first random number thus encrypted is transmitted to the communication apparatus A together with the public key certificate B.
In the side of the communication apparatus A, the step S12 is carried out upon reception of the same and the validity of the public key certificate B is examined by using the root key certificate.
Upon confirmation, the first random number is decrypted by using the public key B included in the public key certificate B thus received. When the decryption has been made successfully, it is confirmed that the first random number is the one duly received from the issue source of the public key certificate B.
Thereafter, in the step S14, a second random number and a seed of a common key are created separately from the step S13, wherein the seed of the common key can be created based on the data exchanged so far in the past communication.
Next, in the step S15, the second random number is encrypted by using the private key A, and the seed of the common key is encrypted by using the public key B. Further, in the step S16, these (encrypted second random number and the seed of common key) are transmitted to the server together with the public key certificate A. It should be noted that the encrypting of the seed of the common key is made in such a manner that the seed of the common key is not known to other apparatuses than the communication partner.
Next, in the step S17, a common key used thereafter for encryption of the communication is created from the seed of the common key, which has been created in the step S14.
In the side of the communication apparatus B, the validity of the public key certificate A is examined in the step S23 by using the root key certificate upon reception of the data transmitted from the communication apparatus A in the step S16.
Upon confirmation, the second random number is decrypted in the step S24 by using the public key A included in the received public key certificate A. When the decryption is made successfully, it is confirmed that the second random number is duly received from the issue source of the public key certificate A.
Thereafter, the seed of the common key is decrypted in the step S25 by using the private key B.
With this, the seed of the common key is shared between the communication apparatus A and the communication apparatus B. Thereby, it should be noted that no other apparatuses than the foregoing communication apparatus A, in which the seed is created, and the communication apparatus B having the private key B, can know this seed of the common key.
When the processing up to here has been successfully achieved, the communication apparatus B also creates, in the step S26, the common key to be used for encryption in the communication thereafter, from the seed of the common key thus decrypted.
Upon completion of the processing of the step S17 in the side of the communication apparatus A and the completion of the step S26 in the side of the communication apparatus B, confirmation is made with regard to the mutual success of authentication and with regard to the encryption process to be used in the communication thereafter. Thereby, agreement is made between the communication apparatuses A and B that the communication thereafter will be made by the foregoing encryption process while using the common key thus created. With this, the processing of authentication is completed. Here it is assumed that this confirmation includes also the response from the communication apparatus B indicating that the authentication is made successfully.
With this, communication is established between the communication apparatuses A and B, and it becomes possible to make encrypted communication of data thereafter, according to the common key cryptosystem while using the common key created in the step S17 or S26.
By carrying out such processing, it becomes possible for the communication apparatus A and the communication apparatus B to exchange the common key safely, and a safe route of communication is established.
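The certificate check of FIGS. 20A and 20B and the mutual authentication of FIG. 19, traced in code as an added example that is not part of the original text. It uses textbook RSA over fixed Mersenne primes (constructed, insecure toy keys); the function names, the check tag that makes "decrypted successfully" testable, and SHA-256 as the step from seed to common key are assumptions of the example.

```python
import hashlib, secrets

E = 65537            # public exponent shared by all toy keys (assumption)
TAG = 0xA5A5A5A5     # check tag so "decrypted successfully" is testable (assumption)

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (constructed, insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))      # (key main part n, private d)

def digest(info, n):
    """Hash over the bibliographic information and the key main part."""
    return int.from_bytes(hashlib.sha256(f"{info}|{n}".encode()).digest(), "big")

def issue(info, n, ca):
    """CA: encrypt the hash with the root private key to form the signature."""
    return {"info": info, "n": n, "sig": pow(digest(info, n), ca[1], ca[0])}

def valid(cert, root):
    """Decrypt the signature with the root key; compare with a fresh hash."""
    return pow(cert["sig"], E, root["n"]) == digest(cert["info"], cert["n"])

def seal(r, d, n):
    """Encrypt a tagged random number with a private key."""
    return pow(r << 32 | TAG, d, n)

def unseal(c, cert):
    """Decrypt with the certificate's public key; None if the tag is wrong."""
    m = pow(c, E, cert["n"])
    return m >> 32 if m & 0xFFFFFFFF == TAG else None

def handshake(root, cert_a, d_a, cert_b, d_b):
    """FIG. 19 steps; returns (common key at A, common key at B) or None."""
    enc_r1 = seal(secrets.randbits(96), d_b, cert_b["n"])            # B: S21
    ok_b = valid(root, root) and valid(cert_b, root)                 # A: S12
    if not ok_b or unseal(enc_r1, cert_b) is None:                   # A: S13
        return None
    seed = secrets.randbits(96)                                      # A: S14
    enc_r2 = seal(secrets.randbits(96), d_a, cert_a["n"])            # A: S15
    enc_seed = pow(seed, E, cert_b["n"])                             # A: S15
    key_a = hashlib.sha256(seed.to_bytes(12, "big")).digest()        # A: S17
    if not valid(cert_a, root) or unseal(enc_r2, cert_a) is None:    # B: S23-S24
        return None
    seed_b = pow(enc_seed, d_b, cert_b["n"])                         # B: S25
    return key_a, hashlib.sha256(seed_b.to_bytes(12, "big")).digest()  # B: S26

CA = keypair(521, 607)                       # root private/public key (constructed)
ROOT = issue("CA root", CA[0], CA)           # self-signed root key certificate
KEY_A, KEY_B = keypair(89, 127), keypair(107, 61)
CERT_A, CERT_B = issue("apparatus A", KEY_A[0], CA), issue("apparatus B", KEY_B[0], CA)
```

Changing any field of a certificate after issuance makes `valid` fail, so `handshake` returns `None` instead of a key pair.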
In the foregoing processing, it should be noted that it is not mandatory to encrypt the second random number by the private key A and transmit the public key certificate A to the communication apparatus B.
In this case, the steps S23 and S24 in the side of the communication apparatus B can be omitted and the processing becomes the one shown in FIG. 21.
Although such a process does not allow the communication apparatus B to authenticate the communication apparatus A, such a process will nevertheless be sufficient in the case authentication of the communication apparatus B by the communication apparatus A is sufficient. Further, in such a case, storing the root key certificate in the communication apparatus A is sufficient, and there is no need to store the private key A and the public key certificate A. Further, there is no need to store the root key certificate.
Meanwhile, in such authentication process, there can be two levels of authentication. The first level judges whether or not the apparatus of the communication partner is one that satisfies a predetermined standard. For example, judgment is made in the first level as to whether or not the apparatus of the communication partner is one supplied from the same vendor or whether or not the apparatus of the communication partner is one that has passed a predetermined test. The second level identifies the apparatus of the communication partner individually.
In the case of carrying out the first level authentication, a set of public key certificate and private key is stored in common in the apparatuses satisfying a predetermined standard, and authentication is carried out at the time of the SSL communication by confirming that the partner of the communication is duly an apparatus that is subject to the public key certificate. Thus, there is no need of exchanging the identification information (ID) pertinent to the apparatuses.
In the case of the second level authentication, it is possible to carry out the authentication by establishing a safe communication route by using the key similar to the one used in the case of the first level authentication and causing the partner of communication to transmit the ID for identification of the partner. Thereby, the authentication is achieved by using this ID.