1. Field of the Invention
The present invention relates to a communication method using encryption, and more particularly to a method and network by which a group of communicating entities (subjects of communication such as an apparatus, software, a person, or a collection thereof) shares an encryption key intrinsic to that group prior to the communication.
2. Related Background Art
In communications using encryption, the security of the communication contents relies significantly on the encryption key being known only to the entities that will become the sender and the receiver, and to no other entity. A safer and more efficient encryption key sharing method is therefore desired.
The encryption key sharing method has been described in detail in the documents as listed below:
R. Blom, "Non-public key distribution", CRYPTO '82, 1982.
S. Tujii, T. Ito and K. Kurosawa, "ID-based cryptosystem using discrete logarithm problem", Elect. Lett., Vol. 23, No. 24, 1987.11.
Conventionally, encryption key sharing methods are broadly classified into the following four categories, whose features are presented below.
The first encryption key sharing method is one in which each entity shares an encryption key with every anticipated communication partner by making individual arrangements, either through communication protected by other encryption or by physical means. The first method offers higher security, but is laborious when there are a great number of anticipated communication partners. Since it is difficult to arrange keys with indefinitely many unknown partners, the first method is unsuitable for encrypted communication with such partners.
The second encryption key sharing method is one in which each entity creates public information based on its own secret information and registers this public information in a public file, which can be freely read but is strictly managed for writing and deleting; when communicating, the entity calculates the encryption key to be shared from its own secret information and the partner's public information. The second method allows an encryption key to be shared with any entity by referring to the public file as necessary at the time of communication, and is therefore usable for encrypted communication with indefinitely many partners, but it requires a management system for the public file or the corresponding public information. Further, in a large-scale network, looking up the partner's public information may be laborious for each entity.
The third encryption key sharing method is one in which the entities exchange values generated from secretly chosen random numbers, using public information intrinsic to the communication path, and calculate the encryption key to be shared from them. The third method allows an encryption key to be shared with any entity simply by exchanging the random number information. However, a preliminary communication for exchanging the random numbers must be performed prior to the encrypted communication, and during it the communication partner cannot be confirmed. Therefore so-called "impersonation", an attempt to gain approval by pretending to be another person, may occur.
The fourth encryption key sharing method is one in which the center accepts an identifier (ID) of each entity, such as a name or a telephone number, generates a secret key corresponding to that ID using a secret algorithm intrinsic to the center, and sends it to the entity; each entity then calculates the encryption key to be shared from its own secret key and the communication partner's ID. This method is called an ID-based key sharing method, and allows the communication partner to be confirmed. It is further subdivided into methods that require preliminary communication prior to the encrypted communication and methods that do not. A method requiring preliminary communication cannot be used for applications such as electronic mail, in which only the encrypted communication text is sent, whereas a method not requiring preliminary communication can be used for such applications and therefore has a wider range of uses.
The key sharing method not requiring preliminary communication is expected to come into use in the future, and has the following features.
First, as preparation, the center determines a secret algorithm $g(i, j)$ (where $i$ and $j$ are IDs and $g$ is assumed to be symmetric in them, i.e. $g(i, j) = g(j, i)$), and delivers to each entity $g_i(j)$, which is $g$ with $i$ fixed. When entities A and B wish to share a key, A enters the ID of B into its own algorithm to obtain a common key $k_{AB}$:

$$k_{AB} = g_A(B)$$

Likewise, B enters the ID of A into its own algorithm to obtain the same common key $k_{AB}$:

$$k_{AB} = g_B(A)$$
However, the ID-based key sharing method not requiring preliminary communication described above has the problems stated below.
There is a possibility that the algorithm $g(i, j)$, which is a secret of the center, may be broken by the collusion of a plurality of entities each holding $g_i(j)$.
Also, since the safety relies on mathematical characteristics of the system such as the computational complexity or the rank of the matrix used, it is difficult to extend the safety or the system.
Further, if only one center is provided, an attack on security from the center itself cannot be prevented, because the center has a grasp of all the secrets. This will be further detailed below.
In the conventional example, it is supposed that the center is reliable, or that a plurality of centers which are not in collusion are provided. At present, however, there is no public institution or system for the key sharing method, so the center may well be the company that manufactured the key sharing method, or a firm that markets it under permission from the manufacturer. In such situations, it is not ensured that the center is reliable, nor that there are a plurality of centers which are not in collusion with one another. Accordingly, from this aspect, none of the conventional key sharing methods without preliminary communication is safe, and no method that is safe in practice has been proposed.
Also, the conventional key sharing methods without preliminary communication have the following problem associated with collusion, even when the center is reliable. For example, suppose that the same key sharing method is adopted by A firm and B firm, and is shared among a number of personnel in each of those firms. Suppose further that the A firm knows that the B firm also adopts the same key sharing method, but the B firm does not know which other firms adopt it. If the A firm has the number of personnel necessary for collusion, the secret of the center is exposed by collusion within the A firm alone, and the secret of the B firm is exposed with it. As a result, the B firm suffers damage such as wiretapping or tampering, but cannot tell who the offender is. Although this situation can be resolved by providing separate secret algorithms for the A firm and the B firm, secret communication between the A and B firms is then not assured.
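The key agreement k_AB = g_A(B) = g_B(A) and the collusion problem described above can be seen in a small added example, which is not part of the original document. It assumes g(i, j) is a symmetric bivariate polynomial of degree t over a prime field, in the style of the cited Blom paper; the text itself does not fix a form for g, and the modulus, numeric IDs and function names are constructed for illustration.

```python
import secrets

P = 2**61 - 1  # prime field modulus (constructed parameter)

def make_center(t, rng=None):
    """Center's secret g(i, j): a symmetric (t+1)x(t+1) coefficient matrix,
    so that g(i, j) = sum c[a][b] * i^a * j^b equals g(j, i)."""
    rng = rng or secrets.SystemRandom()
    c = [[0] * (t + 1) for _ in range(t + 1)]
    for a in range(t + 1):
        for b in range(a, t + 1):
            c[a][b] = c[b][a] = rng.randrange(P)
    return c

def issue(c, i):
    """g_i(.): g with its first argument fixed to ID i, as coefficients in j."""
    n = len(c)
    return [sum(c[a][b] * pow(i, a, P) for a in range(n)) % P for b in range(n)]

def shared_key(g_i, j):
    """An entity evaluates its own g_i at the partner's ID j."""
    return sum(coef * pow(j, b, P) for b, coef in enumerate(g_i)) % P

def pooled_key(shares, x, y):
    """What holders of `shares` ({id: g_id}) can compute for outsiders x, y:
    each evaluates g_id(y) = g(id, y); Lagrange interpolation in the first
    argument then gives a value at x. It equals g(x, y) once len(shares) > t."""
    pts = [(i, shared_key(g, y)) for i, g in shares.items()]
    total = 0
    for i, v in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + v * num * pow(den, -1, P)) % P
    return total

if __name__ == "__main__":
    t = 3                                   # collusion threshold chosen by the center
    c = make_center(t)
    A, B = 1001, 1002                       # constructed numeric IDs
    gA, gB = issue(c, A), issue(c, B)
    print("k_AB agrees:", shared_key(gA, B) == shared_key(gB, A))
    group = {i: issue(c, i) for i in range(2001, 2001 + t + 1)}
    print("t+1 pooled shares give k_AB:", pooled_key(group, A, B) == shared_key(gA, B))
    group.pop(2001)
    print("t pooled shares give k_AB:", pooled_key(group, A, B) == shared_key(gA, B))
```

In this polynomial instance the degree t is the only barrier between one group's pooled shares and every other pair's key, which is why a center sizing t must bound the largest group that could pool its g_i.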