1. Field of the Invention
The present invention relates to authentication and cryptography between equipment connected to each other.
2. Description of the Related Art
These days, image capturing using digital cameras has prevailed. This is because images captured by digital cameras do not deteriorate with time, can be stored and searched easily, and can be transmitted to remote places easily.
With the development of semiconductor processes, the capacity of memory cards for recording image data increases rapidly. Recently, even gigabyte-class memory cards have become popular, and one memory card can record much image data. On the other hand, much image data may leak at once from a lost or stolen memory card. Leakage of much image data poses a serious problem in terms of privacy protection.
As a measure against the leakage of image data, there is proposed a method of encrypting, within a digital camera, images captured by the digital camera, and recording the encrypted image data on a memory card. To make encryption effective, key information necessary for encryption must be managed securely. The following are conceivable methods of managing key information in a digital camera:
(1) a method of managing key information within a digital camera; and
(2) a method of inputting key information from outside a digital camera in encryption.
Method (1) will be called an “inner key method”, and method (2) will be called an “outer key method”.
(1) Inner Key Method
Inner key methods can be classified into two types, “common-key cryptographic model” and “public-key cryptographic model” in accordance with the classification of the cryptographic algorithm.
According to the inner key method of the common-key cryptographic model, only encrypting and decrypting sides hold a common key in secret. If this method assumes the use of encrypted image data by a personal computer (PC), a common key held in a digital camera in secret must be shared with the PC.
The inner key method of the public-key cryptographic model can make an encryption key (public key) and a decryption key (secret key) different from each other, and can lay the encryption key open to the public. The digital camera manages a public key necessary for encryption, and this management is very easy because of the features of the public-key cryptographic model. However, the public-key cryptographic model creates a much heavier processing load than the common-key cryptographic model. The processing ability of the digital camera is poor, and the processing load of the public-key cryptographic model poses a problem.
(2) Outer Key Method
Outer key methods can be classified into two types, “human model” and “device model” in accordance with the entity which manages key information.
According to the outer key method of the human model, the user inputs key information to a digital camera in encryption. To make encryption effective, random key information of at least a predetermined length (e.g., a personal identification number (PIN) of at least a predetermined length) is exploited. However, the digital camera has only a limited user interface including a dial and buttons. Thus, input of key information via the user interface of the digital camera has practical drawbacks.
According to the outer key method of the device model, a device which holds key information is mounted in a digital camera to load key information from the device in encryption. This method has resistance to the destruction attack and the like, like a smart card, and can employ devices with various features for managing key information, and with processing ability.
For example, there is a device called a MOPASS (mobile passport) card. The MOPASS card is an integrated card of a flash memory and smart card, and has the same physical shape as that of the flash memory. The MOPASS card can be used as a device with the same attack resistance as that of the smart card without providing a new physical interface to a digital camera. By using the device with such attack resistance, key information held in the device can be considered secure.
Device Authentication
In terms of a set of a digital camera and device, it is important whether the device mounted in the digital camera holds desired key information. One solution to this is device authentication (or partner authentication) based on the ISO/IEC9798 series. According to device authentication, when a device which holds key information is used by mounting it in a digital camera, the digital camera confirms whether the device is an authentic one holding desired key information, and the device confirms whether the digital camera should receive key information. That is, the digital camera and device authenticate each other.
It is considered that a digital camera is used without being connected to a network in many cases. Hence, authentication cannot utilize a third party. Mutual authentication methods using no third party among authentication methods based on the ISO/IEC9798 series are as follows.
Two-pass Authentication Method (ISO/IEC9798-2) Using Common-Key Cryptographic Model
Entities A and B share a secret key K. The entity A transmits message M (EK(M)) encrypted with the secret key K to the entity B. The entity B decrypts encrypted message EK(M), and verifies the likelihood of the message M to authenticate the entity A. The entity A authenticates the entity B by executing the same procedures inversely.
Three-Pass Authentication Method (ISO/IEC9798-2) Using Common-Key Cryptographic Model
Entities A and B share a secret key K. The entity A authenticates the entity B by the challenge-response method. The entity B generates a response using the secret key K and the common-key cryptographic model. The entity B authenticates the entity A by executing the same procedures inversely. When sending back a response from the entity B to the entity A, one pass can be deleted by adding a challenge.
Two-pass Authentication Method (ISO/IEC9798-3) Using Public-Key Cryptographic Model
An entity A transmits digital signature-added message M to an entity B. The entity B verifies the digital signature of the message M with the public key of the entity A to authenticate the entity A. The entity A authenticates the entity B by executing the same procedures inversely.
Three-Pass Authentication Method (ISO/IEC9798-3) Using Public-Key Cryptographic Model
This method is also based on the same challenge-response method as that of the three-pass authentication method (ISO/IEC9798-2) using the common-key cryptographic model except that a digital signature is used to generate a response.
Two-Pass Authentication Method (ISO/IEC9798-4) Using MAC
This authentication method is the same as the two-pass authentication method (ISO/IEC9798-2) using the common-key cryptographic model except that a MAC (Message Authentication Code) is generated instead of encrypted message EK(M).
Three-Pass Authentication Method (ISO/IEC9798-4) Using MAC
This authentication method is also based on the same challenge-response method as that of the three-pass authentication method (ISO/IEC9798-2) using the common-key cryptographic model except that the MAC is used to generate a response.
Problems of Digital Camera
The following problems remain unsolved in a method of encrypting an image within a digital camera by a simple combination of the outer key method of the device model with device authentication.
First, device authentication raises a problem. More specifically, authentication (mutual authentication) must be executed twice: a digital camera authenticates a device holding a key, and the device authenticates the digital camera. That is, both the digital camera and device must have the authentication function. As a result, the processing procedures and functional mounting may become redundant.
Second, a digital camera requires a function of receiving key information from the outside. Similar to the first problem, the processing procedures and functional mounting may become complicated.
Problems of Device Authentication
When simply combined with a conventional method, device authentication suffers the following problems.
The two-pass authentication method essentially cannot resist the replay attack. For example, in the two-pass authentication method (ISO/IEC9798-2) using the common-key cryptographic model, an attacker wiretaps a communication path between entities A and B, acquires encrypted message EK(M), and sends it back to the entity B. This disguises the attacker as the entity A.
The three-pass authentication method takes a long time for three-pass message exchange (procedures) till the completion of device authentication.