The present invention relates generally to information or data security technology for communication networks using an encryption/decryption device and, more particularly, to technology for preventing abuse of the network in a personal mobile communication system.
The technology for information security of the system in the communication network is roughly divided into (a) a user authentication technique which prevents an unauthorized access to the network by making a check to see if a user is an authorized one, and (b) a cryptographic technique which conceals communication contents on the circuit being actually used, thereby preventing eavesdropping by a third party.
With respect to the authentication technique (a), CCITT has proposed, as an authentication technique for future personal communication technology, a system such as shown in FIG. 3, in which the network and all users employ identical encryption devices and the network authenticates the users individually without presenting or revealing their passwords or similar personal authentication key on the circuit. Let the identifier of the user named i and his authentication key be represented by ID.sub.i and K.sub.i, respectively, and assume that K.sub.i is known only to the network and the user named i. When the user i wants to use the network, he presents first the information ID.sub.i to the network. Then the network generates and sends a random number r.sub.u to the user i. The user i encrypts the random number r.sub.u with the encryption device using the authentication key S.sub.i as a cipher key and sends the encrypted random number to the network. Finally, the network encrypts the random number r.sub.u using the authentication key of the user i held therein as a cipher key and, when the value of the thus encrypted random number matches with the value of the encrypted random number sent from the user i, authenticates the party A (the user i) as an authorized user. This system requires a total of three interactions between the user and the network, including the presentation of the identification of the user to the network.
Thereafter, to prevent eavesdropping by the outsider (b), some key delivery system is used to implement key sharing between the network and the user. Finally, they use the shared cipher key to encrypt correspondence and start communication between them.
As mentioned above in connection with the prior art, attention has been directed primarily to the function or feature that the network authenticates the user. This is because the system has been designed on the understanding that the network is always correct or error-free. In personal communications, however, it is supposed that a base station, which covers a very narrow communication range, effects a position registration accompanying its communication with the user or his migration; hence, there is a possibility that an abuser sets up a false base station and accesses the user via a radio channel. In such a situation, if the user would use his authentication key as a key to encrypt a proper numeral intentionally chosen by the false network and send it back thereto, the false network could obtain a plaintext and a ciphertext which would allow it to attack the encryption algorithm in the authentication protocol used. This is a chosen plaintext attack by the false network on the encryption algorithm in the authentication protocol, and it is pointed out in a literature (E. Biham and A. Shamir, "Differential crypro-analysis of DES-like cryptosystem," '90 EUROCRYPTO, August 1990) that there is a fear that according to the choice of the cipher system, user's authentication key would be revealved by several rounds of such chosen plaintext attacks. Thus, the conventional system has a construction which allows the chosen plaintext attack on the user encryption algorithm. Furthermore, simply by eavesdropping communications between the valid user and the network, a third party could acquire a numeral chosen by the valid network and its encrypted version obtained using the user's secret key as an encryption key. This indicates that an ordinary eavesdropper could make the known plaintext attack on the encryption algorithm in the authentication protocol, and it is pointed out in a literature (Makoto Matsui, "Linear Cryptanalysis of DES cryptosystems (I)," Cryptosystem and Information Security Symposium SCI93, January 1993) that there is the likelihood that according to the choice of the cipher system, user's authentication key would be revealed by several rounds of the known plaintext attack. Since the effectiveness of the known plaintext attack has been reported, the authentication protocol needs to have a construction which is free from the known plaintext attack as well as the chosen plaintext attack on the encryption algorithm, but in the conventional system the protocol is still unable to avoid these attacks.
Besides, according to the prior art system, since the network only authenticates the user, a key necessary for cipher communications must be delivered separately of the user authentication. This inevitably causes an increase in the number of communications or interactions and an increase in the amount of data to be processed for communication.