1. Field of the Invention
The present invention relates to an apparatus for providing a public key certificate.
2. Description of the Related Art
With the emergence of IPv6, there is anticipated a situation which enables a network connection of an equipment, that has not been connectable to a network. An example of such equipment is a digital camera for end users, directly connectable to the Internet.
In a personal computer or a work station supporting IPv6, the Ethernet® is normally employed as an interface for connection with the network, and an IEEE identifier (MAC address) provided therein is used for constructing an IPv6 address.
The IPv6 is present in three kinds, namely a link local address, a site local address and a (aggregatable) global address.
An address system, including details of these addresses and a constructing method thereof, is described for example in RFC 2373 “IP Version 6 Addressing Architecture”, RFC 2374 “An IPv6 Aggregatable Global Unicast Address Format”, RFC 2375 “IPv6 Multicast Address Assignment”, RFC 2350 “Proposed TLA and NLAA Assignment Rule”, RFC 2461 “Neighbor Discovery for IP Version 6 (IPv6)”, and RFC 2462 “IPv6 Stateless Address Autoconfiguration”.
However, in case information corresponding one-to-one to a hardware, such as IEEE identifier (MAC address), is used in a fixed manner, such information may be regarded as corresponding one-to-one to the apparatus or the user thereof, and invasion of privacy may result by monitoring communications utilizing such address.
In order to prevent such drawback, a method of generating a random IPv6 address (more exactly an interface ID) is proposed for example in FRC 3041 “Privacy Extensions for Stateless Address Autoconfiguration in IPv6”. There is also described a protocol (or extension thereof), in case a randomly generated value is already used, for detecting such state and calculating/generating another random value, thereby determining a unique random value.
Now let us consider an encrypted communication utilizing IPsec, in case the apparatus utilizes an IPv6 address generated by a method as described in the foregoing. IPsec is a protocol in which two apparatuses on the internet share secret data not known to any other, and encryption and authentication are executed based on such secret data, it is necessary in the communication to securely share secret data and mutual IPv6 addresses. The data such as the secret data and mutual IPv6 addresses are called SA (Security association).
A protocol for securely sharing SA is called IKE (Internet key exchange) and is defined in RFC 2409 “The Internet Key Exchange (IKE)”. Securely sharing of SA means to securely share SA only with an intended counterpart, and requires secure authentication of the counterpart. The IKE defines four authentication methods, namely 1) a method utilizing a pre-shared key, 2) a method utilizing a digital signature, 3) authentication with public key encryption, and 4) a revised method of authentication with public key encryption.
However, in consideration of a situation realizing protection of privacy (not providing identifying information), for example in an IPsec communication of a user with a shopping site, it is practically impossible for the shopping site to share pre-shared keys with unspecified plural communication counterparts prior to the IPsec communication, so that the method utilizing the pre-shared key is not usable.
In other methods, it is possible execute IKE among unspecified plural communication partners in case information (public key in most cases) necessary for using the digital signature or the public key encryption can be made securely available. For this purpose, what is considered most promising is an environment or a system called PKI (public-key infrastructure), and, a public key certificate plays a principal role therein.
The public key certificate is a digital signature for confirming and ensuring a correspondence between an entity (entity executing communication such as a computer or a person) and a public key of such entity, issued by a third party reliable for a combination of the ID information etc. of the entity and the public key. The reliable third party is called CA (certification authority), and the public key for confirming the authority of the digital signature of CA is widely known.
However, the currently utilized public key certificate includes ID information of the owner (subject) such as FQDN (fully qualified domain name) and cannot therefore realize the privacy protection in this state.
There is also conceived a method of not including the ID information of the subject in the public key certificate, and such certificate is called anonymous public key certificate.
However, such anonymous public key certificate is still associated with a drawback same as in the aforementioned IEEE identifier (MAC address). More specifically, as long as a same anonymous public key certificate is used continuously, it is possible to link plural communications (such as IPsec based on the public key certificate), and, the correspondence between the anonymous public key certificate and the subject thereof, if found out even once, leads to an invasion of privacy, so that the level of privacy protection is still weak.
In consideration of these drawbacks, a strong privacy protection is conceived realizable if it is possible to use a different IPv6 address and a different anonymous public key certificate in a communication with a different counterpart. These are called one-time IPv6 address and one-time anonymous public key certificate. Such one-time IPv6 address may be changed for every communication counterpart or for every packet.
However, for such one-time IPv6 address, there is known the aforementioned FRC 3041 “Privacy Extensions for Stateless Address Autoconfiguration in IPv6”, but there has not been known a method of efficiently and securely issuing the one-time anonymous public key certificate to an apparatus capable of IPv6 communication (hereinafter called IPv6 supporting apparatus).
There also exists a following drawback. In case the ID information of the communication counterpart is not known, the communication counterpart is identified by the IP address only. However, since a packet exchanged on a LAN of Ethernet® can be accessed by all the nodes on such LAN, in a situation of a communication between entities A and B, a malicious entity C present on the same LAN may impersonate as the entity A. More specifically, when the public key certificate of the entity A is transmitted to B for executing an IPsec communication based on a one-time anonymous public key certificate between A and B, C can disguise as A by replacing the public key certificate of A by that of C.
Such impersonation is also possible over a wider range not limited to a LAN, by applying a DoS (Denial of Services) attack to a DNS (Domain Name System) server or router and providing a false information by a false DNS server or router during such attack. Such situation can be coped with by confirming the ID of the counterpart in case such ID is known, but there has not been known a method of preventing such attack in the above-described situation of anonymous communication.