The present invention relates to an electronic authentication system for giving a digital signature to data by using a cryptography technique.
In recent years, with developing of a computer network such as Internet or the like, a demand for electrically paying cash on a network becomes strong, and so-called electronic cash or digital cash is developed. In this case, a financial institution or a user gives a digital signature to value data showing an amount of money to send data to a third party, and the third party ascertains the validity of the digital signature to determine whether the value data is genuine. By the above electronic authentication, electronic payment can be performed.
This electronic authentication uses a cryptography technique to prevent a third party from stealing or counterfeiting communication data. As general cryptography schemes, a common-key cryptography scheme or a secret-key cryptographic scheme (hereinafter called a common-key cryptography scheme) and a public-key cryptographic scheme are known.
In the common-key cryptography scheme, a key used for encryption of data (plaintext) is the same as a key used for decryption (return to plaintext) of a ciphertext. Therefore, in the common-key cryptography scheme, a ciphertext can be communicated exclusively among specific persons who know the key. When a person sends a ciphertext to a third party, the third party must know the key of the person in advance. In this case, the key means a unique bit string having a proper length and assigned to each person. Since a person inconveniently memorizes or inputs the bit string itself, a character string represented by an ASCII code or the like may be assigned to the person as a key, the ASCII code will be converted into a bit string corresponding to the character string in a processing apparatus, and the bit string may be used for encryption or decryption.
On the other hand, in the public-key cryptographic scheme, a key for encryption is different from a key for decryption. One is disclosed, to be referred to as a "public key" or an "open key" hereinafter, and the other is secret, to be referred to as a "secret key". The secret key and the public key are set to satisfy a predetermined mathematical rule. In general, one of the secret key and the public key is determined first, and the other is formed according to this rule. Only a person in question is secretly informed of the secret key, and the others are not informed of the secret key. The public key is electrically stored in a dictionary file of a system. A third party can know the public key. As a matter of course, a generation process of these keys is systematically secret, and outsiders cannot know the generation process.
Encryption in the public-key cryptographic scheme is performed when a third party communicates with a person. When the third party wants to encrypt a communication text, the third party searches a dictionary file for the public key of the person and encrypts the communication text by using the searched public key to sends the ciphertext. On the reception side, the receiver decrypts the ciphertext by using his/her secret key. In this manner, a person who does not know the secret key cannot decode the encrypted communication text (ciphertext), and communication from a third party to the person is kept secret. According to the public-key scheme as described above, the third party encrypts a communication text by using a public key of a person at a communication destination. Therefore, the person can receive communication data from an unspecified number of persons in secret.
When the cryptography technique using the public-key cryptographic scheme is used, electronic authentication may be performed as follows. Electronic authentication is performed when a certain person sends data to a third party. Unlike cryptographic communication, the certain person encrypts signature data by using his/her secret key. Document data with signature (plaintext) and encrypted signature data are sent to the third party. The third party decrypts the encrypted signature data by using a public key of the certain person and compares the sent signature data (plaintext) with the decrypted signature data to determine whether the signature data is genuine (electronic authentication).
As the decryption using the public-key cryptographic scheme, an RSA scheme (Rivest-Shamir-Adleman scheme) is mainly used. The principle of the RSA scheme uses a power calculation and a modulo (mod) calculation in which a remainder of division is computed. More specifically, in encryption, a remainder Y of the plaintext X powered by Ko (X.sup.Ko) the divisor N is computed. In this case, Ko (and N) is a public key, and Y is a ciphertext. In decryption, a remainder of Y powered by Kp (Y.sup.Kp) by the disivor N is computed. This remainder coincides with the original plaintext X. Therefore, Kp serves as a secret key. The public keys of all persons are electronically stored in a dictionary file or the like such that anybody can freely search for the public keys. Each public key can be read by using a name or an ID number of the person.
In the RSA scheme, since a public key and a secret key have the same mathematical property, when the public key and the secret key are used in a reversed order, the electronic authentication described above can be performed.
Since anybody can access an electronic dictionary file in which the public key is stored, a security problem is posed. More specifically, when the electronic dictionary file is counterfeited or falsified by a malicious hacker, a third party can illegally give signature data onto communication data by using a pair of false secret key and false public key to establish authentication. In the RSA scheme, it is assumed that Kp, N, and Ko which satisfy the above relationship exist, and that Ko cannot be computed on the basis of N and Kp. However, if both the secret key and the public key are set to +1 (or -1), the above relationship is satisfied. Therefore, when the public key is set to +1 (or -1) by falsifying the electronic dictionary file, authentication is established by illegally encrypting signature data by using a false secret key (+1 (or -1)).
This false authentication may be also established in a communication system using the public-key cryptographic scheme.
As described above, in conventional cryptography using a public-key cryptographic scheme, a dictionary file in which a public key is electronically stored may be falsified. Therefore, encryption or decryption may be illegally performed, and illegal authentication may be established.