1. Field of the Invention
The present invention generally relates to a communication apparatus, a communication system, a communication apparatus control method and an implementation program thereof.
More particularly, the present invention relates to a communication apparatus that has communication means and provides digital certificates to be authenticated by a communicating party for communication.
Furthermore, the present invention relates to a communication system having a lower-level communication apparatus such as the above-mentioned communication apparatus and an upper-level communication apparatus working as a communicating party of the communication apparatus.
Furthermore, the present invention relates to a communication apparatus control method for providing digital certificates to be authenticated by a communicating party for communication.
Furthermore, the present invention relates to a program to cause a computer to behave as the above-mentioned communication apparatus.
2. Description of the Related Art
Conventionally, a variety of communication systems have been constructed in which one or more communication apparatuses having respective communication functions are connected to communicate with each other via networks. For example, such systems include a so-called “electronic commerce system”. In an electronic commerce system, orders for commodities are sent from computers, such as personal computers (PCs), working as client apparatuses, and these orders are received at server apparatuses capable of communicating with PCs via the Internet. Also, a remote management system for electronic apparatuses has been proposed. In such a system, various types of electronic apparatuses, some of which work as client apparatuses and others of which work as server apparatuses, are connected via a network and are managed through mutual communication.
In construction of such a system, when an entity attempts to communicate with another entity, it is indispensable to check whether these entities are appropriate communicating parties and additionally whether transmitted information has not been tampered with. Especially in the case of communication via the Internet, information is often routed through unrelated computers before it reaches the communicating parties. Thus, it is necessary to prevent the contents of confidential information from being eavesdropped on during transmission. A communication protocol such as SSL (Secure Sockets Layer) has been designed and widely used for that need. In communication in compliance with this protocol, if a communicating party is authenticated and information contents are encrypted in accordance with a combination of public-key cryptography and common-key cryptography, it is possible to properly prevent such tampering and eavesdropping. Also, a destination apparatus can authenticate a source apparatus requesting the communication.
For example, Japanese Laid-Open Patent Applications No. 2002-353959 and No. 2002-251492 disclose techniques related to authentication based on SSL and public-key cryptography.
Now, an exemplary communication procedure for cross-certification in compliance with SSL is described, focusing on the authentication process portion thereof.
FIG. 1 is a flowchart of exemplary respective operations executed by communication apparatuses A and B for conventional cross-certification in compliance with SSL.
Referring to FIG. 1, in cross-certification in accordance with SSL, each of the communication apparatuses A and B must be provided in advance with a root-key certificate, a private key and a public-key certificate. The private key is issued to each communication apparatus by a certificate authority (CA). The public-key certificate is a digital certificate created by CA in such a way that a digital signature is attached to a public key corresponding to the private key. The root-key certificate is a digital certificate created by CA in such a way that a digital signature is attached to a root key corresponding to a root private key to generate the digital signature of the public-key certificate.
FIGS. 2A and 2B show exemplary relations among these elements.
Referring to FIG. 2A, a public key A is composed of a key body to decrypt a document encrypted with a private key A and bibliographic information having some information items, for example, including the CA issuing the public key A and a term of validity. In order to show that the key body and the bibliographic information have not been tampered with, CA uses a root private key to encrypt a hash value obtained by hashing the public key A, and attaches the encrypted hash value as a digital signature to the public key A. At this time, CA adds identification information of the root private key used for the digital signature as signature key information to the bibliographic information of the public key A. The public key A with this digital signature attached is the public-key certificate A.
When an authentication process is performed by using the public-key certificate A, the key body of the corresponding root public key is used to decrypt the attached digital signature. If the decryption is successfully completed, it can be concluded that CA attached the digital signature. In addition, if the hash value obtained by hashing the public key A matches the hash value obtained by decrypting the digital signature, it can be determined that the key itself has not been damaged or tampered with either. Furthermore, if received data can be successfully decrypted with the public key A, it can be concluded that the data was sent by the owner of the private key A.
Here, in order to conduct such authentication, the root key must be stored in advance. As shown in FIG. 2B, this root key is stored as a root-key certificate to which CA attaches a digital signature. The root-key certificate is created in a self-signed form in which the digital signature can be decrypted with the root public key included therein. In order to use the root public key, the key body of the root-key certificate is used to decrypt the digital signature, and the hash value obtained by the decryption is compared to a hash value obtained by hashing the root public key. If these values are the same, it can be determined that the root public key has not been damaged or tampered with.
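As an added illustration that is not part of the original application, the following Go code models the certificate layout of FIGS. 2A and 2B and the two verification checks just described (signature opened with the root public key, then compared with a fresh hash; self-signed root-key certificate checked with its own key). The `Cert` field layout, the choice of RSA with SHA-256 and PKCS#1 v1.5 signatures, and all helper names are assumptions of this example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// Cert models the public-key certificate of FIG. 2A: key body, bibliographic
// information and a signature made by CA with the root private key over the
// hash of both. The field layout is constructed for this example.
type Cert struct {
	Key       *rsa.PublicKey // key body
	Biblio    string         // issuing CA, term of validity, signature key info
	Signature []byte
}

// hashCert covers key body and bibliographic information together, so tampering with either is caught.
func hashCert(c *Cert) []byte {
	h := sha256.Sum256(append(x509.MarshalPKCS1PublicKey(c.Key), c.Biblio...))
	return h[:]
}
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// IssueCert plays CA: it signs the hash with the root private key. The
// self-signed root-key certificate of FIG. 2B is issued with pub = root key.
func IssueCert(rootPriv *rsa.PrivateKey, pub *rsa.PublicKey, biblio string) (*Cert, error) {
	c := &Cert{Key: pub, Biblio: biblio}
	sig, err := rsa.SignPKCS1v15(rand.Reader, rootPriv, crypto.SHA256, hashCert(c))
	if err != nil { return nil, err }
	c.Signature = sig
	return c, nil
}

// VerifyCert is the check of FIG. 2A: the signature is opened with the root public
// key and must equal a fresh hash; on success the contained key is handed back.
func VerifyCert(rootPub *rsa.PublicKey, c *Cert) (*rsa.PublicKey, error) {
	if err := rsa.VerifyPKCS1v15(rootPub, crypto.SHA256, hashCert(c), c.Signature); err != nil {
		return nil, err
	}
	return c.Key, nil
}

// VerifyRootCert is the self-signed check of FIG. 2B: the root public key
// inside the certificate must itself open the certificate's signature.
func VerifyRootCert(c *Cert) (*rsa.PublicKey, error) { return VerifyCert(c.Key, c) }
```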
The flowchart of FIG. 1 is now described in detail. In FIG. 1, the arrows between the two process streams executed by the communication apparatuses A and B represent data transfer. Each arrow means that the transmitter transmits information at the process step at the tail of the arrow, and that, in response to receipt of the transmitted information, the receiver performs the process step at the head of the arrow. In addition, if a step is not successfully completed, a response reporting authentication failure is returned at that point, and the process is halted. If such an authentication failure response is received from the other communicating party, or the process times out, the process is likewise halted.
In the illustration, the communication apparatus A requests to establish communication with the communication apparatus B. In this case, in response to execution of a predetermined control program by the CPU (Central Processing Unit) of the communication apparatus A, the process stream shown on the left-hand side of FIG. 1 is initiated. At step S11, the communication apparatus A sends a connection request to the communication apparatus B.
In response to receipt of the connection request, the CPU of the communication apparatus B executes a predetermined control program, and the process stream shown on the right-hand side of FIG. 1 is initiated. At step S21, the communication apparatus B generates a first random number, and then uses a private key B to encrypt the first random number. At step S22, the communication apparatus B sends the encrypted first random number and a public-key certificate B to the communication apparatus A.
On the side of the communication apparatus A, upon receiving the encrypted first random number and the public-key certificate B, the communication apparatus A checks at step S12 whether the public-key certificate B is valid by using the root-key certificate it possesses.
If the public-key certificate B is determined to be valid, the communication apparatus A uses a public key in the received public-key certificate B to decrypt the first random number at step S13. If the decryption is successfully completed, the communication apparatus A can make sure that the first random number was sent from the party to which the public-key certificate B was issued. At step S14, the communication apparatus A generates a second random number and a seed of a common key. This common key seed can be generated, for example, based on data exchanged in communication so far. At step S15, the communication apparatus A uses the private key A to encrypt the second random number, and uses the public key B to encrypt the common key seed. At step S16, the communication apparatus A sends these encrypted data together with the public-key certificate A to the communication apparatus B. The encryption of the common key seed is intended to make the common key seed secret to any apparatus other than the communication apparatus B. Then, at step S17, the communication apparatus A generates the common key to encrypt subsequent communication from the common key seed generated at step S14.
On the side of the communication apparatus B, upon receiving the data sent at step S16 by the communication apparatus A, the communication apparatus B checks at step S23 whether the public-key certificate A is valid based on the root-key certificate it possesses. If the public-key certificate A is determined to be valid, the communication apparatus B uses the public key A in the received public-key certificate A to decrypt the second random number at step S24. If the decryption is successfully completed, the communication apparatus B can confirm that the second random number was sent from the party to which the public-key certificate A was issued.
At step S25, the communication apparatus B uses the private key B to decrypt the common key seed. Through the communication so far, the common key seed can be shared by the communication apparatuses A and B. Also, this common key seed cannot be known to any apparatus other than the communication apparatus A generating the common key seed and the communication apparatus B possessing the private key B. If the process so far is successfully completed, the communication apparatus B can generate the common key for encryption of subsequent communication from the decrypted common key seed at step S26.
Then, after completion of steps S17 and S26 of the communication apparatuses A and B, respectively, the communication apparatuses A and B can confirm the success of cross-certification and identify the cryptographic scheme in use for subsequent communication. The communication apparatuses A and B then agree that the subsequent communication should follow the cryptographic scheme employing the generated common key, and the certification process is terminated. It is noted that the confirmation includes a response indicating that the authentication by the communication apparatus B has been successfully completed. In this manner, the communication between the communication apparatuses A and B is established, and the communication apparatuses A and B can subsequently communicate with each other by encrypting data in the determined common-key cryptographic scheme with the common key generated at step S17 or S26.
Through execution of the above authentication process, it is possible to safely share a common key between the communication apparatuses A and B and establish a secure communication path.
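The exchange of steps S21 to S26, as an added example that is not code from the application: the "encrypt with a private key" steps are rendered as RSA signatures over the random numbers, the common key seed is sealed with RSA-OAEP under public key B, and the common key is derived with SHA-256. These cryptographic choices, the helper names, running both apparatuses in one process, and mixing the random numbers into the derived key are assumptions of the example; certificate validation (S12, S23) is taken as already done.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// "Encrypting a random number with a private key" (S21, S15) is what a modern library
// exposes as signing; "decrypting it with the public key" (S13, S24) is verification.
func signNonce(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}
func checkNonce(pub *rsa.PublicKey, nonce, sig []byte) error {
	h := sha256.Sum256(nonce)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// commonKey is the derivation of S17/S26 (mixing in both random numbers is an assumption here).
func commonKey(seed, r1, r2 []byte) [32]byte {
	return sha256.Sum256(append(append(append([]byte{}, seed...), r1...), r2...))
}

// Handshake runs S21 to S26 with both apparatuses in one process; the public
// keys stand in for those taken from certificates validated at S12 and S23.
func Handshake(privA, privB *rsa.PrivateKey) (keyA, keyB [32]byte, err error) {
	r1 := randomBytes(32)             // S21 at B: first random number
	sig1, err := signNonce(privB, r1) // S21: "encrypted" with private key B
	if err != nil { return }
	if err = checkNonce(&privB.PublicKey, r1, sig1); err != nil { return } // S13 at A
	r2, seed := randomBytes(32), randomBytes(32) // S14 at A
	sig2, err := signNonce(privA, r2)            // S15: under private key A
	if err != nil { return }
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &privB.PublicKey, seed, nil) // S15/S16: only B can open
	if err != nil { return }
	keyA = commonKey(seed, r1, r2) // S17
	if err = checkNonce(&privA.PublicKey, r2, sig2); err != nil { return } // S24 at B
	seedB, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, privB, sealed, nil) // S25
	if err != nil { return }
	keyB = commonKey(seedB, r1, r2) // S26
	return
}
```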
In the above process, the communication apparatus A does not necessarily encrypt the second random number with the public key A and send it together with the public-key certificate A to the communication apparatus B. In this case, steps S23 and S24 of the communication apparatus B become unnecessary, and another exemplary authentication process corresponding to this case is illustrated in FIG. 3. In the illustrated process, the communication apparatus B cannot authenticate the communication apparatus A. However, if only the communication apparatus A has to authenticate the communication apparatus B, the authentication process shown in FIG. 3 works satisfactorily. Also, in this case, only the root-key certificate has to be stored in the communication apparatus A; in other words, the private key A and the public-key certificate A need not be possessed by the communication apparatus A. On the other hand, the root-key certificate need not be possessed by the communication apparatus B.
Meanwhile, a term of validity is usually set for a public-key certificate used in the above-mentioned authentication, and the public-key certificate is periodically updated. The public-key certificate is also updated in cases where a private key is found to have been leaked or a root key is renewed.
One such updating method is to record the updated public-key certificate on a recording medium and send the recording medium to the user by registered mail so that the user can update the public-key certificate securely.
However, if the updating method described above is adopted, the user must be familiar with the apparatus functions to some degree. Also, if the user fails to perform the update, the public-key certificate is not updated.
Thus, for the purpose of realizing reliable and easy updating, there is a demand that the public-key certificate be sent from an apparatus capable of communicating with the communication apparatus to be updated and be automatically installed by that communication apparatus. In this case, not only the public-key certificate but also the private key is often updated. Thus, it is necessary to send the updated certificate and key via a secure path free from eavesdropping and tampering. For example, such a path may be an SSL-based communication path employing the key in use prior to the update.
However, in automatic updating of such a certificate and key, there is a risk that the update may not succeed, for example because a user carelessly powers off the communication apparatus during the updating operation. In this case, the certificate and key being updated may be damaged. If such a situation occurs, authentication can no longer be conducted using that certificate and key. Thus, a managing apparatus can neither identify the communication apparatus reliably nor send the certificate and key to it securely. In these cases, even though the certificate has to be automatically updated, it is impossible to automatically update the certificate again after the previous update has failed.
In addition, in these cases, even if the apparatus communicates for a purpose other than certificate updating, authentication cannot be properly conducted, and it is impossible to establish secure communication between the apparatus and another apparatus. If the apparatus is left in such a condition, this may adversely affect its normal operation.