1. Field of the Invention
The present invention relates to a technology for updating a digital certificate safely and easily.
2. Description of the Related Art
There are various systems in which communication apparatuses having communication functions are connected via a network. As an example of such a system, there is a so-called electronic commerce system in which a computer such as a PC (personal computer) functioning as a client apparatus sends an order for a commodity, and a server connected to the computer via the Internet receives the order. In addition, a system is proposed in which the functions of a client apparatus or a server apparatus are provided to various electronic apparatuses, and the electronic apparatuses are connected with each other via a network so that remote management of the electronic apparatuses is realized.
For constructing such systems, it is important to check whether a communication partner is valid and whether received information has been tampered with. In addition, especially for the Internet, since data pass through a plurality of computers until the data are received by the communication partner, it is necessary to prevent tapping of secret information. For satisfying the above-mentioned requirements, an SSL (Secure Socket Layer) protocol has been developed, and SSL is widely used. By performing communications using the protocol, authentication of a communication partner is performed by using a combination of a public key encryption method and a common key encryption method, and tampering and tapping can be prevented by encrypting information. The communication partner can also authenticate the request originating apparatus.
Japanese laid-open patent application 2002-353959 and Japanese laid-open patent application 2002-251492 disclose technologies relating to the SSL and authentication by using the public key encryption, for example.
In the following, a communication procedure for performing mutual authentication by using the SSL is described. In the following description, authentication processes are mainly described. FIG. 1 is a flowchart showing processes performed by a communication apparatus A and a communication apparatus B in which the apparatuses perform mutual authentication according to the SSL. FIG. 1 also shows data used in the procedure.
As shown in FIG. 1, when performing mutual authentication based on the SSL, it is necessary to store a root key certificate, a private key and a public key certificate in each communication apparatus. The private key is a key owned by each apparatus. The public key certificate is a digital certificate generated, by a CA (certificate authority), by adding a digital signature of the CA to a public key corresponding to the private key. The root key certificate is a digital certificate generated by adding a digital signature of the CA to a public key corresponding to a private key of the CA used for the digital signature.
FIGS. 2A and 2B show relationships among the keys. As shown in FIG. 2A, the public key A includes a key body used for decrypting a document encrypted by a private key A, and bibliographic information including an issuer (CA) and an effective term of the public key and the like. The CA performs a hash process on the public key A to obtain a hash value, and encrypts the hash value by using the root private key and adds the encrypted hash value to the public key as a digital signature. In addition, identifying information of the root private key used for the digital signature is added to the bibliographic information of the public key A as signature key information. The public key A with the digital signature is the public key certificate A.
When using the public key certificate A in an authentication process, the digital signature is decrypted by using the root key, which is the public key corresponding to the root private key. If the decryption is successfully done, it can be confirmed that the digital signature was added by the valid CA. In addition, it can be confirmed that the key is not broken or tampered with by checking whether the hash value calculated from the public key A is the same as the hash value obtained by decrypting the encrypted hash value. In addition, by checking whether received data can be decrypted by using the public key A, it can be confirmed that the data were sent by the owner of the private key A.
For performing authentication, it is necessary to store the root key beforehand. Also as to the root key, as shown in FIG. 2B, the root key is stored as a root key certificate to which a digital signature of the CA is added. The root key certificate is a self-signature type in which the digital signature can be decrypted by using a public key included in the root key certificate. When using the root key, the digital signature is decrypted by using a key body included in the root key certificate to obtain a hash value, so that the hash value is compared with a hash value calculated from the root key. If they are the same, it can be checked that the root key is not broken or the like.
The flowchart of FIG. 1 is described in the following. In the figure, arrows between the two flowcharts indicate data transfers. The sending side performs a transmission process in the step at the originating point of the arrow. The receiving side that receives data from the sending side performs the step at the head of the arrow. In the procedure, if a process in a step does not successfully end, the process is interrupted at that time after sending a response indicating an authentication failure. Also, the process is interrupted in a communication apparatus when the communication apparatus receives the response indicating the authentication failure from the other party or when a timeout occurs in a process.
In this example, the communication apparatus A sends a communication request to the communication apparatus B. When sending the request, a CPU in the communication apparatus A starts the procedure of a flowchart in the left side of FIG. 1 by executing a control program. Then, in step S11, the communication apparatus A sends a connection request to the communication apparatus B.
When the communication apparatus B receives the connection request, the communication apparatus B starts a procedure indicated by a flowchart in the right side of FIG. 1 by executing a control program. In step S21, the communication apparatus B generates a first random number, and encrypts the first random number by using a private key B. Then, in step S22, the communication apparatus B sends the encrypted first random number and a public key certificate B to the communication apparatus A.
When the communication apparatus A receives the data, the communication apparatus A checks validity of the public key certificate B by using a root key certificate in step S12. After the public key certificate B is verified, the communication apparatus A decrypts the first random number by using a public key B in the public key certificate B in step S13. When the first random number is successfully decrypted, the communication apparatus A can ensure that the first random number is received from an issuing object of the public key certificate B. After that, the communication apparatus A sends information indicating success of authentication to the communication apparatus B.
When the communication apparatus B receives the information, the communication apparatus B requests the communication apparatus A to send a public key certificate to be used for authentication in step S23.
In response to that, the communication apparatus A generates a second random number and a seed of a common key in step S14. For example, the seed of the common key can be generated based on data exchanged in communications so far. The communication apparatus A encrypts the second random number by using the private key A, encrypts the seed of the common key by using the public key B in step S15, and sends these pieces of data and the public key certificate A to the communication apparatus B in step S16. In this process, the encryption of the seed of the common key is performed for preventing the seed from being known by apparatuses other than the communication apparatus B.
In a next step S17, a common key used for communications after that is generated by using the seed of the common key generated in step S14.
When the communication apparatus B receives the data, the communication apparatus B checks validity of the public key certificate A by using the root key certificate in step S24. After the validity is checked, the communication apparatus B decrypts the second random number by using the public key A included in the received public key certificate A. If the decryption is successfully done, it can be ensured that the second random number is received from an issuing object of the public key certificate A.
After that, the communication apparatus B decrypts the seed of the common key by using the private key B. According to the processes described so far, the seed of the common key is shared between the communication apparatus A and the communication apparatus B. The seed of the common key is not known by any apparatus other than the communication apparatus A that generated the seed and the communication apparatus B having the private key B. When the processes so far are successfully done, the communication apparatus B generates a common key used for communications from the seed of the common key in step S27.
After the step S17 in the communication apparatus A and the step S27 in the communication apparatus B end, the apparatuses mutually check the success of the authentication and check an encryption method used for later communications, and end the processes relating to authentication. In later communications, the common key is used in the encryption method. In the checking, a response indicating success of authentication is sent from the communication apparatus B. A communication channel is established by the above-mentioned processes. After that, communications can be performed in which data are encrypted by a common key encryption method using the common key generated in step S17 or S27.
By performing these processes, the communication apparatuses A and B can safely share the common key after performing mutual authentication, so that a route for performing communications safely can be established.
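The following Go program is an added illustration of the certificate relationships of FIGS. 2A and 2B and of the FIG. 1 exchange; it is not part of the present specification or of the cited documents. The key, certificate and apparatus names are constructed for the example, the "encryption with the private key" of the random numbers is rendered as an RSA signature and the seed is protected with RSA-OAEP (current equivalents chosen for the illustration, not steps stated by the specification), and the common key is derived as the SHA-256 of the seed. The OAEP label and the 2048-bit key length are likewise assumptions. The example also shows the failure case discussed later in this description: an apparatus re-certified by a newly provided CA is rejected at step S12 by a partner that still holds the previous root key certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Apparatus holds what FIG. 1 requires each side to store: its own private key,
// the public key certificate for that key, and the root key certificate it trusts.
type Apparatus struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
	Root *x509.Certificate
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *rsa.PrivateKey     { return must(rsa.GenerateKey(rand.Reader, 2048)) }
func nonce() []byte               { b := make([]byte, 32); must(rand.Read(b)); return b }

// issue has the CA sign the bibliographic information (subject, effective term, key
// usage) together with pub using the root private key. parent == nil yields the
// self-signed root key certificate of FIG. 2B, otherwise the certificate of FIG. 2A.
func issue(name string, serial int64, pub *rsa.PublicKey, parent *x509.Certificate, caKey *rsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if parent == nil {
		parent, t.KeyUsage = t, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, caKey))))
}

// NewCA returns a root private key and its self-signed root key certificate.
func NewCA(name string) (*rsa.PrivateKey, *x509.Certificate) {
	k := newKey()
	return k, issue(name, 1, &k.PublicKey, nil, k)
}

// NewApparatus generates a private key and has the CA certify its public key.
func NewApparatus(name string, serial int64, caKey *rsa.PrivateKey, root *x509.Certificate) *Apparatus {
	k := newKey()
	return &Apparatus{Key: k, Cert: issue(name, serial, &k.PublicKey, root, caKey), Root: root}
}

// prove stands in for the page's "encrypt the random number with the private key":
// a PKCS#1 v1.5 signature over SHA-256 of the number.
func prove(priv *rsa.PrivateKey, r []byte) []byte {
	h := sha256.Sum256(r)
	return must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]))
}

// authenticate is S12+S13 (likewise S24): verify the partner's certificate with the
// locally stored root key certificate, then check that the random number was signed
// with the private key belonging to that certificate's public key. A certificate
// issued by a different CA, e.g. a newly provided one, fails the first check.
func authenticate(cert, root *x509.Certificate, r, proof []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return fmt.Errorf("certificate not verifiable with the stored root key: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, r, proof); err != nil {
		return fmt.Errorf("random number not from the certificate owner: %w", err)
	}
	return nil
}

// MutualAuth runs the FIG. 1 exchange between a (requester) and b (responder) and
// returns the common key as derived by A and by B, or the point at which it failed.
func MutualAuth(a, b *Apparatus) (keyA, keyB [32]byte, err error) {
	r1 := nonce()              // S21: first random number
	proofB := prove(b.Key, r1) // S22: sent together with certificate B
	if err = authenticate(b.Cert, a.Root, r1, proofB); err != nil { // S12, S13
		return keyA, keyB, fmt.Errorf("A rejects B: %w", err)
	}
	r2, seed := nonce(), nonce()       // S14: second random number and seed
	proofA := prove(a.Key, r2)         // S15
	label := []byte("common-key-seed") // constructed OAEP label, not from the page
	// S15/S16: the seed is encrypted with public key B so that only private key B recovers it.
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, b.Cert.PublicKey.(*rsa.PublicKey), seed, label))
	if err = authenticate(a.Cert, b.Root, r2, proofA); err != nil { // S24
		return keyA, keyB, fmt.Errorf("B rejects A: %w", err)
	}
	seedB, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b.Key, wrapped, label)
	if err != nil {
		return keyA, keyB, fmt.Errorf("B cannot decrypt the seed: %w", err)
	}
	return sha256.Sum256(seed), sha256.Sum256(seedB), nil // S17 / S27
}
```

To exercise it, create one CA with NewCA, two apparatuses with NewApparatus under that CA, and call MutualAuth: both returned keys are equal. Creating a second CA and re-certifying apparatus B under it while apparatus A keeps the first root key certificate makes MutualAuth fail at S12, because the signature on certificate B cannot be checked with the root key A holds; this is the situation a change of key length or certificate format produces when a new CA is provided.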
In the above-mentioned processes, it is not mandatory for the communication apparatus A to send the encrypted second random number and the public key certificate A to the communication apparatus B. If this process is not performed, the communication apparatus B cannot authenticate the communication apparatus A. However, when it is not necessary for the communication apparatus B to authenticate the communication apparatus A, the above process is not necessary. In this case, the communication apparatus A only stores the root key certificate, and the private key A and the public key certificate A are not necessary. It is not necessary to store the root key certificate in the communication apparatus B.
In the above-mentioned authentication processes, there is a possibility that the strength of the encryption becomes insufficient due to advances in technology. For example, after a high performance computer or a superior algorithm is developed, if a public key having a short length is used, there is a possibility that the private key corresponding to the public key can be derived from the public key in a short time. Against this problem, it is required that the length of the public key can be changed. In addition, it is also required that the format of the public key certificate can be changed.
For changing the length of the public key or the format, it is necessary to provide a new CA. However, if a new CA is provided, the validity of a new digital certificate cannot be verified by using the previous root key, so that the authentication process cannot be performed. Therefore, it is necessary to provide an apparatus to perform authentication with a new public key certificate, a new private key and a new root key certificate which correspond to the new key length or the new format. For storing the certificate, the key and the like into a newly manufactured apparatus, a technology described in a document “RSA Keon Factory-CA solution”, [online], RSA Security, URL: http://www.rsasecurity.com/japan/products/keon/keon_fact (26 Nov. 2003) may be used.
However, the document does not disclose any method for distributing the certificate corresponding to the new key length and the new format to an apparatus that has been shipped and is operating in a customer's site.
Especially, for realizing the above-mentioned authentication in a system operated automatically like the remote management system of the above-mentioned electronic apparatuses, each managed apparatus should automatically select a communication request destination, a digital certificate and a key used for performing authentication processes. In addition, it is preferable to set a new certificate automatically.
However, for realizing the above-mentioned processes, there is a problem in that the operation load and the application development load may increase and that security may decrease. For example, in a case where a new certificate is distributed to an apparatus, if the communication partner of the apparatus receives accesses from the apparatus at the same destination as that used for the old certificate, the destination must support both certificates, so that the processes become complicated and the process load may increase. In addition, if a safe communication channel cannot be established between the communication partner and the apparatus, there is a possibility that exchanged data may be tapped or tampered with, so that security may be degraded.