1. Field of the Invention
The present invention relates to a cryptographic communication method for communicating by using cryptography and a cryptographic communication device for implementing the method, and in particular to a cryptographic communication method and device for securely distributing a cryptographic key.
2. Description of Background
Recently, many methods for protecting data with cryptography or authenticating the data have been researched and utilized for transmitting data through an insecure communication path in which a third party can eavesdrop on or alter a message.
Cryptography is classified into two kinds: the common key cryptosystem and the public key cryptosystem. In particular, public key cryptography is suitable for a key sharing protocol and a digital signature. For example, the Rivest Shamir Adleman (RSA) cryptosystem and the Diffie-Hellman (DH) cryptosystem are commonly known.
When cryptographic communication is implemented by a secret-key cryptosystem, a sender and a receiver have to share a common cryptographic key in advance. A public key technique can be used for sharing the common key. For example, the popular DH method (W. Diffie & M. E. Hellman, "New Directions in Cryptography", IEEE Trans. on Information Theory, IT-22, 6, pp. 644-645, June 1976) is the oldest one.
The DH method is a key distribution method between two users based on the difficulty of the discrete logarithm. That is, it is difficult to find an integer x, for given g, y and p, which satisfies the following equation:
$$y = g^{x} \bmod p$$ (x and g are both integers)
On the other hand, it is easy to calculate y for given integers x, g, and p.
Since the DH method was proposed, many improved cryptographic key sharing methods have been proposed. For example, in some key distribution methods, the key to be shared changes every time, or an authentication function for authenticating the sender is added. Moreover, methods in which a group of two or more persons can communicate among themselves by distributing a key have been proposed.
Ito et al. proposed an improved key distribution method (T. Ito, T. Habutsu, I. Sasase, S. Mori, "One-Way Key Distribution System Based on Identification Information Without Public Information Directory", Lecture Notes No. A-283, pp. 1-283, National Conference of the Institute of Electronics Information and Communication Engineers, March, 1990). This method has the following properties: authentication of the public key is provided, the key changes for each communication, and the communication required for the key distribution is one-way from the sender to the receiver. A key distribution method realized in one-way communication, as in the above proposal, is suitable for a communication system in which the transmission delay is relatively large. An electronic mail system is one example of such a communication system.
Moreover, as mentioned in Ito's paper, the one-way key distribution method might be extended for sharing a key among three or more persons if the shared key depends only on random numbers generated by the sender.
The Ito method is shown abstractly in FIG. 1.
As shown in FIG. 1, a cryptographic key K is generated in a key generating section 111 of a sending station 101 under the control of a random number r generated in a random number generating section 112. Then, a message M is encrypted under intervention of the cryptographic key K in an encrypting section 113. The encrypted message C is sent to a receiving station 102. Also, a unit of key-distribution-information Y is generated in a key-distribution-information generating section 114 by using both the random number r and the public information PK. The key-distribution-information Y is also sent to the receiving station 102.
In the receiving station 102, the cryptographic key K is restored by using the key-distribution-information Y and secret information SK of the receiving station 102 in a key restoration section 115. Then, the encrypted message C is decrypted to provide the plain message M under intervention of the restored key K in a decrypting section 116.
In the above configuration, when a key K is sent from the sender 101 to the receiver 102, the key-distribution-information Y must provide the following two functions:
A. an authentication function in which the receiver 102 can authenticate that the key-distribution-information Y has been positively sent from a first station (that is, from the sender 101).
B. a confidentiality function for reliably sending the key Y to a specific receiver only.
Besides the Ito method, many types of key distribution methods which realize the above two functions are available. For example, in the RSA cryptosystem, the authentication function is embodied by the digital signature and the confidentiality function is realized by encryption.
In more detail, by using a receiver encrypting function Er, a sender decryption function Ds, and a hash function h, the key distribution can be embodied. For example, the key-distribution-information Y is generated from the key K as shown by the following equation:
$$Y = \mathrm{Er}(K, \mathrm{Ds}(h(K)))$$
where the function Ds(h(K)) indicates the sender digital signature for the key.
The receiver 102, who has already received the key-distribution-information Y, decrypts the information Y by using his own decryption function Dr so that the key K and the sender digital signature are obtained as shown by the following equation:
$$K, \mathrm{Ds}(h(K)) = \mathrm{Dr}(Y)$$
Moreover, the receiver 102 confirms the signature by using a sender encrypting function Es.
This method is used for sharing the key K between two persons. This method must be secure so long as the cryptographic key K will never be revealed to anyone else.
However, in the above method, an attack will succeed in the following two cases.
A first case occurs when the used key K is revealed to a third party by some means after the cryptographic communication. That is, when an attacker knows the key-distribution-information Y, an encrypted mail C, and the cryptographic key K which is used for encrypting a message M to create the encrypted mail C, the attacker can encrypt a message M' by using the cryptographic key K to make an encrypted mail C', and then send both the information Y and the encrypted mail C' to the receiver 102. In this case, the receiver believes that the message M' has been sent from the true sender 101.
A second case occurs when the above method is extended to a key distribution method implemented among three or more persons as follows.
When defining a sender s and a plurality of receivers r1, r2, ..., rj, the sender s prepares key-distribution-information Yi for the receiver ri by using an encryption function Eri of the receiver ri (i=1, 2, ..., j) as Yi=Eri(K,Ds(h(K))). Thereafter, the receiver ri, who has received the key-distribution-information Yi, recovers the cryptographic key K, while authenticating that the sender is the true sender s in the same manner as the key distribution between two persons.
In this case, after the key distribution is carried out among a group of three or more persons, one of the receivers can impersonate the sender s to send a message M' to another receiver. Everyone belonging to the group can impersonate the sender s for the same reason as the first case because they know that the key corresponding to the key-distribution-information Yi (i=1, 2, ..., j) is K.
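Both cases come down to the same property: the signature Ds(h(K)) inside Y covers only K, so a valid Y says nothing about which ciphertext accompanies it. The following Python sketch is an added illustration, not part of the original text; the toy RSA primes, the XOR keystream cipher, the two-block encoding of Y and all function names are assumptions chosen for the example.

```python
import hashlib

def rsa_keypair(p, q, e):
    """Textbook RSA from toy primes (no padding; illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))        # (public, private)

def h(K, n):
    """Hash h(K), reduced into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(str(K).encode()).digest(), "big") % n

def make_Y(K, sender_priv, recv_pub):
    """Y = Er(K, Ds(h(K))): sign h(K), then encrypt K and the signature."""
    n_s, d_s = sender_priv
    n_r, e_r = recv_pub
    sig = pow(h(K, n_s), d_s, n_s)
    return pow(K, e_r, n_r), pow(sig, e_r, n_r)

def recover_K(Y, recv_priv, sender_pub):
    """K, Ds(h(K)) = Dr(Y); verify the signature with Es. None if invalid."""
    n_r, d_r = recv_priv
    n_s, e_s = sender_pub
    K, sig = pow(Y[0], d_r, n_r), pow(Y[1], d_r, n_r)
    return K if pow(sig, e_s, n_s) == h(K, n_s) else None

def crypt(K, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream derived from K."""
    stream = hashlib.sha256(b"ks" + str(K).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def receive(Y, C, recv_priv, sender_pub):
    """Receiver side: authenticate Y, then decrypt C with the recovered K."""
    K = recover_K(Y, recv_priv, sender_pub)
    return None if K is None else crypt(K, C)

# Constructed toy keys; receiver moduli exceed the sender's so a signature fits one block.
S_PUB, S_PRIV = rsa_keypair(61, 53, 17)
R1_PUB, R1_PRIV = rsa_keypair(89, 97, 5)
R2_PUB, R2_PRIV = rsa_keypair(101, 103, 7)

K = 4242
Y1, Y2 = make_Y(K, S_PRIV, R1_PUB), make_Y(K, S_PRIV, R2_PUB)
C = crypt(K, b"original message M")

# r1 recovers K legitimately; r2's unchanged Y2 is then paired with a new ciphertext C'.
K_known = recover_K(Y1, R1_PRIV, S_PUB)
C_prime = crypt(K_known, b"substituted message M'")
print(receive(Y2, C, R2_PRIV, S_PUB))        # the sender's own message
print(receive(Y2, C_prime, R2_PRIV, S_PUB))  # also accepted: Y2 never covers C
```

The receiver's authentication step passes in both calls because it inspects only Y2, which is exactly the gap the two cases describe.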