In the field of encrypted communication, many authentication methods have been proposed. Normally, authentication is performed (by a verifier) by verifying the identity of a person who knows certain confidential information. For example, in an authenticating method according to the related art, disclosed in Japanese Unexamined Patent Publication HEI 2000-182102, both A (an encryption communication apparatus on the certifier side) and B (an encryption communication apparatus on the verifier side) hold a common key in advance and authenticate each other through the following procedure.
(1) A generates a random number R1, and sends the random number R1 to B.
(2) B generates an authentication code 1 from the random number R1 and the common key. B also generates a random number R2. Then, B sends the authentication code 1 and the random number R2 to A.
(3) A generates an authentication code from the random number R1 and the common key, and checks if the authentication code is identical with the authentication code 1 received from B. (Accordingly, A authenticates B.)
(4) Next, A generates an authentication code 2 from the random number R2 and the common key, and sends the authentication code 2 to B.
(5) B generates an authentication code from the random number R2 and the common key, and checks if the authentication code is identical with the authentication code 2 received from A. (Accordingly, B authenticates A.)
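Steps (1) to (5) above, as an added example that is not part of the original publication. The publication does not name the authentication-code function, so HMAC-SHA256 is assumed here; the Party class and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def auth_code(common_key: bytes, random_number: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the unspecified authentication-code function.
    return hmac.new(common_key, random_number, hashlib.sha256).digest()

class Party:
    """One encryption communication apparatus holding the common key (hypothetical model)."""
    def __init__(self, common_key: bytes):
        self.key = common_key
        self.pending = None  # random number this party issued and is waiting on

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def respond(self, peer_random: bytes) -> bytes:
        return auth_code(self.key, peer_random)

    def check(self, received_code: bytes) -> bool:
        # Each random number is accepted once, so a recorded code cannot be replayed.
        random_number, self.pending = self.pending, None
        if random_number is None:
            return False
        expected = auth_code(self.key, random_number)
        # Constant-time comparison: comparison time does not depend on where the codes differ.
        return hmac.compare_digest(expected, received_code)

def mutual_authenticate(a: Party, b: Party):
    """Return (A authenticated B, B authenticated A)."""
    r1 = a.new_challenge()        # (1) A -> B: R1
    code1 = b.respond(r1)         # (2) B -> A: authentication code 1, R2
    r2 = b.new_challenge()
    if not a.check(code1):        # (3) A verifies code 1
        return (False, False)     # A stops; it never answers R2
    code2 = a.respond(r2)         # (4) A -> B: authentication code 2
    return (True, b.check(code2)) # (5) B verifies code 2

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    print(mutual_authenticate(Party(key), Party(key)))
    print(mutual_authenticate(Party(key), Party(secrets.token_bytes(32))))
```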
Further, an authenticating method is also disclosed in which each party holds a plurality of pieces of information for generating a common key (secret key), the common key (secret key) itself is not shared, and the common key (secret key) is generated at the time of authentication or at the time of key sharing. Further, encryption authenticating methods based on zero-knowledge proof techniques (the Fiat-Shamir method, etc.) and a method using two asymmetric cryptographic keys, i.e., a public key and a secret key (a public key encryption method), in which data is encrypted using the public key (or secret key) and decrypted using the secret key (or public key), are also used in various apparatuses.
Normally, tamper-resistance, which prevents confidential information from being read out easily, has been realized by storing the confidential information (a key, etc. used for encryption processing) in a nonvolatile memory and having a microprocessor control access to that memory. For example, among a plurality of encryption communication apparatuses including a base station in a mobile commerce system, a cellular phone, a smart card, etc., or among a plurality of encryption communication apparatuses including a roadside machine in a non-stop automatic toll receiving system, on-board equipment in a vehicle, a smart card, etc., access is performed by sending (or receiving) a predetermined command and receiving (or sending) a response to it.
Such commands and responses are transmitted through a communication line between the encryption communication apparatuses. However, since it is relatively easy to access the communication line from outside, there is a high possibility that data transmitted on the communication line is monitored from outside or that false data is inserted intentionally.
Further, since various analysis/attack methods, e.g., failure analysis, timing analysis, electric power analysis, etc., have been proposed in recent years, the view that it is impossible to read out the confidential information in the nonvolatile memory is becoming untenable.
In the above-stated encryption communication apparatuses according to the related art, when an operation (or processing or conversion) is performed using the confidential information, information that is useful to an attacker, e.g., the waveform of electric power, processing time, etc., leaks to the outside. Therefore, there has been a problem that it is impossible to ensure sufficient security against masquerading, tampering, eavesdropping on the communication line, etc.
Further, since measures concerning the flow of information inside the encryption communication apparatus have not been sufficient, there has been a problem that the chance of attack, e.g., cryptanalysis, etc., increases, and consequently damage due to forgery increases.
This invention is intended to solve the above-stated problems. Its object is to obtain an encryption communication apparatus with excellent tamper-resistance while ensuring sufficient security.