(1) Field of the Invention
The present invention relates to a method for authentication between apparatuses using a challenge and response system. Specifically, it relates to a technique for improving security against so-called spoofing (gaining access by pretending to be someone else).
(2) Description of the Related Art
A challenge and response system has been commonly used in authentication between apparatuses.
FIG. 1 shows a construction of a server and a terminal in a common challenge and response system.
A server 130 comprises a random number generating unit 131, a key storing unit 132, a data converting unit 133, and a comparing unit 134. A terminal 140 comprises a key storing unit 141 and a data converting unit 142. A key data K is secretly assigned in advance to both the key storing unit 132 in the server 130 and the key storing unit 141 in the terminal 140. The key data K is assigned as follows: the server 130 issues the key data K to a user of the terminal 140 when the terminal 140 is registered as an authorized terminal by the server 130, and the user then performs setup using the key data K.
The following are the steps by which the server 130 authenticates that the terminal 140 is authorized.
Step 1: The server 130 generates a random number R in the random number generating unit 131 and sends the random number R as a piece of challenge data to the terminal 140.
Step 2: The terminal 140 receives the random number R from the server 130; the data converting unit 142 obtains a data D as follows, using the random number R and the key data K stored in the key storing unit 141, and the terminal 140 sends the data D as a piece of response data to the server 130.
D = F(K, R)
F(X, Y) indicates an operation in which a predetermined conversion is applied to Y taking X as a parameter and a result of the conversion is output. The operation Z = F(X, Y) is required to be such that obtaining X is difficult when Z and Y are given.
Step 3: In the server 130, the data converting unit 133 obtains a data E as follows, using the random number R and the key data K stored in the key storing unit 132.
E = F(K, R)
Step 4: The server 130 compares the response data D received from the terminal 140 with the data E obtained in Step 3; the server 130 authenticates the terminal 140 only when the data D and E are identical.
A detailed explanation about the challenge and response system in general can be found in the following reference: Ross Anderson, Security Engineering—a Guide to Building Dependable Distributed Systems, John Wiley & Sons, Inc., 2001, p. 17 (2.2.1 Challenge and Response).
However, the above-described conventional example has the following security problem.
Assume that a third party is eavesdropping on communication between the server 130 and the terminal 140 (hereinafter referred to as the third party), and that the third party obtains the pieces of challenge data R and the corresponding pieces of response data D exchanged in each authentication and stores these sets of data. The third party can then pretend to be an authorized user in the following way.
When the third party accesses the server 130, the server 130 sends a piece of challenge data R to the third party. The third party searches the stored sets of data for an identical piece of challenge data R. If an identical piece of challenge data R is found, the third party sends the piece of response data D corresponding to that piece of challenge data R to the server 130.
As in the above example, when challenge data that was used once is reused, the third party can be illegally authenticated and can pretend to be an authorized user. In particular, the challenge data is more likely to be reused when the size of the challenge data is small, and the problem of spoofing then becomes a greater issue.
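The following Python sketch is an added example, not part of the original text: it runs Steps 1 to 4 and counts how often the server reissues a challenge R it has already sent, which is the condition the spoofing described above depends on, and it estimates that likelihood from the challenge size. HMAC-SHA256 as F, the Server class and all function names are assumptions; the text leaves F unspecified.

```python
import hashlib
import hmac
import math
import secrets


def F(key: bytes, r: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the unspecified conversion F(X, Y).
    return hmac.new(key, r, hashlib.sha256).digest()


class Server:
    def __init__(self, key: bytes, challenge_bytes: int):
        self.key, self.challenge_bytes = key, challenge_bytes
        self.issued = set()   # every challenge R sent so far
        self.reissued = 0     # challenges that repeated an earlier R
        self.pending = None   # challenge awaiting its response

    def challenge(self) -> bytes:
        # Step 1: generate a random number R and send it as challenge data.
        r = secrets.token_bytes(self.challenge_bytes)
        if r in self.issued:
            self.reissued += 1  # an eavesdropper may already hold D for this R
        self.issued.add(r)
        self.pending = r
        return r

    def verify(self, d: bytes) -> bool:
        # Steps 3-4: compute E = F(K, R) and accept only if D equals E.
        if self.pending is None:
            return False
        e, self.pending = F(self.key, self.pending), None  # one response per R
        return hmac.compare_digest(d, e)


def count_reissued(challenge_bytes: int, sessions: int) -> int:
    # Run `sessions` authentications; return how many reused an earlier R.
    key = secrets.token_bytes(32)  # constructed key data K
    server = Server(key, challenge_bytes)
    for _ in range(sessions):
        d = F(key, server.challenge())  # Step 2: terminal sends D = F(K, R)
        if not server.verify(d):
            raise RuntimeError("authorized terminal was rejected")
    return server.reissued


def reuse_probability(challenge_bits: int, sessions: int) -> float:
    # Birthday approximation: chance that some R repeats within `sessions` runs.
    x = sessions * (sessions - 1) / 2 ** (challenge_bits + 1)
    return -math.expm1(-x)
```

With 1-byte challenges, 300 authentications necessarily repeat at least 44 values of R, while with 16-byte challenges a repeat is negligible over the same number of runs.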