Protocols for ensuring the security of a communication channel between a client apparatus and a server apparatus by authentication and cryptography include Transport Layer Security (TLS) and Secure Sockets Layer (SSL) (refer to non-patent literature 1 and 2, for example). These protocols include authentication between two apparatuses, the client apparatus and the server apparatus (processing 1), sharing of a common key between the two apparatuses by using a cryptography technology (processing 2), and processing to check the validity of a common key setting process by using secret information for identifying the common key and communication log information between the two apparatuses (processing 3). Authentication is performed as a safeguard against man-in-the-middle attacks, in which an attacker's apparatus impersonates the server apparatus to steal the common key from the client apparatus. There are two authentication modes: In one mode, authentication of the server apparatus alone is performed; in the other mode, authentication of both the server apparatus and the client apparatus is performed.
An outline of the protocols is given below. A protocol overview of TLS will be given here, but the same basic procedure applies to SSL and other extended protocols (TLS, SSL, and their extended protocols will be referred to as “TLS or the like” below). Items needed to explain the invention will be mainly described, and descriptions of other items that are not needed to explain the invention will be omitted.
[Mode in which Authentication of Server Apparatus Alone is Performed]
FIG. 1 is a sequence diagram illustrating an outline of a conventional mode in which authentication of the server apparatus alone is performed. When TLS is used, a method based on RSA, a method based on Diffie-Hellman (DH), or the like can be selected as a key exchange scheme. Only the RSA-based method will be described below.
In preprocessing of this procedure, a secret key SKs of a second apparatus (server apparatus) is stored in a memory of the second apparatus. When a first apparatus (client apparatus) starts communicating with the second apparatus, the first apparatus generates a random number R1 and sends information (ClientHello message) that includes the random number R1 (ClientHello.random) and a cryptosystem list (cipher suite list) CSL to the second apparatus. In response to the information, the second apparatus generates a random number R2 and sends information (ServerHello message) that includes the random number R2 (ServerHello.random) and a cryptosystem (cipher suite) C selected from the cryptosystem list CSL to the first apparatus.
The second apparatus next sends information (Certificate message) that includes a public key certificate Cs to the first apparatus. The second apparatus also sends a ServerHelloDone message to the first apparatus, but a description of this process will be omitted here.
The first apparatus generates a random number and uses the generated random number as secret information (premaster secret) PMS. This information is used to identify the common key Key. The first apparatus generates encrypted text PKs(PMS) by encrypting the secret information PMS with the public key PKs of the second apparatus and sends information (ClientKeyExchange message) that includes the encrypted text PKs(PMS) to the second apparatus (challenge at the first apparatus in processing 1 and processing 2). The second apparatus can obtain the secret information PMS by decrypting the encrypted text PKs(PMS) by using its own secret key SKs and calculates a master secret key MS from the secret information PMS and the random numbers R1 and R2. The second apparatus calculates the common key Key from the master secret key MS and the random numbers R1 and R2.
The first apparatus then sends a notification (ChangeCipherSpec) of the start of encryption to the second apparatus (unless otherwise expressed explicitly, the description will be omitted), generates a finished message FN1 corresponding to the secret information PMS and communication log information HS1 between the second apparatus and the first apparatus, and sends the finished message FN1 to the second apparatus. When TLS is used, the finished message FN1 is a message authentication code (MAC) generated to authenticate the communication log information HS1 between the second apparatus and the first apparatus by using the master secret key MS. When TLS is used, the finished message FN1 is generally encrypted by a common key encryption processor 12i by using the common key Key, is sent to the second apparatus, and is decrypted as necessary. This process is omitted in FIG. 1 (and also in FIGS. 2 to 4 to be described later).
The second apparatus verifies the finished message FN1 by using the master secret key MS and the communication log information HS1 between the second apparatus and the first apparatus (processing 3). If the verification has finished successfully, the second apparatus sends a notification (ChangeCipherSpec) of the start of encryption to the first apparatus (unless otherwise expressed explicitly, the description will be omitted), generates a finished message FN2 corresponding to the secret information PMS and communication log information HS2 between the second apparatus and the first apparatus, and sends the message to the first apparatus (response from the second apparatus in processing 1 and processing 3). When TLS is used, the finished message FN2 is the message authentication code generated to authenticate the communication log information HS2 between the second apparatus and the first apparatus and the finished message FN1, by using the master secret key MS. When TLS is used, the finished message FN2 is generally encrypted by using the common key Key and sent to the first apparatus.
The first apparatus verifies the finished message FN2, using the master secret key MS, the communication log information HS2 between the second apparatus and the first apparatus, and the finished message FN1 (verification of response from the second apparatus in processing 1 and processing 3). If the verification has finished successfully, the first apparatus sends the encrypted text data (Key(Application DATA)) obtained by encrypting a message by using the common key Key to the second apparatus to perform common key cryptosystem communication.
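As an added illustration of processing 2 and processing 3 above (this code is not part of the original description), the following Python code implements the TLS 1.0 derivation of the master secret MS, the common key material, and the finished messages FN1 and FN2 from RFC 2246 (non-patent literature 1), and walks both apparatuses through the checks of FIG. 1 with nothing beyond the standard library. The random numbers, premaster secret and handshake log contents are constructed placeholders; the RSA step is assumed to have already taken place, so both sides hold the same PMS; and the helper names (`simulate_handshake`, `derive_keys`, `verify_finished`) are this example's own, not names from the description.

```python
import hashlib
import hmac


def _p_hash(hash_name, secret, seed, length):
    """P_hash data expansion (RFC 2246, section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    second half (the halves overlap by one byte when the secret length is odd)."""
    half = (len(secret) + 1) // 2
    md5_part = _p_hash("md5", secret[:half], label + seed, length)
    sha_part = _p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(pms, r1, r2):
    """Master secret MS from the premaster secret PMS and the randoms R1, R2 (processing 2)."""
    return prf(pms, b"master secret", r1 + r2, 48)


def derive_keys(ms, r1, r2, mac_len=20, key_len=16, iv_len=16):
    """Common key material from MS and the randoms. Default sizes are a constructed
    choice (SHA-1 MAC, 16-byte cipher key and IV). RFC 2246 section 6.3 seeds the
    key expansion with ServerHello.random first."""
    block = prf(ms, b"key expansion", r2 + r1, 2 * (mac_len + key_len + iv_len))
    names = ["client_write_mac", "server_write_mac", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(ms, label, transcript):
    """Finished message (12 bytes): PRF keyed by MS over MD5(log) || SHA1(log) (processing 3)."""
    digest = hashlib.md5(transcript).digest() + hashlib.sha1(transcript).digest()
    return prf(ms, label, digest, 12)


def verify_finished(ms, label, transcript, received):
    """Recompute the Finished value over our own view of the log; compare in constant time."""
    return hmac.compare_digest(finished_verify_data(ms, label, transcript), received)


def simulate_handshake(pms, r1, r2, server_view=None):
    """Hypothetical helper: run processing 2 and 3 of FIG. 1 for both apparatuses.
    `server_view` lets the caller give the second apparatus a handshake log that
    differs from the first apparatus's (as it would if a message were altered in
    transit), to show that the finished-message check detects the difference."""
    # Constructed handshake log HS1: the messages exchanged before the first Finished.
    hs1 = (b"ClientHello|" + r1 + b"|CSL=RSA_AES128_SHA,RSA_3DES_SHA"
           + b"|ServerHello|" + r2 + b"|C=RSA_AES128_SHA"
           + b"|Certificate|Cs" + b"|ClientKeyExchange|PKs(PMS)")
    if server_view is None:
        server_view = hs1
    ms = master_secret(pms, r1, r2)
    # First apparatus: FN1 over HS1.
    fn1 = finished_verify_data(ms, b"client finished", hs1)
    # Second apparatus: verify FN1 against its own view of HS1.
    fn1_ok = verify_finished(ms, b"client finished", server_view, fn1)
    # The Finished handshake message (type 20, 3-byte length, verify_data) becomes
    # part of HS2, so FN2 also binds FN1.
    fn1_msg = b"\x14" + len(fn1).to_bytes(3, "big") + fn1
    fn2 = finished_verify_data(ms, b"server finished", server_view + fn1_msg)
    # First apparatus: verify FN2 over HS2 = HS1 || FN1 message.
    fn2_ok = verify_finished(ms, b"server finished", hs1 + fn1_msg, fn2)
    return {"ms": ms, "fn1": fn1, "fn2": fn2, "fn1_ok": fn1_ok, "fn2_ok": fn2_ok,
            "keys": derive_keys(ms, r1, r2)}


if __name__ == "__main__":
    r1, r2 = bytes(range(32)), bytes(range(32, 64))      # constructed R1, R2
    pms = b"\x03\x01" + bytes(46)                           # constructed 48-byte PMS
    result = simulate_handshake(pms, r1, r2)
    print("FN1 verified:", result["fn1_ok"], " FN2 verified:", result["fn2_ok"])
    altered = simulate_handshake(pms, r1, r2, server_view=b"ClientHello|" + r1 + b"|CSL=RSA_NULL_SHA")
    print("With altered log, FN1 verified:", altered["fn1_ok"])
```

The point the code makes concrete is why processing 3 exists at all: the finished messages are keyed by MS, which only a party holding PMS can compute, and they cover the whole handshake log, so a server that verifies FN1 over a log differing in even one byte from the client's (for example a changed cipher suite list) rejects it, and the client's check of FN2 fails in the same way because FN2 covers both HS2 and FN1.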
[Mode in which Authentication of Both Server Apparatus and Client Apparatus is Performed]
FIG. 2 is a sequence diagram illustrating an outline of a conventional mode in which authentication of both the server apparatus and the client apparatus is performed.
As shown in FIG. 2, this mode differs from the mode in which authentication of the server apparatus alone is performed in the following points: the secret key SKc is stored in the first apparatus so that the second apparatus (server apparatus) authenticates the first apparatus (client apparatus); the first apparatus sends information (Certificate message) that includes the public key certificate Cc to the second apparatus and also sends signature information Sign (CertificateVerify message) generated with the secret key SKc of the first apparatus to the second apparatus (response from the first apparatus in processing 1). Now, the second apparatus can perform authentication of the first apparatus (verification of response from the first apparatus in processing 1).
[Communication Technology through Relay Apparatus]
SSL-VPN, SSL-accelerator, and other technologies are used to perform communication through a relay apparatus between the client apparatus and the server apparatus performing the processing as described above in accordance with TLS or the like (refer to non-patent literature 3, for example). With these technologies, the client apparatus and the relay apparatus share a common key by performing the processing described above using TLS or the like, and the server apparatus and the relay apparatus share a common key by performing the processing as described above using TLS or the like.
FIG. 3 is a sequence diagram illustrating an example of related art for performing communication through the relay apparatus between the client apparatus and the server apparatus, the apparatuses performing processing in accordance with TLS or the like.
In the example illustrated in FIG. 3, the first apparatus (client apparatus) and the second apparatus (server apparatus) perform authentication of both the server apparatus and the client apparatus and common key sharing, via the relay apparatus (TLS-authenticated GW). In this example, the first apparatus stores its secret key SKc, the relay apparatus stores its secret key SKg, and the second apparatus stores its secret key SKs. The first apparatus and the relay apparatus perform the above-described processing in the mode in which authentication of both the server apparatus and the client apparatus is performed (the public key certificate Cs of the second apparatus is replaced with the public key certificate Cg of the relay apparatus; the public key PKs is replaced with the public key PKg; and the second apparatus is replaced with the relay apparatus) to share a common key Key1. In addition, the second apparatus and the relay apparatus separately perform the above-described processing in the mode in which authentication of both the server apparatus and the client apparatus is performed to share a common key Key2.
FIG. 4 is a sequence diagram illustrating another example of communication through the relay apparatus, between the client apparatus and the server apparatus performing processing in accordance with TLS or the like.
In the example illustrated in FIG. 4, the first apparatus stores its secret key SKc, the relay apparatus stores its secret key SKg, and the second apparatus stores its secret key SKs. The first apparatus and the relay apparatus perform the above-described processing in the mode in which authentication of both the server apparatus and the client apparatus is performed (the public key certificate Cs of the second apparatus is replaced with the public key certificate Cg of the relay apparatus; the public key PKs is replaced with the public key PKg; and the second apparatus is replaced with the relay apparatus) to share a common key Key1. In addition, the second apparatus and the relay apparatus separately perform the above-described processing in the mode in which authentication of the server apparatus alone is performed to share a common key Key2.

Non-patent literature 1: T. Dierks, C. Allen, “The TLS Protocol Version 1.0,” [online] January 1999, Network Working Group, retrieved on Oct. 24, 2007, URL: http://www.ietf.org/rfc/rfc2246.txt
Non-patent literature 2: “SSL & TLS,” [online] May 2, 2007, retrieved on Oct. 26, 2007, URL: http://www21.ocn.ne.jp/~k-west/SSLandTLS/
Non-patent literature 3: Ryuichiro Maruyama, “Advantages of introducing SSL-VPN, a new wave in remote access (part 1),” [online] Sep. 13, 2003, ITmedia Inc., retrieved on Oct. 24, 2007, URL: http://www.atmarkit.co.jp/fsecurity/special/42ssl_vpn/ssl_vpn01.html