1. Field of the Invention
The present invention relates to a cipher key distribution system for distributing a cipher key from a key center to an unspecified number of user terminals through a public network.
2. Description of the Background Art
In a system formed by a key center and an unspecified number of user terminals connected with the key center through a public network, an enciphered application (AP) and a terminal program necessary for utilizing this system are initially distributed to an unspecified number of user terminals either through the network or by the use of information recording media. In such a system, in order to decipher the AP, the key center distributes a certain cipher key (referred to hereafter as an AP key) to the user terminals.
Now, such a system ideally should satisfy the following conditions.
(1) A terminal program cannot be analyzed at the user terminal.
(2) An AP key obtained at the user terminal and a program for deciphering the AP are protected against an illegitimate use.
(3) A cipher scheme of the enciphered AP which is distributed to the terminal users and a cipher scheme for enciphering signals on communication lines have sufficient secrecy.
In the following, a use of the AP by a terminal user without using a connection with the key center through a legitimate protocol will be referred to as an illegitimate use.
In general, for the condition (3), there are some propositions for a scheme which can guarantee a certain level of secrecy. However, for the conditions (1) and (2), there are cases in which it may be difficult to adopt a scheme relying on a specialized hardware for reasons such as that of cost, etc., and there is a need to provide a software based protection scheme. In such a software based protection scheme, however, a level of protection is a matter of relative significance because the analysis of the terminal program is still possible in principle, and the acquisition of the AP key obtained at the user terminal is also still possible.
In the above described system, depending on a protocol scheme used between the user terminal and the key center, the illegitimate use by a malicious terminal user is possible by means of the tapping of signals on the communication line between the key center and the user terminal.
For example, consider a conventional protocol scheme as shown in FIG. 1 in which the AP key is simply enciphered and distributed from the key center in response to the request for the AP key from the user terminal. This scheme will be referred to hereafter as a conventional scheme A.
In this conventional scheme A, at the user terminal, the AP key request signal is produced by enciphering a user identifier such as a user ID, password, etc., and AP request data necessary for requesting a desired AP in a public key enciphering scheme E using a public key Ke that was distributed in advance as a cipher key, and transmitted to the key center. Then, at the key center, the received AP key request signal is deciphered by using a secret key Kd corresponding to the public key Ke, and an AP key distribution signal is produced by enciphering a decipher key (AP key) K1 of the requested AP in the public key enciphering scheme using a public key Ke' as a cipher key, and transmitted to the user terminal, while charging the fee for the requested AP to the user. Then, at the user terminal, the AP key distribution signal is deciphered by using a secret key Kd' corresponding to the public key Ke' that was distributed in advance, to obtain the AP key K1 of the desired AP. In this procedure, the transmission of the user identifier from the user terminal to the key center may be omitted.
Here, it is noted that the secret key enciphering scheme is a scheme in which the cipher key and the decipher key are the same, whereas the public key enciphering scheme is a scheme in which the cipher key and the decipher key are different. In the conventional scheme A described above, the public key enciphering scheme is used, but if the key can be shared secretly and safely in some manner at the beginning, it is also possible to consider a case of using the secret key enciphering scheme instead of the public key enciphering scheme.
In this conventional scheme A, even when the system satisfies all the conditions (1) to (3) noted above, it is still possible to make the illegitimate use of the AP as follows. Namely, the key center transmits the same AP key for the same AP, so that the same AP key distribution signal is going to be transmitted through the communication line every time the same AP is requested. Consequently, the illegitimate use is possible by recording the AP key distribution signal at a time of connecting with the key center once, and forming a dummy key center which reproduces the recorded AP key distribution signal. In other words, this is an illegitimate use of the AP by a fake key center using communication line tapping and recording.
This type of the illegitimate use is effective in a case of using the charging method in which each use of the AP is charged separately. In such a case, the user terminal is going to receive the same AP key distribution signal every time the same AP is used, so that it is possible to make the legitimate use on the first occasion in order to tap and record the AP key distribution signal, and input the recorded signal into the user terminal without connecting with the key center on the subsequent occasions.
Note however that, in this type of the illegitimate use, it is necessary to make the legitimate connection with the key center in the first occasion at least. For this reason, in a case of using the charging method in which the AP software itself is sold once and for all, this type of the illegitimate use is impossible, because in such a case, the same AP key will never be received again once the key for the AP is received from the key center at the user terminal.
On the other hand, in order to deal with this type of the illegitimate use, consider another conventional protocol scheme as shown in FIG. 2 in which the user terminal generates a random number and transmits that to the key center, and the key center enciphers and distributes the AP key according to the received random number. This scheme will be referred to hereafter as a conventional scheme B.
In this conventional scheme B, at the user terminal, the AP key request signal is produced by enciphering a user identifier such as a user ID, password, etc., AP request data necessary for requesting a desired AP, and a random number K3 generated at the terminal in a public key enciphering scheme E using a public key K2e that was distributed in advance as a cipher key, and transmitted to the key center. Then, at the key center, the received AP key request signal is deciphered by using a secret key K2d corresponding to the public key K2e, and an AP key distribution signal is produced by enciphering a decipher key (AP key) K1 of the requested AP in the secret key enciphering scheme E' using the random number K3 as a cipher key, and transmitted to the user terminal. Then, at the user terminal, the AP key distribution signal is deciphered by using the random number K3 generated earlier, to obtain the AP key K1 of the desired AP. In this procedure, the transmission of the user identifier from the user terminal to the key center may be omitted.
According to this conventional scheme B, a different signal flows through a communication line each time. Consequently, when the system satisfies the conditions (1) to (3) noted above, even if a third person intending the illegitimate use of the AP produces a dummy key center by tapping and recording the signal on the communication line and inputs the recorded signal into his own terminal program, the user terminal checks internally whether the inputted signal is enciphered by the same random number as that which was generated earlier at that user terminal, so that it is impossible to make the above described illegitimate use of the AP.
However, in this conventional scheme B, even when the conditions (1) to (3) noted above are satisfied, it is still possible to make the following illegitimate action which is different from the above described illegitimate use of the AP.
Namely, the third person can tap and record the signal from a legitimate user terminal to the key center, and then transmit the recorded signal to the key center later on. Here, if the public network used in this service is a type which does not have a function for confirming a calling side ID, as in a case of the telephone network, it is possible in principle to reproduce the information transmitted from the user terminal to the key center for the purpose of authenticating the calling side, by tapping and recording the signal on the communication line. When the AP key request signal from the user terminal is received, the key center transmits the AP key distribution signal corresponding to that, and charges the fee for the requested AP to the user when the requested AP is a chargeable one.
In this manner, the third person can make the key center transmit an unnecessary AP key to the legitimate user, and charge unnecessary fees to the legitimate user. In other words, this is an illegitimate charging by a fake user terminal using communication line tapping and recording.
Moreover, as already mentioned above, the conditions (1) and (2) noted above may not necessarily be satisfied completely at all times. In particular, in a case of using a protection based on the software technique, the analysis of the terminal software is often possible in principle albeit not so easy.
In such a case, the tapping and the recording of the signals on the communication line is the easiest thing one can do toward the program analysis. This is because when the meaning of the input and output signals of the terminal program is analyzed, it is possible to reveal the function of the terminal program itself.
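The replay behaviour described above for conventional schemes A and B can be checked in a short simulation. This is an added example, not part of the original specification: the toy cipher `seal`/`unseal` (SHA-256 keystream with an HMAC tag) stands in for both E and E', the shared keys `KD` and `K2` stand in for the public/secret key pairs, and all key, user and AP values are constructed.

```python
import hashlib, hmac, os
K1 = b"AP-KEY-constructed-0001"   # constructed sample AP key (23 bytes)
KD = b"terminal-key-scheme-A"     # stands in for the Ke'/Kd' pair (assumption)
K2 = b"center-key-scheme-B"       # stands in for the K2e/K2d pair (assumption)

def seal(key, msg):
    """Toy cipher for messages up to 32 bytes: SHA-256 keystream XOR + HMAC tag."""
    stream = hashlib.sha256(b"enc" + key).digest()
    body = bytes(m ^ s for m, s in zip(msg, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when blob was not sealed under key."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(b"enc" + key).digest()
    return bytes(b ^ s for b, s in zip(body, stream))

class CenterB:
    """Key center of scheme B: deciphers the request, charges, seals K1 under K3."""
    def __init__(self):
        self.charges = 0
    def handle(self, request):
        k3 = unseal(K2, request)[:16]
        self.charges += 1            # no freshness check on the request
        return seal(k3, K1)

def new_request():                   # terminal side of scheme B
    k3 = os.urandom(16)              # fresh random number K3 per session
    return k3, seal(K2, k3 + b"|user01|AP-1")   # constructed user/AP fields

def scheme_a_accepts_recorded_response():
    recorded = seal(KD, K1)          # scheme A: same signal every session
    return seal(KD, K1) == recorded and unseal(KD, recorded) == K1

def scheme_b_accepts_recorded_response():
    center = CenterB()
    _, req1 = new_request()
    recorded = center.handle(req1)   # response from an earlier session
    k3_new, _ = new_request()        # later session, new K3
    return unseal(k3_new, recorded) is not None

def scheme_b_charges_after_request_replay():
    center = CenterB()
    _, req = new_request()
    center.handle(req)               # legitimate request
    center.handle(req)               # same recorded bytes presented again
    return center.charges
```

The terminal-side check in scheme B rejects a recorded distribution signal, but the key center has no corresponding check on the request, which is why the charge counter advances on the repeated request.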
For example, for the conventional scheme B described above, the following procedure is predictable. First, the legitimate use of the AP is made, and the analysis of the meaning is carried out. The enciphered AP is disposed at hand of the terminal user from the beginning and it does not change in time, so that the AP key for deciphering the same AP also does not change in time. On the other hand, by means of the tapping of the communication line, it can be recognized that the received signal of the terminal program is different for the same AP each time, so that it can be recognized that the received signal is changed in some manner such as that which uses a random number.
Here, however, in order for the user terminal side to obtain the AP key by deciphering the received signal, it is necessary to learn the rule by which this constantly changing received signal is changing. In this regard, in the conventional scheme B, the signals are exchanged only once, so that it is evident that the user terminal side is specifying this rule for change at first. Consequently, by checking the rule for change specified by the terminal program, it is possible to obtain information useful for the purpose of the illegitimate use.
In the conventional scheme B, when the terminal program is analyzed from such a viewpoint, even if the content of the signal itself cannot be revealed as it is enciphered, the meaning of each signal can be determined almost uniquely by conjecturing from the fact that the AP key itself does not change and the fact that the signals actually transmitted and received change. Thus, except for a case in which the analysis is impossible in principle, the difficulty in the analysis can be reduced considerably in this manner.
As described, a mere encipherment of the information on the communication line, and a simple variation of the signal on the communication line based on a random number are insufficient in coping with the problems of the illegitimate use and the illegitimate charging described above.
Furthermore, in a case of realizing a protection of the terminal program by means of software alone, without any hardware based protection, the analysis can be made difficult at best, and it remains possible in principle in many cases.
The user intending the illegitimate use of the AP can carry out the tapping and the recording of the signals on the communication line by using his own user terminal, for the purpose of analyzing the terminal program. In this case, by tapping and recording the signals between the user terminal and the key center several times and simply comparing these recorded signals, information useful for the purpose of analyzing the terminal program can be obtained.
Thus, in a situation in which the terminal program analysis or the illegitimate action using intermediate communication line tapping and recording by a malicious terminal user is possible, a mere encipherment of the signal on the communication line or a complication of the terminal program itself is insufficient as the protection against the illegitimate use, and it is necessary to deal with the problems of the illegitimate use and the illegitimate charging based on the production of the dummy key center or user terminal and the simplification of the analysis of the terminal program.