JP2010141619A - Communication apparatus, server apparatus, communication program, and data - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication apparatus capable of specifying a node that illegally alters a piece distributed in a content distribution system. <P>SOLUTION: The communication apparatus includes: a data receiver 514 for receiving first signature target information containing first apparatus identification information identifying another communication apparatus and a piece and a first electronic signature generated with respect to the first signature target information; a specific information storage 510 for storing second apparatus identification information identifying the communication apparatus and a non-public key assigned to the communication apparatus; an electronic signature generator 521 for generating a second electronic signature with respect to second signature target information containing the first signature target information, the first electronic signature and the second apparatus identification information while using the non-public key; and a data transmitter 515 for transmitting the second signature target information and the second electronic signature. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a communication device, a server device, and data.

  For example, a distribution method that distributes data using P2P (peer to peer) (referred to as P2P distribution) does not require a data distribution server having a huge storage and a large communication band, and is a distribution method with a large cost merit. is there. Further, since a node receiving data distribution is expected to supply data from a plurality of nodes, high-speed data acquisition utilizing the bandwidth in download and upload is expected. As described above, the P2P data distribution has a great merit, but on the other hand, there is anxiety in safety from the viewpoint of data security such as copyright protection. The following is assumed as a general premise in considering data security such as copyright protection as well as P2P distribution. All terminal devices or nodes are not hacked. If this premise is denied, the terminal device cannot hold data that should be kept secret or perform processing that should be kept secret, and most security techniques and devices for ensuring security cannot be established.

  In P2P distribution, there is a content distribution system that distributes encrypted data, and a node that receives the data distribution acquires a decryption key for decrypting the data (distributed data). A major problem in data security in P2P distribution of such a system is that the combination of distribution data and a decryption key for decrypting the distribution data is single or small in number. In this case, it is assumed that a certain node is hacked and the decryption key is exposed. In this case, this decryption key can be used to decrypt most distribution data. One method for solving this problem is to individualize distribution data for each node.

  As a technique for individualizing distribution data for each node in P2P distribution, for example, a Marking method disclosed in Patent Document 1 is known. In this method, distribution data is divided into pieces, and encrypted with a key matrix to generate an encrypted piece. As a result, a piece group consisting of encrypted pieces encrypted in a matrix is generated. And such a piece group is distributed via a P2P network. One node connected to the P2P network acquires one encrypted piece from among a plurality of encrypted pieces encrypted in a matrix for each piece. As a result, it is expected that the combination of encrypted pieces obtained by encrypting each piece constituting the distribution data is statistically unique for each node.

USP 7165050

  However, in the technique of the above-mentioned Patent Document 1, it is only statistically expected that the combination of encrypted pieces is unique for each node. In order to realize the unique combination of the encrypted pieces for each node, for example, the following two methods are conceivable. One method is to devise a method for distributing encrypted pieces. One is a method in which a key server holding a decryption key for decrypting each encrypted piece restricts delivery of the decryption key. For example, there is a system in which a node obtains a decryption key by declaring a combination of encrypted pieces to a key server in order for a node to decrypt a distributed piece group. In this system, in order to prevent a replay attack due to redistribution of the decryption key, there is a method in which the key server rejects a combination of the already obtained decryption key and an encrypted piece with many duplicates. However, either method may significantly reduce the distribution efficiency of the encrypted piece from time to time, and may not be able to take full advantage of the P2P network. In the former method, the independence of the data protection and the data distribution method is lost, which may be a major limitation in system construction.

  In P2P distribution, it is desirable to verify that the received piece has not been tampered with. In general, as a method of checking the integrity of pieces, there is a method in which a provider of delivery data calculates a hash value for each piece of delivery data and uses a bundle (hash table) of hash values of all pieces. is there. However, such a method can check the integrity of the piece, but it is difficult to identify a node that tampers with the piece.

  The present invention has been made in view of the above, and an object of the present invention is to provide a communication device, a server device, a communication program, and data that can identify a node that illegally alters a piece distributed in a content distribution system. And

  In order to solve the above-described problems and achieve the object, an embodiment of the present invention is a communication device that transmits a piece that is a part of data, and first device identification information that identifies another communication device. And first piece of signature object information including the piece, receiving means for receiving the first electronic signature generated for the first signature object information, second device identification information for identifying the communication device, A storage unit that stores a private key assigned to the communication device; a second unit that includes the first signature object information; the first electronic signature; and the second device identification information stored in the storage unit. Signature generating means for generating a second electronic signature for the signature target information using the private key stored in the storage means, and transmitting means for transmitting the second signature target information and the second electronic signature. It is characterized by providing.

  Moreover, one Embodiment of this invention is a program which can be performed with the said apparatus.

  Also, an embodiment of the present invention is a server device connected to a plurality of communication devices that transmit pieces that are part of data, the communication device including signature target information including the pieces, and the signature Generating a new electronic signature for new signature target information including an electronic signature generated by another communication device for the target information, transmitting the generated signature target information and the generated electronic signature, Receiving means for receiving a verification request for the electronic signature from the communication device, including the signature target information and the electronic signature generated for the signature target information; and the signature target information included in the verification request And verification means for verifying the electronic signature using a public key assigned to the communication device that generated the electronic signature included in the verification request, and the signature including the electronic signature that has not been verified. The communication device that generated the electronic signature for the object information, characterized in that it comprises a detection means for detecting as unauthorized communication device.

  In one embodiment of the present invention, data transmitted from a communication device that mediates distribution of a piece that is a part of distribution data is identified, and each of a plurality of communication devices that mediate distribution of the piece is identified. It includes signature object information including apparatus identification information and the piece, and a plurality of electronic signatures generated by the plurality of communication apparatuses for the signature object information.

  One embodiment of the present invention is data transmitted from a communication device that mediates distribution of a piece that is a part of distribution data to a server device, the signature target information including the piece, and the signature target information A plurality of electronic signatures generated by each of the plurality of communication devices that have transmitted the signature target information, and device identification information for identifying the plurality of communication devices that have transmitted the signature target information and the signature target information. The electronic signature verification request is associated with at least one of the transmitted public keys assigned to the plurality of communication devices.

  According to the present invention, there is an effect that it is possible to identify a node that tampers with a piece distributed in the content distribution system.

  Exemplary embodiments of a communication device, a server device, a communication program, and data according to the present invention will be explained below in detail with reference to the accompanying drawings.

(1) Configuration <Configuration of content distribution system>
FIG. 1 is a diagram showing a configuration of a data distribution system according to the present embodiment. In the data distribution system according to the present embodiment, a plurality of nodes 50, 51A to 51B are connected via a P2P network NT. Although not shown, other nodes can also be connected via the P2P network NT. Each node 50, 51 </ b> A to 51 </ b> B is connected to the key server 53. Each node 50, 51A-51B is a non-key used to generate an electronic signature of a piece that is a pair of a public key certificate and public key described in the public key certificate as assignment information uniquely assigned to each node. It holds a public key and a secret key that is used to encrypt the piece. The public key certificate includes at least a node ID that is device identification information and a public key for verifying an electronic signature. Public key certificates are described in, for example, the document ISO / IEC 9594-8. The public key certificates assigned to the nodes 50, 51A to 51B are pkc_0, pkc_1, and pkc_2, the private keys are sk_0, sk_1, and sk_2, and the node IDs included in the public key certificates are ID # 0. , ID # 1, ID # 2, public keys included in the public key certificate are pk_0, pk_1, pk_2, and private keys are s_0, s_1, s_2, respectively. Of the nodes 50 and 51A to 51B, the node 50 is a distribution start node serving as a data distribution base, and holds data to be distributed (referred to as distribution data). The distribution data may be plaintext or already encrypted ciphertext. For example, the distribution data may be video data protected by some DRM (Digital Right Management) System as encryption. The key server 53 holds a node ID assigned to each of the nodes 50 and 51A to 51B and a secret key. Furthermore, the key server 53 may hold a public key certificate assigned to each of the nodes 50 and 51A to 51B. Hereinafter, when it is not necessary to distinguish the nodes 51A to 51B, they are simply referred to as the node 51.

  Here, the hardware configuration of each device including the nodes 50 and 51 and the key server 53 will be described. Each device is a control device such as a CPU (Central Processing Unit) that controls the entire device, a storage device such as a ROM (Read Only Memory) or a RAM (Random Access Memory) that stores various data and various programs, and a variety of devices. It has an external storage device such as an HDD (Hard Disk Drive) or CD (Compact Disk) drive device that stores data and various programs, and a bus that connects them, and has a hardware configuration that uses a normal computer. ing. Each device includes a display device that displays information, an input device such as a keyboard and a mouse that accepts user instruction input, and a communication I / F (interface) that controls communication with an external device. Connected by

  The device identification information is information assigned to each node in the data distribution system and may be any information as long as each node can be identified. For example, the node ID, the MAC (Media Access) of the communication device, and the like. Control) address, serial number unique to the CPU of the communication device, and the like.

  The digital signature may be any signature information attached to the digital document in order to guarantee the validity of the digital document. For example, an RSA signature, DSA (Digital Signature Algorithm), ElGamal signature, Schnorr signature, Cramer- This is signature information generated by an algorithm such as a Shop signature, ECDSA (Elliptic Curve DSA), elliptical ElGamal signature, elliptical Schnorr signature, or the like.

<Configuration of distribution start node>
Next, in the hardware configuration described above, various functions realized when the CPU of the node 50 that is the distribution start node executes various programs stored in the storage device or the external storage device will be described. FIG. 2 is a diagram illustrating a functional configuration of the node 50. The node 50 includes a unique information storage unit 500, a random number generation unit 501, a temporary symmetric key generation unit 502, a piece encryption unit 503, a piece generation unit 504, a data transmission unit 505, and a transmission request reception unit 506. And an electronic signature generation unit 507. The unique information storage unit 500 is reserved as a storage area in an external storage device such as an HDD of the node 50, for example. The entities of the random number generation unit 501, the temporary symmetric key generation unit 502, the piece encryption unit 503, the piece generation unit 504, the data transmission unit 505, the transmission request reception unit 506, and the electronic signature generation unit 507 are: It is generated on a storage device such as a RAM when the CPU program of the node 50 is executed. Note that distribution data is stored in advance in the external storage device of the node 50.

  The unique information storage unit 500 stores a public key certificate, a private key, and a secret key assigned to the node 50. The public key certificate includes at least the node ID assigned to the node 51 and the public key. The piece unit 504 divides the distribution data into a plurality of pieces. The data size at the time of division is not particularly limited, but is assumed to be predetermined. The transmission request receiving unit 506 receives a piece request for requesting the piece divided by the piece forming unit 504 from the other node 51. When the transmission request reception unit 506 receives a piece request, the random number generation unit 501 generates a random number that is temporary information that can be different for each occurrence. Temporary information is a disposable value that needs to be different every time it is generated at a node. In addition to random numbers, for example, a time stamp, a communication sequence number, a node-specific counter value, or a Time Variant Parameter It is. The document ISO9798-1 is detailed about Time Variant Parameter.

The temporary symmetric key generation unit 502 generates a temporary symmetric key k_0 by the function F using the random number r_0 generated by the random number generation unit 501 and the secret key s_0 stored in the unique information storage unit 500. This can be expressed by the following equation (1).
k_0 = F (s_0, r_0) (1)

  Note that the function F is a one-way function, a symmetric key encryption, or a pseudo-random number generator, which does not know both the secret key and the random number that are the input values, and cannot guess the temporary symmetric key that is the output value. . The temporary symmetric key is an output value of the function F, and it is sufficient that the relationship between the input and output value of the function F is uniquely determined. The function F may be a hash function such as SHA-1 or SHA256, a common key cryptosystem such as AES or Hiercrypt, or a pseudo-random number generator such as Mersenne twister. A value obtained by combining a random number and a secret key may be input to the hash function. In the common key cryptosystem, a random number may be encrypted with a secret key, a secret key may be encrypted with a random number, a random number may be decrypted with a secret key, or a secret key may be decrypted with a random number. A value obtained by combining a random number and a secret key may be input to the pseudo-random number generator.

The piece encryption unit 503 encrypts the piece P using the temporary symmetric key k_0 generated by the temporary symmetric key generation unit 502, and outputs an encrypted piece E (k_0) P. The temporary symmetric key is also an encryption key used for encryption, and is also a decryption key for decrypting the encryption performed on the encrypted piece. The electronic signature generation unit 507 generates an electronic signature sig_0 for the encrypted piece E (k_0) P, the public key certificate pkc_0, and the random number r_0 by the function SIGN using the private key sk_0. The generation of the electronic signature is expressed by the following equation (2).
sig_0 = SIGN (sk_0, E (k_0) P || pkc_0 || r_0) (2)

  Here, the symbol || means data combination. Further, the above equation (2) shows an example of the combination order of signature generation target data. If the signature verification target has a mechanism that can grasp the combination order of the signature generation target data, the combination order is It may be any way.

  As the function SIGN, a signature generation algorithm in an electronic signature method such as RSA signature, DSA (Digital Signature Algorithm), ElGamal signature, Schnorr signature, Cramer-Shoop signature, ECDSA (Elliptic Curve DSA), elliptic ElGamal signature, elliptical Schnorr signature is used. May be. The data transmission unit 505 transmits the public key certificate stored in the unique information storage unit 500, the random number generated by the random number generation unit 501, and the piece encryption unit 503 to the other node 51 that transmitted the piece request. And the electronic signature generated by the electronic signature generation unit 507 are transmitted.

<Configuration of nodes other than the distribution start node>
Next, various functions realized when the CPU of the node 51 other than the distribution start node executes various programs stored in the storage device or the external storage device will be described. FIG. 3 is a diagram illustrating a functional configuration of the node 51. The node 51 includes a unique information storage unit 510, a random number generation unit 511, a temporary symmetric key generation unit 512, a piece encryption unit 513, a data reception unit 514, a data transmission unit 515, and a transmission request reception unit 516. A data storage unit 517, a transmission request transmission unit 518, a key request transmission unit 519, a piece decryption unit 520, an electronic signature generation unit 521, an electronic signature verification unit 522, and a piece verification request transmission unit 523. . The unique information storage unit 510 and the data storage unit 517 are reserved as storage areas in an external storage device such as an HDD of the node 51, for example. Random number generation unit 511, temporary symmetric key generation unit 512, piece encryption unit 513, data reception unit 514, data transmission unit 515, transmission request reception unit 516, transmission request transmission unit 518, key request transmission The entity of the unit 519, the piece decryption unit 520, the digital signature generation unit 521, the digital signature verification unit 522, and the piece verification request transmission unit 523 is stored in a storage device such as a RAM when the CPU program of the node 51 is executed. Is generated.

The unique information storage unit 510 stores a public key certificate, a private key, and a secret key assigned to the node 51. The public key certificate includes at least the node ID assigned to the node 51 and the public key. The configuration of the transmission request receiving unit 516 is the same as the configuration of the transmission request receiving unit 506 included in the node 50 described above. The transmission request transmission unit 518 transmits a piece request for requesting a piece to the node 50 or another node 51. The data reception unit 514 transmits at least the encrypted piece in which the piece is encrypted and the transmission of the encrypted piece from the node 50 or another node 51 to which the transmission request transmission unit 518 has transmitted the piece request. A public key certificate sequence including each public key certificate assigned to one other node 50, 51, a random number sequence including each random number generated by the other node 50, 51, and the other node 50, 51 51 receives the electronic signature sequence including the electronic signatures generated by 51. The electronic signature verification unit 522 receives the encrypted piece E (k_i-1)... E (k_0) P, the public key certificate sequence pkc_0,..., Pkc_i-1 and the random number sequence r_0,. -1 and the digital signature sequence sig_0,..., Sig_i-1 are expressed by the following formula (3) using the public key pk_i-1 included in the data sender's public key certificate. The electronic signature generated by the data sender is verified by the function VERIFY. Note that E (k_i-1)... E (k_0) P, pkc_i-1, r_i-1, sig_i-1, and pk_i-1 each deliver the i-th encrypted piece on the delivery path. Included in the encrypted piece calculated by the intermediary node 51, the public key certificate of the node 51, the random number generated by the node 51, the electronic signature generated by the node 51, and the public key certificate of the node 51 Means public key. The data E (k_0) P, pkc_0, r_0, sig_0, and pk_0 when i = 0 are the encrypted piece calculated by the node 50 that is the distribution start node, the public key certificate of the node 50, the node 50, a random number generated by the node 50, an electronic signature generated by the node 50, and a public key included in the public key certificate of the node 50.
Verification success / failure = VERIFY (pk_i-1, E (k_i-1) ... E (k_0) P || pkc_0 || r_0 || sig_0 || ... || pkc_i-1 || r_i-1, sig_i-1) (3)

For example, in the node 51 that first receives the encrypted piece from the node 50, the electronic signature generated by the node 50 is verified by the following equation (4).
Verification success / failure = VERIFY (pk_0, E (k_0) P || pkc_0 || r_0, sig_0) (4)

  As the function VERIFY, a signature verification algorithm paired with the function SIGN used at the time of signature generation is used. For example, when an RSA signature generation algorithm is used as SIGN, an RSA signature verification algorithm is used as VERIFY.

  If the verification of the electronic signature is successful, the data storage unit 517 stores the public key certificate sequence, random number sequence, electronic signature sequence, and encrypted piece received by the data reception unit 514 in association with each other. If the verification fails, the data reception unit 514 discards the public key certificate sequence, random number sequence, digital signature sequence, and encrypted piece received.

  When the transmission request reception unit 516 receives a piece request from another node 51, the random number generation unit 511 generates a random number. The temporary symmetric key generation unit 512 generates a temporary symmetric key by the function F described above using the random number generated by the random number generation unit 511 and the secret key stored in the unique information storage unit 510. The piece encryption unit 513 further encrypts one encrypted piece stored in the data storage unit 517 using the temporary symmetric key generated by the temporary symmetric key generation unit 512, and outputs a new encrypted piece To do. The electronic signature generation unit 521 uses a private key stored in the unique information storage unit 510 to create a new encrypted piece output from the piece encryption unit 513 and a data storage unit associated with the encrypted piece. In addition to the public key certificate sequence stored in 517, a new public key certificate sequence including the public key certificate stored in the unique information storage unit 510 and the data storage unit 517 in association with the encrypted piece A new random number sequence including the random number generated by the random number generation unit 511 in addition to the stored random number sequence, and a new digital signature sequence associated with the encrypted piece and stored in the data storage unit 517 Generate an electronic signature.

  The data transmission unit 515 transmits the following data to the other node 51 that has transmitted the piece request received by the transmission request reception unit 516. That is, a new public key certificate sequence including the public key certificate stored in the unique information storage unit 510 in addition to the public key certificate sequence stored in the data storage unit 517 in association with the encrypted piece to be transmitted A new random number sequence including the random number generated by the random number generation unit 511 in addition to the random number sequence stored in the data storage unit 517 in association with the encrypted piece, and the new encryption output from the piece encryption unit 513 And a new electronic signature sequence including the electronic signature generated by the electronic signature generation unit 521 in addition to the electronic signature sequence stored in the data storage unit 517 in association with the encrypted piece. When the encrypted piece is not stored in the data storage unit 517, even if the transmission request receiving unit 516 receives the piece request, the piece encryption unit 513 does not output the encrypted piece, and the data transmission unit 515 does not send the encrypted piece.

  Here, the public key certificate sequence, the random number sequence, the encrypted piece, and the electronic signature sequence transmitted from the nodes 50 and 51 will be specifically described. The public key certificate, the random number, and the electronic signature that are transmitted together with the encrypted piece from the node 50 are one each. Here, for convenience of explanation, these are the public key certificate string, the random number, and the like. May be described as a column and a digital signature column. Here, a case will be described in which the encrypted piece is transmitted from the node 50 to the node 51A, the encrypted piece is transmitted from the node 51A to the node 51B, and the key request is transmitted from the node 51B to the key server 53. For example, in response to a piece request from the node 51A for a piece P, the node 50 generates a temporary symmetric key k_0 using a random number r_0 and a secret key s_0, and encrypts the piece P using this to encrypt the piece P Assume that piece E (k_0) P is output. Further, it is assumed that the node 50 generates an electronic signature sig_0 for information (signature target information) including the random number r_0, the encrypted piece E (k_0) P, and the public key certificate pkc_0 using the private key sk_0.

  The signature target information refers to information that is a target for generating an electronic signature. As described above, in the case of the node 50, the random number r_0 generated by the node 50, the encrypted piece E (k_0) P encrypted by the node 50, and the public key certificate pkc_0 of the node 50 are used as signature target information. included. In the case of the node 51 that mediates the distribution of the encrypted piece i-th on the distribution path, the public key certificate sequence pkc_0,..., Pkc_i, the random number sequence r_0,. (K_i)... E (k_0) P and electronic signature strings sig_0,..., Sig_i-1 are included in the signature target information.

  Then, it is assumed that the node 50 transmits the encrypted piece E (k_0) P together with the public key certificate pkc_0, the random number r_0, and the electronic signature sig_0 to the node 51A. FIG. 4 is a diagram schematically illustrating information transmitted from the node 50 to the node 51A. The node 51A uses the public key pk_0 included in the public key certificate pkc_0 to determine whether the electronic signature sig_0 is a valid signature for the encrypted piece E (k_0) P, the public key certificate pkc_0, and the random number r_0. The signature verification unit 522 confirms this. When the verification result of the electronic signature is successful, the node 51A associates the public key certificate pkc_0, the random number r_0, the encrypted piece E (k_0) P, and the electronic signature sig_0 with each other in the data storage unit 517. I will remember it. The data storage unit 517 holds a correspondence relationship between the public key certificate, the random number generated by the node to which the public key certificate is assigned, and the electronic signature generated by the node to which the public key certificate is assigned. Each public key certificate sequence, each random number sequence, and each electronic signature sequence are stored in the state. On the other hand, when the verification result of the electronic signature is a verification failure, the node 51A discards the public key certificate pkc_0, the random number r_0, the encrypted piece E (k_0) P, and the electronic signature sig_0.

  When the node 51A transmits an encrypted piece for the piece P in response to the piece request from the node 51B, the node 51A generates a random number r_1, generates a temporary symmetric key k_1 using this and the secret key s_1, Assume that the encrypted piece E (k_0) P is further encrypted using this and the encrypted piece E (k_1) E (k_0) P is output. E (k_1) E (k_0) P indicates the multiple encrypted pieces P with the temporary symmetric keys k_0 and k_1 in this order. Further, the node 51A obtains the electronic signature sig_1 for the signature target information including the public key certificate sequence pkc_0, pkc_1, the random number sequence r_0, r_1, the encrypted piece E (k_1) E (k_0) P, and the electronic signature sig_0. It is assumed that it is generated using the public key sk_1. At this time, the node 51A assigns itself to the node 51B, which is stored in the unique information storage unit 510 in addition to the public key certificate pkc_0 stored in the data storage unit 517 and assigned to the node 50. Stored in the data storage unit 517, the random number r_1 generated by itself, the encrypted piece E (k_1) E (k_0) P, in addition to the random number r_0 stored in the data storage unit 517 In addition to the electronic signature sig_0, the electronic signature sig_1 generated by itself is transmitted. FIG. 5 is a diagram schematically showing information transmitted from the node 51A to the node 51B. The node 51B determines whether the electronic signature sig_1 is a valid signature for the encrypted piece E (k_1) (k_0) P, the public key certificate sequence pkc_0, pkc_1, the random number sequence r_0, r_1, and the electronic signature sig_0. The electronic signature verification unit 522 confirms the public key pk_1 included in the document pkc_1. If the result of the electronic signature verification is successful, these public key certificate sequences pkc_0 and pkc_1, random number sequences r_0 and r_1, encrypted pieces E (k_1) E (k_0) P and electronic signature sequences sig_0 and sig_1 The data is stored in the data storage unit 517 in association with each other.

  When the public key certificates of all nodes are stored in the key server 53, the node ID is extracted from the received public key certificate and the node ID is transmitted instead of the public key certificate. Thus, data sent between nodes can be reduced. That is, the node 51A stores, in addition to the node ID “ID # 0” included in the public key certificate pkc_0 stored in the data storage unit 517 and stored in the data storage unit 517, the unique information stored in the node 51B. Public key certificate pkc_1 assigned to itself stored in unit 510, random number r_1 generated by itself in addition to random number r_0 stored in data storage unit 517, encrypted piece E (k_1) E ( k_0) P and the electronic signature sig_1 generated by itself are transmitted in addition to the electronic signature sig_0 stored in the data storage unit 517. FIG. 6 is a diagram schematically illustrating information transmitted from the node 51 </ b> A to the node 51 </ b> B when the public key certificates of all nodes are stored in the key server 53. The node 51B determines whether the electronic signature sig_1 is a valid signature for the encrypted piece E (k_1) (k_0) P, the node ID string “ID # 0”, the public key certificate pkc_1, the random number strings r_0 and r_1, and the electronic signature sig_0. The electronic signature verification unit 522 confirms whether or not using the public key pk_1 included in the public key certificate pkc_1. If the result of the electronic signature verification is successful, the node ID string “ID # 0”, the public key certificate pkc_1, the random number string r_0, r_1, the encrypted piece E (k_1) E (k_0) P, and the electronic Signature sequences sig_0 and sig_1 are associated with each other and stored in the data storage unit 517.

  The key request transmission unit 519 transmits to the key server 53 a key request for requesting a decryption key for decrypting the encrypted piece stored in the data storage unit 517. Here, the key request transmission unit 519 includes the node ID sequence and the random number sequence extracted from the public key certificate sequence stored in the data storage unit 517 corresponding to the encrypted piece, in the key request. Send to. For example, a key request for requesting a decryption key for decrypting the encrypted piece E (k_1) E (k_0) P shown in FIG. 6 that is output when the node 51B performs encryption is the key. When transmitting to the server 53, the key request transmission unit 519 of the node 51B transmits a key request including the node ID string “ID # 0, ID # 1” and the random number string r_0, r_1. FIG. 7 is a diagram schematically showing information transmitted from the node 51B to the key server 53. As shown in FIG. As described above, when the node 51 requests the key server 53 for a decryption key for decrypting the encrypted piece, the node 51 indicates the distribution path of the encrypted piece, with the node 50 that is the distribution start node as a base point. The node ID string including the node IDs of the nodes 50 and 51 that mediate the distribution of the encrypted pieces and the random number string including the random numbers generated by the nodes 50 and 51 are transmitted to the key server 53. At the time of these transmissions, the key request transmission unit 519 performs transmission while maintaining the correspondence between each node ID and the random number generated by the node to which each node ID is assigned.

  The piece decryption unit 520 receives the temporary symmetric key sequence transmitted from the key server 53 in response to the key request transmitted from the key request transmission unit 519 as a decryption key, and decrypts the encrypted piece using the temporary symmetric key sequence. To do. For example, in the above-described example, when the node 51A performs encryption, the node 51B transmits the temporary request transmitted from the key server 53 in response to the key request including the node ID string and the random number string illustrated in FIG. Symmetric key sequences k_0 and k_1 are received. That is, each decryption key for decrypting each encryption performed at least once on the piece is received. FIG. 8 is a diagram schematically showing information transmitted from the key server 53 to the node 51B. Piece P is decrypted with the temporary symmetric key string shown in FIG. Note that how the key server 53 generates the temporary symmetric key string will be described later.

  Note that the order in which the node 51 obtains each of the plurality of pieces from which node and from which node is not particularly limited, but as described above, the node 51 encrypts each of the plurality of pieces. Each encrypted piece is acquired from the other nodes 50 and 51 by a piece request. Further, the node 51 receives each temporary symmetric key from the key server 53 by a key request for each encrypted piece, and obtains the distribution data described above by decrypting each encrypted piece.

  When there is a piece that cannot be correctly decrypted using the received decryption key, or the piece verification request transmission unit 523 has received a piece to determine whether the encrypted piece can be correctly decrypted before receiving the decryption key. In this case, a piece verification request is transmitted to the key server 53. If there is a piece that could not be correctly decrypted, a method of verifying the piece with a hash value as shown in FIG. 9 can be used. An example of a method for checking whether or not a piece has been correctly decoded will be described with reference to FIG. For example, when a provider of distribution data calculates a hash value for each piece of distribution data in advance and prepares a hash value string (hash table), and each node obtains decrypted distribution data, By comparing the hash value of the distribution data with the hash value of the hash table, it is possible to check whether or not the piece has been correctly decrypted. The piece verification request transmission unit 523 transmits a verification request for requesting verification of the encrypted piece stored in the data storage unit 517 to the key server 53. Here, the piece verification request transmission unit 523 uses the public key certificate sequence, the random number sequence, and the electronic signature sequence stored in the data storage unit 517 corresponding to the encrypted piece together with the verification target encrypted piece as a piece verification request. To the key server 53.

  For example, the node 51B transmits a verification request for verifying the encrypted piece E (k_1) E (k_0) P shown in FIG. 5 output when the node 51A performs encryption to the key server 53. In this case, the piece verification request transmission unit 523 of the node 51B, the public key certificate strings pkc_0 and pkc_1, the random number strings r_0 and r_1, the encrypted piece E (k_1) E (k_0) P, and the electronic signature strings sig_0 and sig_1 A piece verification request including FIG. 10 is a diagram schematically showing information transmitted from the node 51B to the key server 53. As shown in FIG. Thus, when the node 51 requests the key server 53 for a verification request for verifying the encrypted piece, the node 51 indicates the distribution route of the encrypted piece, and the node 50 that is the distribution start node is the base point. A public key certificate sequence including each public key certificate of each of the nodes 50 and 51 that mediates distribution of the encrypted piece, a random number sequence including each random number generated by each of the nodes 50 and 51, and each of the nodes 50 and 51 The electronic signature sequence including each electronic signature generated by the is transmitted to the key server 53. In these transmissions, the piece verification request transmission unit 523 generates each public key certificate, a random number generated by the node to which the public key certificate is assigned, and a node to which the public key certificate is assigned. Is transmitted in a state where the correspondence with the electronic signature is maintained.

  When the public key certificates of all nodes are stored in the key server 53, the piece verification request transmission unit 523 performs verification for requesting verification of the encrypted pieces stored in the data storage unit 517. The request is transmitted to the key server 53. At this time, the piece verification request transmission unit 523 includes the node ID sequence, random number sequence, and electronic signature sequence stored in the data storage unit 517 corresponding to the encrypted piece in the piece verification request and transmits them to the key server 53. . For example, the node 51B transmits a verification request for verifying the encrypted piece E (k_1) E (k_0) P shown in FIG. 6 output when the node 51A performs encryption to the key server 53. In this case, the piece verification request transmission unit 523 of the node 51B extracts the node ID “ID # 1” from the public key certificate pkc_1, and then the node ID string “ID # 0, ID # 1” and the random number string r_0, r_1. And a piece verification request including the encrypted piece E (k_1) E (k_0) P and the electronic signature strings sig_0 and sig_1.

  FIG. 11 is a diagram schematically illustrating information transmitted from the node 51 </ b> B to the key server 53 when the public key certificates of all nodes are stored in the key server 53. Thus, when the node 51 requests the key server 53 for a verification request for verifying the encrypted piece, the node 51 indicates the distribution route of the encrypted piece, and the node 50 that is the distribution start node is the base point. Each node ID string of each node 50, 51 that mediates the distribution of the encrypted piece, a random number sequence including each random number generated by each node 50, 51, and each electronic signature generated by each node 50, 51 is included. The electronic signature sequence is transmitted to the key server 53. In these transmissions, the piece verification request transmission unit 523 associates each node ID with a random number generated by the node to which the node ID is assigned and an electronic signature generated by the node to which the node ID is assigned. Send in the state of holding.

  The data reception unit 514 receives the piece verification result transmitted from the key server 53 in response to the piece verification request transmitted by the piece verification request transmission unit 523, and responds when the verification result is a verification failure. Discard the encrypted piece and try to obtain the encrypted piece from another node 51 again.

<Key server configuration>
Next, various functions realized when the CPU of the key server 53 executes various programs stored in the storage device or the external storage device will be described. FIG. 12 is a diagram illustrating a functional configuration of the key server 53. The key server 53 includes a secret key storage unit 530, a data reception unit 531, a public key certificate storage unit 532, a temporary symmetric key generation unit 533, a data transmission unit 534, an electronic signature verification unit 535, and a piece verification. The request receiving unit 536, the piece decoding unit 537, and the unauthorized node list storage unit 538 are included. The private key storage unit 530, the public key certificate storage unit 532, and the unauthorized node list storage unit 538 are secured as storage areas in an external storage device such as an HDD of the key server 53, for example. The entity of the data receiving unit 531, the temporary symmetric key generation unit 533, the data transmission unit 534, the electronic signature verification unit 535, the piece verification request reception unit 536, and the piece decryption unit 537 is the CPU of the key server 53. It is generated on a storage device such as a RAM when the program is executed.

  The private key storage unit 530 stores the private key assigned to each of the nodes 50 and 51 in association with the public key certificate assigned to each of the nodes 50 and 51 or the node ID included in the public key certificate. The data receiving unit 531 receives a key request including the above-described node ID sequence and random number sequence from the node 51.

  The public key certificate storage unit 532 is provided when the key server 53 is configured to store the public key certificates of all nodes. In the case where the node ID is provided without storing the public key certificate, the key server 53 does not need to include the public key certificate storage unit 532. The public key certificate storage unit 532 stores public key certificates assigned to the nodes 50 and 51. If the public key certificates of all the nodes are stored in the public key certificate storage unit 532, the data transfer amount between the nodes and the data transfer amount in a piece verification request to be described later can be reduced.

The temporary symmetric key generation unit 533 is associated with each node ID included in the key request received by the data reception unit 531 and is stored in the secret key storage unit 530 in the secret key s_i (0 ≦ i ≦ j−1: j is the number of times the piece is encrypted, and so on, and the decryption key is obtained by function F using each secret key and each random number r_i (0 ≦ i ≦ j-1) included in the random number sequence included in the key request. Generate k_i. This can be expressed by the following equation (5). The function F is the same as that used when the node 50 or the node 51 generates a temporary symmetric key. Accordingly, here, the temporary symmetric key is restored by the function F using the random number and the secret key.
k_i = F (s_i, r_i) (5)

  The data transmission unit 534 transmits the temporary symmetric key generated as the decryption key by the temporary symmetric key generation unit 533 to the node 51 that has transmitted the key request received by the data reception unit 531. For example, in the above example, when the node 51A performs encryption, the key server 53 is as shown in FIG. 8 in response to the key request including the node ID string and the random number string shown in FIG. Then, temporary symmetric keys k_0 and k_1 are obtained for the random numbers r_0 and r_1, and transmitted to the node 51B. Each symmetric key for decrypting each encryption performed on the piece is transmitted to the node 51B, so that the node 51B can completely decrypt the encryption of the encrypted piece. .

The piece verification request reception unit 536 receives from the node 51 a piece verification request including the public key certificate sequence, the random number sequence, the encrypted piece, and the electronic signature sequence. As an example, if the piece verification request shown in FIG. 10 is received, the temporary symmetric key generation unit 533 generates the decryption keys k_0 and k_1 by the same process as when the key request is received. The electronic signature verification unit 535 performs verification of the electronic signature sequences sig_0 and sig_1 using the public keys pk_0 and pk_1 included in the public key certificate sequence, and the piece decryption unit 537 stores E (k_1) (k_0) P. Perform decryption. The procedure for verifying the electronic signature and decrypting the encrypted piece is as follows. First, using the public key pk_1, the electronic signature sig_1 for the signature target information including the encrypted piece E (k_1) E (k_0) P, the public key certificate sequence pkc_0, pkc_1, the random number sequence r_0, r_1, and the electronic signature sig_0 Is verified by the function VERIFY as shown in the following equation (6).
Verification result = VERIFY (pk_1, E (k_1) (k_0) P || pkc_0 || r_0 || sig_0 || pck_1 || r_1, sig_1) (6)

When the verification of the expression (6) fails, the node ID of the node 51 that has transmitted the piece verification request received by the piece verification request receiving unit 536 is added to the illegal node list stored in the illegal node list storage unit 538. In addition, the data transmission unit 534 transmits “verification failure” to the node 51. If the above verification is successful, the encrypted piece is decrypted using the temporary symmetric key k_1, and the encrypted piece E (k_0) P, the public key certificate string pkc_0, and the random number string r_0 using the public key pk_0. The electronic signature sig_0 for the signature target information including the above is verified by the function VERIFY as shown in the following equation (7).
Verification result = VERIFY (pk_0, E (k_0) P || pkc_0 || r_0, sig_0) (7)

  When the verification of the expression (7) fails, the node ID included in the public key certificate pkc_1 is added to the unauthorized node list stored in the unauthorized node list storage unit 538, and the data transmitting unit 534 “Verification failure” is transmitted to the node 51. If the verification is successful, the data transmission unit 534 transmits “verification successful” to the node 51.

  If the public key certificates of all nodes are stored in the key server 53, the piece verification request receiving unit 536 receives the verification request shown in FIG. The verification request includes a node ID string, and the key server 53 selects the public key certificate pkc_i (0) corresponding to the node ID from among the public key certificates recorded in the public key certificate storage unit. ≦ i ≦ j-1) is taken out. The subsequent piece verification process is the same as when the verification request shown in FIG. 10 is received.

(2) Operation <Distribution start node: distribution processing>
Next, a procedure of processing performed in the data distribution system according to the present embodiment will be described. First, the procedure of the distribution process performed by the node 50 that is the distribution start node will be described with reference to FIG. The node 50 divides the distribution data into a plurality of pieces (step S1). When the node 50 receives a piece request for requesting a piece from another node 51 (step S2: YES), the node 50 generates a random number r_0 (step S3). Next, the node 50 generates the temporary symmetric key k_0 by the function F using the random number r_0 and the secret key s_0 stored in the unique information storage unit 500 (step S4). Then, the node 50 encrypts the piece P to be transmitted using the temporary symmetric key generated in step S4, and outputs the encrypted piece E (k_0) P (step S5). In addition, how to determine the piece to be transmitted is not particularly limited. Further, the node 50 uses the private key sk_0 stored in the unique information storage unit 500, the encrypted piece E (k_0) P generated in step S5, the public key certificate pkc_0 of the node 50 itself, and step S3. The electronic signature sig_0 for the signature target information including the random number r_0 generated in step S6 is generated (step S6). Then, the node 50 transmits the public key certificate pkc_0 stored in the unique information storage unit 500 to the other node 51 that has transmitted the piece request received in step S2, as shown in FIG. The random number r_0 generated in step S3, the encrypted piece E (k_0) P output in step S5, and the electronic signature sig_0 generated in step S6 are transmitted (step S7). Thereafter, the process returns to step S2, and the node 50 waits for reception of a new piece request. Note that the piece requests received in step S2 are not necessarily the same node 51, and the pieces P requested by the piece requests are not necessarily the same piece. Further, the random number generated in step S3 basically differs for each process in step S3.

<Reception processing>
Next, a reception process procedure in which the node 51 receives an encrypted piece from the node 50 or another node 51 will be described with reference to FIG. The node 51 transmits a piece request for requesting a piece to the node 50 or another node 51 (step S10). Then, the node 51 receives the public key certificate string, the random number string, the encrypted piece, and the electronic signature string from the node 50 or another node 51 that is the partner who transmitted the piece request in step S10 ( Step S11). Next, the electronic signature generated by the node 50 or the other node 51 which is the transmission partner is verified (step S12). If the verification in step S12 is successful (step S13: YES), the node 51 stores the public key certificate string, random number string, encrypted piece, and electronic signature string received in step S11 in association with each other (step S14). On the other hand, if the verification in step 12 fails (step S13: NO), the node 51 discards the public key certificate sequence, random number sequence, encrypted piece, and electronic signature sequence received in step S11 (step S15).

  When the node 51 transmits a piece request to the node 50, in step S11, the public key certificate string, the random number string, the encrypted piece, and the electronic signature string shown in FIG. Here, although not shown in the figure, a node connected to the P2P network NT, where f is an integer equal to or greater than 1, will be described in a generalized manner. For convenience of explanation, the node ID of the node is ID # f. The node to which the node ID “ID # f” is assigned is the piece P as shown in FIG. 15 from the node to which the (f −1) th node ID “ID # (f-1)” is assigned. , Public key certificate sequence pkc_0,..., Pkc_ {f-1}, random number sequence r_0,..., R_ {f-1}, and encrypted piece E (k_ {f-1}). Receive E (k_0) P and digital signature sequence sig_0... Sig_ {f-1}. At this time, the node IDs “ID # 0,..., ID # (f-1)” included in the public key certificate string respectively identify which node the encrypted piece was encrypted and transmitted. Therefore, the distribution route of the encrypted piece is shown.

<Nodes other than the distribution start node: distribution processing>
Next, the procedure of distribution processing performed by the nodes 51 other than the distribution start node will be described with reference to FIG. When the node 51 receives a piece request for requesting a piece from another node 51 (step S20: YES), the node 51 generates a random number (step S21). Then, the node 51 generates a temporary symmetric key by the function F using the random number generated in step S21 and the secret key stored in the unique information storage unit 510 (step S22). Next, using the temporary symmetric key generated in step S22, the node 51 further encrypts an encrypted piece that is an encrypted piece obtained by encrypting a piece P and is stored in the data storage unit 517, and newly An encrypted piece is output (step S23). Then, using the private key stored in the unique information storage unit 510, the function SIGN generates an electronic signature for the signature target information including the public key certificate sequence, the random number sequence, the encrypted piece, and the electronic signature sequence ( Step S24). Thereafter, the node 51 adds the public key certificate stored in the data storage unit 517 in association with the encrypted piece to be transmitted to the other node 51 that has transmitted the piece request received in step S20. In addition to the new public key certificate sequence including the public key certificate stored in the unique information storage unit 510 and the random number sequence stored in the data storage unit 517 in association with the encrypted piece, it is generated in step S21. In addition to the new random number sequence including the random number, the new encrypted piece output in step S23, and the electronic signature sequence stored in the data storage unit 517 in association with the encrypted piece, the electronic signature generated in step S24 And an electronic signature sequence including the message (step S25).

<Decryption process>
Next, a procedure of a decryption process in which the node 51 acquires a decryption key from the key server 53 and decrypts the encrypted piece using the decryption key will be described with reference to FIG. The node 51 reads the public key certificate sequence and the random number sequence associated with the encrypted piece stored in the data storage unit 517 (step S30), and node ID based on the node ID included in the public key certificate A column is acquired (step S31). Then, a decryption key for decrypting the encrypted piece is requested, and a key request including the node ID sequence acquired in step S31 and the random number sequence read from the data storage unit 517 is transmitted to the key server 53 (step S32). ). Next, the node 51 receives the temporary symmetric key transmitted from the key server 53 in response to the key request transmitted in step S32 as a decryption key (step S33), and decrypts the encrypted piece using the temporary symmetric key. (Step S34).

  For example, the node to which the above-described node ID “ID #f” is assigned, with respect to the key server 53, as shown in FIG. 18, the node ID string “ID # 0,. # (F-1) "and a random number sequence r_0, ..., r_ {f-1}. Then, the node receives the temporary symmetric keys k_0,..., K_ {f-1} for the piece P from the key server 53 as shown in FIG. (K_ {f-1})... E (k_0) P is decoded to obtain piece P. In this way, each node 51 can obtain all the temporary symmetric keys for decrypting the encryption performed for each piece, and thereby can decrypt the encryption performed for the piece. The piece can be completely decrypted. In this way, each node 51 receives each temporary symmetric key from the key server 53 by a key request for each encrypted piece in which each of the plurality of pieces is encrypted, and decrypts each encrypted piece, The above distribution data can be obtained.

<Peace verification request processing>
Next, a procedure in which the node 51 transmits a piece verification request to the key server 53 and receives a piece verification result will be described with reference to FIG. The node 51 reads out the encrypted piece stored in the data storage unit 517, the public key certificate sequence, the random number sequence, and the electronic signature sequence associated with the encrypted piece (step S40), and the encrypted piece and the publicized information are disclosed. A piece verification request including a key certificate string, a random number string, and an electronic signature string is transmitted to the key server 53 (step S41). Next, the node 51 receives the piece verification result transmitted from the key server 53 in response to the piece verification request transmitted in step S41 (step S42), and ends the process if the verification result is successful (step S42). Step S43: YES). On the other hand, if the verification result is unsuccessful (step S43: NO), the encrypted piece, the public key certificate sequence, the random number sequence, and the electronic signature sequence associated with the encrypted piece are discarded ( Step S44).

  For example, the node to which the above-described node ID “ID #f” is assigned, with respect to the key server 53, as shown in FIG. {F-1}, random number sequence r_0,..., R_ {f-1}, encrypted piece E (k_ {f-1}),..., E (k_0) P and electronic signature sequence sig_0, ..., sig_ {f-1} is transmitted. Then, the node receives the piece verification result (success or failure) from the key server 53.

<Key server: Key transmission processing>
Next, a procedure of key transmission processing in which the key server 53 transmits a decryption key in response to a key request from the node 51 will be described with reference to FIG. When the key server 53 is requested to receive a decryption key for decrypting the encrypted piece and receives a key request including a node ID string and a random number string from the node 51 (step S50: YES), the key server 53 is included in the received key request. The secret key stored in the secret key storage unit 530 in association with each node ID included in the node ID string to be read is read for each node ID (step S51). The key server 53 generates a temporary symmetric key as a decryption key by the function F for each node ID using the random numbers for all the node IDs and the secret key read in step S51 (step S52). Next, the key server 53 transmits the temporary symmetric key generated as the decryption key in step S52 to the node 51 that transmitted the key request received in step S50 (step S53).

  For example, the key server 53 responds to a key request including a node ID string and a random number string as shown in FIG. 18 for the piece P with respect to the node assigned the node ID “ID #f” described above. Temporary symmetric keys k_0,..., K_ {f−1} as shown in FIG. 19 are transmitted.

<Key server: piece verification process>
Next, a procedure of piece verification processing in which the key server 53 verifies a piece in response to a piece verification request from the node 51 and transmits a verification result will be described with reference to FIG. When the key server 53 is requested to verify the piece and receives a piece verification request including the public key certificate sequence, the random number sequence, the encrypted piece, and the electronic signature sequence from the node 51 (step S600: YES), the reception is received. The private key stored in the private key storage unit 530 in association with each node ID included in the public key certificate string included in the piece verification request is read for each node ID (step S601). Then, the key server 53 uses the random numbers for all the node IDs and the secret key read in step S601 to decrypt the temporary symmetric keys k_0,..., K_ {f-1} by the function F for each node ID. (Step S602). Here, f is the number of encryption times of the encrypted piece included in the piece verification request, that is, the number of times the encrypted piece is transferred. For example, f can be obtained as the number of data included in each data string such as a public key certificate string, a random number string, and an electronic signature string. Next, the key server 53 sets i = f−1 (step S603), and repeats the following steps S604 to S607 until i = 0. First, the key server 53 includes the public key certificate sequence pkc_0,..., Pkc_i, the random number sequence r_0,..., R_i, and the encrypted piece E (k_i) ... E (k_0) P included in the piece verification request. And the electronic signature sequence sig_0,..., Sig_ {i-1}, whether or not the electronic signature sig_i is a valid signature is determined using the function VERIFY using the public key pk_i included in the public key certificate pkc_i. (Step S604). When the verification result in step S604 is verification success (step S605: YES), the encrypted piece E (k_i) E (k_ {i-1})... E (k_0) P is used as the temporary symmetric key k_i. The encrypted piece E (k_ {i-1})... E (k_0) P is obtained (step S606). Next, the key server 53 sets i = i−1 (step S607), and if i = 0 (step S608: YES), the public key certificate pkc_0, the random number r_0, and the encrypted piece E (k_0) P On the other hand, whether or not the electronic signature sig_0 is a valid signature is verified by the function VERIFY using the public key pk_0 included in the public key certificate pkc_0 (step S609). When the verification result in step S609 is a verification success (step S610: YES), the key server 53 transmits a verification success to the node 51 that has transmitted the piece verification request received in step S600 (step S612). When the verification result of step S604 is a verification failure (step S605: NO) and when the verification result of step S609 is a verification failure (step S610: NO), the key server 53 stores the unauthorized node list storage unit. The node ID of the node 51 included in pkc_ {i + 1} is added to the unauthorized node list recorded in 538 (step S611), and the data transmission unit 534 indicates “verification failure” to the node 51. Transmit (step S613). If i = 0 is not satisfied in step S607 (step S608: NO), the key server 53 repeats the processing from step S604 onward until i = 0 in step S608.

  Next, the key server 53 stores the public key certificates of all the nodes in the public key certificate storage unit 532, and the node ID string is included in the piece verification request as shown in FIG. The processing in this case will be described with reference to FIG. When the key server 53 is requested to verify the piece and receives a piece verification request including the node ID string, the random number string, the encrypted piece, and the digital signature string from the node 51 (step S700: YES), the received piece The secret key associated with each node ID included in the node ID string included in the verification request and stored in the secret key storage unit 530 is read for each node ID, and the node ID string included in the received piece verification request is read. The public key certificate associated with each included node ID and stored in the public key certificate storage unit 532 is read for each node ID (step S701). First, the key server 53 uses the random numbers for all the node IDs and the secret key read in step S701 to decrypt the temporary symmetric keys k_0,..., K_ {f-1} by the function F for each node ID. (Step S702). Here, f is the number of encryption times of the encrypted piece included in the piece verification request, that is, the number of times the encrypted piece is transferred. Next, the key server 53 sets i = f−1 (step S703), and repeats the following steps S704 to S707 until i = 0. Then, the key server 53 reads the public key certificate sequence pkc_0,..., Pkc_i read in step S701, the random number sequence r_0,..., R_i included in the piece verification request, and the encrypted piece E (k_i). .. The public key included in the public key certificate pkc_i indicates whether or not the electronic signature sig_i is a valid signature for E (k_0) P and the electronic signature sequence sig_0, ..., sig_ {i-1} Verification is performed by the function VERIFY using pk_i (step S704). When the verification result in step S704 is a verification success (step S705: YES), the encrypted piece E (k_i) E (k_ {i-1})... E (k_0) P is used as the temporary symmetric key k_i. The encrypted piece E (k_ {i-1})... E (k_0) P is obtained (step S706). Next, the key server 53 sets i = i-1 (step S707). If i = 0 (step S708: YES), the public key certificate pkc_0, the random number r_0, and the encrypted piece E (k_0) P are stored. On the other hand, whether or not the electronic signature sig_0 is a valid signature is verified by the function VERIFY using the public key pk_0 included in the public key certificate pkc_0 (step S709). When the verification result in step S709 is a verification success (step S710: YES), the key server 53 transmits a verification success to the node 51 that has transmitted the piece verification request received in step S700 (step S712). When the verification result of step S704 is a verification failure (step S705: NO) and when the verification result of step S709 is a verification failure (step S710: NO), the key server 53 stores the unauthorized node list storage unit. The node ID of the node 51 included in pkc_ {i + 1} is added to the unauthorized node list recorded in 538 (step S711), and the data transmission unit 534 indicates “verification failure” to the node 51. Transmit (step S713). If i = 0 is not satisfied in step S707 (step S708: NO), the key server 53 repeats the processing after step S704 until i = 0 in step S708.

  The unauthorized node list may be distributed from the key server 53 to each of the nodes 50 and 51 regularly or irregularly. Further, each node 50, 51 may request the key server 53 periodically or irregularly to obtain an unauthorized node list. Each of the nodes 50 and 51 may partially limit transmission / reception of the encrypted piece based on the obtained information of the illegal node list. For example, when a node 51 having an unauthorized node list receives a piece request from another node, the piece request may be rejected if the node ID of the other node is described in the unauthorized node list. . Further, when the node 51 having the illegal node list makes a piece request to another node, if the node ID of the other node is described in the illegal node list, the piece request is issued to the other node. You may decide not to do.

  According to the above configuration, when a certain illegal node tampers with the encrypted piece, the key server verifies the encrypted piece using the electronic signature generated each time the encrypted piece is transferred. This makes it possible to identify the unauthorized node.

It is a figure which shows the structure of the data delivery system concerning 1st Embodiment. It is a figure which illustrates the functional structure of the delivery start node concerning the embodiment. It is a figure which illustrates functional composition of nodes other than the distribution start node concerning the embodiment. It is a figure which shows typically the information transmitted to nodes other than a distribution start node from the distribution start node concerning the embodiment. It is a figure which shows typically the information transmitted to the other node from the node concerning the embodiment. It is a figure which shows typically the information transmitted to the other node from the node concerning the embodiment. It is a figure which shows typically the information transmitted to the key server from the node concerning the embodiment. It is a figure which shows typically the information transmitted to the node from the key server concerning the embodiment. It is a figure which shows an example of the piece verification method using a hash value. It is a figure which shows typically the information transmitted to the key server from the node concerning the embodiment. It is a figure which shows typically the information transmitted to the key server from the node concerning the embodiment. It is a figure which illustrates the functional structure of the key server concerning the embodiment. It is a flowchart which shows the procedure of the delivery process which the node which is a delivery start node concerning the embodiment performs. It is a flowchart which shows the procedure of the reception process in which the node concerning the embodiment receives an encryption piece from a delivery start node or another node. It is a figure which shows typically the information received by the node concerning the embodiment. It is a flowchart which shows the procedure of the delivery process which nodes other than the delivery start node concerning the embodiment perform. It is a flowchart which shows the procedure of the decoding process which the node concerning the embodiment acquires a decoding key from a key server, and decodes an encryption piece using this. It is a figure which shows typically the information which the node concerning the embodiment transmits. It is a figure which shows typically the temporary symmetric key which the node concerning the embodiment receives. It is a flowchart which shows the procedure of the piece verification request | requirement process in which the node concerning the embodiment transmits a piece verification request | requirement to a key server, and receives a piece verification result. It is a flowchart which shows the procedure of the key transmission process in which the key server concerning the embodiment transmits a decoding key according to the key request from a node. It is a flowchart which shows the procedure of the piece verification process which the key server concerning the embodiment verifies a piece according to the piece verification request | requirement from a node, and transmits a verification result. It is a figure which shows typically the information transmitted to the key server from the node concerning the embodiment. It is a flowchart which shows the procedure of the piece verification process which the key server concerning the embodiment verifies a piece according to the piece verification request | requirement from a node, and transmits a verification result.

Explanation of symbols

50, 51, 51A, 51B Node 53 Key server 500 Unique information storage unit 501 Random number generation unit 502 Temporary symmetric key generation unit 503 Piece encryption unit 504 Piece generation unit 505 Data transmission unit 506 Transmission request reception unit 507 Electronic signature generation unit 510 Unique information storage unit 511 Random number generation unit 512 Temporary symmetric key generation unit 513 Piece encryption unit 514 Data reception unit 515 Data transmission unit 516 Transmission request reception unit 517 Data storage unit 518 Transmission request transmission unit 519 Key request transmission unit 520 Piece decryption unit 521 Electronic signature generation unit 522 Electronic signature verification unit 523 Piece verification request transmission unit 530 Private key storage unit 531 Data reception unit 532 Public key certificate storage unit 533 Temporary symmetric key generation unit 534 Data transmission unit 535 Electronic signature verification unit 536 Piece verification Request acceptance unit 537 Piece decryption unit 538 Dorisuto storage unit NT P2P networks

Claims (12)

A communication device that transmits a piece that is part of data,
Receiving means for receiving first signature object information including first device identification information for identifying another communication device and the piece, and a first electronic signature generated for the first signature object information;
Storage means for storing second device identification information for identifying the communication device, and a private key assigned to the communication device;
A second electronic signature for the second signature object information including the first signature object information, the first electronic signature, and the second device identification information stored in the storage means is stored in the storage means. Signature generating means for generating using a public key;
Transmitting means for transmitting the second signature object information and the second electronic signature;
A communication apparatus comprising: The receiving means includes the first signature object information including the first device identification information and a first encrypted piece that is the piece encrypted by the other communication device, the first electronic signature, and the Receiving the first temporary information generated when the other communication device encrypts,
Temporary information generating means for generating second temporary information that may differ for each generation;
Key generation means for generating a temporary symmetric key using the second temporary information;
An encryption means for outputting a second encrypted piece obtained by further encrypting the first encrypted piece using the temporary symmetric key;
The signature generation means includes the first signature object information obtained by replacing the first encrypted piece with the second encrypted piece, the first electronic signature, and the second device identification information stored in the storage means. Generating a second electronic signature for the second signature target information including using the private key stored in the storage means;
The transmission means transmits the second signature target information, the second electronic signature, the first temporary information, and the second temporary information;
The communication apparatus according to claim 1. The first signature object information includes a public key certificate including the first device identification information and a public key assigned to the other communication device, and the first encrypted piece;
The communication device according to claim 2. The receiving means further receives a public key corresponding to the private key used when generating the first electronic signature,
Verification means for verifying the first electronic signature using the public key and the first signature object information;
The signature generation unit generates the second electronic signature for the second signature target information using the private key stored in the storage unit when it is verified that the first electronic signature is correct. To do,
The communication apparatus according to claim 1. The receiving means transmits the pieces of first signature object information including a plurality of pieces of the first device identification information for identifying each of the plurality of other communication devices that mediate transmission of the pieces, and the pieces. A plurality of the first electronic signatures generated by each of the plurality of other communication devices for each,
The transmission means further transmits a verification request for the first electronic signature including the first signature object information and the first electronic signature to a server device capable of verifying the electronic signature,
The receiving means further receives the verification result of the first electronic signature from the server device as a response to the verification request;
The communication apparatus according to claim 1. A server device connected to a plurality of communication devices that transmit pieces that are part of data,
The communication device generates a new electronic signature for new signature target information including signature target information including the piece and an electronic signature generated by another communication device for the signature target information, and generates the signature Transmitting the signature target information and the generated electronic signature,
Receiving means for receiving a verification request for the electronic signature from the communication device, including the signature target information and the electronic signature generated for the signature target information;
Verification means for verifying the electronic signature using the signature target information included in the verification request and a public key assigned to the communication device that generated the electronic signature included in the verification request;
Detection means for detecting the communication device that has generated the electronic signature for the signature target information including the electronic signature that has not been verified as an unauthorized communication device;
A server device comprising: Further comprising storage means for storing device identification information for identifying the communication device and the public key assigned to each of the communication devices in association with each other.
The receiving means receives the verification request including the signature target information, the electronic signature, and the device identification information of the plurality of communication devices that transmitted the signature target information in association with each other,
The verification means verifies the electronic signature using the signature object information included in the verification request and the public key of the storage means corresponding to the device identification information included in the verification request;
The server device according to claim 6. The receiving unit receives the verification request including the signature target information, the electronic signature, and the public keys assigned to the plurality of communication devices that transmitted the signature target information in association with each other;
The verification means verifies the electronic signature using the signature object information included in the verification request and the public key included in the verification request;
The server device according to claim 6. And further comprising storage means for storing the secret information assigned to each of the communication devices and the device identification information for identifying the communication device in association with each other.
The verification request is information that can be different for each generation generated by each of the plurality of communication devices, and the device identification associated with a plurality of temporary information for generating an encryption key for encrypting the piece Including information,
The signature target information is encrypted each time a plurality of communication devices transmit the signature target information with a plurality of encryption keys generated using the temporary information by a plurality of communication devices,
The verification unit generates an encryption key using the temporary information included in the verification request and the secret information of the storage unit corresponding to the device identification information included in the verification request. The signature object information is decrypted by using the decrypted signature object information and the public key to verify the electronic signature;
The server device according to claim 6. A communication device that transmits a piece of data,
Receiving means for receiving first signature object information including first device identification information for identifying another communication device and the piece, and a first electronic signature generated for the first signature object information;
The second device identification information, the first signature object information, and the first electronic device stored in storage means for storing second device identification information for identifying the communication device and a private key assigned to the communication device. Signature generating means for generating a second electronic signature for the second signature object information including the signature using the private key stored in the storage means;
Transmitting means for transmitting the second signature object information and the second electronic signature;
Communication program to function as Data transmitted from a communication device that mediates distribution of pieces that are part of distribution data,
Signature information including device identification information for identifying each of a plurality of communication devices that mediate delivery of the piece and the piece, and a plurality of electronic devices generated by the plurality of communication devices for the signature target information Including signature,
Data characterized by that. Data transmitted from the communication device that mediates the distribution of pieces that are part of the distribution data to the server device,
Signature object information including the piece, a plurality of electronic signatures generated by each of the plurality of communication apparatuses that transmitted the signature object information to the signature object information, and a plurality of the communication that transmitted the signature object information Including an electronic signature verification request that associates at least one of device identification information for identifying a device and public keys assigned to the plurality of communication devices that transmitted the signature object information,
Data characterized by that.

Images