JP2001331104A - Method and device for digital signature - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it possible to discriminate a digital signature by a digital signature generator him-/herself from that by a third party who pretends to be the signature generator. SOLUTION: Before distributing a message with a digital signature containing a generated digital signature and the message, a device 1 of a digital signer registers a signature log 2235 of the message with the digital signature in a signature log table 2234. A device 3 of a digital signature verifier obtains a signature log list from the device 1 of the digital signer, and verifies whether or not the message with the digital signature has been generated by the device 1 of the digital signer, by checking whether or not the message with the digital signature to be verified is registered in the signature log list obtained by the message with digital signature to be a verification object.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] The present invention relates to a digital signature technique.

[0002]

2. Description of the Related Art A digital signature, which is a technique for giving a function equivalent to a conventional seal to a digitized message such as an electronic document, is a technique that enables advanced use of a network in electronic commerce and the like. It is getting attention.

[0003] Documents relating to digital signature technology include, for example, the following.

Reference 1: Alfred J. Menezes, Paul C. va
n Oorschot, and Scott A. Vanstone, "Handbook of Ap
plied Cryptography "CRC Press, Inc. 1997 Reference 2: Bruce Schneier," Applied Cryptography Sec
ond Edition ", JognWiley & Sons, Inc. 1996 Reference 3: International Application Number PCT / US91
/ 05386 Reference 4: "Standerd Specifications for Public Key C
ryptography (DraftVersion 11) "IEEE P1363, IEEE, J
uly 1999 In the digital signature technology described in each of the above documents, the digital signature creator applies a secret key held in secret to the message M to be signed or its characteristic value and a hash value that is a message digest. As a result, a digital signature A for the message M is generated.
Then, a digital signature A is attached to the message M and the message M is released. The digital signature verifier compares the digital signature A attached to the message M with the result obtained by applying the public key paired with the secret key to the message M or its hash value. If the two do not match, the message M may have been tampered with after the digital signature A was generated.

[0005] For this reason, only when the two match, the digital signature A authenticates that the digital signature A is given to the message M.

[0006] It should be noted that P75, "CHAPTER4 Int" in Reference
ermediate Protocols, 4.1 TIMESTANPING SERVICES "and Reference 3 show that a digital signature creator generates a new digital signature by adding a certain falsification to a message generated by the creator and replaces the original message and the digital signature with these. In this technology, a digital signature creator is required to sign a message _Mn to be signed or a hash value thereof and a digital signature A _n-1 generated immediately before. the data and time data, itself by the action of secret key held in secret, generating a digital signature a _n for the message M _n. in this way, a digital signature a _n
Of the digital signature A _{n + 1} that is generated next, the digital signature A _n of the signature target data generated in the previous is reflected. Therefore, in addition to any tampering with the message M _n of digital signature creator himself generates generates a new digital signature A _n, these original message M _n and that replaces the digital signature A _n fraud Is performed, the matching with the digital signature _{An + 1} cannot be achieved.

[0007]

By the way, the above-mentioned digital signature technique is based on the premise that the digital signature creator holds his / her private key in secret.
That is, it is assumed that only a digital signature creator holding the secret key can generate a digital signature that can be verified using the public key paired with the secret key.

If a third party illegally obtains the digital signature creator's private key and impersonates as the digital signature creator and performs the digital signature, for any reason, such as the inability of the digital signature creator to manage the private key, This digital signature technology cannot detect this.

The International Application Numbe
r PCT / US93 / 1117 discloses a technique for generating a new digital signature for a message by applying a new secret key held by a digital signature generator to a message and a digital signature for the message. . However, this technique has the potential to allow a third party to illegally obtain the private key of the digital signature creator due to the recent dramatic improvement in the computing power of the computer and the improvement of the algorithm for finding the private key from the public key. This is a technique for securing the security of a digital signature that has been performed before, in which a third party who has illegally obtained a secret key impersonates a digital signature generator and detects a digital signature that has been performed. Can not.

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and an object of the present invention is to combine a digital signature created by a digital signature creator with a digital signature impersonated by a third party as a digital signature creator. It is to provide an identifiable digital signature technology.

[0011]

In order to achieve the above object, a first aspect of the present invention is to provide a digital signature creator which, prior to distribution of a digitally signed message including a generated digital signature and a message, The log data of the message with the digital signature is registered in a log list. Here, the log data may be the digitally signed message itself, or a digitally signed message in which a message included in the digitally signed message is replaced with a hash value of the message.

The hash value used in the present invention refers to a value calculated by a function called a hash function that outputs a fixed-length value from an arbitrary-length input. For the purpose of ensuring safety, use a function that makes it difficult to find two different input values that give the same output value and find an input value that has a given output value. Is desirable. It is assumed that the algorithm of the hash function is open to the entire system.

In this way, the digital signature verifier obtains the log list from the digital signature generator and checks whether or not log data of the message with the digital signature to be verified is registered in the log list. This makes it possible to verify whether or not the message with the digital signature to be verified has been distributed by the digital signature creator.

According to a second aspect of the present invention, a digital signature creator transmits a digital signature for a message generated by the digital signature creator to a reliable third party, a time stamp issuing authority. Encrypts the digital signature and the time data using a secret key held in secret, and asks the user to generate a time stamp.
Then, the time stamp is attached to the message and distributed.

[0015] By doing so, the digital signature verifier obtains the time data and the digital signature from the time stamp attached to the message using the private key of the time stamp issuing authority and the paired public key. By checking whether the date and time indicated by the time data has passed the date and time notified in advance by the digital signature creator, it is possible to verify whether the digital signature is valid by the digital signature creator Becomes

[0016]

FIG. 1 is a schematic diagram of a system to which a first embodiment of the present invention is applied.

As shown in the figure, the present system includes a digital signer side apparatus ₁₁ to 1 _n (hereinafter simply referred to as a digital signer side apparatus 1) for creating a message with a digital signature, and a digital signer side apparatus 1. purchaser apparatus 3 ₁ to 3 but which holds a digital signature created message
_n (hereinafter simply referred to as the purchaser's device 3), the digital signature verifier's device 5 for verifying the digitally signed message created by the digital signer's device 1, and the digital signer's device 1 And a mediator device 7 that publishes a message list and obtains a digitally signed message from the digital signer device 1 on behalf of the purchaser device 3.

In the embodiment of the present invention, a message has the same value as digital data such as an electronic document, digitized multimedia data such as image data and audio data, and securities. Digital data and the like. Further, the term “purchase” used in the description of the embodiment of the present invention refers to an act of obtaining a digitally signed message created by a digital signer by any method, regardless of whether it is charged or not. .

FIG. 2 is a schematic configuration diagram of the digital signer side device 1, the purchaser side device 3, the digital signature verifier side device 5, the mediator side device 7, and the time stamp issuing device 8.

Each device includes a CPU 11, a RAM 12 functioning as a work area for the CPU 11, an external storage device 13 such as a hard disk device, and a reading device for reading data from a portable storage medium 15 such as a CD-ROM or FD. 14, an input device 16 such as a keyboard and a mouse, a display device 17 such as a display, a communication device 18 for communicating with other devices via a network, an IC card connection device 19, and each of the components described above. It can be constructed by connecting an IC card 22, which is a storage medium with a calculation function, to an electronic computer 21 having a general configuration provided with an interface 20 for controlling data transmission and reception between elements.

External storage device 1 of digital signer side device 1
Stored in 3 is a request for the IC card 22 to generate a digital signature for the message, a digital signature generated by the IC card 22 attached to the message, and a signature for distribution as a digitally signed message. The digital signature verifier 5 is requested to verify the message PG (program) 131 and the digitally signed message generated by the digital signature verifier 1, or in accordance with an instruction from the digital signature verifier 5. A verification request P for providing the digital signature verifier side device 5 with information necessary for the digital signature verifier side device 5 to verify a message with a digital signature.
G (program) 132. These are loaded on the RAM 12 and are signed by the CPU 11 into the signed message creation processing unit 1.
11 and a verification request processing unit 112.

Stored in the external storage device 13 of the purchaser-side device 3 are a signed message obtaining PG (program) 331 for obtaining a digitally signed message from the digital signature-side device 1, and the obtained digital signature. A verification request PG (program) 332 for requesting the digital signature verifier apparatus 5 to verify the attached message.
These are loaded on the RAM 12, and are embodied by the CPU 11 as processes of a signed message acquisition processing unit 311 and a verification request processing unit 312.

Stored in the external storage device 13 of the digital signature verifier side device 5 is a signature verification PG for verifying a message with a digital signature in accordance with an instruction from the digital signer side device 1 or the purchaser side device. (Program) 531. This is loaded on RAM12 and
Thus, the present invention is embodied as a process called a signature verification processing unit 511.

The mediator device 7 obtains a digitally signed message from the digital signer device 1 in place of the purchaser device 3. Basically, it has a configuration similar to that of FIG. Buyer's device 3, Digital signature verifier's device 5,
The intermediary device 7 may not have an IC card connection device.

These programs are read from a portable storage medium 15 such as a CD-ROM or FD by a reading device 14,
It may be installed in the external storage device 13 or may be downloaded from the network to the external storage device 13 via the communication device 18.

FIG. 3 is a schematic configuration diagram of the IC card 22 shown in FIG.

As shown, the IC card 22 includes a CPU 221.
A RAM 222 functioning as a work area for the CPU 221; an EEPROM 223 for storing various programs and data; and an I / O 224 for communicating with the computer 21 via the IC card connection device 19.
And In the present invention, the EEPROM refers to a nonvolatile memory in which data can be electrically rewritten.

The EEPROM 223 stores a signature generation PG (program) 2231 for generating a digital signature for the message and a secret key 22 used for generating the digital signature in accordance with an instruction from the signed message generation processing unit 111.
A public key certificate 22 including a public key paired with 32 and a private key 2232
33, and a signature log table 2234 for recording the history of digital signature generation. Here, signature generation
The PG2231 and the secret key 2232 are set when the IC card 22 is issued, and are set so that they cannot be read from outside the IC card 22. What is written at the time of issuing a card and is not rewritten afterward, such as the signature generation PG2231, may be stored in a non-rewritable ROM instead of the EEPROM 223. The public key certificate 2233 is set when the IC card 22 is issued, and is set so that it can be read from outside the IC card 22.

The signature log table 2234 is stored in an IC card
No information is recorded when the IC card 22 is issued, and every time the IC card 22 generates a digital signature, the generated digital signature, the hash value of the message to be signed, and the name of the purchaser of the message to be signed (the purchaser device) 3) is added. The signature log table 2234 is set so that it can be read from outside the IC card 22 but cannot be rewritten from outside the IC card 22 and data cannot be erased. And In the example shown in FIG.
This shows the state after digital signature generation processing has been performed N times in the IC card 22, and the signature log table 2234 contains N
Signature logs 2235 are stored.

The issuing process of the IC card 22, that is, the EEPROM
223, a signature generation PG2231, a private key 2232, and a public key certificate 223
The process of storing and setting 3 may be performed by an IC card issuer. Alternatively, the IC card issuer can use EEPR
Issued with only the signature generation PG2231 stored in OM223,
The digital signer, the owner of the C card 22,
232 and the public key certificate 2233 may be stored and set in the EEPROM 223.

The digital signer stores the secret key 2232 in the EEPROM 22
When storing and setting in the IC card 3, the IC card issuer stores the secret key generation program in the IC card 22 in advance and executes the program by the digital signer, so that the digital signer himself can also store the secret key 2232. It is desirable to store and set without knowing the value of.

The CPU 221 loads the signature generation PG 2231 into the RAM 222 and executes the same, thereby realizing the signature generation processing unit 2211 as a process.

Next, with reference to FIG. 4, the operation when the purchaser's device 3 obtains a message with a digital signature from the digital signer's device 1 will be described.

In the digital signer side apparatus 1, upon receiving a message transmission request from the purchaser side apparatus 3, the signed message creation processing unit 111 stores the message to be transmitted, for example, various messages. The hash value is obtained by reading the data from the external storage device 13 and evaluating the hash value with a hash function. Then, the hash value of the message and the purchaser's device that made the transmission request
The address 3 is sent to the signature generation processing unit 2211 to request signature generation (S6101). The signature generation processing unit 2211 applies a secret key 2232 to the hash value of the transmitted message to generate a digital signature for the message (S6).
102). The signature generation processing unit 2211 stores the hash value of the message, the digital signature, and the purchaser-side device 3 that has issued the transmission request.
Log 2235 consisting of the address of
2234 (S6103), and sends the digital signature and the public key certificate 2233 to the signed message creation processing unit 111.
It is preferable that the signature log table 2234 be able to manage data sequentially, such as by attaching an index in advance, because the temporal context between the signature logs can be easily understood. The signed message creation processing unit 111 creates a digitally signed message by attaching the digital signature to the message to be transmitted, attaches the public key certificate 2233 to the message, and The data is transmitted to the device 3 (S6104).

In the purchaser's apparatus 3, when a message acquisition request is instructed by the purchaser via the input device 36, the signed message acquisition processing section 311 sends the digital signer's apparatus of the acquisition source holding the message. A message transmission request is transmitted to the digital signer 1 (S6001), and a digital signature-added message is sent from the digital signer side apparatus 1 (S6002). The signed message obtaining processor 311 verifies the digital signature included in the received digitally signed message. Specifically, the public key of the public key certificate 2233 attached to the message with the digital signature is applied to the digital signature, and a hash value is obtained from the message included in the message with the digital signature. Are compared (S6003). If they match (OK in S6004), the digital signature is authenticated to be the one included in the digitally signed message, the digitally signed message is accepted, and the source is obtained. The address of the digital signer side device 1 is added and stored in the external storage device 33 (S600).
Five). If they do not match (NG in S6004), the message with the digital signature is discarded without authentication (S6006).

Before actually accepting the digitally signed message, the purchaser device sends a digital signature verification request to be described later, if necessary, for example, according to the value of the digitally signed message, etc. The request may be made to 5 to verify the signature, and after confirming that the signature is valid, the signature may be accepted.

When the intermediary apparatus 7 acts on behalf of the purchaser apparatus 3, the intermediary apparatus 7 executes the flow of the purchaser apparatus 3 shown in FIG. 4, and purchases the signed message accepted in S6005. Is transmitted to the user-side device 3. In this case, since the purchaser-side device 3 does not need to perform the verification process shown in S6003, the burden on the purchaser-side device 3 can be reduced. The mediator device 7
Obtains in advance information about messages owned by each digital signer side apparatus 1 and publishes a list of messages owned by each digital signer side apparatus 1 to each purchaser side apparatus 3 using the Web or the like. Is preferred.

The digital signer side device 1 may create a message with a digital signature based on the intention of the digital signer regardless of the request from the purchaser side device 3. In this case, the buyer-side device shown in FIG.
Step 3 will not be performed. However, the purchaser of the message with the digital signature can verify the signature by using the purchaser-side device 3 to request the digital signature verifier-side device 5 for a signature verification request described later.

For example, taking as an example digital data in which a message has the same value as a security (herein referred to as electronic security), the digital signer who is the issuer of the electronic security is the digital signer. Device 1
Is used to create and issue a digital certificate with a signature, by executing the flow of the digital signature side device 1 shown in FIG. In addition,
At the stage of issuance of the electronic security, since the purchaser of the created electronic security with a signature is not clear, the address of the purchaser is not included in the signature log 2235 registered in the signature log table 2234.

The intermediary apparatus 7 obtains the electronic certificate with the signature issued by the digital signer apparatus 1 and publishes it using the Web or the like. Then, in response to a request from the purchaser-side device 3, a desired electronic certificate with a signature is transmitted or sent by mail or the like. Before actually performing the purchase procedure, the purchaser of the electronic securities requests the digital signature verifier's apparatus 5 to verify the electronic securities to be purchased using the purchaser's apparatus 3, and the validity is confirmed. The actual purchase procedure can be performed only when the purchase is completed.

Next, referring to FIG. 5, the operation when the purchaser side device 3 requests the digital signature verifier side device 5 to verify the message with the digital signature obtained from the digital signer side device 1. Will be described.

In the purchaser's device 3, the verification request processing unit 3
12, when the purchaser instructs, via the input device 36, a request to verify the digitally signed message held by the own device, the digitally signed message is added to the digitally signed message as the source of the digitally signed message. It attaches the address of the signer side device 1 and sends it to the digital signature verifier side device 5 to request verification (S7001). It waits for the verification result to be sent from the digital signature verifier side device 5 (S7002), and displays the verification result on, for example, the display device 37 (S7003).

In the digital signature verification side device 5, upon receiving the digital signature signed message verification request from the purchaser side device 3, the signature verification processing unit 511 performs a step for the digital signature signed message sent with the request. As in S6003 and S6004, the first-stage verification is performed (S7101, S7102).

If OK in S7102, authentication is performed, and the flow advances to S7103. In the case of NG in S7102, the authentication result is not authenticated, and the verification result is transmitted to the purchaser-side apparatus 3 that transmitted the verification request and the digital signer-side apparatus 1 specified by the address added to the message with the digital signature (S7108). ).

In S7103, the signature verification processing unit 511 sends the signature log table 2 to the digital signer side apparatus 1 specified by the address attached to the message with the digital signature.
Requesting transmission of all signature logs 2235 (referred to as signature log list) recorded in 234 (S7103), waiting for a signature log list from the digital signer side apparatus 1 (S7104), and signing. The verification processing unit 511 performs a second-stage verification on the message with the digital signature. Specifically, it is checked whether or not the digital signature included in the digitally signed message and the signature log including the hash value of the message obtained in S7101 are registered in the obtained signature log list (S7105).

If registered (OK in S7106)
Authenticates the message with the digital signature as being valid in the digital signer side apparatus 1 that has submitted the signature log list, and verifies the result with the purchaser side apparatus 3 that transmitted the verification request and the digital signature. The message is transmitted to the digital signer side apparatus 1 specified by the address attached to the attached message (S7107).

If it is not registered (in the case of NG in S7106), the message with the digital signature is not generated by the digital signer side apparatus 1 which submitted the signature log list, that is, the secret key 2232 is generated by some method. The third party who has obtained the ID pretends to be a digital signer, determines that the digital signature has been generated improperly, and identifies the result by the purchaser-side device 3 that transmitted the verification request and the address attached to the digitally signed message. The message is transmitted to the digital signer side device 1 (S7108).

In the digital signer side apparatus 1, the verification request processing unit 112
It waits for a signature log list transmission request and verification result to be sent (S7201). When a transmission request for the signature log list is sent, all the signature logs 2235 registered in the signature log table 2234 of the EEPROM 223 are read and transmitted to the digital signature verifier side device 5 (S7202). When the verification result is sent (S7203), the contents are displayed on, for example, the display device 17 (S7204). By transmitting the verification result to the digital signer side apparatus 1 in this way, for example, the verification result indicates that a third party who has obtained the private key 2232 by some method impersonates the digital signer and improperly signs the digital signature. If it indicates that the signature has been generated, it is possible to take measures such as changing the secret key 2232 for signature generation.

In the present invention, the transmission of the history log list from the digital signer side apparatus 1 to the digital signature verifier side apparatus 5 is performed by communication using a network as described above. More IC card 22
You may make it perform by sending itself.

Next, referring to FIG. 6, when the digital signer side apparatus 1 requests the digital signature verifier side apparatus 5 to verify the message with the digital signature generated by the own digital signer side apparatus 1. Will be described.

In the digital signer side apparatus 1, the verification request processing unit 112 receives the address of the purchaser side apparatus 3 which is the purchaser of the message with the digital signature from the digital signer via the input unit 16, and When a request for verification of a message with a digital signature is issued, the input address of the purchaser's device 3 is transmitted to the digital signature verifier's device 5 and verification is requested (S8001). afterwards,
Proceeding to S8002, the processing of S7201 to S7204 in the flow shown in FIG. 5 is executed.

In the digital signature verification side apparatus 5, upon receiving a verification request for a message with a digital signature from the digital signer side apparatus 1, the signature verification processing section 511 receives the request specified by the address sent with the request. A request to transmit a message with a digital signature to be verified is sent to the side device 3 with the address of the digital signer side device 1 that has transmitted the verification request (S8101), and the system waits for the message to be sent. (S8102). After that, the process advances to S8103 to execute the processes of S7101 to S7109 in the flow shown in FIG.

In the purchaser's device 3, the verification request processing unit 3
The step 12 waits for a request for transmission of a message with a digital signature to be verified from the digital signature verifier 5 (S8201). Then, a message with a digital signature obtained from the digital signer side device 1 specified by the address attached to the request is read out, for example, from the external storage device 33 or the like, and transmitted to the digital signature verifier side device 5 (S8202). ). After that, proceed to S8203,
The processing of S7002 to S7003 in the flow shown in FIG. 5 is executed.

According to the present embodiment, the digital signer's side apparatus 1 distributes a digitally signed message including a digital signature and a message generated by itself,
The signature log 2235 including the digital signature and the hash value of the message is registered in the signature log table 2234.

The digital signature verifier apparatus 5 stores the signature log 2235 registered from the digital signature creator apparatus 1.
And obtains a signature log list including a digital signature and a hash value of the message included in the digitally signed message to be verified. By doing so, whether the digitally signed message to be verified is a valid message generated by the digital signer side device 1, or
It becomes possible to identify whether a third party who has acquired the secret key 2232 by any method impersonates the digital signer and has been illegally generated.

Unlike the above embodiment, the signature log table may be set in the external storage device 13 provided in the computer 21 in addition to the EEPROM 223. And EE
By registering the newly generated signature log in the signature log table of the PROM 223, the number of logs registered in the signature log table of the EEPROM 223 exceeds a predetermined number (this number may be set in consideration of the capacity of the EEPROM 223). If you have EEPROM223
The oldest log registered in the signature log table may be moved to the signature log table of the external storage device 13, and then the new signature log may be registered in the signature log table of the EEPROM 223.

Alternatively, a plurality of signature logs registered in the signature log table of the EEPROM 223 may be collectively registered in the signature log table of the external storage device 13 at one time.
The registration in the signature log table of the external storage device 13 may be appropriately performed according to the instruction of the signer,
It may be performed automatically each time the predetermined number is reached.

Alternatively, the newly generated signature log is stored in the EE
By registering in the signature log table of the PROM 223 and the signature log table of the external storage device 13 of the computer 21, and by registering the newly generated signature log in the signature log table of the EEPROM 223, it is registered in the signature log table of the EEPROM 223. If the number of logs to be
The oldest log among the signature logs registered in the signature log table of the PROM 223 is deleted from the signature log table of the EEPROM 223, and then the newly generated signature log is stored in the EEPROM.
223 may be registered in the signature log table.

In this way, even when the capacity of the EEPROM 223 is small, the digital signer side device 1 can be realized.

In order to prevent the digital signer from falsifying the signature log, the signature log table set in the external storage device 13 is set to be writable only from the IC card 22 or is rewritten to a CD-R or the like. It is preferable to use a storage medium that cannot be used.

Instead of setting a signature log table in the EEPROM 223, a signature log management device 9 for managing a signature log table for each digital signer side device 1 is newly provided in addition to the configuration of FIG. Is also good. Then, the digital signer side apparatus 1 may register the signature log in the signature log table associated with the own digital signer side apparatus 1 every time a new digital signature is generated. In the same manner as when registering in the signature log table of the storage device 13, a plurality of signature logs are grouped together and a signature log management device
It may be registered in a signature log table provided in association with the nine digital signer-side devices 1.

In this case, in S7103 of the flow shown in FIG. 5, the digital signature verifier side device 5 sends a request for transmission of the signature log list to the signature log This is performed by attaching the address of the signer-side device 1. S7201 and S7202 in the flow shown in FIG.

When receiving the request for transmitting the signature log list, the signature log management device 9 stores the signature log list of the digital signer side device 1 specified by the address attached to the request in the digital signature verifier side device. Send to 5. By doing so, it is possible to prevent the signature log from being falsified by the digital signer.

The signature log management device 9 may be constructed on the same computer as the digital signature verifier's device 5, or may be constructed on both the same computer and a different computer. The logs may be managed by a signature log management device on the same computer, and when a certain number is reached, the logs may be collectively registered in a signature log management device on a different computer.

If there is no privacy problem,
The signature log data in the signature log management device 9 may be made public to other devices connected by a network for a certain period of time or always after the signature is generated.
However, it is set so that the log cannot be rewritten or deleted. In this way, for example, buyers can make sure that the records of the transactions in which they are involved are indeed reflected in the signer's log, and that they can be viewed from many other devices. By managing the signature log, it becomes difficult for the signer himself to falsify the signature log data, so that the reliability of the entire system can be improved. The device for publishing the signature log may be provided separately from the signature log management device.

It is also possible to set unique information for each IC card, and to use this information to assure that the registered signature log is indeed related to the signature generated by the IC card 22. For example, when an IC card issuer issues an IC card,
It is set secretly for the signer who is the owner of each IC card. Each time a signature generation process is performed by an IC card, information unique to the IC card is stored in a MAC (Messag) that is different from the secret key 2232 for generating a digital signature.
e Authentication Code) is used as a secret key to generate a MAC for the digital signature and register it in the signature log table along with the signature log, and in response to a signature log list transmission request from the digital signature verifier. ,
Send the signature log list containing this MAC.

The above method makes it more difficult to falsify the signature log. This is because the digital signature verifier obtains, in advance or as necessary, the unique information of the IC card that generated the signature from the IC card issuer, and uses the information to confirm the validity of the MAC, thereby obtaining a signature log. This is because it is possible to detect the falsification of the information. In addition, since information that the signer himself does not know is used as a secret key, forgery of the signature log by the signer himself can be prevented.

In addition to storing the MAC in the signature log table, the MAC is output together with the digitally signed message to the purchaser, and the purchaser reinforces the confirmation that the signature on the message he has purchased is valid. You may make it available as a means to do.

When the signature log management device 9 is provided and a signature log table is set therein, the signature log management device 9 is
When the signature log is registered in the signature log table provided in the signature log management device 9, the unique information of the IC card that generated the signature is obtained in advance from the C card issuer or as necessary. To check the legitimacy of
Only the correct one may be registered. In this case, when a signature log that does not satisfy the validity of the MAC is attempted to be registered, it is considered that the signature can be forged because the secret key 2232 for the signature has been exposed.
A warning may be issued to the signer or the entire system, and thereafter, the secret key or signature scheme may not be used.

Instead of using information unique to each IC card as a secret key for generating a MAC, another digital signature for ensuring that the signature is generated by a specific IC card 22 is used. Even if used as a secret key, MAC
As in the case of the above, forgery of the signature log can be made difficult. In the above method, unique information itself is not required for each IC card for signature verification to confirm that the signature is generated by the IC card 22, and public key information corresponding to the unique information is available to anyone. It is easy to use as a means to reinforce the confirmation that the signature on the message purchased by the buyer is valid, unlike when using the MAC.

In the above method, from the viewpoint of avoiding the risk of forgery due to the improvement of the decryption algorithm, it is desirable to use a digital signature method different from the digital signature sent as a signed message to the purchaser.
From the viewpoint of reducing the mounting scale in the card 22,
Since it is more advantageous to use the same digital signature method, it is sufficient to select the method according to the situation.

If the information unique to each IC card is dynamically updated, the secret key information will not be fixed, so that there is an advantage that the analysis of the secret key becomes difficult. In the above method, it is necessary to know the updating means in order to confirm the validity using information unique to each of the original IC cards. For example, after performing processing using unique information, a hash value of the unique information may be obtained, and the hash value may be used as new unique information.

Next, a description will be given of a second embodiment capable of more effectively preventing the falsification of the signature log. The configuration of each device of the system according to the present embodiment includes a signature log table 22
Except for the configuration of the signature log 2235 stored in 34, it is basically the same as that of the first embodiment.

The purchaser's device 3 is the digital signer's device 1
The operation of obtaining a message with a digital signature from the digital signer is the same as that of the first embodiment shown in FIG. The specific processing contents of the signature verification in are different.

In the digital signer-side apparatus 1, the signature generation processing unit 2211 has a hash value h (M _{N− N)} of the message M _N included in the signature log 2235 generated by the previous (N−1) th signature generation processing. ₁ ) and the digital signature Sign _N-1 (h (M
_N-1 ) and Sign _N-1 ) (this is referred to as the previous data P _N-1 ) and the hash value h (M _N ) of the message M _N sent from the signed message creation processing unit 111. The secret key 2232 is operated to generate a digital signature Sign _N (S6102). For the first time
When the signature is generated in the (first time), an initial value IV previously determined as a value common to the entire system or a value unique to each device may be used as the previous data P ₀ , or as `` none '' Is also good. The signature generation processing unit 2211 converts the signature log 2235 including the previous data P _N-1 , the hash value h (M _N ) of the message, the digital signature Sign _N, and the address of the purchaser device 3 that has made the transmission request into a signature log. It is registered in the table 2234 (S6103). Previous data P _N-1 and digital signature Sig
n _N and public key certificate 2233 stored in EEPROM 223,
The message is sent to the signed message creation processing unit 111. The signed message creation processing unit 111 creates a digitally signed message by attaching the previous data P _N-1 and the digital signature Sign _N to the message M _N to be transmitted, and attaches the public key certificate 2233. And transmits it to the purchaser-side device 3 (S610
Four).

[0076] In the above embodiment, when generating the digital signature Sign _N, before the data P _N-1, not be used before the data of the hash value h (P _N-1). in this case,
Instead of before the data to be stored in the signature log table data P _N-1 may be pre-data of the hash value h (P _N-1). In addition to the hash value h (M _N-1 ) of the message and the digital signature Sign _N-1 , N-
A set of three hash values h (P _N−1 ) of the previous data P _N−2 used for performing the first signature may be used. Further, a hash function used for obtaining a hash value for a message and a hash function used for obtaining a hash value for previous data may be different. In addition, as in the case of using (h (M _N-1 ), Sign _N-1 ) as the previous data P _N-1 , even if P _i (0 <i <N-1) is not stored, If _PN-1 can be obtained by calculation from other data, the previous data may not be stored to reduce the data storage area, but may be obtained by calculation as needed.

By the above processing, the signature log table 2234
As shown in FIG. 7, the signature log 2235 stored in the file includes the previous data, the hash value of the message, and the digital signature.

In the purchaser device 3, in the comparison step of S6003, not only the hash value obtained from the message included in the digitally signed message is compared but only the hash value obtained from the previous data included in the digitally signed message is used. Is set as a comparison target.

Next, referring to FIG. 8, the operation when the purchaser side apparatus 3 requests the digital signature verifier side apparatus 5 to verify the message with the digital signature obtained from the digital signer side apparatus 1. Will be described. In the following, the verification operation in a situation where the determination of “forgery” is a disadvantageous result for the signer is described as an example.

In FIG. 8, the processes of S11001, S11002, and S11003 are the same as S7001, S7002, and S7003 of FIG. 5, respectively.

The verification request processing unit 312 receives a request to transmit a message with a digital signature as reference data from the digital signature verifier side apparatus 5 (S111).
01), a message with a digital signature obtained from the digital signer side device 1 specified by the address attached to the request is read out from, for example, the external storage device 33 and transmitted to the digital signature verifier side device 5 ( S11
102).

In the digital signature verification side device 5, the signature verification processing unit 511 uses the digital signature included in the digitally signed message and the public key of the public key certificate 2233 attached to the digitally signed message. Then, the first stage verification is performed (S11201). The case where the signature is authenticated (the processing of S11203 and S11204 when OK in S11202) and the case where it is not authenticated (the processing of S11214 when NG in S11202) are the same as S7103, S7104 and S7108, respectively.

The signature verification processing unit 511 performs the second-stage verification on the message with the digital signature. Specifically, it is determined whether or not a signature log including the digital signature and the previous data included in the message with the digital signature and the hash value of the message obtained in S11201 is registered in the obtained signature log list (S11205). .

If registered (OK in S11206)
Performs the same determination as in step S7106, and performs the third-stage verification on the message with the digital signature. Specifically, S112
In the signature log list obtained in 04, compared to the signature log corresponding to the digitally signed message to be verified,
The hash value and the digital signature of the message included in the signature log registered immediately before are read. For example,
In FIG. 7, if the digital signature included in the digital signature-added message to be verified and the signature log including the previous data and the hash value of the message obtained in S11201 are the Nth, the log is included in the (N-1) th signature log. Read the hash value and digital signature of the message. The signature verification processing unit 511 compares the hash value of the message and the digital signature included in the signature log registered immediately before with the previous data included in the message with the digital signature to be verified. Here, the previous data is, as described above,
It is composed of the hash value of the message included in the signature log registered immediately before and the digital signature (S1120
7).

If the two do not match (in the case of NG in S11208), it is determined that the signature log corresponding to the digitally signed message to be verified has been tampered with, and the result is transmitted to the purchaser side apparatus that transmitted the verification request. It is transmitted to the digital signer side apparatus 1 specified by 3 and the address attached to the digitally signed message (S11216). If they match (if S11206 is OK), the process proceeds to S11209.

In S11209, the signature log list obtained in S11204 is specified by the address of the purchaser included in the signature log registered immediately before the signature log corresponding to the message with the digital signature to be verified. A request to transmit a message with a digital signature as reference data to the purchaser side device 3 is made by attaching the address of the digital signer side device 1 that has transmitted the verification request, and the message is sent. Wait for (S1121
0).

The signature verification processing unit 511 performs a fourth-stage verification on a digitally signed message obtained as reference material.

Specifically, the hash value of the message included in the message with the digital signature obtained in S11210 is obtained. Then, the digital signature and the previous data included in the digitally signed message obtained in S11210 and the hash value of the message in the signature log list obtained in S11204 are smaller than the signature log corresponding to the digitally signed message to be verified by one. It is checked whether or not the contents match the contents of the previously registered signature log (S112)
11).

If the two do not match (in the case of NG in S11212), it corresponds to the signature log corresponding to the digitally signed message to be verified and the digitally signed message of the reference material recorded immediately before this. Both of the signature logs have been tampered with, resulting in the third
Judging that the result of the stage verification may have been OK,
The result is transmitted to the purchaser's device 3 that transmitted the verification request and the digital signer's device 1 specified by the address attached to the digitally signed message (S1121).
7). If the two match (OK in S11212), the digital signature-signed message to be verified is authenticated as a legitimate one generated by the digital signer side apparatus 1 that submitted the signature log list, and as a result, Is transmitted to the purchaser-side device 3 that transmitted the verification request and the digital signer-side device 1 specified by the address attached to the digitally signed message (S11213). Digital signer side device 1
The processing of steps S11301 to S11305 in step S7
Same as 201 to S7204.

Next, referring to FIG. 9, when the digital signer side apparatus 1 requests the digital signature verifier side apparatus 5 to verify the message with the digital signature generated by the own digital signer side apparatus 1. Will be described.

In the digital signer side apparatus 1, in step S12001, the same processing as in S8001 is performed, and in S12002, the processing of S11301 to S11305 in the flow shown in FIG. 8 is executed.

In the steps S12101 and S12102, the digital signature verification side device 5 performs the same processing as S8101 and S8102, and in S12103, S11201 to S11217 of the flow shown in FIG.
Execute the processing of

In the buyer's device 3, step S1220
1. In S12203, the same processing as in S8201 and S8202 is performed, and in S12204
Then, the processes of S11002 to S11003 of the flow shown in FIG. 8 are executed.

Also, when a request to transmit a message with a digital signature as reference data is sent from the digital signature verifier side device 5 (S122201 in the case of NO in S12201).
02), the verification request processing unit 312 outputs the digital signer side device specified by the address attached to the request.
Read the message with the digital signature as reference material obtained from 1 and read the digital signature verifier side device 5
(S12205).

According to the present embodiment, the validity of a message with a digital signature can be checked in more detail.

In the signature verification in the third stage of the above embodiment, the signature log corresponding to the message with the digital signature to be verified, that is, the Nth signature log, and the (N-1) th signature log immediately before the Nth signature log Was checked for consistency (whether or not the chain was correctly maintained), but the consistency between the (N-1) th signature log and the (N-2) th signature log immediately before it was also checked. It may be. This was repeated to check that the chain before and after for more signature logs contained in the signature log list was correctly maintained, so that the signature log list could be more reliably checked. Is also good.

In the signature verification in the third stage of the above embodiment, an arbitrary number of signature logs including the signature log corresponding to the digital signature message to be verified among all the signature logs recorded in the signature log table 2234 are described. Of the set is checked by checking whether the previous data included in the signature log matches the digital signature and the hash value of the message included in the previous signature log to detect tampering of the signature log. Is also good.

It is determined whether or not the hash value of the message with the digital signature is reflected in the digital signature included in one or more signature logs registered after the signature log corresponding to the message with the digital signature. Thus, alteration of the signature log may be detected.

According to the present embodiment, in order to forge a past electronic signature, one or more electronic signatures before or after the electronic signature to be forged is created must be forged consistently. Will not be. This increases the difficulty of falsifying past electronic signatures, making it harder to attack legitimate business practitioners by falsifying signatures, and for the right business practitioner, falsifying alibi Having a difficult position has the effect of increasing the proof of the mediator when exposed to malicious attacks.

In the above embodiment, in the signature verification in the second stage, if the signature data included in the digital signature message to be verified is not included in the signature log list submitted by the signer, the verification target The digital signature was determined to have been forged, and if it was included, the validity of the signature log list was confirmed in the third and fourth stages.

This is because it is unlikely that the signer will submit a falsified signature log list if the determination of “forgery” is a disadvantageous result for the signer submitting the signature log list. is there.

On the other hand, if the determination that the signature is valid is a disadvantageous result for the signer submitting the signature log list, the signature verification in the second stage will If the signature data of is included in the submitted signature log list, it is determined to be valid,
If it is not included, the validity of the signature log list may be confirmed in the third and fourth stages.

Alternatively, after receiving the signature log list in S11204, first, the validity of the signature log list is confirmed, and if the signature data to be verified is in the verified signature log list, the validity of the signature log list is confirmed. The signature may be determined.

When the signer cannot submit the entire signature log list to the verifier for some reason such as destruction of data, the signer is generally submitted as (part of) the signature log list. Although it is not possible to trust all the information received, a reliable signature log can be extracted from the transmitted information according to the method described below.

In the digital signature verification side device 5,
Among the signature logs included in the submitted signature log list, those having evidence that a signature corresponding to an area that cannot be controlled by the signer himself can be regarded as a reliable signature log.

For example, the signature stored as the signature log 2235 in the EEPROM 223 area is automatically written when the signer uses the IC card 22 to generate a signature. Since this area is set so that it cannot be rewritten or erased,
It cannot be controlled by the signer itself (it cannot be tampered with).
Therefore, the log corresponding to the signature stored in the EEPROM 223 area may be regarded as reliable.

Similarly, since the signature stored in a trusted third party such as the signature log management device 9 cannot be controlled by the signer itself, the signature log corresponding to this signature can be regarded as reliable.

Further, at a certain point in time before signature verification by the signature verifier is performed, for example, immediately after the signature is generated by the signer, the signature published by newspapers and broadcasts and known by an unspecified number of people is also used. Since it is very difficult for the signer to assume that the signature did not exist after the point in time and cannot be controlled by the signer himself, the signature log corresponding to this signature can be regarded as reliable.

[0109] Other buyers who have no interest may sign.
Owning it (eg, as a signature log) can also be considered a trusted signature log.

Further, if it is confirmed that the integrity of the reliable signature log with the immediately preceding signature log, that is, that the chain is properly maintained, the immediately preceding signature log is also regarded as a reliable signature log. be able to. Because, in the present invention, the signature log contains the hash value of the previous message or the signature, so that even if the digital signature itself is easily forged due to the disclosure of a secret key, a reliable signature can be obtained. This is because it is very difficult to forge the previous signature log so as to match the hash value included in the log. By repeating this procedure, you can start with a trusted signature log,
While confirming that the chain has been maintained, the signature logs in the range that could be traced back one by one, that is, in the direction of the earlier signature log, are included in the submitted signature log list. It can be considered a reliable part.

[0111] In this embodiment, a digital signer side apparatus 1, when generating a digital signature, but as before including data P _i, including a hash value of the previous signature target message and signature data Further, in addition to the previous data, another data may be included in the signature generation.

For example, the public key certificate 2233 transmitted to the purchaser device 3 or the hash value thereof may be included. By doing so, when the digital signer generates a digital signature, the public key certificate 2233
Has the advantage that it is easier to show that it did exist. Because the public key certificate 2233 is included in the chain and stored as a signature log, the public key certificate part was later tampered with and did not exist. Because it is very difficult to do. As a result, even if in the future it becomes possible to forge a public key certificate by exposing the private key of the certification authority that issues the public key certificate, the public key certificate 2233 will not be a forged one. It is easy to show that there is no.

Similarly, in order to indicate in the future that the data at the time when the digital signature was generated was present, the data should be included in addition to the previous data when the digital signature is generated. can do. In this case, in order to be able to verify the signature, the purchaser's device sends the data, or data obtained by transforming the data into a form necessary for signature verification (for example, a hash value of the data), etc. Transmit with data etc.

In the present embodiment, the signature log table 2234 may be set not only in the EEPROM 223 but also in the external storage device 13 provided in the computer 21 as in the first embodiment.

Instead of setting the signature log table 2234 in the EEPROM 223, as described above, a signature log management device 9 for managing the signature log table may be provided for each digital signer side device 1.

The signature log management device 9 may be constructed on the same computer as the digital signature verifier side device 5, as in the first embodiment.

As in the first embodiment, data for ensuring that a signature has been generated by the IC card is generated by using information unique to each IC card (such as a serial number). It may be.

In the case where the signature log management device 9 is provided, prior to registration of the signature log in the signature log list, the signature log management device 9 executes S11207 and S11208 (third step) of the flow shown in FIG.
Only when the previous data included in the signature log matches the hash value and digital signature of the message included in the latest signature log data registered in the signature log list. Registration of the signature log in the signature log list may be permitted.
In this case, the digital signature verifier side device 5 can omit S11207 and S11209 (signature verification in the third stage) of the flow shown in FIG.

As in the first embodiment, a plurality of signature logs may be collectively registered in a signature log list managed by the signature log management device 9. In this case, a message is generated to the effect that registration to the signature log list has been performed, and a signature is generated for this message.
The fact that the user has registered in the signature log list may be reflected in his / her signature log list.

Next, a description will be given of a third embodiment in which time information is included in the digital signature in the first embodiment so that the validity / invalidity of the digital signature can be determined from the time information.

This system has a configuration in which a time stamp issuing device 8 for issuing a time stamp to the digital signature sent from the digital signer side device 1 is added to the system of the first embodiment shown in FIG. Becomes

The schematic configuration of the time stamp issuing device 8 is as follows.
This is the same as the configuration shown in FIG.

The external storage device 13 includes a time stamp issuing PG (program) 831 for encrypting the digital signature and the time data sent from the digital signer side device 1 to generate a time stamp, and a time stamp generation program. And a public key certificate 833 including a public key paired with the private key 832 is stored. These are R
The time stamp issuance processing unit 811 is loaded on the AM 12 and is embodied by the CPU 11 as a process.

Referring to FIG. 10, the operation when the purchaser's device 3 obtains a message with a digital signature from the digital signer's device 1 will be described.

In the digital signer side apparatus 1, FIG.
(S15101) are executed. The signed message creation processing unit 111 includes a signature generation processing unit 2211.
Is transmitted to the time stamp issuing device 8 to request issuance of the time stamp (S15102). When receiving the time stamp from the time stamp issuing device 8 (S15103), the signed message creation processing unit 111 creates a digitally signed message by attaching the time stamp to the message that is the target of the transmission request. The purchaser who has made a transmission request by attaching the public key certificate 2233 sent with the digital signature from the signature generation processing unit 2211 and the public key certificate 833 sent with the time stamp from the time stamp issuing device 8 This is transmitted to the side device 3 (S15104).

In the time stamp issuing device 8, the time stamp issuing processing section 811 includes the digital signer side device 1.
, A time stamp is generated (S15201). More specifically, the digital signature transmitted from the digital signer side device 1 and time data indicating the reception time of the digital signature are stored in an external storage device.
A time stamp is generated by encrypting using the secret key 832 stored in 83. The time stamp issuance processing unit 811 stores the generated time stamp in the external storage device 8.
3 with the public key certificate 833 stored therein, and transmits the digital signature to the digital signer side apparatus 1 which has transmitted the digital signature (S
15202).

In the buyer's device 3, S6001 shown in FIG.
Through S6002 to obtain a message with a digital signature (S15001). Next, the signed message obtaining processor 311 compares the time stamp included in the received digitally signed message with the public key of the public key certificate 821 attached to the message (the public key of the time stamp issuing device 8). A digital signature is obtained by decrypting the digital signature (S15002). The digital signature is verified by executing the processing of S6004 to S6006 (S15003).

The operation when the purchaser's device 3 requests the digital signature verifier's device 5 to verify the message with the digital signature obtained from the digital signer's device 1 will be described with reference to FIG. .

In the present embodiment, the digital signer who is the user of the digital signer side apparatus 1 may be exposed to the secret key 2232 held in secret, and may be illegally obtained by a third party. If so, the date and time of exposure should be specified and the digital signature verifier contacted immediately.
Then, the digital signature verifier associates the date and time notified by the digital signer with the address of the digital signer side device 1 used by the digital signer, and stores the date and time in the external storage device 53 of the digital signature verifier side device 5. It will be stored.

The verification request processing unit 312 executes the processing of S7001 to S7003 in the flow shown in FIG. 5, and obtains the verification result from the digital signature verifier side device 5 (S16001).

In the digital signature verification-side apparatus 5, upon receiving a request for verification of a message with a digital signature from the purchaser-side apparatus 3, the signature verification processing unit 511 determines the time contained in the message with the digital signature transmitted together with the request. The time data and the digital signature are obtained by decrypting the stamp using the public key of the public key certificate 821 (the public key of the time stamp issuing device 8) attached to the message with the digital signature (S16101).

The signature verification processing unit 511 examines the external storage device 53, and sets the exposure date and time of the secret key 2232 to the digital signer side device 1 specified by the address added to the message with the digital signature. It is checked whether or not it is (S16102). If an exposure date is set,
The process advances to step S16103, and if not set, the process advances to step S16105 to execute the processes in steps S7101 to S7109 shown in FIG.

In step S16103, the signature verification processing unit 511 determines in step S1610
It is checked whether the date and time indicated by the time data obtained in step 1 is newer than the exposure time set in the external storage device 53 (S1610
3).

If the message is new, it is determined that the digitally signed message to be verified is invalid, and the result is determined by the purchaser's device 3 that transmitted the verification request and the digital specified by the address added to the digitally signed message. The message is transmitted to the signer side device 1 (S16104). If it is not new, the process advances to S16105 to execute the processes of S7101 to S7109 shown in FIG.

In the digital signer apparatus 1, the verification request processing unit 112 executes the processing of S7201 to S7204 shown in FIG. 5 (S16201).

Next, referring to FIG. 11, when the digital signer side device 1 requests the digital signature verifier side device 5 to verify the message with the digital signature generated by the own digital signer side device 1. Will be described.

The processing of the digital signer side apparatus 1 is shown in FIG.
Are the same as the processing of S8001 to S8002 shown in FIG.

In the digital signature verification side apparatus 5, upon receiving the verification request of the message with the digital signature from the digital signer side apparatus 1, the signature verification processing section 511 purchases the purchaser specified by the address sent together with the request. It requests the side device 3 to transmit a digitally signed message with the address of the digital signer side device 1 that has transmitted the verification request, and waits for the message to be sent. After that, the processing of S16101 to S16105 shown in FIG. 11 is executed.

[0139] The processing of the purchaser-side device 3 is performed in step S8201 shown in FIG.
This is the same as the processing of S8203.

According to the present embodiment, the digital signature verifier side device 3 decrypts the time stamp contained in the digital signature message to be verified by using the public key of the time stamp issuing authority side device 8 and performs digital decoding. Get signature and time data. The date and time indicated by this time data is
By checking whether the exposure date and time notified by the digital signature creator has passed, it is possible to check the validity / invalidity of the digital signature before verifying the digital signature.

In the above embodiment, the digital signer side device 1 may request the time stamp to be issued intermittently (for example, once every m times). To determine the validity / invalidity of the digital signature based on the exposure date and time notified by the digital signature creator to the message with the digital signature to which the time stamp is not added, the following may be performed.

When the digital signer side apparatus 1 transmits the digital signature to the time stamp issuing apparatus 8 and requests the time stamp issuing apparatus 8 to issue a time stamp, as shown in FIG. The stamp is included in the signature log 2235 of the digital signature targeted for the stamp and registered in the signature log table 2234. The registration in the signature log table 2234 is performed in a time-series manner.

The digital signature verifier apparatus 3 is a signature log registered before the signature log corresponding to the digital signature message to be verified in the signature log table 2234, and has a time stamp recorded therein. The signature log is detected, and the time stamp is decrypted to obtain time data. Since registration with the signature log table 2234 is performed in a time-series manner, the digital signature message to be verified is generated at least after the date and time indicated by the decrypted time data. Therefore, if the exposure date and time notified by the digital signer is before the date and time indicated by the decrypted time data, the digital signature message to be verified is determined to be invalid.

Further, in the second embodiment, it is possible to determine whether a digital signature is valid or invalid by a time stamp. It is also possible to determine whether a digital signature is valid or invalid based on a time stamp without combining with the first and second embodiments.

Unlike the above embodiments, the message itself may be included in the signature log 2235 when the storage capacity of the storage device for storing the signature log table 2234 has a margin.

Different from the above embodiments, all the processing to be performed by the digital signer side apparatus 1 may be performed in the computer 21.

The present invention differs from the above embodiments in that a digital signature, a message (in addition to the preceding data in the second embodiment), and a public key paired with a private key owned by the digital signer, are provided. , Various signature methods can be applied that can authenticate whether or not the digital signature was made on the message.

[0148]

As described above, according to the present invention,
The digital signature created by the digital signature generator itself and the third
It is possible to provide a digital signature technique capable of discriminating a digital signature impersonated by a person as a digital signature generator.

[Brief description of the drawings]

FIG. 1 is a schematic diagram of a system to which a first embodiment of the present invention is applied.

2 is a digital signer side device 1, a purchaser side device 3, a digital signature verifier side device 5, and a mediator side device shown in FIG.
7 is a schematic configuration diagram of a time stamp issuing device 8. FIG.

FIG. 3 is a schematic configuration diagram of an IC card 22 shown in FIG.

FIG. 4 shows a first embodiment of the present invention;
FIG. 3 is a flowchart for explaining an operation when a digital signature-added message is obtained from the digital signer-side apparatus 1.

FIG. 5 shows a purchaser-side device according to the first embodiment of the present invention.
FIG. 3 is a flow chart for explaining an operation when requesting the digital signature verifier apparatus 5 to verify a message with a digital signature obtained from the digital signer apparatus 1;

FIG. 6 shows a first embodiment of the present invention in which the digital signer side apparatus 1
FIG. 6 is a flowchart for explaining an operation when requesting verification of a message with a digital signature generated by the own digital signer side apparatus 1;

FIG. 7 is a diagram illustrating a configuration of data stored in a signature log table 2234 according to the second embodiment of this invention.

FIG. 8 shows a purchaser-side device according to a second embodiment of the present invention.
FIG. 3 is a flow chart for explaining an operation when requesting the digital signature verifier apparatus 5 to verify a message with a digital signature obtained from the digital signer apparatus 1;

FIG. 9 is a block diagram of a second embodiment of the present invention.
FIG. 6 is a flowchart for explaining an operation when requesting verification of a message with a digital signature generated by the own digital signer side apparatus 1;

FIG. 10 is a flowchart for explaining an operation when the purchaser-side device 3 obtains a message with a digital signature from the digital signer-side device 1 in the third embodiment of the present invention.

FIG. 11 shows a third embodiment of the present invention in which the purchaser-side device 3 requests the digital signature verifier-side device 5 to verify a message with a digital signature obtained from the digital signer-side device 1. It is a flowchart for demonstrating operation | movement.

FIG. 12 is a diagram illustrating a configuration of data stored in a signature log table 2234 in a modification of the third embodiment of the present invention.

[Explanation of symbols]

 1 ... Digital signer side device 3 ... Purchaser side device 5 ... Digital signature verifier side device 7 ... Mediator side device 8 ... Time stamp issuing device 9 ... Signature log management device 11,31,51,81,221 ... CPU 12, 32,52,82,222… RAM 13,33,53,83… External storage device 14,34,54,84… Reader device 15,35,55,85… Storage medium 16,36,56,86… Input device 17, 37,57,87… Display device 18,38,58,88… Communication device 19… IC card connection device 20,40,60,90… Interface 21,41,61,91… Electronic computer 22… IC card 111… Signature Requested message creation processing units 112, 312… Verification request processing unit 131… Signed message creation program 132,332… Verification request program 223… EEPROM 224… I / O 311… Signed message acquisition processing unit 331… Signed message acquisition program 511… Signature Verification processing unit 531… Signature verification program 811… Time stamp issuance processing unit 831… Time stamp issuance program 832,2232… Secret Secret key 833,2233 public key certificate 2211 signature generation processing unit 2231 signature generation program 2234 signature log table 2235 signature log

 ──────────────────────────────────────────────────続 き Continued on the front page (72) Inventor Kazuo Takaki 1099 Ozenji Temple, Hitachi, Ltd. Hitachi, Ltd.System Development Laboratory (72) Inventor Toshiyuki Moritsu 1099, Ozenji Temple, Aso-ku, Kawasaki, Kanagawa Prefecture Co., Ltd. Hitachi, Ltd. Financial Systems Division (72) Inventor Mitsuru Iwamura 2-14-17 Nakamura, Nerima-ku, Tokyo (72) Inventor Tsutomu Matsumoto 13-45 Kakikindai, Aoba-ku, Yokohama-shi, Kanagawa F-term (reference) 5J104 AA09 AA11 AA16 EA04 JA21 LA03 LA06 NA02 NA12 NA20 NA37 NA40 NA42

Claims (22)

[Claims] A digital signature method for verifying a digital signature for a message, wherein a device or a hash value of the digital signature is applied to a secret key owned by the digital signature generator. A signature generating step of generating a digital signature for the digital signature and a registration step of distributing a digitally signed message including the generated digital signature and the message, and registering log data of the digitally signed message in a log list; A digital signature verifier's device, a verification target receiving step for receiving the distributed digital signature message as a verification target digital signature message; and a digital distribution unit for distributing the verification target digital signature message. A history acquisition step of acquiring signer log list, log data of the verification target digital signed message, examines whether or not it is registered in the log list,
If registered, a first verification step of authenticating that the digital signature signed message to be verified has been distributed by the digital signature creator;
A digital signature method, comprising: 2. The digital signature method according to claim 1, wherein in the registering step, log data of a message with a digital signature is managed by a history management center provided separately from the apparatus on the digital signer side. A digital signature method characterized by registering in a log list. 3. The digital signature method according to claim 1 or 2, wherein the digital signature verifier's device further comprises: before the first verification step, a message included in the verification target digital signature-added message; Using a digital signature and the public key paired with the private key,
The method further comprises a second verification step of certifying whether or not the digital signature included in the message with the digital signature to be verified has been made on the message included in the message with the digital signature to be verified. Digital signature method. 4. The digital signature method according to claim 1, wherein the signature generation step includes the step of: generating a message or a hash value of the message and data included in the latest log data registered in the log list. Data) to generate a digital signature for the message. The registering step distributes the generated digital signature, a message with a digital signature including previous data and a message, and generates the digital signature. A digital signature method characterized by registering log data of an attached message in a log list. 5. The digital signature method according to claim 4, wherein, prior to the first verification step, a digital signature included in the message with the digital signature to be verified and a pre-data And using the message and the public key of the pair with the private key, whether the digital signature included in the message with the digital signature to be verified is made for the message included in the message with the digital signature to be verified. A second verification step for authenticating whether or not
A digital signature method, further comprising: 6. The digital signature method according to claim 4 or 5, wherein the digital signature verifier sends the digital signature generated message to the digital signature generator by the first verification step. If it is authenticated that the message has been distributed, the previous data included in the message with the digital signature to be verified is registered one before the log data of the message with the digital signature to be verified in the log list. A digital signature method, further comprising a third verification step of checking whether or not the log data is included in the log data, and if the log data is included, authenticating that the log list has not been tampered with. . 7. The digital signature method according to claim 4 or 5, wherein in the apparatus on the side of the digital signature verifier, the digital signature generator verifies the message with the digital signature to be verified by the first verification step. If it is verified that the log data is distributed by the verification method, the previous data included in the log data registered one after the log data of the message with the digital signature to be verified in the log list is the verification data. The method further comprises a third verification step of checking whether or not the data matches the data calculated from the target digitally signed message, and if so, authenticating that the log list has not been tampered with. Digital signature method. 8. The digital signature method according to claim 4, wherein the registering step includes registering log data of a message with a digital signature in a log list with a distribution destination attached thereto, and In the apparatus, when the first verification step verifies that the message with the digital signature to be verified has been distributed by the digital signature creator, the digital signature with the digital signature to be verified is included in the log list. Obtain a message with a digital signature from the distribution destination attached to the log data that is registered immediately before or after the log data of the message, and check whether this is included in the log data registered immediately before or after the message. Check whether the log list has not been tampered with. A verification step, the digital signature method, characterized in that it further comprises. 9. The digital signature method according to claim 2, wherein in the signature generation step, a message or its hash value and data (previous data) included in the latest log data registered in the log list Generating a digital signature for the message by operating the secret key; distributing the digitally signed message including the generated digital signature, the previous data and the message; Is registered in the log list managed by the history management center, and the history management center includes the log data in the message with the digital signature to be verified prior to registering the log data in the log list in the registration step. Previous data is registered in the log list A digital signature method, further comprising a registration permission step of permitting registration of the log data in the log list only when the log data is included in the latest log data. 10. A digital signature device for generating a digital signature for a message, a signature generation means for applying a secret key to the message or its hash value to generate a digital signature for the message, Registering means for registering log data of a message with a digital signature in a log list stored in a storage means. 11. The digital signature device according to claim 10, wherein said signature generation means includes a message or a hash value thereof and data (previous data) included in the latest log data registered in said log list. Operating the secret key to generate a digital signature for the message, and the registration unit registers the generated digital signature, the log data of the message with the digital signature including the message, and the previous data in the log list. A digital signature device characterized by the above-mentioned. 12. The digital signature device according to claim 10, wherein said digital signature device is a storage medium with a calculation function having said storage means and configured to be connectable to an electronic computer. Digital signature device. 13. A digital signature device according to claim 12, wherein said registering means registers the log data of a newly generated message with a digital signature in a log list stored in said storage means. When the number of log data registered in the log list exceeds a predetermined number, the oldest log data among the log data registered in the log list is output to the computer, and is prepared in the computer. A digital signature device for registering the log data of a newly generated message with a digital signature after registering the oldest log data in the log list and deleting the oldest log data from the storage unit. 14. A digital signature verification device for verifying a digital signature generated by the digital signature device according to claim 10, wherein the digital signature verification message is stored in a storage unit of the digital signature device. Input means for accepting a log list, and checking whether log data of the digitally signed message to be verified is registered in the log list,
If registered, first verification means for authenticating that the digitally signed message to be verified was generated by the digital signature device, and the digitally signed message to be verified. Using a digital signature and a message included in the digital signature device and a public key paired with a secret key possessed by the digital signature device, to convert the digital signature included in the digitally signed message to be verified into the digitally signed message to be verified. And a second verification unit that authenticates whether or not the message is included in the digital signature verification device. 15. A digital signature verifying apparatus for verifying a digital signature generated by the digital signature apparatus according to claim 11, wherein the digital signature verifying apparatus stores a message with a digital signature to be verified and storage means of the digital signature apparatus. Input means for accepting a log list, and checking whether log data of the digitally signed message to be verified is registered in the log list,
If registered, first verification means for authenticating that the digitally signed message to be verified was generated by the digital signature device, and the digitally signed message to be verified. The digital signature included in the digitally signed message to be verified is converted into the digital signature to be verified using the digital signature, the previous data and the message included in the digital signature device, and a public key paired with a secret key possessed by the digital signature device. Second verification means for authenticating whether or not the message included in the signed message has been performed; and the previous data included in the digitally signed message to be verified is verified in the log list. The log registered immediately before the log data of the digitally signed message to be Examines whether or not included in the data,
If it is included, a third verification means for authenticating that the log list has not been tampered with. 16. A digital signature verification device for verifying a digital signature generated by the digital signature device according to claim 11, wherein the digital signature verification message is stored in a storage device of the digital signature device. Input means for accepting a log list, and checking whether log data of the digitally signed message to be verified is registered in the log list,
If registered, first verification means for authenticating that the digitally signed message to be verified was generated by the digital signature device, and the digitally signed message to be verified. The digital signature included in the digitally signed message to be verified is converted into the digital signature to be verified using the digital signature, the previous data and the message included in the digital signature device, and a public key paired with a secret key possessed by the digital signature device. Second verification means for authenticating whether or not the message is included in the signed message; and registering one log data after the log data of the digitally signed message to be verified in the log list. The previous data contained in the log data that is A digital signature verification device comprising: a third verification unit configured to determine whether or not the log list matches data calculated from the message, and if the data match, to verify that the log list has not been tampered with; . 17. A storage medium storing a program for verifying a digital signature generated by the digital signature device according to claim 10, wherein the program is read and executed by an electronic computer, Input means for receiving a digitally signed message to be verified and a log list stored in the storage means of the digital signature device; and whether or not log data of the digitally signed message to be verified is registered in the log list. Examine
If registered, first verification means for certifying that the message with the digital signature to be verified is generated by the digital signature device is established on the computer. A storage medium characterized by the above-mentioned. 18. A digital signature method for verifying a digital signature for a message, wherein a digital signature generator device operates a digital signature by applying a secret key owned by the digital signature generator to a message or its hash value. Generating a digital signature, transmitting the digital signature to a trusted third party, a time stamp issuing authority, and obtaining a time stamp in response to the digital signature, and attaching the obtained time stamp to the message. And a distribution step of distributing the digital signature as a message with a digital signature. The time stamp issuance authority device includes a time stamp on the data including the digital signature sent from the digital signature generator and the reception time of the digital signature. Owned by the issuing authority A time stamp generating step of generating a time stamp by applying a secret key; and a transmitting step of transmitting the time stamp to the digital signature creator. A verification target receiving step of receiving the signed message as a verification target digital signature message; and causing a time stamp included in the verification target digital signature message to act on a public key paired with a private key owned by a time stamp issuing authority. A digital signature and a signature obtaining step of obtaining time data; and checking whether or not the date and time indicated by the obtained time data has passed a deadline notified in advance by the digital signature creator. First verification step to authenticate the digital signature as valid Digital signature method characterized by having, when. 19. The digital signature method according to claim 18, wherein, in the apparatus of the digital signature verifier, when the digital signature is verified as valid by the first verification step, the digital signature is verified. Using a signature, a message included in the message with the digital signature to be verified, and a public key paired with a secret key of the digital signature creator, for the message including the digital signature in the message with the digital signature. A digital signature method, further comprising a second verification step of authenticating whether or not the digital signature has been made. 20. A digital signature system for generating a digital signature for a message, comprising: a digital signature device and a time stamp issuance device, wherein the digital signature device includes, in a message or a hash value thereof, a secret possessed by its own device. Signature generating means for operating a key to generate a digital signature; time stamp obtaining means for transmitting the digital signature to the time stamp issuing device and obtaining a time stamp in response thereto; and adding the obtained time stamp to the message. And a signed message creating means for creating a message with a digital signature, wherein the time stamp issuing device converts the data including the digital signature sent from the digital signature generating device and the reception time of the digital signature. , Own device Mitsukagi reacted with a digital signature system comprising: the time stamp generating means for generating a time stamp, and a transmitting means for transmitting the time stamp to the digital signature generation apparatus. 21. A digital signature verifying apparatus for verifying a digital signature generated by the digital signature system according to claim 20, wherein: input means for receiving a message with a digital signature to be verified; A signature obtaining unit for obtaining a digital signature and time data by applying a public key paired with a secret key possessed by the time stamp issuing device to the time stamp included in the time stamp issuing device; and a date and time indicated by the time data obtained by the signature obtaining unit. But,
A first verification unit that checks whether a time limit previously notified by a user of the digital signature device has passed, and if not, a first verification unit that authenticates the digital signature as valid; the digital signature; Using the message included in the digitally signed message to be verified and the public key paired with the private key possessed by the digital signature generation device, the digital signature is used for the message included in the digitally signed message to be verified. And a second verification means for authenticating whether the digital signature has been obtained. 22. A storage medium storing a program for verifying a digital signature generated by the digital signature system according to claim 20, wherein said program is read and executed by an electronic computer to perform verification. Input means for receiving a digitally signed message to be verified, and a public key paired with a private key possessed by the time stamp issuing device acting on a time stamp included in the digitally signed message to be verified, to obtain a digital signature and time Signature acquisition means for obtaining data, and the date and time indicated by the time data acquired by the signature acquisition means,
The digital signature device checks whether or not the time limit has been notified in advance by a user of the digital signature device. If the time limit has not passed, the first verification means for authenticating the digital signature as valid and the signature acquisition means obtain the digital signature. Using the digital signature, a message included in the digitally signed message to be verified, and a public key paired with a secret key possessed by the digital signature generation device, the digital signature is a digitally signed message to be verified. And a second verification means for authenticating whether or not the message included in the message has been performed on the computer.