JP2002328601A - Electronic sealing device and verifying method of digital signature - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve such a problem of a conventional system which uses digital signatures that a user must submit an application to a registration bureau in order to use his or her digital signature and be cleared by the bureau and it is cumbersome for the user. SOLUTION: Certifying bureau signature object information consists of a public key (31) and attribute information (32 and 33) corresponding to unspecified users. An electronic sealing device (2) stores a public key certificate (22) which includes certifying bureau signatures (37) generated by the bureau for the certifying bureau signature object information and is in a null and void condition and a secret key (21). A user (9) purchases the device (2) at a retail store (8) and the null and void condition of the certificate (22) is canceled by the application of the user.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an electronic seal stamp device that stores a private key and a public key certificate for generating a digital signature, and more particularly to an electronic seal stamp device that can easily generate a digital signature.

[0002]

2. Description of the Related Art A conventional system using a digital signature is executed by the following procedure. (1) A user who digitally signs data to be transmitted to another user applies to the registration authority for issuing a public key certificate. At this time, submit the application form. (2) The registration authority confirms information such as the name of the user based on the application submitted by the user. Check users face-to-face as needed. (3) The registration authority requests the certification authority to issue a public key certificate. A key pair, which is a pair of a public key requesting certification and a corresponding private key, is generated by a user, by a registration authority, or by a certificate authority. (4) The certificate authority generates a public key certificate in response to a request from the registration authority, and passes the IC card storing the private key and the public key certificate to the user via the registration authority. (5) The user generates a digital signature using his / her private key. (6) If the public key certificate has been revoked, the revocation information is made public by the public server upon application or determination of any of the user, registration authority, and certificate authority. (7) The verifier receiving the data with the digital signature of the user verifies the digital signature by referring to the user's public key certificate, root certificate, and revocation information obtained from the public server.

As described above, the conventional system using a digital signature has a problem that an application to a registration authority or a check by the registration authority is required until the user can use the digital signature, which is troublesome for the user. .

[0004]

SUMMARY OF THE INVENTION The present invention has been made to solve the above problems, and has as its object to enable a user to easily use a digital signature. It is still another object of the present invention to enable the inventor to easily use a digital signature and to increase the reliability of the digital signature as needed.

[0005]

An electronic seal stamp device according to the present invention includes a recording medium storing the following information (1) and (2) generated by a certificate authority. (1) a secret key; (2) a digital signature generated by the certification authority for certification authority signature target information including a public key corresponding to the secret key and attribute information corresponding to an unspecified user. A public key certificate that contains a certificate authority signature.

Further, a digital signature verifying method according to the present invention is characterized in that a secret key generated by a certificate authority and the following (a1)
The verifier who has received the transmission data with the digital signature for transmission data generated by using the secret key included in the electronic seal stamp device including the recording medium storing the information of the above (b1) to (b3) The above step verifies the transmission data digital signature. (A1) A certification authority signature, which is a digital signature generated by the certification authority, is included in certification authority signature target information including at least a public key corresponding to the secret key and attribute information corresponding to an unspecified user. (B1) a certificate obtaining step for obtaining the public key certificate; (b2) a certificate authority signature verifying step for verifying the certificate authority signature of the obtained public key certificate; (b3) the certificate authority A transmission data digital signature verification step of verifying the transmission data digital signature with the public key when the verification is successful in the signature verification step;

Further, the digital signature verification method according to the present invention further includes the following step (b4) after the transmission data digital signature verification step. (B4) an attribute comparing step of comparing attribute information included in the certificate authority signature target information with an attribute of a sender of the transmission data.

[0008]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1 Embodiment 1 will be described with reference to FIGS. Referring to FIG.
Is the generation and sale of an electronic seal stamp device in this embodiment,
FIG. 2 is a diagram illustrating an example of the configuration of an electronic seal stamp device, FIG. 3 is a diagram illustrating the configuration of a public key certificate included in the electronic seal stamp device, and FIG. It is a flowchart which uses an electronic seal stamp device.

The configuration will be described. In FIG. 1, reference numeral 1 denotes a certificate authority that issues an electronic seal stamp device 2, and reference numeral 2 denotes an electronic seal stamp device that is issued by the certificate authority 1, such as an IC card as shown in FIG. It is a USB device. Here, the USB device is
USB (Universal Serial) provided in personal computers
Bus) terminal, which can be connected to an external storage device. As shown in FIG. 2, the electronic seal stamp device stores a secret key 21 unique to each electronic seal stamp device and a public key certificate 22 issued by the certificate authority for a public key corresponding to the secret key. In addition, the electronic seal stamp device 2 is provided with a display unit 23 on which a surname and a region name common to Japanese are printed. The certificate authority 1 sets various types of these surnames and area names and issues them.

Reference numeral 3 denotes the same public key certificate as the public key certificate issued by the certificate authority 1 and stored in the electronic seal stamp device 2. Reference numeral 4 denotes user information storage means for storing the public key 3.
5 receives the public key certificate 3 from the user information storage means 4 and publishes it to the public, and distributes signature creation software 6 for creating a digital signature and signature verification software 7 for verifying the digital signature. A server 8 purchases the digital seal stamp device 2 issued by the certificate authority and sells it to a user 9. A retail store (sales organization) 10 uses the signature generation software 6 and the digital seal stamp device 2 by the user 9. The generated digital signature for transmission data is a digital signature generated for data transmitted by the user (sender) 9 to the verifier 11. Reference numeral 11 denotes a verifier (receiver) that receives the data with the transmission data digital signature 10 from the user 9. The verifier 11 uses the signature verification software 7 downloaded from the public server 5. Then, the digital signature 10 for transmission data is verified by the public key certificate 2 and the root certificate 12 also downloaded from the public server 5. Reference numeral 13 denotes the verification result.

FIG. 3 shows the structure of the public key certificate 22 included in the electronic seal stamp device 2. Reference numeral 31 denotes a public key corresponding to the private key 21, and reference numeral 32 denotes a printed key on the display unit 23. Last name data, 33 is the area name data printed on the display unit 23, 34 is the validity period of the public key certificate 22, 35 is the certificate ID unique to the public key certificate, 36
Is the address of the public server 5 and 37 is the public key 31
This is the signature of the certification authority generated by the certification authority 1 for the certification authority signature target information composed of each information from the public server address to the address 36 of the public server.

Next, the operation will be described with reference to the flowchart of FIG. First, the certificate authority 1 generates a pair (key pair) of a public key and a corresponding private key (ST41). S
T41 is a key pair generation step. Next, a public key certificate is generated in ST42. In this embodiment, the public key certificate includes a predetermined user attribute. Here, the user attribute is the surname and residence of the user of the electronic seal stamp device, and the certificate authority 1 appropriately selects the predetermined user attribute information. For the surname, select a surname that is common to Japanese,
The place of residence may be selected in prefectures or in municipalities. FIG. 2 is an example in which “Suzuki” is selected as the surname and “Tokyo” as the place of residence. However, in other public key certificates, for example, “Suzuki” as the surname and “Chiba” as the place of residence are selected. Good. This user attribute information is not attributed to a specific individual, but assumes an unspecified individual,
It is allowed that there are a plurality of individuals corresponding to this attribute. Further, it is anticipated that there is an individual corresponding to the attribute in advance, and any one of the individuals corresponding to the attribute is selected in expectation of purchasing the electronic seal stamp device. The certificate authority 1 further sets the validity period of the public key certificate and generates a certificate ID unique to this certificate. Then, a digital signature 37 for the public key 31, last name 32, area name 33, validity period 34, certificate ID 35, and address 36 of the public server 5 is generated. ST42
Is a public key certificate generation step.

Next, the certificate authority 1 stores the secret key generated in ST41 and the public key certificate 22 generated in ST42 in the memory of the electronic seal stamp device 2. Outside the electronic seal stamp device 2, the user attributes "surname" and "resident location" in the public key certificate stored in the electronic seal stamp device 2 are printed in advance. Then, the certificate authority 1 wholesales the electronic seal stamp device 2 to the retail store 8 (ST43). ST43 is an electronic seal stamp creation step. The public key certificate 22 generated in ST42 has the same contents as the public key certificate 3 in FIG. 1, and the certificate authority 1 stores the public key certificate 3 and the root certificate in the user information storage unit 4 and thereafter makes the public key certificate public. It is stored in the server 5 (ST44). S
T44 is a certificate storing step.

The retail store 8 which has purchased the electronic seal stamp device 2 carries out sales activities in the same manner as, for example, a regular seal (sticker) at the storefront (ST45), and the user 9 purchases it (ST4).
6). ST45 is a sales step, and ST46 is a purchase step. The user 9 who purchases the electronic seal stamp device 2 usually selects and purchases the electronic seal stamp device 2 on which his / her last name and place of residence are printed. It is also possible to purchase. This is the same as when purchasing a normal seal (seal), it is possible to purchase a seal different from one's last name.

Next, the user 9 generates a transmission data digital signature 10 for the data to be transmitted to the verifier 11. At this time, the user 9 first downloads the signature generation software 6 from the public server 5 to his / her personal computer. The signature generation software 6 has a function of generating a hash of the data to be signed, and encrypting the hash with a secret key supplied from the outside to sign it. In this case, the secret key supplied from the outside is the secret key included in the electronic seal stamp device 2 purchased by the user 9, and the electronic seal stamp device 2
In the case of the C card, it is read from the IC card inserted into the card slot of the personal computer of the user 9, and in the case of the USB device, it is read from the USB device connected to the USB terminal of the user 9. The user 9 transmits the generated transmission data digital signature 10 and the transmission data to the verifier 11 (ST47). ST47 is a digital signature generation / transmission step. At this time, the user 9 enters the public key certificate 22
Certificate ID3 included in (same content as public key certificate 3)
5 and the public server 36 also transmit to the verifier 11 at the same time.

Upon receiving the transmission data with the digital signature 10 for transmission data and the certificate ID 35 from the user 9, the verifier 11 uses the received certificate ID 35 and the address 36 of the public server to correspond to the certificate ID 35. Download the public key certificate 3 and the root certificate (ST4
8). ST48 is a certificate obtaining step. At the same time, the signature verification software 7 is also downloaded. The signature verification software 7 has a function of verifying a digital signature with a public key supplied from outside. In this case, the public key supplied from outside is included in the public key of the certificate authority 1 or the public key certificate 3. The public key 31 of the user 9.

The verifier 11 verifies the signature of the certificate authority attached to the public key certificate 3 using the signature verification software 7,
Further, the transmission data digital signature 10 received from the user 9 is verified to confirm the validity of the transmission data (ST4).
9). At this time, the verifier 11 confirms whether the user attributes (surname 32 or area name 33) described in the public key certificate 3 match the attributes (surname or place of residence) of the user 9 or not. Also checks the validity of the transmitted data. ST
Reference numeral 49 denotes a certificate authority signature verification step, a transmission data digital signature verification step, and an attribute comparison step.

That is, the validity evaluation of the data transmitted from the user to the verifier determines that the public key certificate has been generated by the certificate authority and that the user attribute described in the public key certificate has This is done simply by making sure that it matches the attribute of the user who sent the data

As described above, in this embodiment, a user can easily use a digital signature by using an electronic seal stamp device purchased at a retail store. In addition, the verifier can confirm that the electronic seal stamp device used by the user to generate the digital signature for transmission data was created by a certificate authority, and furthermore, the user's surname, residence, etc. Since the user attribute can be confirmed, the validity of the digital signature for transmission data that does not always require strict reliability can be easily verified.

In the above embodiment, the electronic seal stamp device 2 is described as an example of an IC card or a USB device as shown in FIG. 2. However, a disk-shaped recording medium such as a CD-ROM or an MD or a magnetic tape may be used. The form is not particularly limited as long as it has a function of storing information.

In the above embodiment, the user 9 downloads the signature creation software 6 from the public server 5. However, when the certificate authority creates the electronic seal stamp device, the user 9 creates the signature on the electronic seal stamp device. Software may be stored. In this case, there is no need for the user to download the signature creation software, and the user can generate a digital signature only by using the electronic seal stamp device.

In the above embodiment, the verifier 11 downloads the signature verification software 7 from the public server 5. However, when the certificate authority creates the electronic seal stamp device, the verifier 11 adds the signature verification software to the electronic seal stamp device. May be stored. In this case, if the user 9 transmits the signature verification software to the verifier 11, the user does not need to download the signature verification software. In this case, in order to prevent the signature verification software from being tampered with, the certificate authority 1 generates a signature for the signature verification software and stores the signature in the electronic seal stamp device.
The reliability is improved if the user sends it to the verifier.

In the above embodiment, the verifier 11 downloads the public key certificate 3 from the public server 5, but the user 9 uses the electronic seal stamp device 2 having the same contents as the public key certificate 3. The public key certificate 22 included in the
1 may be sent. In this case, since the verifier does not need to download the public key certificate from the public server, there is an effect that convenience is high.

In the above embodiment, an example has been described in which the private key and the public key certificate are stored in the electronic seal stamp device 2.
Further, the signature generation software, signature verification software, and the signature of the certification authority for the signature verification software are stored, and the signature generation software, signature verification software, the signature of the certification authority for the signature verification software, and the public key certificate are further transmitted from the user. It may be sent to the verifier. In this case, since the verifier does not need to download anything from the public server or the like, there is an effect that convenience is high. Further, a root certificate may be stored in the electronic seal stamp device 2.

In the above embodiment, the public key certificate 22 (and 3) stores the user name and surname as user attributes. However, other attributes such as gender and age group (30 Age, forties, etc.), and there is no particular limitation on the number and types of items stored as user attributes. These stored items are displayed on the display unit 2 of the electronic seal stamp device 2.
By printing the information on No. 3, the user can purchase an electronic seal stamp device that matches his / her own attribute. Of course, it is also possible to purchase an electronic seal stamp device whose user attributes do not match.

Embodiment 2 FIG. Embodiment 2 is shown in FIGS.
This will be described with reference to FIG. In the first embodiment, the validity evaluation of the data transmitted from the user to the verifier is based on the fact that the public key certificate is generated by the certificate authority and that the user attribute described in the public key certificate is Since it is simply performed by confirming that the attribute matches the attribute of the user of the data transmission source, impersonation of the user cannot be completely prevented.
In this embodiment, an example will be described in which impersonation of a user is prevented and reliability of a digital signature for transmission data is improved.

FIG. 5 is a system diagram showing how the electronic seal stamp device according to the present embodiment is generated, sold, and used. FIG. 6 is a flowchart for using the electronic seal stamp device according to the present embodiment.

The system will be described with reference to FIG. 5. The same components as those in FIG. 1 described in the first embodiment are denoted by the same reference numerals, and description thereof will be omitted. In FIG. 5, reference numeral 51 denotes revocation information issued by the certificate authority 51, which is information for specifying a revoked public key certificate among the public key certificates issued by the certificate authority. Reference numeral 52 denotes a registration server, which receives the signed use report 53 submitted by the user 9, identifies the user 9 from the signed use report 53, and checks the revocation of the public key certificate owned by the user 9. The revocation cancellation user information 54 for cancellation is transmitted to the user information storage means 4. The revocation cancellation user information is sent from the user information storage means 4 to the public server 5.
Sent to and published.

Next, the operation will be described with reference to the flowchart in FIG. 6. The same steps as those in FIG. 4 described in the first embodiment are denoted by the same step symbols (ST41, etc.), and the description is omitted. When the certificate authority 1 generates the public key certificate shown in FIG. 3 in ST42, in ST51, it issues information indicating that the public key certificate having the certificate ID 35 of the public key certificate generated in ST42 is in a revoked state. User information storage means 4
And further stored in the public server 5.

The user 9 purchases an electronic seal stamp device at a retail store (ST46), attaches a transmission digital signature to the transmission data, and transmits it to the verifier 11 (ST47). Thereafter, the user 9 proceeds to ST53. Suppose you submit a notification to the registration authority as follows. The use report describes user information, which is detailed information (address, name, etc.) that can identify the individual user, and adds a digital signature to the detailed information using the electronic seal stamp device 2 purchased in ST46. The user 9 can use this signed usage report 5
3 is attached to the public key certificate included in the electronic seal stamp device 2 and transmitted to the registration authority. This use report 53 with a signature is stored in the registration server 52 of the registration authority. Upon receiving the signed use report 53 from the user 9, the registration authority detects the certificate ID 35 included in the signature, and in order to cancel the revocation of the public key certificate having this certificate ID 3, the revocation cancellation user The information 54 is transmitted to the user information storage means 4. The revocation cancellation user information 54 includes the certificate I of the public key certificate for which the revocation is canceled.
D and the user information of the user 9 who submitted the signed use report 53 is included.

When the revocation cancellation user information 54 is stored in the user information storage means 4, the certification authority 1 stores the revocation cancellation user information 54 in the public server 5 together with the public key certificate 5 (ST54). After that, the verifier obtains the root certificate and the public key certificate from the public server 5 in ST48 as in the first embodiment. However, the obtained public key certificate is revoked and valid, so When the digital signature for transmission data 10 transmitted from the user 9 is verified, the result that the digital signature for transmission data 10 is invalid because the public key certificate 3 has been revoked does not occur. The result is that the digital signature 10 for transmission data is valid.

ST47 → ST53 → ST54 → S
The flow of T48 → ST49 → ST56 consists of ST47 and ST
Since the invalidation canceling step ST501 comprising ST53 and ST54 is inserted between 48, the result that the digital signature for transmission data is valid is obtained in ST56. In this case, there is no problem even if the order of ST53 and ST47 is reversed.

On the other hand, in the same manner as in FIG.
If the process directly proceeds to ST48 after that, since the revocation of the public key certificate 3 has not been released, the verification of the transmission data digital signature 10 in ST49 always results in the signature being invalid.

As described above, in this embodiment, after the public key certificate 22 is issued by the certificate authority 1, the user submits a usage report, that is, after the registration application, the public key certificate 3 (public Key certificate 22) is registered in the public server 5 as valid.

As described above, in this embodiment, the public key certificate is revoked at the time of issuance,
Since the public key certificate becomes valid when the user submits personal information and the like, there is an effect that the reliability of the digital signature for transmission data generated by the user is improved.

Embodiment 3 Embodiment 3 will be described with reference to FIG. In the second embodiment, an example is shown in which the user cancels the revocation of the public key certificate by transmitting the signed use report 53 to the registration server 52. However, in the third embodiment, the signed use report is released. Here is an example in which a user brings to a government office.

FIG. 7 is a system diagram showing how an electronic seal stamp device according to this embodiment is generated, sold, and used.

The system will be described with reference to FIG. 7. The same components as those in FIG. 5 described in the second embodiment are denoted by the same reference numerals, and description thereof is omitted. In FIG. 7, reference numeral 61 denotes an office such as a city hall where the user 9 resides, and reference numeral 62 denotes official seal registration information issued by the office 61.

In the second embodiment, in ST53 of the flowchart of FIG. 6, the user sends the signed use report 53 to the registration server 52 online, but in this embodiment, the user 9 The signed use report 53 is brought to the government office 61 in the form of electronic data stored in a storage medium such as an FD. The government office 61 prints out the signature-added use report 53 or displays it on the display, and confirms the described contents with the user 9. When necessary, the user may be requested to present an identification card or the like or may be asked a question. When the government office confirms the content of the use report 53 with signature, it sends it to the registration authority as official seal registration information 62 in the form of electronic data. More than,
The operation from when the user 9 brings the signed use report 53 to the government office to when the office sends the official seal registration information 62 to the registration office is replaced with the operation in ST53 in FIG. This operation may be interchanged with the order of ST47.

According to this embodiment, the use report 53 with the signature is received face-to-face at the government office, so that the reliability of the public key certificate is increased and the electronic seal stamp device 2 has the same reliability as the real seal.

[0041]

As described above, since the electronic seal stamp device according to the present invention includes the recording medium storing the following information (1) and (2) generated by the certificate authority, the electronic seal stamp device is not specified. It is possible to sell to users of
This has the effect that the user can easily use the digital signature. (1) a secret key; (2) a digital signature generated by the certification authority for certification authority signature target information including a public key corresponding to the secret key and attribute information corresponding to an unspecified user. A public key certificate that contains a certificate authority signature.

Further, in the digital signature verification method according to the present invention, the secret key generated by the certificate authority and the following (a1)
The verifier who has received the transmission data with the digital signature for transmission data generated by using the secret key included in the electronic seal stamp device including the recording medium storing the information of the above (b1) to (b3) Since the digital signature for transmission data is verified in the step (1), there is an effect that the digital signature for transmission data can be easily verified. (A1) A certification authority signature, which is a digital signature generated by the certification authority, is included in certification authority signature target information including at least a public key corresponding to the secret key and attribute information corresponding to an unspecified user. (B1) a certificate obtaining step for obtaining the public key certificate; (b2) a certificate authority signature verifying step for verifying the certificate authority signature of the obtained public key certificate; (b3) the certificate authority A transmission data digital signature verification step of verifying the transmission data digital signature with the public key when the verification is successful in the signature verification step;

Further, since the digital signature verification method according to the present invention further includes the following step (b4) after the transmission data digital signature verification step, the reliability of the transmission data digital signature is improved. There is. (B4) an attribute comparing step of comparing attribute information included in the certificate authority signature target information with an attribute of a sender of the transmission data.

[Brief description of the drawings]

FIG. 1 shows generation of an electronic seal stamp device according to the first embodiment;
System diagram showing the state of sale and use.

FIG. 2 is a diagram showing an example of the configuration of an electronic seal stamp device.

FIG. 3 is a diagram illustrating a configuration of a public key certificate included in the electronic seal stamp device.

FIG. 4 is a diagram illustrating generation of an electronic seal stamp device according to the first embodiment;
Flowchart of sales and usage operations.

FIG. 5 shows generation of an electronic seal stamp device according to the second embodiment;
System diagram showing the state of sale and use.

FIG. 6 is a diagram illustrating generation of an electronic seal stamp device according to the second embodiment;
Flowchart of sales and usage operations.

FIG. 7 shows generation of an electronic seal stamp device according to the third embodiment;
System diagram showing the state of sale and use.

[Explanation of symbols]

1 certificate authority, 2 electronic seal stamp device, 3 public key certificate, 4 user information storage means, 5 public server,
6 signature creation software, 7 signature verification software, 8 retail stores, 9 users, 10 digital transmission data,
11 Verifier, 12 Root Certificate, 13 Verification Result, 21 Private Key, 22 Public Key Certificate, 23
Display, 31 public key, 32 last name data, 3
3 area name data, 34 validity period, 35 certificate ID, 36 public server address, 37 certificate authority signature, 51 revocation information, 52 registration server,
53 Use report with signature, 54 Revocation cancellation user information, 61 Government office, 62 Registered seal information.

Claims (3)

[Claims] 1. An electronic seal stamp device including a recording medium storing the following information (1) and (2) generated by a certificate authority. (1) a secret key; (2) a digital signature generated by the certification authority for certification authority signature target information including a public key corresponding to the secret key and attribute information corresponding to an unspecified user. A public key certificate that contains a certificate authority signature. 2. A digital signature for transmission data generated by using a secret key generated by a certificate authority and the secret key included in an electronic seal stamp device including a recording medium storing the following information (a1). A method for verifying a digital signature, wherein a verifier receiving the transmitted data verifies the digital signature for transmitted data in the following steps (b1) to (b3). (A1) A certification authority signature, which is a digital signature generated by the certification authority, is included in certification authority signature target information including at least a public key corresponding to the secret key and attribute information corresponding to an unspecified user. (B1) a certificate obtaining step for obtaining the public key certificate; (b2) a certificate authority signature verifying step for verifying the certificate authority signature of the obtained public key certificate; (b3) the certificate authority If the verification is successful in the signature verification step, the transmission data digital signature verification step verifies the transmission data digital signature using the public key; 3. The digital signature verification method according to claim 2, further comprising the following step (b4) after the transmission data digital signature verification step. (B4) an attribute comparing step of comparing attribute information included in the certificate authority signature target information with an attribute of a sender of the transmission data.