JP2008022189A - Electronic application method using virtual storage medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an electronic application method which prevents a user authentication medium from illegally being used for electronic application, and has high security without using any special device. <P>SOLUTION: The electronic application method includes: an electronic application server; and an application information authentication server in an administrative organization, and a database that the servers are equipped with, and transmits and receives application information to and from a user terminal to perform user authentication and application reception. The electronic application method is characterized in that: the information transmitted and received between the administrative organ and the user terminal is encrypted; and images electronically watermarked with the encrypted information, key information used for the encryption, and key information used for deencryption, are transmitted and received. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an electronic application method that uses various electronic application services such as administrative services and electronic money systems, and more particularly to an electronic application method that performs user authentication using a storage medium in which user information is stored.

  Currently, each local government provides an electronic application system to residents, and residents can process various applications from their own terminals. At that time, user authentication is required, but since a general authentication method using a user ID and password is easy to impersonate, an authentication method with a higher security level is required in the case of an application such as issuing an official document. It has been. As a method of responding to such a request, it has been proposed to perform user authentication processing using personal information registered in a storage medium with strong personal attributes such as a resident card or a credit card issued by a local government.

  However, in the electronic application system that performs user authentication using the conventional card, there is a problem that the card information is eavesdropped due to loss or forgery of the card, or recently, skimming or the like when reading the card information. As a method for solving this problem, a card authentication system as shown in Patent Document 1 has been proposed. This card authentication system has an information recording card storing identification data for identifying a user and a first encryption key, and has a connection part to which the information recording card can be attached, and authenticates the information recording card. A card authentication system including an authentication terminal that outputs a request, wherein the authentication terminal transmits an authentication request including a randomly generated second encryption key to the information recording card via the connection unit, In response to the authentication request, the recording card performs the encryption process on the identification data a plurality of times using the first and second encryption keys, and the authentication data generated by the encryption process includes: It is characterized by returning to the connection part of the authentication terminal.

JP 2003-110552 A

  By encrypting the data used for authentication as in the prior art, it is possible to prevent forgery or eavesdropping of the information recording card, but it cannot cope with loss of the card itself, and IC Even though card readers are widespread, there is a problem that it is not preferable to request a special device from the user for public applications such as issuance of official documents.

  An object of the present invention is to solve the above-described problems, to prevent unauthorized use of a user authentication medium in an electronic application, and to provide an electronic application method with high security without a special device.

  In order to solve the above-mentioned problems, in the user electronic application method of the present invention, the authentication card and the authentication data are transmitted and received in the above-described prior art by the user authentication by the virtual storage medium on the terminal and the encryption with the storage medium, respectively. Replace with sending and receiving.

  As a virtual storage medium used in the present invention, a mark image technique in which information is embedded as digital watermark information called an Internet mark is applied. This technique is similar to that disclosed in Japanese Patent Application Laid-Open No. 2006-18745, and an electronic data providing server, an authentication mark generation server, and a user terminal having an authentication unit operated by an authentication program are transmitted through an information communication network. In the mutually connected electronic data authentication system, the authentication mark includes a mark image having an electronic watermark information storage area, and the authentication mark generation server embeds the authentication information as electronic watermark information in the electronic watermark information storage area, Extracts and stores the mark image from the authentication mark, and the user terminal further includes an authentication mark forgery verification unit that verifies the digital watermark information storage area information, determines the authentication mark, and displays the contents according to the determination result. The digital watermark information storage area is divided into a first area and a second area, authentication information is embedded in the first area as digital watermark information, and information for verifying the validity of preset authentication information and presettable authentication The specific information of the mark generation server may be embedded in the second area as the second digital watermark information, and the authentication unit may be in a format that can access the first area but cannot access the second area.

  In the electronic application method of the present invention, the electronic data providing server is an electronic application server of an administrative institution, the authentication mark generation server is also provided in the administrative institution, or a virtual card generation server provided in a separate authentication institution, and the authentication program A user terminal having an operating authentication unit is used as an electronic application user's terminal, and an authentication unit operated by an authentication program is provided on the terminal screen in the form of a virtual card reader, and the authentication mark is a virtual for user authentication. The electronic watermark information storage area of the virtual card includes at least information for authenticating the user by the electronic application server, preferably information for authenticating the electronic application server on the user side. This digital watermark information storage area may be set as a separate area that is accessible / inaccessible according to each authentication subject as in the prior art.

  The virtual card transmits in advance personal information necessary for user authentication as an environmental preparation for electronic application from the user terminal to the electronic application server, and the electronic application server transmits the personal information to the virtual card generation server. Send to. The virtual card generation server includes a database for storing user information and virtual card generation information, a virtual card prototype file, an encryption key generation function, an encryption / decryption function, and a virtual card generation function. Necessary for communication encryption created by the user ID information and encryption key generation function by the virtual card generation function in the electronic watermark information storage area of the virtual card prototype file prepared in advance by storing the personal information in the database Information including a unique encryption key and a corresponding decryption key is stored as digital watermark information, and virtual card file information storing the digital watermark information is registered in the database as a virtual card for the user, and a virtual for the user is stored. Send the card file to the electronic application server. The numerical value with a large digit, which is the basis for creating the encryption key, is created from dynamic values such as server OS information and log information when creating the encryption key, even if it is created from static information such as the IP address and MAC address. However, it may be a numerical value extracted and converted from both values based on a certain rule. The electronic application server transmits the transmitted virtual card file to the corresponding user terminal, and preparation for the electronic application is completed.

  The authentication unit of the user terminal has an encryption function, and the application information and user information are encrypted and stored in the electronic watermark information storage area of the virtual card issued from the virtual card generation server with the stored encryption key. And a function of transmitting information stored in the virtual card format to the electronic application server. Further, the authentication unit of the user terminal may have an encryption key generation function similar to the function of the virtual card generation server, and may be stored separately in a digital watermark information storage area provided in the virtual card. This encryption key is used by the electronic application server when encrypting information to be transmitted from the electronic application server to the user, and is for detecting an unauthorized server at the user terminal.

  The electronic application server has a function of decrypting and extracting application information and user information encrypted and embedded in the virtual card format with a decryption key in the virtual card, and user information is obtained by the decryption function. Acquire and authenticate the user, acquire application information by the decryption function, and transmit necessary information to the processing server corresponding to the application content.

  The electronic application server transmits the virtual card and the update request to the virtual card generation server after receiving the application process or receiving information corresponding to the application from the processing server corresponding to the application content. The virtual card generation server newly generates a key pair when receiving an update request, and rewrites the encryption key / decryption key information of the virtual card. At this time, a numerical value created from a dynamic value such as the processing history of the electronic application server at the time of the update request or the log of the terminal OS may be used as the base of the encryption key. The user ID of the virtual card is continuously used as it is, and the value of the flag indicating the number of updates provided in the virtual card is increased by 1 from the initial value and stored, thereby confirming that it is an updated card after application. This information is also stored in a database provided in the virtual card generation server. The updated virtual card is returned to the user terminal by the same process as that at the initial issuance. At the time of the next application, the electronic application server accepts the application with this update card, and rejects the application when the number of updates differs from the database of the virtual card generation server.

  When the user temporarily saves the virtual card in the user terminal and makes an application at a later date, the virtual card is encrypted and saved. As a result, it is possible to prevent use by unauthorized copying when offline. The virtual card reader itself may be provided with another encryption key, and the virtual card stored with this key may be encrypted. The encryption key may be created by a method similar to the generation of the encryption key stored in the virtual card using a numerical value depending on the user terminal.

  As described above, according to the electronic application method using the virtual storage medium of the present invention, information encrypted in the form of a digital watermark and stored in the virtual card can be secured. Also, higher encryption can be realized by creating an encryption key based on dynamic information between the server side and the user side. In addition, since the virtual card is stored in an encrypted state even when it is offline, even if it is illegally copied, it can be prevented from being used in another terminal. The present invention can be applied to various authentication systems such as electronic application and electronic money, and can also provide a ubiquitous system by realizing a user's terminal on a mobile phone.

  Hereinafter, an embodiment of a user authentication method in an electronic application using the virtual storage medium of the present invention will be described.

  FIG. 1 is a diagram showing an overall configuration of an electronic application system applied in the present embodiment. As shown in FIG. 1, the electronic application system of this embodiment accepts an electronic application included in the administrative electronic authentication device 10, the user terminal 11, the network 20, and the administrative electronic authentication device 10, and distributes the processing. Application server 30, virtual card generation server and electronic authentication server 40 that bears the user authentication function in this embodiment, database 41 that holds user authentication information and virtual card information, and business server 50 provided by the government Send and receive information accordingly. Information transmission / reception between the user terminal 11 and the electronic application server 30 is performed by a virtual card 60 described later.

  FIG. 2 is a diagram showing a schematic configuration of the user terminal 11 of the present embodiment. As shown in FIG. 2, the user terminal 11 of this embodiment includes a CPU 110, a memory 120, a magnetic disk device 160, an input device 130 such as a keyboard, an output device 140 such as a monitor, and a communication device 150. . At the time of execution, the virtual card reader 121, the encryption processing unit 122, the decryption processing unit 123, the authentication processing unit 124, and the virtual card processing unit 125 are provided on the memory.

  The CPU 110 is a device that controls the operation of the entire user terminal 11. The memory 120 is a storage device that loads processing programs and data of the virtual card reader 121, the encryption processing unit 122, the decryption processing unit 123, the authentication processing unit 124, and the virtual card processing unit 125 when controlling the operation of the entire user terminal 11. It is. The magnetic disk device 160 is a device that holds various programs and the virtual card file 60. The input device 130 such as a keyboard is a device for performing authentication processing and application processing. The output device 140 such as a monitor is a device that performs various displays associated with authentication processing and application processing. The communication device 150 is a device for transmitting / receiving information to / from the administrative electronic authentication device 10.

  The virtual card reader 121 is displayed as an area for “inserting” a virtual card on the display screen of the user terminal 11, and “insertion” of the virtual card file 60 displayed in the form of a mark or icon with a reader image display function, ie, virtual. A function of accessing the card file 170 and transferring control to the virtual card processing unit 125, a function of “ejecting”, that is, a function of canceling access to the virtual card file 60, and the virtual card file 60 via the communication device 150. It consists of a function to transmit / receive to / from 10 electronic application servers 30. Here, the virtual card reader 121, the encryption processing unit 122, the decryption processing unit 123, the authentication processing unit 124, and the virtual card processing unit 125 are assumed to be acquired from the electronic application server 30 and installed. In the card reader 121, the communication address of the electronic application server 30 is set as a default communication destination at the time of installation.

  The encryption processing unit 122 has a function of encrypting electronic application information created at the user terminal with the encryption key in the virtual card file 60 information, and a function of creating an encryption key set on the user terminal side. This encryption key creation method may be the same as the server side setting encryption key creation method stored when creating the virtual card file 60 by the electronic authentication server 40, and this method will be described later in the virtual card file 60 issuing process.

  The decryption processing unit 123 decrypts the information encrypted in the electronic authentication server 40 with the encryption key in the virtual card file 60 information by the decryption key in the virtual card file 60 information and stored in the digital watermark information storage area as the digital watermark information. It has a function to extract and extract. The authentication processing unit 124 is a function used when authenticating the electronic authentication server 40 with the encryption key set on the user terminal side. The authentication processing unit 124 includes a decryption key corresponding to the encryption key set on the user terminal side. Check the suitability of the server.

  The virtual card processing unit 125 extracts information from the digital watermark information of the image, stores the encryption key and the stored information to the encryption key encryption processing unit 122, and stores the encrypted information as the digital watermark information of the image. It has a function of writing in an area, a function of extracting digital watermark information of an image in the virtual card file 60, passing it to the decryption processing unit 123 together with a decryption key, and decrypting the information, and displaying the decrypted information on the output device 140 It has a function.

  FIG. 4 is a diagram showing a schematic configuration of the electronic application server 30 provided in the administrative electronic authentication device 10 of the present embodiment. As shown in FIG. 4, the electronic application server 30 of this embodiment includes a CPU 410, a memory 420, a magnetic disk 460, an input device 430, an output device 440, and a communication device 450.

  The CPU 410 is a device that controls the operation of the entire electronic application server 30. The memory 420 is a storage device that loads various processing programs and data of the virtual card processing unit 421, the access authentication unit 422, the application processing unit 423, and the transmission information creation unit 424 when controlling the operation of the entire electronic application server 30. is there. The magnetic disk device 460 is a device that holds various programs and various information. The input device 430 such as a keyboard is a device for performing authentication processing and application processing. The output device 440 such as a monitor is a device that performs various displays associated with authentication processing and application processing. The communication device 450 is a device for transmitting and receiving information with the user terminal 11, the electronic authentication server 40, and the business server 50.

  The virtual card processing unit 421 receives the virtual card 60 from the user terminal 11, transmits the virtual card 60 to the electronic authentication server 40, decrypts the information by the electronic authentication server 40, receives the result, and receives the access The function passed to the authentication unit 422 and the application processing unit 423 and the information received from the transmission information creation unit 424 are transmitted to the electronic authentication server 40, and the electronic authentication server 40 encrypts the information and sends it to the virtual card 60. And receiving the stored virtual card 60 and returning it to the user terminal 11. The access authentication unit 422 obtains a part of the user information when the electronic authentication server 40 decrypts the information, and performs user authentication by collating with information in the database 41 provided in the electronic authentication server 40 Have The application processing unit 423 obtains information related to the application information when the electronic authentication server 40 decrypts information, and the electronic authentication server 40 has a function of transmitting electronic application screen information to the user terminal 11. It has a function of collating with the information in the database 41 and transmitting it to the corresponding business server 50. The transmission information creation unit 424 has a function of receiving transmission information received from the business server 50 and passing it to the virtual card processing unit 421. In addition, the electronic application server 30 has a business information table 461 having information necessary for cooperation with the business server 50 in the magnetic disk device 460. This table has at least information necessary for access to the business server 50, but since the contents vary depending on the business method of the administrative organization, a data example is omitted.

  FIG. 5 is a diagram showing a schematic configuration of the electronic authentication server 40 provided in the administrative-side electronic authentication device 10 of the present embodiment. The CPU 510 is a device that controls the overall operation of the electronic authentication server 40. The memory 520 controls various operations of the virtual card processing unit 521, the encryption processing unit 522, the decryption processing unit 523, the authentication processing unit 524, the virtual card issuing unit 525, and the database control unit 526 when controlling the operation of the entire electronic authentication server 40. A storage device for loading processing programs and data. The magnetic disk device 560 is a device that holds various programs and various information, and has a virtual card information file, its encryption / decryption key, a database 41 for storing history, and a virtual card prototype file 561. The input device 530 such as a keyboard is a device for performing authentication processing and application processing. An output device 540 such as a monitor is a device that performs various displays associated with authentication processing and application processing. The communication device 550 is a device for transmitting and receiving information with the electronic application server 30.

  The virtual card processing unit 521 transmits / receives the virtual card 60 to / from the electronic application server 30, extracts information from the digital watermark information of the image, extracts the digital watermark information in the virtual card file 60, and decrypts the key. A function for receiving the decrypted information by passing to the decryption processing unit 523 and a function for passing the information stored together with the encryption key to the encryption processing unit 522 and writing the encrypted information in the digital watermark storage area of the image information as the digital watermark information A function of returning the decrypted information to the electronic application server 30, and receiving the virtual card issue request and user information from the electronic application server 30 and receiving and issuing the virtual card 60 issued to the virtual card issuing unit 525 And a function of transmitting to the electronic application server 30.

  The encryption processing unit 522 has a function of encrypting information received from the electronic application server 30 with an encryption key in the virtual card 60 information when information is stored in the virtual card 60, and a virtual card issuing and updating in the virtual card issuing unit 525 Sometimes has a function to create an encryption key. Here, a method for creating an encryption key in the encryption processing unit 522 will be described. The encryption key / decryption key used here is assumed to be a key pair in ordinary public key encryption which is an asymmetric key. Other techniques may be used as long as sufficient security is maintained. Here, a numerical value with a sufficient number of digits for generating a random number that is a seed necessary for generating a prime number that is a basis for generating a public key is a processing history of the electronic application server at the time of issuing the user ID, a log of the terminal OS, or the like. A numerical value extracted from a dynamic value based on a certain rule is used. The key pair generation method is a commonly used technique, for example, generates a random number suitable for encryption by a random number generation program based on the extracted numerical value, and further generates two prime numbers from the generated random number by a prime number pair generation program, Based on the two prime numbers, a public key is obtained by a public key generation program, and a secret key is generated by the public key generation program using the public key.

  The decryption processing unit 523 has a function of decrypting the encrypted electronic application information extracted from the virtual card 60 using the decryption key in the virtual card 60 information. The authentication processing unit 524 has a function of comparing the decrypted information with the information in the database 41 and confirming whether the user information is correct and whether the update history of the virtual card 60 is compatible.

  FIG. 6 shows a data item configuration example of the user authentication table in the database 41. The data items of the user authentication table include at least a user ID 601, user terminal information 602, and user identification information 603 for identifying the individual user.

  The virtual card issuing unit 525 issues a virtual card 60 in which the encryption key / decryption key information created by the encryption processing unit 522 is stored in the virtual card original file 561 as an electronic watermark of the image by the virtual card processing unit 521, or once It has a function of updating information of the virtual card 60 used for the electronic application.

  FIG. 7 shows a data item configuration example of the virtual card 60 and the virtual card table in the database 41. The data items of the virtual card table include at least a user ID 601, image information 702 that is a screen display image of the virtual card 60, application information 703 that encrypts and stores user information and application information in the user terminal 11, and the electronic application server 30 issuance information 704 for encrypting and storing the result of the application content transmitted from the transmission information creation unit 424, the server issuance encryption key 705 created by the encryption processing unit 522, the server issuance decryption key 706, and the user terminal 11 A user-issued encryption key 707 created by the encryption processing unit 122, a reception number 708 issued by the access authentication unit 422 after user authentication by the electronic application server 30, and an application counter 709 indicating the number of application histories. These data items exist as plain text and encryption information stored in the respective item areas in the virtual card table of the database 41. In the virtual card 60, FIG. 7 is a schematic diagram, and at least application information. 703, issuance information 704, server issuance encryption key 705, server issuance decryption key 706, user issuance encryption key 707, preferably all information other than image information 702 is associated with a predetermined storage area of image information 702, and Store as watermark information. When there is information other than the information to be watermarked in the image, the image information 702 subjected to the digital watermark processing in association with the user ID 601 and each encrypted information item are stored in a file format. Here, when the virtual card 60 is issued, the application information 703, the issue information 704, the user issued encryption key 707, and the reception number 708 are empty, the application counter 709 has an initial value 0 or 1, and the image information 702 has a user ID 601. It is provided as information with only the key pair watermarked. The application counter 709 holds a value obtained by adding 1 to the initial value for each update process of the virtual card 60 described later, and the application counter information in the virtual card 60 and the application counter information in the virtual card table do not match. Then, information indicating that authentication is not possible is returned to the access authentication unit 422 of the electronic application server 30 as an application from an inappropriate card.

  The database control unit 526 has a function of managing information on the user authentication table and the virtual card table of the database 41, adds data when the virtual card 60 is issued, and updates data when an electronic application is accepted.

Hereinafter, the flow of the process of issuing the virtual card 60 in the electronic authentication server 40 and storing it in the user terminal 11 will be described with reference to FIG.
Virtual card issue request information is transmitted from the user terminal 11 to the electronic application server 30 (step 801). The virtual card processing unit 421 of the electronic application server 30 transfers the issue request information to the electronic authentication server 40 (step 802). The virtual card issuing unit 525 of the electronic authentication server 40 creates a temporary registration card from the virtual card prototype file 561 and returns it to the electronic application server 30 (step 803). The virtual card processing unit 421 of the electronic application server 30 transmits the temporary registration card and the virtual card reader installer to the user terminal 11 (step 804). The user terminal 11 installs a virtual card reader program including the temporary registration card and virtual card reader 121, the encryption processing unit 122, the decryption processing unit 123, the authentication processing unit 124, and the virtual card processing unit 125 (step 805). At this time, the cryptographic processing unit 122 obtains log information of the user terminal at the time of installation and uses it as a radix for generating random numbers, and decrypts with the user-issued cryptographic key 707 in the same procedure as the cryptographic generation processing in the cryptographic processing unit 522. A key is generated and stored in the temporary registration card as a digital watermark by the virtual card processing unit 125. Next, user identification information and user terminal information are acquired, encrypted by the encryption processing unit 122 with the user-issued encryption key 707, and stored in the temporary registration card by the virtual card processing unit 125 (step 806). The application information 703 is used for the area at this time. After storage, the temporary registration card is transmitted from the user terminal 11 to the electronic application server 30 (step 807). The electronic application server 30 receives the temporary registration card and performs user authentication processing at the access authentication unit 422 (step 808). It is confirmed from the user terminal information such as the IP address / port number of the temporary registration card transmission source received at this time that the user terminal has transmitted the temporary registration card. In the case of reception from an inappropriate terminal, an error message is returned from the access authentication unit 422 to the user terminal 11 and the process is terminated (step 809). In the case of user authentication OK, the temporary registration card is transmitted to the electronic authentication server 40, and similarly, information is extracted by the virtual card processing unit 521 of the electronic authentication server 40 and passed to the decryption processing unit 523 together with the decryption key for decryption. To obtain user registration information (step 810). The virtual card issuing unit 525 of the electronic authentication server 40 issues a user ID, the database control unit 526 stores the user ID and user registration information in the user authentication table of the database 41, and registers a new user (step 811). Next, the virtual card issuing unit 525 stores the user ID as a digital watermark in the temporary registration card by the virtual card processing unit 521, acquires log information of the electronic authentication server 40 at the time of application by the encryption processing unit 522, and generates a random number. Similarly, encryption key / decryption key information is generated and stored as a digital watermark in the temporary registration card by the virtual card processing unit 521, and the virtual card 60 is issued with the application information 703 empty (step 812). ). The encryption key / decryption key information created at this time is stored in the virtual card table of the database 41 by the database control unit 526. The virtual card issuing unit 525 encrypts the created virtual card 60 with the user-issued encryption key 707 by the encryption processing unit 522 and transmits it to the electronic application server 30, and the electronic application server 30 transmits the virtual card 60 to the user terminal 11 ( Step 813). In the user terminal 11, the acquired virtual card 60 is decrypted by the decryption processing unit 123 with the user-issued decryption key, and the server-issued encryption key 705 in the virtual card 60 extracted by the virtual card processing unit 125 by the encryption processing unit 122 or created separately. Re-encryption is performed using the encryption key of the virtual card reader 121 (step 814). The encrypted virtual card 60 is saved from the memory to the magnetic disk 160 (step 815). The stored virtual card is used for the next electronic application.

  Next, a series of electronic application processing procedures according to this embodiment will be described with reference to FIG. First, the user terminal 11 accesses the electronic application server 30 (step 901), the application processing unit 423 of the electronic application server 30 creates an electronic application Web screen (step 902), and transmits it to the user terminal 11 (step 903). An electronic application screen is displayed on the user terminal 11 (step 904). At this time, the virtual card reader 121 of the user terminal 11 displays the virtual card reader area 320 as a plug-in.

  FIG. 3 shows an example of an interface screen of the electronic application system of this embodiment by the virtual card reader 121. Here, in the electronic application interface screen 300 that the electronic application server 30 displays as a Web screen, a browser area 310 that displays items for inputting application information and operation buttons for application transmission, a Java (registered trademark) applet, etc. A format in which the virtual card reader 121 displays the virtual card reader area 320 as a plug-in is assumed. The virtual card reader 121 displays the encrypted virtual card 60 stored in the magnetic disk device 160 on the virtual card storage unit 321 and displays the reader image for “insertion” and “discharge” of the virtual card 60 as a virtual card. The information is displayed on the reader unit 322. The initial state is that there is no card in the virtual card storage unit 321. After the provisional registration card acquisition / virtual card reader program is installed, when the card acquisition button in the browser area 310 is clicked, the magnetic disk device is obtained by the series of processes shown in FIG. When the virtual card 60 is stored in 160, the virtual card 60 is displayed on the virtual card storage unit 321.

  Next, the virtual card is inserted into the virtual card reader using the screen interface as shown in FIG. 3 (step 905). In the screen image, when the virtual card 60 is moved to the virtual card reader unit 322, the encrypted virtual card 60 is decrypted by the decryption processing unit 123 with the decryption key of the virtual card reader 121 and information can be input. Here, the virtual card processing unit 125 extracts the server issued encryption key 705 in the virtual card 60. Next, when the information necessary for the electronic application is input using the screen interface as shown in FIG. 3 (step 906), the virtual card processing unit 125 passes the input information to the encryption processing unit 122 and encrypts it with the server issued encryption key 705. (Step 907), the virtual card processing unit 125 writes the digital card information in the application information 703 area as digital watermark information (Step 908). The virtual card reader 121 transmits the virtual card 60 in which the information is written to the electronic application server 30 (step 909). At this time, on the screen of FIG. 3, the virtual card 60 is “ejected” from the virtual card reader unit 322, and a message such as “sent” is displayed.

  The electronic application server 30 receives the virtual card 60 and performs user authentication processing in the access authentication unit 422 in the same manner as the processing in FIG. 8 (step 910). It is confirmed that the user terminal transmits the electronic application screen from the user terminal information such as the transmission source IP address and port number of the virtual card 60 received at this time. In the case of reception from an inappropriate terminal, an error message is returned from the access authentication unit 422 to the user terminal 11 and the process is terminated (step 911).

  In the case of user authentication OK, the virtual card 60 is transmitted to the electronic authentication server 40, the digital watermark information is extracted by the virtual card processing unit 521 of the electronic authentication server 40, and the virtual card is extracted by the decryption processing unit 523 using the server issue decryption key 706. The user ID information of 60 is decrypted, the virtual card table of the database 41 is searched by the database control unit 526, the latest decryption key corresponding to the user ID is obtained (step 912), and the decryption key of the virtual card table is obtained. Then, the decryption processing unit 523 decrypts the extracted information to obtain electronic application information (step 913). Since a virtual card 60 update process, which will be described later, is performed every time an electronic application process is performed and a key pair is reissued, the virtual card 60 cannot be decrypted unless it is the latest one. The database control unit 526 collates the application counter 709 of the virtual card table in the database 41 with the application counter of the virtual card 60 (step 914). If they do not match, an error message is returned to the user terminal 11 and the process is terminated (step 915). ). If they match, the application contents are approved, a reception number 708 for processing by the virtual card processing unit 521 is issued, and the reception number 708 and application information 703 to be transmitted to the business server are returned to the electronic application server 30 (step) 915). At this time, the database control unit 526 stores a value obtained by incrementing the application information 703, the reception number 708, and the application counter 709 in the virtual card table of the database 41. Further, the value of the application counter 709 counted up by the virtual card processing unit 521 is stored in the virtual card 60.

  Next, referring to FIG. 10, a procedure of processing for updating the virtual card 60 as well as returning the electronic application issue information will be described. After completion of the application approval process, the encryption processing unit 522 of the electronic authentication server 40 creates a new encryption key 705... In the same manner as when the virtual card 60 is issued based on the log information of the electronic authentication server 40 at the end of the approval process. A decryption key 706 is generated (step 1001). Next, the application issue information acquired by the transmission information creation unit 424 of the electronic application server 30 is acquired by the virtual card processing unit 521 of the electronic authentication server 40, and the issued content is encrypted by the encryption processing unit 522 with the new encryption key, The new encryption key 705 and the decryption key 706 are stored as a digital watermark in the virtual card 60 by the virtual card processing unit 521 (step 1002). Next, in the virtual card information table of the database 41 by the database control unit 526, a set of information before the update of the virtual card 60 received in the process of FIG. 9, the set of information of the updated virtual card 60, and the encryption key 705 / decryption key 706 is registered (step 1003). The virtual card issuing unit 525 transmits the virtual card 60 storing the information in step 1002 as the updated virtual card 60 to the electronic application server 30 (step 1004), and the virtual card processing unit 421 of the electronic application server 30 is the user of the database 41. Based on the user terminal information in the information table, the virtual card 60 storing the information is transmitted to the user terminal 11 (step 1005).

  The user terminal 11 receives the virtual card 60 (step 1006), the virtual card processing unit 125 extracts the digital watermark information, and the decryption processing unit 123 issues the issue information encrypted with the decryption key 706 in the virtual card file 60 information. Is decrypted (step 1007), and issuance information which is a reply result of the electronic application is obtained (step 1008). The received virtual card 60 is re-encrypted by the encryption processing unit 122 in the same manner as the processing of FIG. 8 (step 1009) for use in the next electronic application (step 1009), and the encrypted virtual card 60 is saved from the memory to the magnetic disk 160. (Step 1010).

  As described above, according to the electronic authentication system of this embodiment, an image file in which information is encrypted and embedded as a digital watermark is transmitted and received between the user terminal and the administrative electronic authentication device, and the encryption key is mutually Since it is created based on a dynamic value, it is possible to prevent eavesdropping on a virtual card in which information for using various services is stored. Further, by encrypting and storing a virtual card with an encryption key created based on information dependent on each user terminal, unauthorized copying of the virtual card can be prevented even when offline.

It is a figure which shows the whole structure of the electronic application system applied by this embodiment. It is a figure which shows schematic structure of the user terminal of this embodiment. It is a figure which shows the example of the screen interface of a user terminal. It is a figure which shows schematic structure of the electronic application server of this embodiment. It is a figure which shows schematic structure of the electronic authentication server of this embodiment. It is a figure which shows the example of a data item structure of the user authentication table in a database. It is a figure which shows the data item structural example of the virtual card table in a virtual card and a database. It is a figure which shows the flow of the issuing process of the virtual card in an electronic authentication server, and the storing process to a user terminal. It is a figure which shows the flow of a series of electronic application process procedures of this embodiment. It is a figure which shows the flow of the procedure of the process which performs the update process of a virtual card with return of electronic application issue information.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Administrative electronic authentication apparatus, 11 ... User terminal, 20 ... Network, 30 ... Electronic application server, 40 ... Electronic authentication server, 41 ... Database, 50 ... Business Server ... 60 virtual card 110 ... CPU of user terminal, 120 ... memory of user terminal, 160 ... magnetic disk device of user terminal, 130 ... input device of user terminal, 140. ..Output device of user terminal, 150 ... Communication device of user terminal, 121 ... Virtual card reader of user terminal, 122 ... Encryption processing unit of user terminal, 123 ... Decryption processing unit of user terminal , 124: User terminal authentication processing unit, 125: User terminal virtual card processing unit, 410: Electronic application server CPU, 420: Electronic application server memory 460 ... Electronic application server magnetic disk, 430 ... Electronic application server input device, 440 ... Electronic application server output device, 421 ... Electronic application server virtual card processing unit, 422 ... Electronic application server access authentication unit, 450 ... Electronic application server communication device, 423 ... Electronic application server application processing unit, 424 ... Electronic application server transmission information creation unit, 510 ... Electronic authentication CPU of server, 520, memory of electronic authentication server, 521, virtual card processing unit of electronic authentication server, 530, input device of electronic authentication server, 522, encryption processing unit of electronic authentication server, 523 ... Decryption processing unit of electronic authentication server, 524 ... Authentication processing unit of electronic authentication server, 540 ... Output device of electronic authentication server, 525 ... Electronic authentication Virtual card issuing unit of server 550... Communication device of electronic authentication server 526... Database control unit of electronic authentication server 560... Magnetic disk device of electronic authentication server 561. Virtual card prototype file.

Claims (3)

An electronic application method comprising an electronic application server and an application information authentication server and a database provided in the server in an administrative institution, transmitting and receiving application information to and from a user terminal, and performing user authentication and application reception,
Information transmitted and received between a government organization and a user terminal is encrypted, and the encrypted information, key information used for encryption, and key information used for decryption are transmitted and received in a format stored as an electronic watermark in an image. Electronic application method.   The key information used for the encryption and the key used for the decryption are created in each of the application information authentication server and the user terminal, and numerical values having a large number of digits based on the creation of the encryption key are respectively set in the application information authentication server and the user. The electronic application method according to claim 1, wherein the electronic application method is created from information dependent on a terminal. The key information used for the encryption and the key used for the decryption are created in each of the application information authentication server and the user terminal, and numerical values having a large number of digits based on the creation of the encryption key are respectively set in the application information authentication server and the user. The electronic application method according to claim 1 or 2, wherein the electronic application method is created from dynamic information in a terminal.

Images