JP2011223495A - Information processor and method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow even an information processor not having a secure area to safely authenticate other information processors at low cost.SOLUTION: A personal computer 71 has a list 81 storing n combinations of a challenge Ck and a response Rk. The personal computer 71 selects the i-th challenge Ci and send the selected i-th challenge Ci to an integrated circuit (IC) card 72. The IC card 72 decodes the challenge Ci to obtain a calculation value Ai. The IC card 72 encodes the calculation value Ai and sends the encoded calculation value Ai as a response R to the personal computer 71. The personal computer 71 selects the i-th response Ri from the list 81 to compare the response R with the response Ri. If the response R is equal to the response Ri, the personal computer 71 authenticates the IC card 72. The present invention can apply to an IC tag.

Description

  The present invention relates to an information processing apparatus, method, and program, and in particular, an information processing apparatus that can securely authenticate another information processing apparatus at low cost even if the information processing apparatus does not have a secure area. And a method and a program.

  Conventionally, a reader / writer can execute various transaction processes using an IC (Integrated Circuit) card. In general, in order to enhance security, the reader / writer authenticates the IC card prior to execution of transaction processing (see, for example, Patent Document 1). A series of processes until the IC card is authenticated is hereinafter referred to as “authentication process”.

[Authentication process by conventional authentication system]
FIG. 1 is a schematic diagram showing a flow of authentication processing of a conventional authentication system.

  The conventional authentication system 1 includes a reader / writer 11 and an IC card 12.

  Conventional authentication processing is executed in a secure environment (hereinafter referred to as “secure area”) in a secure chip, such as a tamper-resistant secure IC chip. For example, in the example of FIG. 1, a secure area 21 is constructed in the reader / writer 11 and a secure area 22 is constructed in the IC card 12. Therefore, the reader / writer 11 executes processing related to data encryption or decryption in the secure area 21. Similarly, the IC card 12 executes processing related to data encryption or decryption in the secure area 22. Processes related to data encryption or decryption include, for example, data encryption and decryption processes, processes for managing keys and algorithms used for data encryption or decryption, and sources of information used for authentication. There are processes that generate random numbers.

  The authentication process is executed before the original data is transmitted / received between the reader / writer 11 and the IC card 12. For example, when the user holds the IC card 12 close to the reader / writer 11, the reader / writer 11 authenticates the IC card 12 by non-contact proximity communication as follows.

  That is, the reader / writer 11 and the IC card 12 hold the shared key KA and key KB in their own secure areas 21 and 22, respectively.

  In this case, the reader / writer 11 encrypts the random number A1 using the key KA in the secure area 21 according to the encryption algorithm E1. Then, the reader / writer 11 transmits the encrypted random number A1 to the IC card 12 as a challenge C.

  When receiving the challenge C, the IC card 12 decrypts the challenge C using the key KA in the secure area 22 according to the decryption algorithm D1 corresponding to the encryption algorithm E1. Thereby, the calculated value A2 is obtained. Therefore, the IC card 12 encrypts the calculated value A2 using the key KB in the secure area 22 according to the encryption algorithm E2. Then, the IC card 12 transmits the encrypted calculated value A2 to the reader / writer 11 as a response R.

  Upon receiving the response R, the reader / writer 11 decrypts the response R using the key KB in the secure area 21 according to the decryption algorithm D2 corresponding to the encryption algorithm E2. Thereby, the calculated value A3 is obtained. Therefore, the reader / writer 11 compares the calculated value A3 with the random number A1, and authenticates the IC card 12 if they match.

Japanese Patent Laid-Open No. 10-20780

  However, when the personal computer functions as the reader / writer 11 to authenticate the IC card 12, it has been difficult to realize high-security authentication processing at low cost. That is, in order for a personal computer to safely hold a key and an encryption algorithm necessary for conventional authentication processing, it is necessary to construct a secure area by mounting a secure chip. However, since a secure chip is expensive to develop and operate, it is not practical to provide a secure area in a personal computer. Therefore, even if a personal computer that does not have such a secure area executes conventional authentication processing, it is difficult to ensure security.

[Authentication process by personal computer without secure area]
FIG. 2 is a schematic diagram showing a flow of authentication processing by a personal computer having no secure area.

  The authentication system 31 shown in FIG. 2 includes a personal computer 41 and an IC card 12.

  The IC card 12 has a secure area 22, but the personal computer 41 does not have a secure area.

  Therefore, when the personal computer 41 executes the same authentication process as in FIG. 1, the information necessary for the authentication process is held in the secure area 22 on the IC card 12 side, whereas the information required for the personal computer 41 side is secure on the personal computer 41 side. Not kept in an environment. That is, in the IC card 12, information necessary for authentication processing such as the key KA, the key KB, the decryption algorithm D 1, and the encryption algorithm E 2 is held in the secure area 22. However, in the personal computer 41, information necessary for the authentication process such as the key KA, the key KB, the encryption algorithm E1, and the decryption algorithm D2 is held in an insecure environment.

  Note that, within the scope of the description of FIG. 2 below, the key KA and the key KB are collectively referred to as “key”. The decryption algorithm D1, the encryption algorithm E2, the encryption algorithm E1, and the decryption algorithm D2 are collectively referred to as “algorithm”.

  Thus, it is not preferable from the viewpoint of security that the personal computer 41 that does not have a secure area holds information necessary for authentication processing, that is, a key and an algorithm. That is, the possibility that a third party steals a key or an algorithm from the personal computer 41 that does not have a secure area is much higher than when the third party has a secure area.

  In summary, since the personal computer 41 authenticates the IC card 12 has various uses such as a login process, it is required to be realized. However, since the personal computer 41 does not have a secure area from the viewpoint of cost or the like, the IC card 12 cannot be securely authenticated.

  Note that the above description applies not only when the personal computer 41 authenticates the IC card 72, but also when any information processing apparatus that does not have a secure area authenticates any other information processing apparatus. .

  The present invention has been made in view of such a situation, and enables an information processing apparatus having no secure area to safely authenticate other information processing apparatuses at low cost. .

  The information processing apparatus according to the first aspect of the present invention uses a common key shared with an IC card to be authenticated, and a random number is encrypted in advance according to a first encryption algorithm corresponding to a decryption algorithm possessed by the IC card. And using the common key as a challenge, the random number is encrypted in advance according to a third encryption algorithm that is the same as the second encryption algorithm of the IC card, A holding means for holding a list in which combinations of the challenge and the response of n (n is a plurality of integer values) generated by changing the random number are stored as a value obtained as a result; Selection means for selecting one set of combinations from the list held by the holding means, and included in the combination selected by the selection means The challenge transmitted from the transmission control means is received by the transmission control means for transmitting the challenge and the IC card, decrypted according to the decryption algorithm using the common key, and a calculation obtained as a result A value is encrypted according to the second encryption algorithm using the common key, and when the resulting value is transmitted as the response, a reception control means for receiving the response; and the reception control means And an authentication unit that authenticates the IC card when the response received by the selection unit matches the response included in the combination selected by the selection unit.

  Each of the n combinations stored in the list is given any number from 1 to n, and the selection means can select the combinations in the order of the numbers.

  Each of the n combinations stored in the list is given any number from 1 to n. If the combination of the predetermined number or more is selected by the selection means, the number is nth. Presenting means for presenting a warning indicating that the user is approaching to the user can be further provided.

  Until the last combination of the n combinations is selected by the selection unit, when the IC card is authenticated by the authentication unit, a login process of the information processing apparatus is executed, and the selection is performed. After the last combination of n combinations is selected by the means, the authentication means prohibits execution of login processing using authentication of the IC card, and instead uses an account name and password. The authentication processing that was performed can be executed.

  Combination generation means for executing processing for generating the combination of the challenge and the response at a predetermined timing can be further provided, and at least a part of the list held by the holding means is the combination generation means Can be updated each time the combination is generated.

  The combination generation unit generates n new combinations when the n combinations included in the list are selected by the selection unit, and the list held by the holding unit includes the combination The new n combinations generated by the generation unit can be updated to a new list in which the combinations are stored.

  The combination generation unit generates one or more combinations each time the authentication unit authenticates the IC card, and the combination generation unit generates the one or more combinations generated in the list held by the holding unit. The list can be updated by adding the combinations.

  The processing by the selection means, the transmission control means, the reception control means, and the authentication means is repeated L times (L is an integer value of 2 or more), and the IC card is authenticated by the authentication means for all L times. In this case, the authentication of the IC card can be successful.

  The combination generated by the combination generation unit is added with information indicating the generation date and added to the list, and the combination generation unit selects the combination based on the information indicating the generation date and time. be able to.

  The selection unit can select the combination generated by the combination generation unit at a date and time that is discrete from the generation date and time of the combination selected last time.

  The combination generated by the combination generation unit is added to the list with information indicating the number of authentications by the authentication unit at the time of generation, and the combination generation unit adds the information indicating the number of authentications. Based on this, the combination can be selected.

  The combination generation means generates a random number, generates a challenge based on the random number, transmits the challenge to the IC card, and the response generated by the IC card based on the transmitted challenge is When transmitted, the response is received, and the generated challenge and the received response can be generated as the combination.

  During or immediately after generation of the combination by the combination generation unit, authentication processing by the selection unit, the transmission control unit, the reception control unit, and the authentication unit is executed as the IC card sampling authentication process. Can do.

  In the IC card unauthenticating authentication process, if the response received by the reception control unit and the response included in the combination selected by the selection unit do not match, the previous IC The combination generated by the combination generation unit after card authentication can be discarded.

  When the combination is discarded by the authentication means, it can further comprise a presentation means for presenting a warning indicating a failure of the IC card unsuccessful authentication processing to the user.

  In the IC card unauthenticating process, the selection unit can select the combination stored in the list held in the holding unit as dedicated to the unauthenticating process.

  The transmission control means further transmits polling before transmitting the challenge, and when a control signal is transmitted from the IC card that has received the polling, the reception control means receives the control signal. The transmission control means can transmit the challenge to the IC card after the control signal is received by the reception control means.

  The control signal includes a card identifier that uniquely identifies the IC card, and the transmission control means recognizes the card identifier based on the control signal by the reception control means, and the recognized card When the identifier is specified to be that of the IC card, the challenge can be transmitted.

  In the list held in the holding means, the combination including a deliberately wrong response can be stored.

  When the list is transmitted from another information processing apparatus via a predetermined network, the reception control unit receives the list, and the holding unit holds the list received by the reception control unit be able to.

  The information processing method and program according to the first aspect of the present invention are a method and program corresponding to the information processing apparatus according to the first aspect of the present invention described above.

  In the information processing apparatus, method, and program according to the first aspect of the present invention, a common key shared with the IC card to be authenticated is used according to the first encryption algorithm corresponding to the decryption algorithm possessed by the IC card. The random number is encrypted in advance, and a value obtained as a result is set as a challenge, and the random number is previously determined in accordance with a third encryption algorithm that is the same as the second encryption algorithm of the IC card using the common key. Is encrypted, and the resulting value is used as a response, and a list in which combinations of the n challenges (n is a plurality of integer values) generated by changing the random number and the response are stored is stored. Retained. A set of combinations is selected from the held list, the challenge included in the selected combination is transmitted, the transmitted challenge is received by the IC card, and the common key is used. When the calculated value obtained by decrypting according to the decryption algorithm is encrypted according to the second encryption algorithm using the common key, and the resultant value is transmitted as the response, The response is received. Then, if the received response matches the response included in the selected combination, the IC card is authenticated.

  An information processing apparatus according to a second aspect of the present invention includes a random number generation unit that generates a random number and the IC card using a common key that shares the random number generated by the random number generation unit with the IC card. Using the value obtained as a result of encryption by the first encryption algorithm corresponding to the decryption algorithm as a challenge, the random number is the same as the second encryption algorithm of the IC card using the common key. A value obtained as a result of encryption by the encryption algorithm of 3, and a process for generating a combination of the challenge and the response is repeated while changing the random number, and the combination by the encryption means Each time the IC card is generated, the IC card is recognized by repeating the process of adding the combination to the list. And generating means for generating said list to provide to a device for the random number generation means, the encryption means, and said generating means is arranged to secure the environment.

  The information processing method and program according to the second aspect of the present invention are a method and program corresponding to the information processing apparatus according to the third aspect of the present invention described above.

  In the information processing apparatus, method, and program according to the second aspect of the present invention, a random number is generated, and the generated random number is converted into a decryption algorithm possessed by the IC card using a common key shared with the IC card. A value obtained as a result of encryption by the corresponding first encryption algorithm is taken as a challenge, and the random number is used as the third encryption same as the second encryption algorithm of the IC card using the common key. A value obtained as a result of encryption by the encryption algorithm is used as a response, and a process of generating a combination of the challenge and the response is repeated while the random number is changed, and each time the combination is generated, the combination is generated. Is added to the list, so that the IC card is provided to the device that authenticates the IC card. Door is generated. And it is in a secure environment that random numbers are generated, encrypted and generated.

  As described above, according to the present invention, even an information processing apparatus that does not have a secure area can safely authenticate other information processing apparatuses at low cost.

It is a schematic diagram which shows the flow of the authentication process of the conventional authentication system. It is a schematic diagram which shows the flow of the authentication process by a personal computer. It is a figure explaining the outline | summary of the principle of this invention. It is a figure explaining an example of the production | generation method of a list | wrist. It is a figure explaining the other example of the production | generation method of a list | wrist. It is a figure which shows an example of the relationship between the security strength according to the total number of the combinations in a list | wrist, and cost. It is a figure explaining recovery of security. It is a block diagram which shows the structure of one Embodiment of the authentication system with which this invention is applied. It is a block diagram which shows the functional structural example of a list production | generation apparatus. It is a block diagram which shows the hardware structural example of a personal computer. It is a block diagram which shows the functional structural example of CPU. It is a block diagram which shows the functional structural example of an IC card. It is a flowchart explaining an example of list generation processing. It is a flowchart explaining an example of the one-sided authentication process of a personal computer. It is a flowchart explaining an example of the one-side authentication process of an IC card.

[Outline of Embodiment of the Present Invention]
First, an outline of the present invention will be described with reference to FIG. 3 in order to facilitate understanding of the present invention.

  FIG. 3 is a diagram for explaining the outline of the principle of the present invention.

  The authentication system 61 shown in FIG. 3 includes a personal computer 71 and an IC card 72. The personal computer 71 permits login only to a user having an appropriate IC card 72. Therefore, the personal computer 71 authenticates the IC card 72.

  A process in which two information processing apparatuses authenticate each other is referred to as a “mutual authentication process”, whereas an authentication process in which one authenticates only the other is hereinafter referred to as a “one-side authentication process”.

  The IC card 72 has a secure area 91, but the personal computer 71 does not have a secure area.

  The personal computer 71 maintains a list 81 in which n combinations of the challenge Ck and the response Rk (hereinafter abbreviated as “combination” as appropriate) are stored. Here, k is an integer value from 1 to n, and n is an arbitrary integer value of 1 or more indicating the total number of combinations.

  Details of the list 81 will be described later. For example, the challenge Ck has a predetermined value Ak using the key KC of the IC card 72 according to the encryption algorithm E11 corresponding to the decryption algorithm D11 of the IC card 72. Information obtained as a result of encryption in advance. The response Rk is information obtained by, for example, previously encrypting the value Ak using the key KC included in the IC card 72 in accordance with the encryption algorithm E12 included in the IC card 72.

  When the personal computer 71 starts the authentication process, the personal computer 71 selects the i-th challenge Ci (i is any integer value from 1 to n) from the list 81 and transmits it to the IC card 72.

  Upon receiving the challenge Ci from the personal computer 71, the IC card 72 decrypts the challenge Ci using the key KC in the secure area 91 according to the decryption algorithm D11. Thereby, the calculated value Ai is obtained. Therefore, the IC card 72 encrypts the calculated value Ai using the key KC in the secure area 91 according to the encryption algorithm E12. Then, the IC card 72 transmits the encrypted calculated value Ai to the personal computer 71 as a response R.

  When receiving the response R, the personal computer 71 selects the i-th response Ri from the list 81, and compares the response R with the response Ri. If the response R and the response Ri match, the personal computer 71 authenticates the IC card 72.

  In this way, the one-side authentication process in which the personal computer 71 authenticates the IC card 72 (hereinafter, abbreviated as “authentication process” where appropriate) is not necessary.

  Here, the transmission timing of the challenge Ci at the start of the authentication process may be the timing at which the IC card 72 approaches, or may be at predetermined time intervals independent of the presence or absence of the proximity of the IC card 72. However, in the latter case, even when the IC card 72 does not exist in the vicinity of the personal computer 71, the challenge Ci is periodically transmitted, so that there is a possibility that the third party may be stolen. In such a case, when a challenge Ci to be transmitted is randomly selected from the list 81, a challenge Cq (q is an arbitrary integer value from 1 to n) used once in the past authentication process is There is a possibility that the challenge Ci to be transmitted is selected again. If the challenge Cq selected again as the challenge Ci to be transmitted in this way is stolen by a third party at the time of use in the past authentication process, the third party may be abused. Therefore, in order to eliminate such a fear, it is preferable to set the use order for each combination in the list 81, for example, set the number after the challenge code C as the use order. In this case, in the authentication process of the number of times of authentication i, a combination of the order of use i, that is, the challenge Ci and the response Ri are used to prevent duplicate use of the combination used in the past. There is almost no risk of Cq being abused.

  However, since the total number n of combinations in the list 81 is finite, if the authentication process is repeatedly executed, all combinations in the list 81 are used in n authentication processes. Therefore, a measure is required when all the combinations in the list 81 are used. For example, it is possible to take measures such as newly creating n combinations or reusing the same n combinations. Details of these measures will be described later.

  Here, in the above description, only one IC card 72 is mentioned for the sake of simplicity. However, actually, it is necessary to provide the IC card 72 to a plurality of users. In order to mass-produce such a plurality of IC cards 72, the decryption algorithm D11 and the encryption algorithm E12 are mounted in common on all the IC cards 72. Therefore, in order for the personal computer 71 to authenticate a specific one of the plurality of IC cards 72, a different key KC may be held for each IC card 72. In this case, if the present invention is applied, a different list 81 is generated for each different key KC. That is, since the list 81 is a dedicated list that is valid only for a specific key KC, the specific key KC and the list 81 dedicated to the specific key KC are used as a pair.

  For this reason, by generating a pair of a specific key KC and a list 81 dedicated to the specific key KC in advance, the decryption algorithm D11 and the encryption algorithm E12 used in the existing mutual authentication system are used as they are. The invention can also be applied. That is, the IC card 72 to which the present invention is applied can be easily realized by holding the specific key KC in the IC card on which the conventional decryption algorithm D11 and encryption algorithm E12 are mounted. On the other hand, the device for authenticating the IC card 72 only needs to hold the list 81 dedicated to the specific key KC, and the encryption key or encryption algorithm corresponding to the common key of the specific key KC or the decryption algorithm D11. There is no need to maintain a decoding algorithm corresponding to E12. Therefore, even a device that does not have a secure area, such as the personal computer 71, can execute the one-side authentication process for authenticating the IC card 72 only by holding the list 81 dedicated to the specific key KC. In other words, a function for performing one-side authentication of an IC card can be easily mounted on an existing apparatus that does not have a secure chip, without newly mounting a secure chip. In this case, the cost can be greatly reduced as compared with the case where a secure chip is newly installed. In this way, it is possible to perform one-side authentication by a device that does not have a secure area using the same system while preserving the functions and merits of an existing mutual authentication system.

  In this case, since the list 81 dedicated to the specific key KC is held outside the secure area, it may be stolen by a third party. However, even if the list 81 dedicated to the specific key KC is stolen, only the authentication system using the pair of the specific key KC and the list 81 dedicated to the specific key KC need only be exposed to the threat. That is, the combination of the challenge Ck and the response Rk stored in the list 81 dedicated to the specific key KC is encryption information generated using the encryption algorithm E11, the encryption algorithm E12, and the specific key KC. . With such encryption information alone, it is virtually impossible to obtain the decryption algorithm D11, the encryption algorithm E12, and the specific key KC. Furthermore, since another authentication system including the personal computer 71 and the IC card 72 of another user uses a completely different key KC and the list 81 dedicated to the other key KC, the other authentication system is a threat. There is no exposure.

  Thus, even if the list 81 dedicated to a specific key KC is stolen, the threat is limited to the authentication system configured by a pair of the specific key KC and the list 81 dedicated to the specific key KC. The Therefore, the security of other authentication systems and algorithms such as the decryption algorithm D11 and the encryption algorithm E12 are ensured.

[Example of generation method of list 81]
Next, a method for generating the list 81 will be described.

  FIG. 4 is a diagram for explaining an example of a method for generating the list 81.

  The list generation device 101 is installed in a generation factory of the personal computer 71, for example, and generates the list 81 in a secure environment in which keys and algorithms can be safely held.

  Note that, here, the list generating apparatus 101 includes the secure area 121, so that a “secure environment” is constructed. However, even if the list generation apparatus 101 does not have the secure area 121, a secure environment may be configured so that keys and algorithms can be safely held in the entire environment in which the list generation apparatus 101 is operated.

  The list generation device 101 generates a random number AXj (j is an arbitrary integer value from 1 to n) in the secure area 121. Next, the list generating apparatus 101 encrypts the random number AXj using the same key KC as the key KC included in the IC card 72 in accordance with the encryption algorithm E11 corresponding to the decryption algorithm D11 included in the IC card 72. Generates a challenge Cj. The list generation apparatus 101 generates a response Rj by encrypting the random number AXj using the key KC according to the same encryption algorithm E12 as the encryption algorithm E12 of the IC card 72. Then, the list generation device 101 stores the combination of the challenge Cj and the response Rj in the list 81.

  The list generation device 101 increments the number j by 1 and repeatedly executes such a series of processes while changing the random number AXj. When the number of repetitions of the series of processes is n, a list 81 in which n combinations are stored is generated in the list 81.

  The total number n of combinations in the list 81 is not particularly limited and may be arbitrary. That is, any number n of combinations can be easily generated simply by causing the list generation device 101 to generate random numbers AX1 to AXn of an arbitrary number n. Hereinafter, when it is not necessary to individually distinguish the random numbers AX1 to AXn, these are collectively referred to as a random number AX.

  In addition, the list generation device 101 may generate the lists 81-1 to 81-r independently for each of r keys (r is an arbitrary integer value equal to or greater than 1) KC-1 to KC-r. it can. That is, at the installation location of the list generation device 101, for example, the generation factory of the personal computer 71, a specific key KC-s (s is an arbitrary integer value from 1 to r) and the specific key KC- A pair with s-only list 81-s is generated. Therefore, the IC card 72-s holding the specific key KC-s may be generated at the factory or the like. In other words, a pair of the list 81-s and the IC card 72-s may be generated at the factory or the like. In this case, however, the paired list 81-s and the IC card 72-s need to be safely delivered to the user.

[Other examples of list generation methods]
FIG. 5 is a diagram for explaining another example of the method for generating the list 81.

  In the example shown in FIG. 5, the list 81 is generated in the personal computer 71 using the IC card 72.

  The personal computer 71 sequentially generates random numbers AXj (an integer value from j to n). Next, the personal computer 71 transmits a challenge Cj based on the generated random number Kj to the IC card 72.

  When the IC card 72 receives the challenge Cj from the personal computer 71, the IC card 72 transmits the response R corresponding to the challenge Cj to the personal computer 71 by executing the processing described above with reference to FIG.

  Therefore, the personal computer 71 receives the response R as the response Rj, generates one combination of the transmitted challenge Cj and the received response Rj, and stores the combination in the list 81.

  The personal computer 71 increments the number j by 1 and repeatedly executes such a series of processes while changing the random number AXj. When the number of repetitions of the series of processes is n, a list 81 in which n combinations are stored is generated in the list 81.

  The total number n of combinations in the list 81 is not particularly limited and may be arbitrary. That is, any number n of combinations can be easily generated simply by causing the personal computer 71 to generate any number n of random numbers AX1 to AXn.

  In addition, when the personal computer 71 individually authenticates each of the r IC cards 72-1 to 72-r, the personal computer 71 individually selects the corresponding lists 81-1 to 81-r as with the list generation device 101. Can be generated.

  As described above, when the method of generating the list 81 of FIG. 5 is applied, the list 81 can be generated using the personal computer 71, so that the user can easily change or add the list 81. . However, since the personal computer 71 does not have a security area, the user needs to establish a secure environment when the list 81 is generated under his / her own responsibility.

[Relationship between security strength and cost according to the number of challenge and response combinations]
Here, when the method for generating the list 81 of FIG. 5 is applied, an appropriate number of the total number n of combinations to be stored in the list 81 will be considered. In this case, it is necessary to consider from the viewpoint of security strength and the viewpoint of cost.

  FIG. 6 is a diagram illustrating an example of the relationship between security strength and cost in accordance with the total number n of combinations in the list 81.

  Hereinafter, when there is no need to individually distinguish the challenges C1 to Cn, these are collectively referred to as a challenge C. In this case, responses R1 to Rn are also collectively referred to as response R.

  When the personal computer 71 generates an 8-byte challenge C, the total number n of combinations is 2 to the 64th power at the maximum. However, the total number n of combinations of the list 81 is not particularly required to be 2 to the 64th power, and can be an arbitrary number of 2 to the 64th power or less. Therefore, the table of FIG. 6 shows, as an example, the relationship between the security strength and the cost when the total number n of combinations of the list 81 is 2 16 to 2 27. Note that one row (aggregation of items in the horizontal direction) in the table of FIG. 6 corresponds to the case where the total number n is one of 2 16 to 2 27.

  In the item “maximum number of trials until the same challenge appears” in a predetermined row of the table of FIG. 6, when the total number n corresponding to the row is adopted, authentication until the same challenge C appears Describes the maximum number of trials (times) of the process. That is, n combinations stored in the list 81 are used in order from the top, and when all the n combinations are used, the same n combinations are reused. In this case, the number of authentications until the challenge C once used is used again is described in the item. That is, since the number of times of authentication is equal to the total number n of combinations in the list 81, the same value as the total number n is described in the item.

  When the total number n corresponding to the row is adopted as the “storage area size required by the list” in a predetermined row in the table of FIG. 6, when it is assumed that 16 bytes are required for one combination, the list 81 Describes the size (M bytes) of the storage area required for storing.

  The “storage device cost” in the predetermined row of the table of FIG. 6 is a storage area for storing a list 81 when converted to 10,000 yen per 1 Tbyte when the total number n corresponding to the row is adopted The cost (yen) required to secure

  The “list generation time” of a predetermined line in the table of FIG. 6 describes the time (minutes) required to generate the list 81 when the total number n corresponding to the line is adopted. The time required to generate the list 81 is an estimate of the time executed in the C language based on the actual measurement time when the personal computer 71 having the following specifications is executed in the script language. That is, the specifications of the personal computer 71 are Microsoft Windows (registered trademark) XP Professional Version 2002 Service Pack 3, Pentium (registered trademark) D CPU 2.80 GHz, 2.00 GB RAM.

  In the “calculation cost” of a predetermined row in the table of FIG. 6, when the total number n corresponding to the row is adopted, the personal computer 71 corresponding to the row when converted to 1000 yen per hour corresponds to the row. The cost (yen) necessary for calculating the combination of the total number n is described.

  In the “time until the same challenge appears” in a predetermined row of the table of FIG. 6, when the total number n corresponding to the row is adopted, when the challenge C is used once per second, The time (day) until the challenge C once used is used next is described.

  In the “response collecting time” of the predetermined row in the table of FIG. 6, when the total number n corresponding to the row is adopted, the response R is transmitted after the personal computer 71 transmits the challenge C to the IC card 72. The time required to collect (see FIG. 5) is described. However, here, the time described in the item indicates that the time required to transmit the challenge C and collect the response R is 1 hour when the communication speed is 424 kbps. It is converted based on.

  As can be seen from the table in FIG. 6, the designer of the authentication system 61 or the user of the personal computer 71 determines the total number n of combinations to be stored in the list 81 in consideration of the balance between the security strength and the cost relationship. Good.

  For example, as shown in the fifth line of FIG. 6, when 2 20 is adopted as the total number n of combinations in the list 81, the maximum number of trials until the same challenge C appears is “1048576 times”. It can be seen that the storage area size required to record the list 81 is “16 Mbytes”. Further, in the case of the number of combinations, it can be seen that the cost of the storage device is “0.153 yen”, the list generation time is “0.042 minutes”, and the calculation cost is “0.7 yen”. Furthermore, in the case of the number of combinations, it can be seen that the time until the same challenge appears is “12.14 days”, and the time until the response is collected is “10.5 hours”.

  Therefore, in the case of introducing the list 81 whose total number n is 2 to the 20th power, in view of cost, in order to secure a storage area size of “16 Mbytes” and a list generation time of “0.042 minutes” Are "0.153 yen" and "0.7 yen", respectively. As is clear from comparison with the other rows in the table of FIG. 6, the cost can be reduced by reducing the total number n of combinations.

  On the other hand, a case where a list 81 whose total number n is 2 to the 20th power is introduced is considered from the viewpoint of security strength. For example, it is assumed that a third party has stolen the combination of the challenge Ci and the response Ri. If a third party transmits the stolen response Ri to the personal computer 71 when the same challenge C as the stolen challenge Ci is transmitted from the personal computer 71, the third party succeeds in causing the personal computer 71 to erroneously authenticate. . However, for this purpose, the third party must constantly monitor the transmission of the challenge Ci from the personal computer 71 during the maximum of “1048576” authentication, that is, for “12.14 days”. I must. As the time that such a third party must constantly monitor (that is, the number of times of authentication) increases, the security strength increases accordingly. As is clear from comparison with the other rows in the table of FIG. 6, as the total number n of combinations increases, the time that the third party must constantly monitor (that is, the number of authentications) increases, and the security strength increases accordingly. Can be increased.

  In summary, there is a merit that the security strength is increased when the total number n of combinations to be stored in the list 81 is increased, but there is a demerit that the cost is increased. On the other hand, when the total number n of combinations to be stored in the list 81 is small, there is a merit that the cost is lowered, but there is a demerit that the security strength is lowered. Therefore, it is preferable to determine the total number n of combinations to be stored in the list 81 in consideration of the two conflicting factors, that is, in consideration of the balance between security strength and cost.

  In addition, no matter what number is adopted as the total number n of combinations, as long as the key and algorithm for generating the list 81 are held in a secure environment, the security of the authentication system 61 is ensured. Can do. Extremely speaking, no matter how low the security strength is, and as a result, the list 81 is stolen by a third party, there is almost no risk that the key and algorithm of the authentication system 61 will be identified by the third party from the list 81. Absent.

  However, it is not desirable to leave the list 81 stolen by a third party. Therefore, security recovery when the list 81 is stolen by a third party will be described below.

[Security recovery when List 81 is acquired by a third party]
FIG. 7 is a diagram for explaining security recovery when the list 81 is stolen by a third party.

  As described above, the total number n of combinations when the 8-byte challenge C is generated is 2 64 to the maximum. Hereinafter, a set of combinations of n = 2 to the 64th power is referred to as a combination data group 141. The list 81 can be generated by storing any part of the combination data group 141.

  As shown in FIG. 7, it is assumed that the personal computer 71 holds a list 81A composed of a part of the combination data group 141 as a list 81 and uses it during the authentication process. When this list 81A is stolen by a third party, the personal computer 71 updates the list 81 to a list 81B composed of another part of the combination data group 141.

  Thereby, even if a third party creates the counterfeit IC card 142 based on the obtained list 81A, there is no possibility that the personal computer 71 erroneously authenticates the counterfeit IC card 142.

  That is, the counterfeit IC card 142 may be able to transmit the response Ri corresponding to the challenge Ci to the personal computer 71 as in the list 81A. However, even if a third party tries to authenticate the counterfeit IC card 142 to the personal computer 71, the personal computer 71 has the list 81B different from the list 81A, and thus authenticates the counterfeit IC card 142 by mistake. There is nothing.

  Specifically, when the counterfeit IC card 142 comes close to the personal computer 71, it can receive the challenge Cj in the list 81B transmitted from the personal computer 71. However, the forged IC card 142 cannot transmit the same response R as the response Rj corresponding to the challenge Cj in the list 81B.

  That is, the forged IC card 142 has only a function of recognizing the correspondence between the challenge C and the response R in the list 81A, and decrypts and re-encrypts the challenge Cj in the list 81B. It does not have a function of generating the corresponding response Rj in the list 81B. For this reason, even if the forged IC card 142 receives the predetermined challenge C included in the list 81B, it cannot decrypt the challenge C and re-encrypt it to generate a corresponding response R. For this reason, the personal computer 71 never authenticates the counterfeit IC card 142 by mistake.

  As described above, even when the list 81 is stolen by a third party, the personal computer 71 simply updates the list 81 and can easily perform security without changing the IC card 72 constituting the authentication system 61. Can be recovered.

  The outline of the principle of the present invention has been described above with reference to FIGS. Next, an embodiment of the present invention will be described.

[Configuration Example of Authentication System 151 to which the Present Invention is Applied]
FIG. 8 is a block diagram showing a configuration of an embodiment of an authentication system to which the present invention is applied.

  The authentication system 151 of FIG. 8 includes a list generation device 101, personal computers 71-1 to 71-N (N is an arbitrary integer value of 1 or more), and IC cards 72-1 to 72-N.

  In the present embodiment, it is assumed that the personal computer 71-Q (Q is any integer value from 1 to N) and the IC card 72-Q are used in pairs. For example, when a user operating the personal computer 71-Q holds the IC card 72-Q and activates the personal computer 71, the IC card 72-Q is held over the personal computer 71-Q. To do. In this case, when the personal computer 71-Q authenticates the IC card 72-Q, the personal computer 71-Q starts various processes such as an activation process.

  The list generation apparatus 101 is installed in a generation factory of the personal computer 71-Q, and in a secure environment in which keys and algorithms can be safely held, in this embodiment, the list 81-Q and the IC card 72-Q are paired. And generate The list 81-Q generated by the list generating apparatus 101 is safely delivered (for example, recorded) to the personal computer 71-Q. The IC card 72-Q is delivered to the user of the personal computer 71-Q safely together with the generated list 81-Q.

  The keys and algorithms used to generate the list 81-Q are held in the secure area of the IC card 72-Q, and other IC cards 72-P (P is any one of 1 to N). Is an integer value different from Q). Therefore, when the IC card 72-Q is used for the personal computer 71-Q holding the list 81-Q, the login is successful, but when the IC card 72-P is used, the login fails.

  Hereinafter, when it is not necessary to individually distinguish the personal computers 71-1 to 71-N, they are collectively referred to as a personal computer 71. Similarly, when it is not necessary to individually distinguish the IC cards 72-1 to 72-N, they are collectively referred to as an IC card 72.

  Hereinafter, each component of the authentication system 151 in FIG. 8, that is, each component of the list generation device 101, the personal computer 71, and the IC card 72 will be sequentially described in that order.

[Block diagram showing a functional configuration example of the list generation apparatus 101]
First, the configuration of the list generation apparatus 101 will be described.

  FIG. 9 is a block diagram illustrating a functional configuration example of the list generation apparatus 101.

  The list generation apparatus 101 in FIG. 9 includes a control unit 161, a random number generation unit 162, an encryption unit 163, a generation unit 164, and a storage unit 165.

  The control unit 161 performs overall control of the list generation device 101. For example, the control unit 161 manages the combination number i.

  The random number generation unit 162 generates a random number AX as original information for generating a combination of challenge C and response R. Here, as the random number AX, a pseudo random number or a genuine random number can be adopted. However, the pseudo-random numbers are numerically discrete numbers, but when the calculation formula becomes clear, the next generated random number can be calculated from the immediately preceding random number value. Therefore, it becomes difficult to ensure safety when stolen by a third party. For this reason, in this embodiment, a genuine random number is adopted as the random number AX. In this case, the random number generation unit 162 includes various types of information in the list generation device 101, such as time information, remaining battery information, acceleration sensor information, temperature sensor information, remaining memory capacity, CPU (Central Processing Unit) load information, and the like. A random number AX that is a true random number is calculated using the plurality of pieces of information as parameters. Thereby, since a random number AX that cannot be estimated from the outside is generated, safety can be ensured even if it is stolen by a third party.

  The encryption unit 163 generates a challenge C by encrypting the random number AX generated by the random number generation unit 162 using the key KC according to the encryption algorithm E11. Further, the encryption unit 163 generates a response R by encrypting the same random number AX using the key KC according to the encryption algorithm E12. The encryption unit 163 generates n combinations of the challenge C and the response R by repeating such a series of processes n times by changing the random number AX.

  The generation unit 164 generates the list 81. That is, the generating unit 164 repeats the process of adding the combination to the list 81 every time the encryption unit 163 generates a combination of challenge C and response R. When such processing is repeated n times, a list 81 storing n combinations of challenges C and responses R is generated.

  The storage unit 165 stores a key KC and encryption algorithms E11 and E12 necessary for generating the list 81.

The configuration of the list generation device 101 has been described above. Next, the configuration of the personal computer 71 will be described.
[Block diagram showing a hardware configuration example of the personal computer 71]
FIG. 10 is a block diagram illustrating a hardware configuration example of the personal computer 71.

  In FIG. 10, the CPU 181 executes various processes according to a program recorded in a ROM (Read Only Memory) 182. Alternatively, various processes are executed according to a program loaded from a storage unit 188 serving as a holding unit into a RAM (Random Access Memory) 183.

  The RAM 183 also appropriately stores data necessary for the CPU 181 to execute various processes.

  The CPU 181, ROM 182, and RAM 183 are connected to each other via a bus 184. An input / output interface 185 is also connected to the bus 184.

  The input / output interface 185 is connected to an input unit 186 including a keyboard and a mouse, and an output unit 187 serving as a presentation unit including a display. Further, a storage unit 188 composed of a hard disk or the like and a communication unit 189 composed of a modem, a terminal adapter or the like are connected. The communication unit 189 controls communication performed with other devices (not shown) via a network including the Internet. The communication unit 189 also controls non-contact communication using electromagnetic waves performed with the IC card 72 in the vicinity.

  A drive 190 is connected to the input / output interface 185 as necessary, and a removable medium 191 made of a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is appropriately mounted. Then, the computer program read from them is installed in the storage unit 188 as necessary.

[Block diagram showing functional configuration example of CPU 181]
FIG. 11 is a block diagram illustrating a functional configuration example of the function of authenticating the IC card 72 among the functions of the CPU 181 of the personal computer 71 of FIG.

  The CPU 181 in FIG. 11 includes a control unit 201, a selection unit 202, a transmission control unit 203, a reception control unit 204, a recognition unit 205, a storage control unit 206, and a display control unit 207 in order to execute authentication processing. Yes. The list generation unit 208 is provided in the CPU 181 when the above-described list generation method of FIG. 5 is adopted, that is, when the list 81 needs to be generated in the personal computer 71.

  In the present embodiment, the CPU 181 executes a predetermined program, whereby a control unit 201, a selection unit 202, a transmission control unit 203, a reception control unit 204, a recognition unit 205, a storage control unit 206, a display control unit 207, Each function of the list generation unit 208 can be exhibited.

  The control unit 201 controls the entire authentication process by appropriately controlling the selection unit 202 to the list generation unit 208. For example, the control unit 201 manages the authentication count i.

  When the authentication process for the number of times of authentication i is executed, the selection unit 202 refers to the list 81 stored in the storage unit 188 and selects a combination of the challenge Ci and the response Ri.

  The transmission control unit 203 controls the communication unit 189 to transmit, for example, the challenge Ci selected by the selection unit 202 at predetermined time intervals. Note that the transmission timing of the challenge Ci is not particularly limited to this. Other examples of the challenge Ci transmission timing will be described later.

  The reception control unit 204 controls the communication unit 189 to receive the response R transmitted from the IC card 72.

  The authentication unit 205 compares the response R received by the reception control unit 204 with the response Ri selected by the selection unit 202. If they match, the authentication unit 205 determines that the authentication is successful, and if they do not match, the authentication fails. judge. That is, when the response R and the response Ri match, the authentication unit 205 authenticates the IC card 72.

  The storage control unit 206 controls storage of the list 81 in the storage unit 188. That is, when the list 81 is generated by the list generation apparatus 101 before shipment, or when the list 81 is generated or updated by the list generation unit 208 in the personal computer 71, the storage control unit 206 operates. In addition, the storage control unit 206 controls storage of the authentication count i in the storage unit 188.

  The display control unit 207 controls the display of the output unit 187. For example, when the authentication unit 205 determines that the authentication has failed, the display control unit 207 causes the display unit of the output unit 187 to display an image indicating a predetermined warning.

  The list generation unit 208 as a combination generation unit includes a random number generation unit 221 and a generation unit 222 in order to generate the list 81 in the personal computer 71.

  The random number generator 221 generates a random number AXi as original information for generating a combination of challenge C and response R. As described above, in this embodiment, it is assumed that a genuine random number is adopted as the random number AX, and the random number generation unit 221 generates a random number AX that cannot be estimated from the outside.

  The generation unit 222 generates the list 81. That is, every time the random number generation unit 221 generates a random number AXi, the generation unit 222 generates a combination of challenge Ci and response Ri using the random number AXi, and adds the combination to the list 81. When such processing is repeated n times, a list 81 in which n combinations of challenges C and responses R are stored is generated.

  The configuration of the personal computer 71 has been described above. Next, the configuration of the IC card 72 will be described.

[Block diagram showing functional configuration example of IC card 72]
FIG. 12 is a block diagram illustrating a functional configuration example of the IC card 72.

  The IC card 72 in FIG. 12 includes a control unit 241, a storage unit 242, a reception unit 243, a decryption unit 244, an encryption unit 245, and a transmission unit 246. These functional blocks are provided in a secure area (not shown).

  The control unit 241 performs overall control of the IC card 72.

  The storage unit 242 as a holding unit stores information necessary for authentication processing, that is, a key KC, a decryption algorithm D11, and an encryption algorithm E12.

  The receiving unit 243 receives the challenge Ci transmitted from the personal computer 71.

  The decryption unit 244 decrypts the challenge Ci received by the reception unit 243 using the key KC stored in the storage unit 242 in accordance with the decryption algorithm D11 stored in the storage unit 242, thereby calculating the calculated value. Find Ai.

  The encryption unit 245 encrypts the calculated value Ai obtained by the decryption unit 244 using the key KC stored in the storage unit 242 according to the encryption algorithm E12 stored in the storage unit 242.

  The transmission unit 246 transmits the calculated value Ai encrypted by the encryption unit 245 to the personal computer 71 as a response R. As the IC card 72, FeliCa (registered trademark of Sony Corporation), Mifare (registered trademark), etc. that are actually used as electronic money, prepaid card, employee ID card, ID card, etc. can be applied. This card already has an encryption algorithm and a decryption algorithm for mutual authentication, and only a dedicated key KC needs to be newly assigned.

  Heretofore, each component of the authentication system 151 in FIG. 8, that is, each component of the list generation device 101, the personal computer 71, and the IC card 72 has been described in order.

  Therefore, hereinafter, each component of the authentication system 151 of FIG. 8, that is, each operation of the list generation device 101, the personal computer 71, and the IC card 72 will be sequentially described in that order.

  That is, first, a list generation process executed by the list generation apparatus 101 will be described with reference to FIG. Next, an authentication process executed by the personal computer 71 and the IC card 72 using the list 81 generated by the list generation process will be described with reference to FIGS. In the present embodiment, since the personal computer 71 is a one-side authentication process in which the IC card 72 is authenticated, the one-side authentication process executed by the IC card 72 is referred to as a one-side authenticated process.

[List generation process]
FIG. 13 is a flowchart for explaining an example of list generation processing by the list generation apparatus 101.

  In step S <b> 1, the control unit 161 sets the combination number i = 1 stored in the list 81.

  In step S2, the random number generator 162 generates a random number AXi of number i.

  In step S3, the encryption unit 163 generates a challenge Ci by encrypting the random number AXi using the key KC according to the encryption algorithm E11.

  In step S4, the encryption unit 163 generates a response Ri by encrypting the random number AXi using the key KC according to the encryption algorithm E12.

  In step S <b> 5, the generation unit 164 adds the combination of the challenge Ci and the response Ri to the list 81.

  In step S6, the control unit 161 determines whether an instruction to end the process is given.

  If the end of the process has not been instructed yet, it is determined as NO in step S6, and the process proceeds to step S7.

  In step S7, the control unit 161 increments the number i by 1 (i = i + 1). When the number i is incremented, the process is returned to step S2, and the subsequent processes are repeated. That is, unless the process is instructed, the random number AXi is changed, the loop process of steps S2 to S7 is repeated, and each time a combination of challenge C and response R is added to the list 81 one by one. Go.

  Thereafter, when the processes in steps S2 to S7 are repeated n times, it is determined that the process is instructed to be YES in step S6, and the list generation process ends. As a result, a list 81 in which n combinations are stored is generated.

  In this way, in the list generation process, the combination of challenge C and response R is sequentially added to the list 81 until the end of the process is instructed, so the total number of combinations of challenge C and response R stored in the list 81 n can be any number. That is, as described above with reference to FIG. 6, the user can generate the list 81 in accordance with the balance between security strength and cost required by the authentication system 61.

  The list 81 generated by the list generation process is safely delivered to the personal computer 71. In this embodiment, in a factory or the like where the list 81 is generated, the IC card 72 is generated together with the list 81. As described above, the IC card 72 includes the same key KC used for generating the list 81 in the secure area 91 and the decryption algorithm corresponding to the encryption algorithm E11 used for generating the list 81. D11 and the same encryption algorithm E12 used to generate the list 81. The list 81 and the IC card 72 generated as a pair in this way are each safely delivered to the user. The list 81 can be provided by being recorded on a removable medium such as a predetermined CD or a semiconductor memory.

  The list generation process has been described above. Next, one-side authentication processing in which the personal computer 71 authenticates the IC card 72 will be described as authentication processing using the list 81 generated by the list generation processing.

[One-sided authentication process of personal computer 71]
FIG. 14 is a flowchart for explaining an example of the one-side authentication process of the personal computer 71.

  Here, it is assumed that the authentication count i for the IC card 72 is stored and managed in the storage unit 188. In addition, it is assumed that the list 81 is also transferred and stored from the removable medium to the storage unit 188.

  In step S <b> 21, the control unit 201 determines whether the authentication count i is stored in the storage unit 188.

  If the authentication count i is not stored, that is, if it is the first authentication, it is determined NO in step S21, and the process proceeds to step S22.

  In step S22, the control unit 201 sets the number of authentications i = 1. If the authentication count i = 1 is set, the process proceeds to step S27. The processing after step S27 will be described later.

  On the other hand, when the number of times of authentication i is stored, that is, when it is not the first authentication, it is determined as YES in Step S21, and the process proceeds to Step S23.

  In step S <b> 23, the control unit 201 reads the stored authentication count i from the storage unit 188.

  In step S24, the control unit 201 increments the authentication count i by one.

  In step S <b> 25, the control unit 201 determines whether the authentication count i is larger than the total number n of combinations in the list 81.

  If the authentication count i is smaller than the total number n of combinations in the list 81, it is determined as NO in step S25, and the process proceeds to step S27. The processing after step S27 will be described later.

  On the other hand, when the number of times of authentication i is larger than the total number n of combinations in the list 81, it is determined as YES in Step S25, and the process proceeds to Step S26.

  In step S26, the control unit 201 sets the number of authentications i = 1. That is, the case where the authentication count i exceeds the total number n of combinations in the list 81 means that the previous authentication count (i−1) was the total number n of combinations in the list 81. In the present embodiment, a combination of a challenge Ci and a response Ri is used in the one-side authentication process with the number of authentications i. Therefore, the case where the number of times of authentication i exceeds the total number n of combinations of the list 81 means that the combination of the last challenge Cn and the response Rn of the list 81 is used in the authentication process of the previous number of times of authentication i. This means that all combinations in the list 81 are used. Therefore, in such a case, the control unit 201 allows the list 81 to be reused by resetting the authentication count i to 1. In this embodiment, the combinations in the list 81 are used in order from the top. This is because if a combination in the list 81 is selected at random, combinations used in the past may be used in duplicate. Note that such processing is merely an example, and for example, a new combination of a challenge Ci and a response Ri may be created.

  In step S <b> 27, the selection unit 202 selects a challenge Ci from the list 81.

  In step S28, the transmission control unit 203 controls the communication unit 189 to transmit the challenge Ci selected in step S27 to the IC card 72.

  As will be described later with reference to FIG. 15, the IC card 72 transmits a response R corresponding to the received challenge Ci (step S44 in FIG. 15). Therefore, in step S29, the reception control unit 204 determines whether or not the response R from the IC card 72 has been received.

  When the response R is not received, it is determined as NO in Step S29, the process returns to Step S28, and the subsequent processes are repeated. That is, until the response R is received, the challenge Ci is transmitted at predetermined time intervals by repeating the loop processing of steps S28 and S29NO. If the response R cannot be received even if the challenge Ci is transmitted a predetermined number of times, the processing may be stopped.

  Thereafter, when the response R is received, it is determined as YES in Step S29, and the process proceeds to Step S30.

  In step S30, the recognition unit 205 determines whether the received response R matches the response Ri corresponding to the challenge Ci selected from the list 81 in the process of step S27.

  If the response R matches the response Ri selected from the list 81, the process proceeds to step S31.

  In step S31, the authentication unit 205 authenticates the IC card 72. Thereby, login to the personal computer 71 becomes possible.

  In step S32, the storage control unit 206 controls the storage unit 188 to store the authentication count i. Thus, the one-side authentication process of the personal computer is completed.

  On the other hand, if the response R does not match the response Ri selected from the list 81, it means an authentication failure, and the process proceeds to step S33.

  In step S <b> 33, the display control unit 207 displays an image indicating an authentication failure warning on the display unit of the output unit 187. Thereby, a process progresses to step S32.

  In step S32, the storage control unit 206 controls the storage unit 188 to store the authentication count i. Thus, the one-side authentication process of the personal computer is completed.

  In contrast to the one-side authentication process of such a personal computer, the one-side authenticated process of the IC card 72 is executed as follows.

[Authentication process on one side of IC card 72]
FIG. 15 is a flowchart for explaining an example of the one-side authenticated process of the IC card 72.

  In step S <b> 41, the receiving unit 243 determines whether a challenge Ci has been received from the personal computer 71. This challenge Ci is transmitted in the process of step S28 in FIG.

  If the challenge Ci has not been received, it is determined as NO in step S41, the process returns to step S41, and the subsequent processes are repeated. That is, until the challenge Ci is received, the determination process of step S41 is repeated, and the one-side authenticated process of the IC card 72 enters a standby state.

  Thereafter, when the challenge Ci is received, it is determined as YES in Step S41, and the process proceeds to Step S42.

  In step S42, the decryption unit 244 obtains the calculated value Ai by decrypting the challenge Ci using the key KC according to the decryption algorithm D11.

  In step S43, the encryption unit 245 encrypts the calculated value Ai using the key KC according to the encryption algorithm E12.

  In step S44, the transmission unit 246 transmits the encrypted calculated value Ai as a response R to the personal computer 71.

  Thereby, the one-side authentication processing of the IC card 72 is completed.

  As described above, in the present embodiment, the authenticating personal computer 71 authenticates the IC card 72 without holding the key and the algorithm. On the other hand, the list generation device 101 and the IC card 72 hold keys and algorithms in a secure environment. As a result, the personal computer 71 on the authentication side can ensure safety even if the IC card 72 is authenticated in an insecure environment.

  The lists 81-1 to 81-N held by the personal computers 71-1 to 71-N are different from each other. Therefore, even if the list 81 held by one personal computer 71 is stolen by a third party, there is no possibility of affecting the security of other personal computers 71.

  Therefore, as described above, it is preferable to use the IC card 72 for login processing to the personal computer 71 having no secure area. The reason is as follows.

  First, since the personal computer 71 is locked, a third party who cannot log in to the personal computer 71 cannot obtain the list 81 held by the personal computer 71 in the first place. Even if a third party acquires the list 81 held by the personal computer 71 by some means, the key and the encryption algorithm that generated the list 81 cannot be acquired. This is because the key and the encryption algorithm that generated the list 81 are not stored in the personal computer 71 but are stored in a secure environment such as a generation factory of the personal computer 71.

  The lists 81-1 to 81-N held by the personal computers 71-1 to 71-N are different from each other. Therefore, even if the third party acquires the list 81-1 held by the personal computer 71-1 by some means, for example, the other personal computers 71-2 to 71- using the acquired list 81-1. You cannot log in to N.

  Furthermore, the list 81 of the personal computer 71 does not need to store all the combinations of the combination data group 141 described above, and may store some combinations of the combination data group 141. In such a case, even if the list 81 may be stolen by a third party, the user may update the list 81 using another partial combination of the combination data group 141. Thereby, even if the third party uses the stolen list 81 thereafter, the third party cannot log in to the personal computer 71.

  Further, it is very difficult for a third party to impersonate the paired IC card 72 based on the stolen list 81. That is, as described with reference to FIG. 6, for example, even if a third party knows the response Ri corresponding to the challenge Ci, the maximum number of trials until the same challenge Ci is used for authentication again is It is equal to the total number n of combinations in the list 81. Therefore, since the third party must constantly monitor the corresponding challenge Ci from a number of combinations and send the corresponding response Ri, the act of impersonating the paired IC card 72 Becomes very difficult.

[Improvement of security strength]
As described above, by employing the authentication system to which the present invention is applied, the security strength is high even if the one-side authentication process is executed in an insecure environment. However, as long as the environment is not secure, it is difficult to establish complete security. Therefore, some measures that can further improve the security strength will be described below.

  In the example of the one-side authentication process in FIG. 14 described above, the personal computer 71 periodically transmits a challenge Ci at predetermined time intervals. In this case, a third party who does not have the IC card 72 can easily acquire the challenge Ci. Therefore, in order to improve the security strength of the authentication system 61, the personal computer 71 transmits a control signal (hereinafter referred to as polling) for detecting the IC card 72 before transmitting the challenge Ci. May be. The IC card 72 that has received the polling transmits a control signal indicating a response to the polling to the personal computer 71. The personal computer 71 starts transmission of the challenge Ci only when this control signal is received.

  Furthermore, in order to further improve the security strength, it is preferable to include information on the card identifier Idm of the IC card 72 in a control signal indicating a response to polling. In this case, the personal computer 71 recognizes the card identifier Idm based on the control signal from the IC card 72, and only when the recognized card identifier Idm can be identified as that of the IC card 72, the challenge Ci. Start sending.

[Measures to limit list 81 combinations]
By the way, since the total number n of combinations stored in the list 81 is finite, some measures are required when the total number n of all combinations in the list 81 is used up to the end. As such a measure, in the above-described embodiment, the measure of reusing from the top combination of the list 81 is taken again.

  However, the present invention is not particularly limited to this measure. In addition, for example, when the current list 81 is used to the end, a new measure 81 may be generated and updated. In this case, as described with reference to FIGS. 4 and 5, the new list 81 may be generated by the list generation apparatus 101 or may be generated by the personal computer 71. The new list 81 generated by the list generation device 101 is provided again to the user.

  Further, the personal computer 71 may appropriately generate a new combination at an appropriate timing and add it to the list 81. At the next authentication, the personal computer 71 may take a measure using the list 81 to which the new combination is added.

  For example, the personal computer 71 can generate a new combination and add it to the list 81 when the IC card 72 has successfully logged in. Specifically, for example, when the IC card 72 has successfully logged in, the personal computer 71 newly generates M combinations (M is an arbitrary integer value) of the challenge C and the response R, and the list 81 Can be added.

  Here, the combination generated in the J-th (J is any integer value from 1 to M) upon successful login for the first time (I is any integer value from 1 to N) (challenge C (I, J ), Response R (I, J)), the following N × M combinations are newly generated for the first list 81 when the IC card 72 is successfully logged in for the Nth time. It will be.

(Challenge C (1,1), response R (1,1)),
(Challenge C (1,2), Response R (1,2)) ...
(Challenge C (1, M), Response R (1, M))

(Challenge C (2,1), Response R (2,1)),
(Challenge C (2,2), Response R (2,2)) ...
(Challenge C (2, M), Response R (2, M))

...
(Challenge C (N, 1), response R (N, 1)),
(Challenge C (N, 2), Response R (N, 2)) ...
(Challenge C (N, M), Response R (N, M))

  In this way, at the Nth login, N × M new combinations are added to the first list 81, and at the next authentication, the list 81 including these added new combinations is added. Used. In this way, it can be avoided that all the combinations of the list 81 are used.

  In this case, the personal computer 71 does not authenticate the IC card 72 by a single determination of validity using only one combination, but determines the validity multiple times using a plurality of arbitrary combinations. Thus, the IC card 72 may be authenticated. This improves the security strength.

  Furthermore, if a personal computer uses what was produced | generated at the discrete date and time as a several combination used when authenticating the IC card 72, a security strength will improve further.

Specifically, for example,
(Challenge C (I, 1), response R (I, 1)),
(Challenge C (I, 2), Response R (I, 2)) ...
(Challenge C (I, M), Response R (I, M)) is
It is generated almost simultaneously when the I-th login succeeds, and is transmitted between the personal computer 71 and the IC card 72 almost simultaneously. Therefore, the personal computer 71 does not authenticate the IC card 72 using these M combinations.

Instead, the personal computer 71 may use a combination generated at the time of login for L different times from 1 to N times in the N + 1th authentication. For example, the personal computer 71 is a combination generated at the time of authentication different from each other (challenge C (1, 1), response R (1, 1)),
(Challenge C (2,1), Response R (2,1)), ...
(Challenge C (L, 1), Response R (L, 1))
Can be used to authenticate the IC card 72.

In the next N + 2 authentication, the personal computer 71, for example,
(Challenge C (1,2), Response R (1,2)),
(Challenge C (2,2), Response R (2,2)) ...
(Challenge C (L, 2), Response R (L, 2))
The IC card 72 may be authenticated using.

Alternatively, at the time of N + 2 authentication, if the personal computer 2L ≦ N + 1, for example,
(Challenge C (L + 1, 1), response R (L + 1, 1)),
(Challenge C (L + 2, 1), Response R (L + 2, 1)) ...
(Challenge C (2L, 1), Response R (2L, 1))
The IC card 72 may be authenticated using.

  In short, it is necessary to authenticate the IC card 72 using a combination generated at each timing when login is successful at different times. For this purpose, for example, the personal computer 71 records the generation date and time of the combination or records the login success number. It is assumed that the login success number is incremented by 1 every time login is successful. That is, the login success number represents the number of successful logins. As a result, the personal computer 71 can reliably select a temporally discrete combination by selecting the combination using the generation date and time or the login success number at the next authentication.

  Furthermore, it is necessary that the combination used for authentication of the IC card 72 is not used for the subsequent authentication. For this purpose, for example, the personal computer 71 deletes the combination once used from the list 81. As a result, the combination once used is prevented from being used again, and the capacity of the list 81 is prevented from increasing.

  Further, the number of combinations to be added to the list 81 need not be the same every time, and may be automatically adjusted according to, for example, the free space of the list 81. For example, if login is not successful, the combination used for login is deleted from the list 81, but a new combination may not be generated. In such a case, the personal computer 71 can avoid running out of combinations by generating and adding more combinations than usual when the login succeeds next time.

  Heretofore, several examples have been described regarding measures for the total number n of combinations in the list 81 being finite. Of course, the measures described above are exemplary and other measures can be taken alone or in combination. For example, a measure may be taken to present some warning to the user when the last combination in the list 81 is approaching. A measure for presenting such a warning may be combined with the measures described above, for example, a measure for newly generating the list 81 and a measure for adding a combination upon successful login. That is, at the same time as the warning, the user may be notified that it is recommended to take a measure for newly generating the list 81 or a measure for adding a combination upon successful login. If the user takes no action and uses the last combination in the list 81 in spite of such a warning or notification, the login by the IC card 72 is invalidated. Also good. In this case, for example, it may be switched to login by other means using a conventional account name and password.

[Unauthorized authentication method]
By the way, when taking a measure to add a combination upon successful login as a measure for the total number n of combinations in the list 81 being careful. That is, the personal computer transmits a new challenge C immediately after login, and when the response R is transmitted from the IC card 72 that has received the challenge C, the personal computer generates a combination of the transmitted challenge C and response R. Add. At this time, if another IC card 72 approaches the personal computer, the personal computer 71 transmits a challenge C to the other IC card 72 and receives a response R from the other IC card 72. Note that there is a risk of creating and adding inappropriate combinations.

  Therefore, the personal computer 71 may authenticate the target IC card 72 during or immediately after generating and adding a new combination so that the response R from another IC card 72 is not received. . That is, the personal computer 71 selects a challenge Ci from the list 81 and transmits it to the IC card 72 and receives the response R. Then, the personal computer 71 authenticates the IC card 72 when the received response R is the response Ri corresponding to the challenge Ci. Such a method of authenticating the IC card 72 can be said to be a method of authenticating the IC card 72 by punching. Therefore, such a method is hereinafter referred to as “unsigned authentication method”.

  In the unauthenticated authentication method, the personal computer 71 determines that the authentication has failed when the received response R is different from the response Ri paired with the transmitted challenge Ci. If the personal computer 71 determines that the authentication has failed, for example, all the combinations newly generated and added to the list 81 after the previous login can be discarded. As a result, the inappropriate combination can be completely removed, so that the security strength is improved.

  Furthermore, the personal computer 71 can present a warning indicating an authentication failure to the user. As a result, the user can recognize that the personal computer 71 has been attacked by a third party.

  In this way, after taking measures against authentication failure, the personal computer 71 generates a new combination not only at the time of the login operation by the IC card 72 but also at an arbitrary timing by adopting the unauthenticated authentication method. It becomes possible to add to the list 81.

  Note that if the frequency of authentication processing by the unauthenticated authentication method is increased, all combinations in the list 81 may be used up. Therefore, in order to avoid such a fear, a dedicated combination can be used in the authentication process by the unauthenticated authentication method so that it is not deleted even if it is used once. In other words, when authenticating the IC card 72, the personal computer 71 first executes a so-called unauthenticated authentication process using a dedicated combination. Only when the authentication is successful, the personal computer 71 performs the formal authentication process again using the list 81. Execute.

  Alternatively, as described above, even if the card identifier Idm of the IC card 72 is used, it is possible to avoid the risk that the list 81 will be used up by adopting the unauthenticating authentication method. Specifically, the personal computer 71 stores the card identifier Idm of the IC card 72, and uses the list 81 only immediately after the control signal including information indicating the identifier Idm is transmitted from the IC card 72. Then, the IC card 72 is authenticated.

[Mechanism to understand that List 81 was stolen by a third party]
In order to further improve the security strength, when the list 81 is stolen by a third party, it is preferable to present a warning to that effect to the user. However, in order to present such a warning, the personal computer 71 needs to recognize that the list 81 has been stolen by a third party. Therefore, an example of a technique by which the personal computer 71 can recognize that the list 81 has been stolen by a third party will be described below.

  That is, in this method, when the personal computer 71 (or the list generation device 101) generates or updates the list 81, a combination including an erroneous response R is intentionally inserted into the list 81. In this case, the intentionally wrong command message (罠) is uniformly mixed in the list 81 so that it cannot be distinguished which command message is intentionally wrong (ie, 罠). However, the authentication unit 205 of the personal computer 71 ensures that the erroneous response R can be recognized intentionally. For example, the combination of a command message of 18 76 13 76 4a 5b d5 d3 and a command message of 6c 5d 73 76 26 3a be d3 in 8 bytes is set so that the personal computer 71 will handle it specially. deep. The personal computer 71 includes such a command message in the list 81 and uses it for authentication processing when the IC card 72 is logged in.

  Here, if a third party has stolen the list 81, the third party will transmit a response R based on the stolen list 81. In such a case, the personal computer 71 can recognize that the list 81 has been stolen at the time when a normal response R is transmitted. When the personal computer 71 recognizes that the list 81 has been stolen, for example, it presents a warning indicating that the list 81 has leaked to the outside, invalidates the authentication by the IC card 72, and logs in by other means. Can be switched. In this way, the security strength is further improved.

[Use of authentication system 151 for business]
By the way, the authentication system 151 described above can be applied to various fields and various businesses.

  In this case, in any field and any business, the personal computer 71 needs to hold the list 81, and the IC card 72 needs to hold a key or algorithm paired with the list 81 in the secure area. is there.

  It is assumed that the list 81 is sold at a factory where the personal computer 71 is produced and sold before the personal computer 71 is shipped, and when it is sold later.

  For example, a case where the user of the personal computer 71 requests that the list 81 is changed to a new list 81 because the list 81 may be stolen by a third party is assumed. Also, for example, when the user of the personal computer 71 has used up the combination of the list 81 to the end but does not want to use the same list 81 again, the user requests a new list 81, or when the user is sold later. Expected to be true.

  When the list 81 is sold later, the price of the list 81 can be changed according to the number of combinations.

  In this way, by allowing the list 81 to be sold not only before shipment but also later, it is possible to avoid the use of the list 81 only for sold-out business.

  Further, for example, a plurality of login keys and algorithm sets can be registered in the IC card 72 in advance. As a result, the user having the IC card 72 can use the authentication system 151 simply by purchasing the list 81 and software related to the list 81 and installing them on the personal computer 71 using the Internet. Become.

  For example, various IC cards as login application-compatible cards function as an IC card 72 by incorporating a plurality of login keys and algorithm sets. The key of the set may be changed on the Internet. In this case, when the user of the IC card purchases a set to function as the IC card 72, the user changes the key using the Internet. Thereby, after that, the business which enables it to purchase the list 81 only from the account which the said user used can be provided.

  In addition, keys and sets may be registered in advance in the IC card 72 so that the keys can be changed and the list 81 can be issued using the Internet. In this case, when the user accesses the server functioning as the list generation device 101 using the Internet via the personal computer 71 and pays a fee related to the IC card 72, for example, the user can connect the server and the IC card 72. Mutual authentication is performed. Then, the server reads a set of keys held in the secure area of the IC card 72 and generates a list 81 based on the keys. The list 81 generated in this way is delivered to the user's personal computer 71 via the Internet. The user can receive provision of various services by the authentication system 151 using the list 81 by holding the delivered list 81 in the personal computer 71. Even if the user loses the list 81, the user can continue to use the authentication system 151 by purchasing another list 81 based on a different random number. Thus, since the list 81 that can be purchased is different every time, even if a third party purchases the list 81, it does not pose a security threat.

  As described above, in the authentication system 151 of the present embodiment, the one-side authentication process in which the personal computer 71 in an insecure environment authenticates the IC card 72 can be executed.

[Application of the present invention to a program]
The series of processes described above can be executed by hardware or can be executed by software.

  When a series of processing is executed by software, a program constituting the software may execute various functions by installing a computer incorporated in dedicated hardware or various programs. For example, it is installed from a network or a recording medium into a general-purpose personal computer or the like.

  A recording medium including such a program is distributed to provide a program to the user separately from the main body of the apparatus, and includes a magnetic disk (including a floppy disk) on which the program is recorded, an optical disk (CD-ROM (Compact Removable media (package media) such as disk-read only memory (DVD) (including digital versatile disk), magneto-optical disk (including MD (mini-disc)), or semiconductor memory, such as the removable media shown in FIG. In addition to being configured by 191, it is included in a ROM in which a program is recorded, for example, a ROM 182 in FIG. 10 or a storage unit 188 in FIG. It consists of a hard disk.

  In the present specification, the step of describing the program recorded on the recording medium is not limited to the processing performed in chronological order according to the order, but is not necessarily performed in chronological order, either in parallel or individually. The process to be executed is also included.

  Further, in this specification, the system represents the entire apparatus constituted by a plurality of apparatuses.

  The present invention is widely applied to devices that have a one-side authentication function for authenticating the other party, such as a personal computer, a mobile phone, a reader / writer device, etc., as well as devices that do not have a secure area. be able to. Further, the present invention can be widely applied to devices having a secure area as devices to be authenticated, such as IC cards, IC tags, and the like, which have a function of communicating with devices on the authentication side. it can.

  61 authentication system, 71 personal computer, 72 IC card, 81 list, 91 secure area, 101 list generation device, 121 secure area, 141 combination data group, 151 authentication system, 161 control unit, 162 random number generation unit, 163 encryption unit , 164 generation unit, 165 storage unit, 188 storage unit, 181 CPU, 201 control unit, 202 selection unit, 203 transmission control unit, 204 reception control unit, 205 authentication unit, 206 storage control unit, 207 display control unit, 208 list Generator, 221 random number generator, 222 generator, 241 controller, 242 storage, 243 receiver, 244 decryptor, 245 encryptor, 246 transmitter

Claims (14)

Using a common key shared with the IC card to be authenticated, according to a first encryption algorithm corresponding to the decryption algorithm possessed by the IC card, a random number is encrypted in advance, and the value obtained as a result is taken as a challenge, Using a common key, the random number is pre-encrypted according to a third encryption algorithm that is the same as the second encryption algorithm of the IC card, and the resulting value is used as a response to change the random number. Holding means for holding a list in which combinations of the challenge and the response in the n ways (where n is a plurality of integer values) generated are stored,
Selecting means for selecting a set of combinations from the list held by the holding means;
Transmission control means for transmitting the challenge included in the combination selected by the selection means;
The challenge transmitted from the transmission control means is received by the IC card, decrypted according to the decryption algorithm using the common key, and a calculated value obtained as a result is obtained using the common key. Receiving control means for receiving the response when the value obtained as a result of the encryption is transmitted as the response.
An information processing apparatus comprising: an authentication unit that authenticates the IC card when the response received by the reception control unit matches the response included in the combination selected by the selection unit. Each of the n combinations stored in the list is given any number from 1 to n,
The information processing apparatus according to claim 1, further comprising: a presentation unit that presents a warning indicating that the nth approach has been approached to the user when the combination of a predetermined number or more is selected by the selection unit. Until the last combination of the n combinations is selected by the selection unit, when the IC card is authenticated by the authentication unit, a login process of the information processing apparatus is executed, and the selection is performed. After the last combination of n combinations is selected by the means, the authentication means prohibits execution of login processing using authentication of the IC card, and instead uses an account name and password. The information processing apparatus according to claim 2, wherein the authentication process is performed. A combination generation unit that executes a process of generating the combination of the challenge and the response at a predetermined timing;
The information processing apparatus according to claim 1, wherein at least a part of the list held by the holding unit is updated every time the combination is generated by the combination generation unit. The combination generation means generates n new combinations when the n selections included in the list are selected by the selection means,
The information processing apparatus according to claim 4, wherein the list held by the holding unit is updated to a new list in which the new n combinations generated by the combination generation unit are stored. The combination generation unit generates one or more combinations each time the authentication unit authenticates the IC card,
The information processing apparatus according to claim 4, wherein the list is updated by adding the one or more combinations generated by the combination generation unit to the list held by the holding unit. The processing by the selection means, the transmission control means, the reception control means, and the authentication means is repeated L times (L is an integer value of 2 or more), and the IC card is authenticated by the authentication means for all L times. The information processing apparatus according to claim 6, wherein the authentication of the IC card is successful. The information processing apparatus according to claim 1, wherein the combination including an intentionally erroneous response is stored in the list held by the holding unit. The reception control means receives the list when the list is transmitted from another information processing apparatus via a predetermined network;
The information processing apparatus according to claim 1, wherein the holding unit holds the list received by the reception control unit. Using a common key shared with the IC card to be authenticated, according to a first encryption algorithm corresponding to the decryption algorithm possessed by the IC card, a random number is encrypted in advance, and the value obtained as a result is taken as a challenge, Using a common key, the random number is pre-encrypted according to a third encryption algorithm that is the same as the second encryption algorithm of the IC card, and the resulting value is used as a response to change the random number. A selection step of selecting a set of combinations from a list in which combinations of the challenges and the responses of n types (n is a plurality of integer values) generated by
A transmission control step of transmitting the challenge included in the combination selected by the processing of the selection step;
The challenge transmitted by the process of the transmission control step is received by the IC card, decrypted according to the decryption algorithm using the common key, and a calculated value obtained as a result is obtained using the common key. A reception control step of receiving the response when encrypted according to the second encryption algorithm and the resulting value is transmitted as the response;
An information processing method comprising: an authentication step of authenticating the IC card when the response received by the process of the reception control step matches the response included in the combination selected by the process of the selection step . Using a common key shared with the IC card to be authenticated, according to a first encryption algorithm corresponding to the decryption algorithm possessed by the IC card, a random number is encrypted in advance, and the value obtained as a result is taken as a challenge, Using a common key, the random number is pre-encrypted according to a third encryption algorithm that is the same as the second encryption algorithm of the IC card, and the resulting value is used as a response to change the random number. A set of combinations is selected from a list in which combinations of the challenge and the response in the n ways (where n is a plurality of integer values) are stored,
Sending the challenge included in the selected combination;
The challenge transmitted by the IC card is received and decrypted according to the decryption algorithm using the common key, and the resulting calculated value is the second encryption algorithm using the common key. When the value obtained as a result is transmitted as the response, the response is received,
A program for causing a computer to execute a control process including a step of authenticating the IC card when the received response matches the response included in the selected combination. Random number generating means for generating a random number;
Challenge the value obtained as a result of encrypting the random number generated by the random number generating means using a first encryption algorithm corresponding to the decryption algorithm of the IC card using a common key shared with the IC card. As a response, a value obtained as a result of encrypting the random number using a third encryption algorithm identical to the second encryption algorithm possessed by the IC card using the common key, and the challenge and the response Encryption means for repeating the process of generating a combination with the random number,
Generation means for generating the list to be provided to the device for authenticating the IC card by repeating the process of adding the combination to the list each time the combination is generated by the encryption means; and
The random number generation means, the encryption means, and the generation means are arranged in a secure environment. A random number generation step for generating a random number;
A value obtained as a result of encrypting the random number generated by the processing of the random number generation step by using a first encryption algorithm corresponding to a decryption algorithm possessed by the IC card using a common key shared with the IC card As a response, and using the common key as a response, a value obtained as a result of encrypting the random number using a third encryption algorithm identical to the second encryption algorithm of the IC card, An encryption step of repeating the process of generating a combination with the response while changing the random number;
A step of generating the list to be provided to a device for authenticating the IC card by repeating the process of adding the combination to the list each time the combination is generated by the process of the encryption step; and
The random number generation step, the encryption step, and the generation step are performed in a secure environment. Generate random numbers,
Using the common key shared with the IC card as a challenge, a value obtained as a result of encrypting the generated random number with a first encryption algorithm corresponding to the decryption algorithm possessed by the IC card. The combination of the challenge and the response is generated by using a value obtained as a result of encryption by the third encryption algorithm same as the second encryption algorithm of the IC card using the common key as a response. To repeat the process of changing the random number,
A program for causing a computer to execute a control process including a step of generating the list to be provided to a device that authenticates the IC card by repeating the process of adding the combination to the list each time the combination is generated. And
A control process including steps for generating, encrypting, and generating a random number is a program executed in a secure environment.

Images