JP2019097032A - Secure element, client terminal, information processing method, and information processing program - Google Patents

Abstract

To provide a secure element connected to a client terminal, which is capable of securing sufficient security on the client terminal side in encrypted communication performed between a client terminal and a server.SOLUTION: A secure element stores some types of data or performs some processing according to the degree of risk of communication between a client terminal and a server for multiple types of data stored by the client terminal for encrypted communication with the server, and multiple types of processing performed by the client terminal for encrypted communication with the server.SELECTED DRAWING: Figure 7

Description

  The present invention relates to the technical field of using a secure IC chip for encrypted communication.

  In recent years, the IoT (Internet of Things) products that are beginning to become popular are, for example, acquiring data measured by sensors included in the IoT products with a server device (hereinafter sometimes referred to as "server") It may be used for the purpose of remote management. Therefore, IoT products are connected to servers through networks such as the Internet, but it is naturally required to communicate securely. In TLS (Transport Layer Security) generally used for the purpose of communicating safely, a server and a client terminal such as an IoT product (hereinafter sometimes referred to as “terminal”) are connected for the first time. In order to be able to communicate, both sides share a common key while using the public key encryption to confirm the other party, and then adopt a method of transmitting and receiving encrypted data with the other side using the common key encryption.

  Not limited to IoT products, terminals that perform TLS communication with the server perform multiple types of processing such as processing for generating key information and processing using key information to perform TLS communication. However, an attack on a terminal may leak information such as a key related to such processing, which may hinder safe communication.

  In Patent Document 1, for the purpose of establishing a secure communication path, a security chip is connected to a terminal, the security chip stores a client certificate, and decrypts an encrypted session key received from a server. Techniques for storing and storing are disclosed.

JP, 2006-129143, A

  However, the technology described in Patent Document 1 causes the security chip to store part of data necessary for establishing a secure communication path, or to execute part of processing. Security can not be secured.

  On the other hand, the CPU and memory included in the IC chip, which is regarded as a security chip, are generally of lower specifications than those included in a PC (Personal Computer) and the like, and all processing for TLS communication is performed. There is a problem that processing time becomes long.

  Therefore, the present invention provides a secure element or the like connected to a client terminal, which can ensure sufficient security on the client terminal side in encrypted communication performed by the client terminal with the server. The purpose is to

  In order to solve the above problem, the invention according to claim 1 is a secure element connected to a client terminal that performs encrypted communication with a server, wherein the client terminal is for the encrypted communication. And storage means for storing data of at least a part of the plurality of types of data to be stored according to the degree of risk of communication between the client terminal and the server, instead of the client terminal, and the client terminal And processing means for performing at least a part of the processing corresponding to the degree of risk of the communication among the plurality of processing performed for the encrypted communication, in place of the client terminal.

  The invention according to claim 2 is the secure element according to claim 1, wherein the plurality of types of data are a premaster secret, a master secret, and a session key.

  The invention according to claim 3 is the secure element according to claim 1 or 2, wherein the plurality of processes includes a process of generating a premaster secret, an encryption process of the premaster secret, and a process of generating a signature. It is characterized in that it is a master secret generation process and a session key generation process.

  The invention according to claim 4 is the secure element according to claim 2, wherein the storage means stores all of the plurality of types of data when the degree of risk is equal to or higher than a predetermined level. It features.

  The invention according to claim 5 is the secure element according to claim 3, wherein the processing means performs all of the plurality of processing when the degree of risk is the first level. Do.

  The invention according to claim 6 is the secure element according to claim 5, wherein the processing means, when the risk is a second level lower than the first level, the plurality of processes. Among them, it is characterized in that a premaster secret generation process, an encryption process of the premaster secret, a master secret generation process, and a session key generation process are performed.

  The invention according to claim 7 is the secure element according to claim 6, wherein the processing means is for the plurality of processes when the risk level is a third level lower than the second level. Among them, it is characterized in that a signature generation process is performed.

  The eighth aspect of the present invention is the secure element according to the fourth aspect, wherein, when the degree of risk is lower than the predetermined level, the storage means is the session among the plurality of types of data. It is characterized in that only the key is stored.

  The invention according to claim 9 is a client terminal which performs encrypted communication with a server and to which a secure element is connected, and among the plurality of types of data stored for the encrypted communication, First control means for transmitting to the secure element and storing at least a part of types of data according to the degree of risk of communication with the server, and a plurality of processes performed for the encrypted communication; And second control means for causing the secure element to perform at least a part of the processing according to the degree of risk of the communication.

  The invention according to claim 10 is an information processing method by a secure element connected to a client terminal for performing encrypted communication with a server, the storage element comprising a storage means and a processing means, wherein the storage means is the client terminal Among the plurality of types of data stored for the encrypted communication, at least some of the types of data corresponding to the risk of communication between the client terminal and the server are stored instead of the client terminal And at least a part of the plurality of processes performed by the client terminal for the encrypted communication according to the degree of risk of the communication, instead of the client terminal. And a processing step.

  The invention according to claim 11 is connected to a client terminal that performs encrypted communication with a server, and the client terminal and the client terminal among the plurality of types of data stored by the client terminal for the encrypted communication The client terminal includes a computer included in a secure element including storage means for storing instead of the client terminal at least some types of data according to the degree of risk of communication with the server, the client terminal performing the encrypted communication Among the plurality of processes to be performed, at least a part of the processes corresponding to the degree of risk of the communication is made to function as processing means to perform in place of the client terminal.

  According to the present invention, the secure element communicates with the client terminal with respect to a plurality of types of data stored by the client terminal for encrypted communication with the server and a plurality of processes performed by the client terminal for encrypted communication with the server. In encrypted communication performed by the client terminal with the server, by storing some types of data or performing some processing according to the degree of risk of communication with the server Sufficient security can be secured on the terminal side.

It is a block diagram showing an example of outline composition of communication system S concerning this embodiment. It is a block diagram showing an example of outline composition of terminal 1 concerning this embodiment. It is a figure which shows the structural example of danger degree determination table T memorize | stored in the memory | storage part 12 of the terminal 1 which concerns on this embodiment. It is a block diagram showing an example of outline composition of secure element 18 concerning this embodiment. These are block diagrams which show the example of a outline | summary structure of the server 2 which concerns on this embodiment. It is a flowchart which shows an example of the danger degree determination processing by the control part 11 of the terminal 1 which concerns on this embodiment. It is a sequence diagram which shows the operation example (in the case of danger "3") of the communication system S which concerns on this embodiment. It is a sequence diagram which shows the operation example (in the case of danger "2") of the communication system S which concerns on this embodiment. It is a sequence diagram which shows the operation example (in the case of danger "1") of the communication system S which concerns on this embodiment. It is a sequence diagram which shows the operation example of communication system S which concerns on the modification 1. FIG. It is a figure which shows the structural example of danger degree determination table T2 memorize | stored in the memory | storage part 12 of the terminal 1 which concerns on a modification 2. FIG.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The embodiment described below is an embodiment in the case where the present invention is applied to an IC chip (referred to as “secure element (SE)”) mounted on a terminal in a communication system including a terminal and a server.

  First, the configuration and function outline of the communication system S and the terminal 1 according to the present embodiment will be described with reference to FIG. 1 and the like.

[1. Configuration of Communication System S]
FIG. 1 is a block diagram showing an example of a schematic configuration of a communication system S according to the present embodiment. Communication system S includes terminal 1, secure element 18, and servers 2-1, 2-2, 2-3 (servers 2-1, 2-2, 2-3 may be collectively referred to as server 2). The terminal 1 and each server 2 can transmit and receive data mutually via the network NW. The network NW is constructed by, for example, a LAN (Local Area Network), the Internet, a dedicated communication line (for example, a CATV (Community Antenna Television) line), a mobile communication network (including a base station etc.), and a gateway. ing.

  The terminal 1 is an IoT device that includes a temperature sensor and measures temperature data obtained by measuring the ambient temperature. The server 2-1 is a server installed outside the LAN to which the terminal 1 belongs, and is a server that updates key information held by the terminal 1. The server 2-2 is a server installed outside the LAN to which the terminal 1 belongs, and is a server that does not update key information held by the terminal 1. The server 2-3 is a server installed in the LAN to which the terminal 1 belongs.

[2. Configuration of terminal 1]
FIG. 2 is a block diagram showing an example of a schematic configuration of the terminal 1 according to the present embodiment. As shown in FIG. 2, the terminal 1 includes a control unit 11, a storage unit 12, a wireless communication unit 13, a display unit 14, an input unit 15, an SE (secure element) interface 16, etc. Are connected to one another via a bus 17. The secure element 18 is connected to the SE interface 16 so that data can be transmitted to and received from the terminal 1.

  The control unit 11 is configured by a central processing unit (CPU), a read only memory (ROM), a random access memory (RAM), and the like. The storage unit 12 is configured of, for example, a non-volatile memory such as a flash memory. The ROM or the storage unit 12 stores an OS (Operating System) and middleware. The storage unit 12 also stores application software (software configured with an application program language) or the like installed in the terminal 1.

  Further, the storage unit 12 stores a degree-of-risk determination table T. FIG. 3 is a diagram showing an example of a schematic configuration of the danger level determination table T. As shown in FIG. In the degree-of-risk determination table T, “address of server to be connected” and information indicating “degree of risk” corresponding thereto are defined. Specifically, "3 (high)" is defined in association with "address of external server updating key information", and "2 (middle)" is defined in association with "address of other external server" And “1 (low)” is defined in association with “the address of the server in the same LAN”. For example, the server 2-1 corresponds to "an external server that updates key information", the server 2-2 corresponds to an "other external server", and the server 2-3 "in the same LAN" It corresponds to "server".

  Furthermore, the storage unit 12 uses a client certificate used for communication with the server 2-1, a client certificate used for communication with the server 2-2, a client secret key, and communication with the server 2-3. The client certificate and server public key are stored.

  The wireless communication unit 13 has an antenna, and controls wireless communication performed with a wireless LAN router (or a base station in a mobile communication network). The display unit 14 includes, for example, a liquid crystal panel, and displays an operation screen and the like by performing display control of the liquid crystal panel. The input unit 15 has an operation button for receiving an operation instruction from the user, and outputs a signal corresponding to the operation instruction to the control unit 11. The SE interface 16 is responsible for the interface between the control unit 11 and the secure element 18.

[3. Configuration of Secure Element 18]
FIG. 4 is a block diagram showing a schematic configuration example of the secure element 18 according to the present embodiment. As shown in FIG. 4, the secure element 18 is an IC chip with tamper resistance, and comprises a CPU 181, a RAM 182, a flash memory 183, an I / O circuit 184, etc. Connected to each other.

  The RAM 182 stores, for example, data temporarily necessary for the OS, middleware, and various applications to function.

  The flash memory 183 is, for example, a NOR flash memory, and stores an OS, middleware, an application, and the like.

  The flash memory 183 also includes a server public key used for communication with the server 2-1, a client secret key, a server public key used for communication with the server 2-2, and a client used for communication with the server 2-3. The secret key is stored.

  The I / O circuit 184 has eight connection terminals C1 to C8 defined by ISO 7816 or the like. Here, the C1 terminal is a power supply terminal (VCC), and the C5 terminal is a ground terminal (GND). The C2 terminal is a reset terminal (RST), and the C3 terminal is a clock terminal (CLK). The C7 terminal is used for communication between the CPU 181 and the control unit 11.

  When the CPU 181 receives a command from the control unit 11, the CPU 181 executes a process corresponding to the command and sends a response to the command to the control unit 11. The CPU 181 has a slower processing speed than the CPU included in the control unit 11 of the terminal 1.

[4. Configuration of server 2]
Next, the configuration of the server 2 will be described. As shown in FIG. 5, the server 2 is roughly divided into a control unit 211, a storage unit 212, a communication unit 213, a display unit 214, and an operation unit 215.

  The storage unit 212 is configured by, for example, a hard disk drive, and stores an operating system (OS), a service providing program, and various data.

  The communication unit 213 is connected to the network NW to control the communication state with the terminal 1 and the like.

  The display unit 214 is configured by, for example, a liquid crystal display or the like, and is configured to display information such as characters and images.

  The operation unit 215 includes, for example, a keyboard, a mouse, and the like, receives an operation instruction from the operator, and outputs the instruction content to the control unit 211 as an instruction signal.

  The control unit 211 is configured of a CPU, a ROM, a RAM, and the like. Then, the CPU reads and executes various programs stored in the ROM and the storage unit 212 to realize various functions.

[5. Operation of Communication System S]
Next, in the communication system S, a flow when the terminal 1 connects to the server 2 and performs encrypted communication (TLS communication) will be described. First, the process of the terminal 1 determining the risk of communication will be described using FIG. 6, and then the handshake according to the risk (encryption of communication data with the common key is performed using FIG. 7 to FIG. 9). Pre-processing for communication) will be described.

[5.1. Operation of terminal 1]
The danger level determination process performed when the terminal 1 connects to the server 2 will be described with reference to FIG. FIG. 6 is a flowchart showing an example of the danger degree determination process by the control unit 11 of the terminal 1.

  When starting connection to the server 2, the control unit 11 of the terminal 1 acquires the address of the server 2 to be connected (step S1).

  Next, the control unit 11 refers to the degree-of-risk determination table T, determines the degree of risk based on the address acquired in the process of step S1 (step S2), and ends the degree-of-risk determination process.

  That is, the control unit 11 determines which of “1” to “3” the risk degree of communication between the terminal 1 and the server 2 is in accordance with the server 2 to be connected by the risk degree determination processing.

[5.2. Operation of Communication System S When Risk Level is "3"]
Next, the operation flow of the communication system S when the degree of danger is determined to be “3” by the degree of danger determination processing will be described using FIG. 7.

  First, the control unit 11 of the terminal 1 generates a random number A for generating a master secret described later (step S101B). Next, the control unit 11 transmits the message "Client Hello" including the random number A generated in step S101B to the server 2 (step S102B). The control unit 11 also transmits the random number A generated in step S101 to the secure element 18 (step S103B).

  The control unit 211 of the server 2 having received the message "Client Hello" generates a random number B for generating a master secret to be described later (step S101A). Next, the control unit 11 transmits a message "Server Hello" including the random number B generated in step S101A to the terminal 1 (step S102A).

  The control unit 11 of the terminal 1 having received the message “Server Hello” transmits the random number B included in the message “Server Hello” to the secure element 18 (step S104B).

  Next, the CPU 181 of the secure element 18 generates a random number called a premaster secret (step S101C). Next, the CPU 181 encrypts the premaster secret generated in step S101C using the server public key (step S102C), and transmits the encrypted data to the terminal 1 (step S103C). The CPU 181 stores the premaster secret in the flash memory 183.

  On the other hand, after the end of step S102A, the control unit 211 of the server 2 transmits a message "Certificate Request" to the terminal 1 (step S103A). The message “Certificate Request” is a message for requesting the terminal 1 to transmit a certificate for client authentication (client certificate). Next, the control unit 211 transmits the message "Server Hello Done" to the terminal 1 (step S104A). When the terminal 1 receives this, it becomes the side that sends the message.

  The control unit 11 of the terminal 1 transmits a message "Client Certficate" including the client certificate to the server 2 in response to the message "Certificate Request" (step S105B). The client certificate is stored in advance in the storage unit 12 of the terminal 1.

  On the other hand, when the control unit 211 of the server 2 receives the message "Client Certficate" from the terminal 1, the control unit 211 verifies the client certificate contained therein and acquires the client public key (step S105A).

  In addition, when receiving the encrypted premaster secret from the secure element 18, the control unit 11 transmits a message "Client Key Exchange" including the encrypted premaster secret to the server 2 (step S106B). On the other hand, the control unit 211 of the server 2 decrypts the encrypted premaster secret with the server secret key to acquire the premaster secret (step S106A).

  After the end of step S106B, the control unit 11 of the terminal 1 transmits the signature creation data to the secure element 18 (step S107B). The signature creation data is, for example, a total hash value of commands that have been exchanged with the server 2 so far.

  On the other hand, the CPU 181 of the secure element 18 generates a signature using the signature generation data and the client secret key (step S104C), and transmits it to the terminal 1 (step S105C).

  Also, the CPU 181 generates a master secret using the random number A received in step S103B, the random number B received in step S104B, and the premaster secret generated in step S101C (step S106C), and then generates a session key. (Step S107C). At this time, the CPU 181 reports to the terminal 1 that the session key has been generated. The CPU 181 stores the master secret and the session key in the flash memory 183.

  On the other hand, when the control unit 11 of the terminal 1 receives the signature from the secure element 18, the control unit 11 transmits a message "Certificate Verify" including the signature to the server 2 (step S108B). Also, upon receiving a report from the secure element 18 that the session key has been generated, the control unit 11 transmits a message "Client Finished" to the server 2 (step S109B).

  On the other hand, when the control unit 211 of the server 2 receives the message "Certificate Verify" from the terminal 1, the control unit 211 performs the verification of the signature included in this using the client public key acquired in the process of step S105A.

  Next, the control unit 211 generates a master secret using the random number A received in step S102B, the random number B generated in step S101A, and the premaster secret acquired in step S106A (step S108A), and then the session key It generates (step S109A). Then, the control unit 211 transmits the message "Server Finished" to the terminal 1 (step S110A).

  Thereafter, the terminal 1 and the server 2 perform communication by encrypting data using a session key (common key). However, since the terminal 1 stores the session key in the secure element 18, when receiving the encrypted data from the server 2, the terminal 1 transmits the encrypted data to the secure element 18, and uses the session key in the secure element 18 Receive the decrypted data. In addition, when the terminal 1 transmits data (for example, temperature data) to the server 2, the data is transmitted to the secure element 18, and the encrypted data encrypted by the secure element 18 with the session key is received. Sends this to the server 2.

[5.3. Operation of Communication System S When Risk Level is "2"]
Next, an operation flow of the communication system S in the case where the degree of danger is determined to be “2” by the degree of danger determination processing will be described using FIG. 8. However, except for a part of the processing, it is the same as the operation flow of the communication system S in the case where the degree of danger is determined to be “3” by the degree of danger determination processing. In FIG. 8, the same processing as that of FIG. 7 is denoted by the same reference numeral (step number) as that in FIG. 7.

  The difference between the case where the degree of risk is "3" and the case where the degree of risk is "2" is that the CPU 181 of the secure element 18 generates a signature (step S104C) when the degree of risk is "3". When the degree of danger is "2", the control unit 11 of the terminal 1 generates a signature.

  That is, after the end of step S106B, the control unit 11 of the terminal 1 generates a signature using the data for signature generation and the client secret key (step S201B), and transmits it to the terminal 1 (step S108B).

  On the other hand, after the end of step S103C, the CPU 181 of the secure element 18 proceeds to step S106C.

  As described above, when the degree of danger is determined to be “2” by the degree of danger determination processing, the signature generation is performed not by the CPU 181 of the secure element 18 but by the control unit 11 of the terminal 1. The processing time required to generate a signature can be shortened compared to when it is determined that "3". If the degree of risk is determined to be “2”, the flash memory 183 stores the premaster secret, the master secret and the session key among the premaster secret, the client secret key, the master secret and the session key. There are three data.

[5.4. Operation of Communication System S When Risk Level is "1"
Next, the operation flow of the communication system S in the case where the degree of danger is determined to be “1” by the degree of danger determination processing will be described using FIG. 9. However, except for a part of the processing, it is the same as the operation flow of the communication system S in the case where the degree of danger is determined to be “3” by the degree of danger determination processing. In FIG. 9, the same processing as that of FIG. 7 is denoted by the same reference numeral (step number) as that of FIG.

  The difference between the case where the degree of danger is "3" and the case where the degree of danger is "1" is that when the degree of danger is "3", the CPU 181 of the secure element 18 generates and encrypts a premaster secret (step S101C, In contrast to performing step S102C), and generation of a master secret (step S106C) and generation of a session key (step S107C), when the degree of risk is "1", the control unit 11 of the terminal 1 performs these processes. It is the point to do.

  That is, when the control unit 11 of the terminal 1 generates the random number A in the process of step S101B and receives the random number B from the server 2, the control unit 11 generates a random number called premaster secret (step S301B). To encrypt (step S302B). Then, the control unit 11 transmits a message "Client Key Exchange" including the encrypted premaster secret to the server 2 (step S106B).

  In addition, when generating the premaster secret, the control unit 11 of the terminal 1 generates a master secret using the random number A generated in step S101B, the random number B received in step S102A, and the premaster secret generated in step S301B. (Step S303B) Then, a session key is generated (step S304B). Then, the control unit 11 stores the session key in the storage unit 12.

  On the other hand, the CPU 181 of the secure element 18 stands by until the data for signature generation is received from the terminal 1, and when the data for signature generation is received, executes step S104C and step S105C.

  As described above, when the degree of danger is determined to be “1” by the degree of danger determination processing, the generation and encryption of the premaster secret and the generation of the master secret and the session key are not performed by the CPU 181 of the secure element 18. Since the control unit 11 performs the process, the processing time required for these processes can be shortened as compared to the case where the risk is determined as “3” or “2” by the risk determination process.

  As described above, the secure element 18 according to the present embodiment is connected to the terminal 1 (an example of a “client terminal”) that performs encrypted communication with the server 2, and the flash memory 183 (an example of a “storage unit”) Of the premaster secret, the master secret, and the session key (an example of “a plurality of types of data”) stored by the terminal 1 for encrypted communication, according to the degree of risk of communication between the terminal 1 and the server 2). Data of at least a part of the corresponding type is stored instead of the terminal 1 and the CPU 181 (an example of the “processing means”) performs a premaster secret generation process performed by the terminal 1 for encrypted communication, the premaster Secret encryption processing, signature generation processing, master secret generation processing, and session key generation processing (an example of “multiple processing”) Chi, at least part of the processing corresponding to the communication risk, performed in place of the terminal 1.

  Therefore, according to the secure element 18 of the present embodiment, the premaster secret, the master secret and the session key stored by the terminal 1 for encrypted communication with the server 2, and the encrypted communication between the terminal 1 and the server 2 For the premaster secret generation process, the premaster secret encryption process, the signature generation process, the master secret generation process, and the session key generation process, the secure element 18 performs processing between the terminal 1 and the server 2. In encrypted communication performed by the terminal 1 with the server 2 by storing some types of data or performing some processing according to the degree of risk of communication between the terminals Sufficient security can be secured.

  Further, when the degree of risk is “3 (high)”, the CPU 181 generates a premaster secret, encrypts the premaster secret, generates a signature, generates a master secret, and the session. Perform key generation processing.

  Furthermore, when the degree of risk is “3 (high)” or “2 (middle)” (an example of “prescribed level or higher”), the flash memory 183 of the secure element 18 includes the premaster secret, the master secret and Store session key. Further, when the degree of danger is “2 (middle)”, the CPU 181 generates premaster secret, encrypts the premaster secret, generates a master secret, and generates a session key. Do.

  Furthermore, when the degree of danger is “1 (low)”, the CPU 181 performs a signature generation process.

  As described above, the secure element 18 of the present embodiment stores more data to be stored for encrypted communication as the degree of risk is higher, and the process performed for the encrypted communication as the degree of risk is higher. Do a lot. As a result, in encrypted communication performed by the terminal 1 with the server 2, sufficient security can be secured on the terminal 1 side. In addition, since the CPU 181 of the secure element 18 does not secure security more than necessary on the terminal 1 side, the time due to the unnecessary processing of the CPU 181 of the secure element 18 whose processing speed is lower than that of the control unit 11 of the terminal 1 It is possible to reduce the waste of

[6. Modified example]
Next, modifications of the above embodiment will be described. In addition, the modification demonstrated below can be combined suitably.

[6.1. Modification 1]
Next, with reference to FIG. 10, a first modification of the operation of the communication system S in the case where the risk degree is determined to be “1” by the risk degree determination process will be described. In the first modification, as shown in FIG. 10, the control unit 11 of the terminal 1 performs the signature generation performed by the CPU 181 of the secure element 18 in FIG. 9 as in FIG. In FIG. 10, the same processes as those in FIGS. 8 and 9 are denoted by the same reference numerals (step numbers) as those in FIGS.

  In the first modification, when the degree of danger is determined to be “2” by the degree of danger determination processing (see FIG. 8) and when the degree of danger is determined to be “1” by the danger degree determination processing (see FIG. 9) As a combination example, the control unit 11 of the terminal 1 transmits the session key generated in the process of step S304B to the secure element 18 and stores it. That is, although the control unit 11 of the terminal 1 performs processing up to generation of a session key, the session key is stored not in the storage unit 12 of the terminal 1 but in the secure element 18. In the first modification, when it is determined that the degree of risk is “1” (an example of “lower than a predetermined level”), the flash memory 183 stores the premaster secret, the master secret, and the session key. , Session key only.

  In the first modification, the process of FIG. 10 is described as an example in the case where the degree of risk is determined to be “1”. For example, in the degree of risk determination process, the degree of risk is classified into four stages of “1” to “4”. (The risk determination table T also adds a row with a risk of “4”), and the process in FIG. 7 is executed when the risk is determined to be “4”. Process 8 is executed when the risk is determined to be “3”, and the process in FIG. 9 is executed when the risk is determined to be “2”, and the process in FIG. 10 is determined to be “1” It may be executed when it is determined that

[6.2. Modification 2]
In the above embodiment, the danger degree judgment table T of FIG. 3 is referred to for the danger degree judgment in the danger degree judgment processing of FIG. 6, but instead, the danger degree judgment table T2 of FIG. You may do it. FIG. 11 is a diagram showing an example of a schematic configuration of the degree-of-risk determination table T2. In the degree-of-risk determination table T2, information indicating “purpose of communication” and “degree of risk” corresponding thereto is defined. Specifically, "3 (high)" is defined in association with "update of terminal software", "2 (middle)" is defined in association with "transmission of temperature data", and "transmission of test data""1(low)" is defined in association with "."

6.3. Modification 3]
Although the control unit 11 of the terminal 1 determines the risk of communication between the terminal 1 and the server 2 in the above embodiment, the control unit 211 of the server 2 and the CPU 181 of the secure element 18 may also determine Good.

  If the control unit 211 of the server 2 determines the degree of risk, instead of the degree-of-risk determination table T, for example, “the address of the client terminal to be connected” and the degree of risk are classified into three stages (“3 (high)”, The storage unit 212 stores a degree-of-risk determination table (not shown) defined by “2 (middle)” and “1 (low)”. At this time, the degree-of-risk determination table defines, for example, "3 (high)" in association with "the address of the external terminal for which key information is to be updated" and associates it with "the address of the other external terminal". “2 (middle)” is defined, and “1 (low)” is defined in association with “address of terminal in same LAN”. Then, when connecting to the terminal 1, the control unit 211 acquires the address of the terminal 1 and determines the degree of danger with reference to the degree-of-risk determination table.

  When the CPU 181 of the secure element 18 determines the degree of danger, the danger degree determination table T is stored in the flash memory 183, and when the terminal 1 connects to the server 2, the control unit 11 controls the secure element 18 requests the hazard level determination process and receives the determination result. Specifically, when connecting to the server 2, the control unit 11 acquires the address of the server 2, and sends a request for risk degree determination processing to the secure element 18 together with the address. Then, the CPU 181 of the secure element 18 refers to the degree-of-risk determination table T stored in the flash memory 183, determines the degree of risk based on the address received from the terminal 1, and returns the degree of risk to the terminal 1. .

[6.4. Modification 4]
In the above embodiment, although the communication system S in which the terminal 1 includes the temperature sensor and the terminal 1 transmits the temperature data to the server 2 has been described, for example, a water meter which is an alternative to the terminal 1 has a communication function. And a secure element, and may be a communication system that transmits water consumption data to the server 2. Then, for example, when the water meter transmits water consumption data, communication is performed as "low", and when communication is performed to update software of the water meter, communication is performed as "high". You may do it.

  In the communication system of the smartphone and the server 2 having the USIM card as the secure element, when the smartphone performs communication for displaying the web page by the browser, the communication is performed with the risk level “low”, and the firmware of the smartphone When communication related to updating or credit settlement is performed, communication may be performed with a high degree of risk.

  In the above embodiment, the risk level is divided into three levels, but may be divided into four or more levels or in two levels according to the application and the security policy.

Reference Signs List 1 terminal 11 control unit 12 storage unit 13 wireless communication unit 14 display unit 15 input unit 16 SE interface 17 bus 18 secure element 181 CPU
182 RAM
183 flash memory 184 I / O circuit 185 bus 2 server

Claims (11)

A secure element connected to a client terminal that performs encrypted communication with a server,
Among the plurality of types of data stored by the client terminal for the encrypted communication, at least some types of data corresponding to the risk of communication between the client terminal and the server Storage means to store instead;
Processing means for performing at least a part of processing corresponding to the degree of risk of the communication among the plurality of processing performed by the client terminal for the encrypted communication, instead of the client terminal;
A secure element characterized by comprising: A secure element according to claim 1, wherein
The secure element characterized in that the plurality of types of data are a premaster secret, a master secret, and a session key. The secure element according to claim 1 or 2, wherein
The secure element characterized in that the plurality of processes are a premaster secret generation process, an encryption process of the premaster secret, a signature generation process, a master secret generation process, and a session key generation process. The secure element according to claim 2, wherein
A secure element characterized in that the storage means stores all of the plurality of types of data when the degree of risk is equal to or higher than a predetermined level. The secure element according to claim 3, wherein
A secure element characterized in that the processing means performs all of the plurality of processes when the degree of risk is at a first level. The secure element according to claim 5, wherein
The processing means, when the degree of risk is a second level lower than the first level, generates, among the plurality of processes, a process of generating a premaster secret, an encryption process of the premaster secret, and a master secret. A secure element characterized by performing generation processing and session key generation processing. The secure element according to claim 6, wherein
A secure element characterized in that, when the degree of risk is a third level lower than the second level, the processing means performs a signature generation process among the plurality of processes. The secure element according to claim 4, wherein
A secure element characterized in that the storage means stores only the session key among the plurality of types of data when the degree of risk is lower than the predetermined level. A client terminal that performs encrypted communication with a server and to which a secure element is connected,
First control to transmit and store at least a part of data of a plurality of types of data stored for the encrypted communication according to the degree of risk of communication with the server, to the secure element Means,
Second control means for causing the secure element to perform at least a part of the plurality of processes performed for the encrypted communication according to the degree of risk of the communication;
A client terminal characterized by comprising: An information processing method by a secure element connected to a client terminal that performs encrypted communication with a server, comprising storage means and processing means, comprising:
The storage means includes at least a part of data of the plurality of types of data stored by the client terminal for the encrypted communication according to the degree of risk of communication between the client terminal and the server. Storage step for storing instead of the client terminal
A processing step of performing at least a part of processing corresponding to the risk of the communication among the plurality of processes performed by the client terminal for the encrypted communication, instead of the client terminal;
An information processing method comprising: The risk degree of communication between the client terminal and the server among a plurality of types of data that is connected to a client terminal that performs encrypted communication with the server and the client terminal stores for the encrypted communication A computer included in a secure element comprising storage means for storing at least some types of data according to
A processing unit that performs at least a part of the plurality of processes performed by the client terminal for the encrypted communication in place of the client terminal according to the degree of risk of the communication;
An information processing program characterized in that it functions as:

Images