JP2606827B2 - Encryption device using IC card - Google Patents

Description

[Detailed Description of the Invention] [Object of the Invention] (Industrial application field) The present invention relates to an encryption device for securely and securely realizing a transaction in an online transaction system or the like.

(Prior Art) In recent years, with the advance of electronic technology, development of advanced communication network systems such as home banking, home shopping, and farm banking systems has been promoted. The most important point in implementing a communication network system related to such money transactions is that the confidentiality and security of the transactions on the network can be sufficiently ensured. In other words, in transactions or document communication between traders via a network, it is necessary to increase the evidential ability of transaction documents and correspondence documents.

By the way, typical fraud in transactions and document communication using a communication network is as follows.

(1) False declaration; declaring that the sender did not transmit to the receiver side even though the sender actually transmitted. In addition, declare that the message was sent to the recipient even though the sender did not send it.

(2) Counterfeiting of transaction documents: The recipient rewrites the communication document recorded on the receiver side without permission, or the recipient creates the communication document without permission.

 These frauds lead to fraud such as the embezzlement of money.

In order to prevent such fraud on the network, DES (Data Encrypti
It has been considered that a forgery of a communication document is prevented as much as possible by incorporating an encryption program such as an on-standard method.

That is, each terminal performs encryption / decryption (decr
yption) function, and the sender encrypts a message to be communicated using its own keyword in accordance with an encryption program on the transmission side. Then, the encrypted message is transmitted to the receiver terminal via the communication line. Then, on the receiver side, the decryption circuit decrypts the received encrypted message using the keyword unique to the sender stored in the key memory and records the decrypted message.

Therefore, if the receiving side manages the keyword recorded in the key memory so as not to leak to the outside, and if it can be assumed that the recipient does not perform fraud such as forgery of the communication document, the recorded cipher message is transmitted. Only the sender who knows the keyword can create it. Therefore, in this case, the evidential ability of the encrypted message recorded on the receiver side is high, and the digital signature of the communication document can be performed here.

However, if the communication party switches the operation mode of the receiving terminal from the decryption mode to the encryption mode, it is possible to illegally create an encrypted message using the keyword of the sender.

As described above, in the communication network system based on the encryption / decryption method, it is impossible to completely prevent fraud on both the transmitting side and the receiving side. For this reason, it is difficult to ensure the security of transactions.

(Problems to be solved by the invention) The present invention has been made in consideration of such circumstances.
It is an object of the present invention to provide a communication system capable of ensuring a secure digital signature on communication information and ensuring sufficient security of, for example, business transactions and document communication.

[Structure of the Invention] (Means for Solving the Problems) The present invention provides a first means for storing key information for encrypting input information and a second means for storing identification information unique to an IC card. Means for encrypting information obtained by combining the input information and the identification information in a re-separable state in accordance with the key information stored in the first storage means.
Card, decryption means for decrypting the information encrypted by the IC card, means for separating the decrypted information into the input information and the unique identification information, and pre-stored the identification information unique to the IC card And a terminal device including means for confirming the partner device by comparing the identification information separated from the decrypted information with the identification information stored in the storage means. An apparatus is provided.

(Operation) When a communication message is encrypted, it is always encrypted after information for identifying the encryption device is added. Therefore, on the receiving side, by examining the identification information after decryption, it is possible to identify the device (source) that encrypted the message. Also, by recording the ciphertext without decrypting it, it can be used as evidence indicating the content of the message and the source of the message.

(Example) Hereinafter, an example system according to the present invention will be described with reference to the drawings.

In this embodiment, an IC card is used as the encryption device.

FIG. 2 is a schematic configuration diagram of a communication network which is applied to home banking, home shopping, a farm banking system, etc., and performs encrypted communication using an IC card having an encryption / decryption function.

This communication network constitutes an (n: 1) system. For example, a plurality of customer-side terminals 11a, 11b, to 11n respectively installed in a home or a company are connected to a center side installed in a single center such as a bank or a department store via communication lines 13a, 13b, to 13n, respectively. Connected to terminal 12.

In this embodiment, a transaction message M is transmitted from the customer terminals 11a, 11b, to 11n to the center terminal 12.

Each of the customer terminals 11a, 11b, to 11n is provided with a portable IC card 14a, 14b, to 14n, which is an encryption device, in a form that can be inserted. Also, a portable IC card 15 as a decoding device is attached to the center terminal 12 in a form that can be inserted.

FIG. 3 shows the configuration of such a customer terminal. The terminals 11a, 11b, to 11n are basically constituted by information processing devices such as personal computers. On the other hand, the center side terminal has almost the same configuration, but on the center side, each user information is provided in the database 39 (see FIG. 4).

The central processing units (CPUs) 21 and 31 have memories 22 and 32 storing control programs, keyboards 23 and 33 constituting input devices, and a CRT display device 24 constituting output devices, similarly to ordinary personal computers. , 33, and printers 25, 35,
And floppy disk devices 26 and 36 are connected.

Card reader / writer loaded with IC card 14 (15)
27, 37 are connected to CPU21, 31 and IC information from CPU21, 31
The information is supplied to the cards 14 (15) and the information of the IC card 14 (15) is supplied to the CPUs 21 and 31. The CPUs 21 and 31 are connected to communication lines via modems 28 and 38.

The IC card 14 (15) is configured such that a semiconductor large-scale integrated circuit is hermetically sealed therein so that information other than specific information (encrypted communication information) cannot be taken out.

The IC card used in the system of the present invention is well known and has the same basic configuration as a conventional IC card. For example, as shown in FIG. 5, a microprocessor unit (MPU; one-chip microprocessor) A program memory 42 (preferably a mask ROM) containing an encryption (decryption) program and an operation program; a data memory 43 (preferably a permanent storage type PROM or EPROM);
An / O interface 44 and a contact unit 45 are provided.

The card readers / writers 27 and 37 have the IC card 14 (1
When 5) is loaded, an operation power supply voltage, an operation clock pulse, various function command codes and data are supplied from outside via the contact section 45. The MPU 41 has a RAM 41a therein.

The program memory 42 stores various programs for executing basic functions of the IC card. The basic function of this IC card is to read data from the data memory 43 or write data to the data memory 43, and to prevent leakage or falsification of communication messages when sending messages to other terminals via a communication circuit. In order to do so, it comprises an encryption / decryption function for encrypting a message and decrypting a received encrypted message, and a function for confirming the validity of a communication partner of an IC card such as a user, a terminal and a host.

The MPU 41 is a card reader / writer 27, 37 from the CPU 21, 31.
And interprets the function command code input through the function command code or the function command code to which data is added, and selects and executes a necessary function from the above basic functions.

Card readers / writers 27 and 37 are IC card 14 (15) and CPU
Function command codes and data are exchanged with the IC cards 21 and 31, macro commands from the CPUs 21 and 31 are decomposed into IC card commands, and these commands are supplied to the IC card.

The above is the outline of the system configuration. Next, communication between IC cards in this system will be described.

FIG. 1 schematically shows functions of the IC card.
The actual hardware configuration is as described above, and implements the following functions.

As described above, in this embodiment, an IC card is used as the encryption device. The IC card has encryption circuits 2a and 2b and decryption circuits 5a and 5b. By definition, the encryption circuits 2a, 2b
Indicates a function of converting a plaintext into a telegram on the line, and the decryption circuits 5a and 5b indicate a function of converting the telegram on the line into the plaintext.

Data is input to the encryption circuit 2a from a higher-level processing device or the reader / writer 27 via the combining means 4a.
The synthesizing means 4a synthesizes the identification word with the plain text from the reader / writer 27, and supplies the plain text to the encryption circuit 2a. In this synthesis, for example, the identification word is serially synthesized into a pit string which is a plain text. Here, the serial synthesis is to generate a new bit string by adding a bit string of an identification word immediately after a bit string which is a plain text. Specifically, as shown in FIG. 7, a transaction message M (m bits) Means that a new (m + n) -bit bit string is formed by adding an identification number N (n bits) immediately after.

The identification word is stored in an identification word register 3a, which is sealed together with other components in an IC card.

A key register 1a is provided together with the identification word register 3a, and a "key" is stored in the register 3a. The "key" defines an encryption / decryption algorithm in the encryption circuit 2a and the decryption circuit 5a. The technique used for encryption and decryption may use, for example, the DES method.

The data encrypted with the “key” is used for communication sent out of the IC card. And it was provided facing
Received by IC card.

Then, it is decoded in the decoding time 5b. This data is supplied to a host processing device and a reader / writer, where the identification word is separated and a predetermined process is performed.

 By doing so, the following effects can be obtained.

By setting the identification word unique to the IC card, it is possible to specify by which device the received data has been encrypted.

By recording the ciphertext without decrypting it, it can be used as evidence indicating the content of the message and the source of the message.

This is because if at least one of the encryption algorithm or the encryption key is undisclosed and the encryption device is secure in hardware, a ciphertext including identification information indicating a specific device can be created. Because it is only that particular device.

Even if the receiver attempts to forge the record, the receiver device can create another identification word (the identification word is unique to each device and IC card, and the identification word is encrypted by the encryption circuit 2). (Note that the message is forcibly synthesized at the time of input to the URL), and it is difficult to forge. Next, the transaction procedure will be described with reference to FIG.

In order to conduct a transaction, a transaction message sent from the customer terminal to the center is encrypted in the IC card, and the encrypted message C is transmitted to the communication line. This makes it difficult for a third party to forge the transaction message.

FIG. 6 shows an example of the key generation method. The key 65 for encrypting the transaction message is a personal keyword I62; a secret keyword S61,
Generated by the random number data R63.

The personal keyword is a number code set for each user, for example, an account number. The secret keyword is a number common to this communication network. The random number data is data generated on the center side and indicating a transaction number. The personal keyword I and the random number data are exchanged between the center and the user's IC card prior to the encryption communication.

According to these keywords I, S, R, the MPU 41, for example, (I
+ S + R) to generate a keyword K for encryption by executing an exclusive OR 64 operation. Then, the MPU 41 uses the encryption keyword K to perform encryption according to an encryption algorithm such as DES. If the secret keyword S is set to a random number that is not known by the center, the keyword K
Can be a completely secret keyword that is not known to a third party or even a user or sensor.

The transaction message M input to the IC card from the terminal first contains the IC
The identification number N unique to the card is synthesized by the synthesizer 70. One example is shown in FIG. The transaction message M71 (m bits) and the identification number N72 (n bits) are serially synthesized and serial data 7
In the case of synthesizing 4, M may be shifted by n bits in the synthesizer 70 and then added to N (73 is a bit shift means).

For example, when N71 is n bits, M72 is m bits, and the message after adding N is M ', M' may be determined as follows.

M ′ = 2 ⁿ · M + N M ′ is m + n where M is the upper bit and N is the lower bit
Bit data. The above example is the simplest method. If the receiving side can separate and extract M and N, any other method can be applied.

The message M 'to which N has been added is encrypted according to the keyword K and the encryption algorithm.

Since the ciphertext depends on N and M, this is written as E (N, M). E (N, M) is sent to the terminal via the reader / writer, and further transmitted from the terminal to the center.
The center terminal that has received the encrypted message E (N, M) sends it to the IC card loaded in the terminal, decrypts it by the decoder in the card, and receives the result M 'from the IC card. Further, the message M and the identification number N are separated from M ', and N is first checked to recognize the partner device. For this purpose, the center needs to store the identification number N of each IC card in a database together with the user name, account number, and the like. After confirming the identification number N, next, the transaction message M is checked and its contents are executed. Then, as a record of the transaction, a message E (N, M) before decryption and information I, R necessary for key generation are output to the printer together with information on the transaction such as a transaction date and a transaction number. At the same time, it is possible to leave a record in an electronic storage device such as a floppy disk.

Thus, by adding E (N, M): I, R to the record, the evidence of the record is remarkably improved. Before starting the description, it is necessary to clarify the premise of the present embodiment. First, it is assumed that the IC cards of the user and the center are complete in terms of hardware, and internal data cannot be taken out except by legitimate means. The card identifiers N are all different for each card. Although the encryption algorithm may be well known, the key for each transaction is completely secret, and it is assumed that not only the third party but also the user and the center administrator do not know. As described above, the secret parameter S for key generation may be a random number that is not known by the manager of the center. As a means for generating a random number in the IC card which is not known by the sensor, for example, a key SC generated by the center and a secret key SM generated by the card manufacturer and stored in the card may be added.

S = SM + SC (+: exclusive OR) Under such a premise, only a specific card having the identifier N can create E (N, M). This is because other user cards do not have N and key K, so E
(N, M) cannot be forged. Even if the center attempts to forge, as long as an IC card is used, it is difficult to duplicate E (N, M) as in the case of other users.

On the other hand, even if the center tries to encrypt outside with a card using N obtained from the database, it does not know the value of the limit K,
E (N, M) cannot be forged. From the above, the addition of E (N, M) greatly enhances the evidence capacity of the transaction record. Then, when a trouble relating to the transaction occurs at a later date, the record can be used to solve the trouble.

The description so far has dealt with the content proof of the message from the user to the center. In exactly the same manner, by recording the encrypted message from the center at the user side terminal, it is possible to prove that the message has been transmitted from the center. This is because, when a message is encrypted inside the center IC card, an identification number N 'unique to the center IC card is added to the message.

Next, as a second embodiment of the present invention, a case where the encryption and decryption algorithms are kept secret from the center administrator and the user will be described. In the second embodiment, the system configuration, the procedure for exchanging transaction messages, and the procedure for delivering the key K are the same as those in the first embodiment. However, in the second embodiment, the value of the key K may be known by a user who is a person skilled in communication and an administrator of the center. However, it is assumed that neither the user nor the center administrator knows the encryption / decryption algorithm. For example, this case corresponds to a case where the card manufacturer implements the algorithm with secrecy.

Even when the user sends the encrypted electronic message E (N, M) to the center under such conditions, E (N, M) can be generated only in the IC card having N as the identification number. Therefore, the center can use E (N, M) as evidence indicating the fact that the message M was transmitted from the user by recording E (N, M).

Conversely, as in the first embodiment, the user can record an encrypted message from the center as evidence indicating the fact that the message is transmitted from the center to the user.

As can be seen from the first and second embodiments, in order for the ciphertext generated by the encryptor according to the present invention to effectively act as evidence indicating the fact that a message has been transmitted, the numbering key and the encryption / decryption algorithm must be used. Must be a complete secret unknown to the user and the center. Otherwise, it is relatively easy, at least for the center, to create a fake electronic message E (N, M) using the key, the identifier N, and the algorithm outside the IC card. If the center is not sufficiently reliable, its ability as evidence of E (N, M) will be reduced.

In the embodiment described above, the function of re-separating the decrypted message into the message M and the card identification number N is realized outside the card, but this re-separation function is realized inside the card. However, even if the separated N and M are output to the outside of the card, the reality of the transaction proof which is the object of the present invention is achieved. One of the forms of the encryption device that best realizes the features of the present invention is a card-type portable device,
Specifically, it is an IC card, but there is no limitation as long as it is an arbitrary encryption device that can incorporate the same function as the embodiment of the present invention.

Further, the synthesizing means is not limited to a process of simply synthesizing two telegrams as in the embodiment, but any process can be used if it is known that the same process is performed at the source and the source. In principle, it does not matter. In other words,
It can also be called a re-separable process.

Note that the transmission source here indicates a level at which a received message is used as evidence, and it is not always necessary for all receiving terminals and operators to know.

In the above embodiment, the identification word unique to the device (IC card) is combined with the plain text, but it is technically valuable to add a word specifying the transaction to the message. For example, a plaintext is encrypted using a “key”, and the result is combined with the plaintext. It is preferable that the message thus obtained is encrypted by an encryption device and sent to the outside.

However, considering the processing capability of the encryption device (IC card), IC
It is also preferable to encrypt the synthesizing means by an encryption means provided outside the card. The encryption means here is
Normally, it refers to one that is provided when transmitting a telegram (signal) to an outside line.

Further, the encryption of the plaintext is performed by IC
This is realized by the MPU in the card.

[Effects of the Invention] According to the present invention, when a cryptographic message is decrypted, the cryptographic device that created the message is determined, and this is used for transaction proof, thereby solving a problem relating to a transaction between user centers. It is possible to do.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a case where an encryption device according to an embodiment of the present invention is used facing the other, FIG. 2 is a diagram showing a system configuration when the present invention is applied to an IC card, and FIG. FIG. 4 is a diagram showing a configuration of a user terminal in the system shown in FIG. 2, FIG. 4 is a diagram showing a configuration of a center terminal in the system, FIG.
FIG. 6 is a diagram showing a configuration of an IC card, FIG. 6 is a diagram for explaining a key generation method, FIG. 7 is a diagram showing a configuration of a synthesizing means, and FIG. It is a figure showing the concept of the procedure of. 1 ... key register, 2 ... encryption circuit, 3 ... identification word register, 4 ... synthesis means, 5 ... decryption circuit, 6 ...
… Encryption device

Continuation of the front page (72) Inventor Hiroyuki Mizutani 1 Toshiba-cho, Komukai-shi, Kawasaki-shi Toshiba Research Institute, Inc. (56) References JP-A-60-208137 (JP, A) JP-A-56-143744 (JP) , A) JP-A-59-769 (JP, A)

Claims (4)

(57) [Claims] A first means for storing key information for encrypting input information; a second means for storing identification information unique to an IC card; An IC card including means for encrypting the information combined in a separable state according to the key information stored in the first storage means; a decryption means for decrypting the information encrypted by the IC card; Means for separating the received information into the input information and the unique identification information; means for pre-storing the identification information unique to the IC card; and identification information separated from the decrypted information and storage in the storage means. And a terminal device including means for confirming the partner device by comparing the received identification information with the terminal device. 2. The method according to claim 1, further comprising a sealing means for sealing the first storing means, the second storing means and the encrypting means in the IC card. An encryption device using an IC card. 3. The key information is generated using a code set for each person who uses an IC card, and a code transmitted from the terminal device prior to communication of input information. An encryption device using the IC card according to claim 1. 4. The IC card according to claim 1, further comprising: means for giving a unique transaction signal for each communication prior to the communication of the input information;
The encryption unit synthesizes the input information, the identification information unique to the IC card, and the transaction information unique to each communication by the re-separable unit itself, and then stores the key information stored in the first storage unit. 2. An encryption device using an IC card according to claim 1, wherein encryption is performed according to the following.