JP5145143B2 - IC tag authentication information generation system and IC tag authentication information generation method - Google Patents

Description

  The present invention relates to an IC tag authentication information generation system and an IC tag authentication information generation method, and specifically, an identification that differs for each IC tag without constructing a server that manages the identification information or adding a function to the IC tag. The present invention relates to a technology that enables reliable allocation of information.

  As a standard for UHF band IC tags mainly intended for use in the distribution industry, the international standard ISO / IEC 18000-6 IC tag specifications have been published. In this specification, an authentication function is defined for an IC tag, which can be used to eliminate access from an unauthorized third party. The authentication information used in this authentication function is desirably changed for each IC tag in order to improve safety. In this case, the number of authentication information increases as the number of IC tags increases. . Therefore, it becomes difficult to manage the combination of the IC tag and the authentication information.

Therefore, a technique is known in which authentication information is dynamically generated using information for identifying a device (identification information) and authentication is performed (see Non-Patent Document 1). In this case, in order to change the authentication information for each IC tag, it is necessary to assign the identification information without duplication as much as possible. As a technique for solving this problem, a technique is known in which a server device that manages identification information set in a device is installed, the server is inquired when the device is initialized, and identification information that is not used is assigned (Patent Document) 1). Also, a technology is known in which the device itself acquires its own environment information (network information, connected device information, number of connected devices, etc.), automatically generates identification information from the information, and assigns it as its own identification information. (See Patent Document 2).
D. Boneh and M. Franklin. "Identity based encryption from the Weil pairing." Advances in Cryptology- Crypto 2001, LNCS vol. 2139, Springer-Verlag, 2001. JP 2005-306490 A JP 2007-200305 A

  As described above, in order to securely generate authentication information using the identification information of the IC tag, it is necessary to assign different identification information for each IC tag, and whether the identification information to be assigned is managed in advance by the server, It was necessary to add a function for dynamically acquiring information that is the basis for generating identification information to the IC tag itself. In addition, when the storage area of the identification information is small, it is difficult to store all the identification information even if the identification information is assigned using the above technique.

  Therefore, the present invention has been made in view of the above problems, and it is possible to reliably assign different identification information for each IC tag without constructing a server for managing the identification information and adding a function to the IC tag. The purpose is to provide technology.

  The IC tag authentication information generation system of the present invention includes a storage unit that stores key information, a communication unit that communicates with the IC tag, a ticketing information acquisition unit that receives designation of ticketing contents through an input interface and acquires the ticketing information as ticketing information. Identification information generating means for generating identification information combining the acquired ticket issuing information and a random number obtained from a random number generator, and storing the identification information in an identification information storage unit of an IC tag attached to the ticket to be issued; Authentication information generating means for generating authentication information from the identification information and key information stored in the storage means and storing the authentication information in an authentication information storage section of the IC tag.

  Further, in the IC tag authentication information generation system, the ticket issuing information acquisition means receives the specification of the ticket issuing contents through an input interface, acquires the date and time of ticket issuing data from a clock function provided in the IC tag authentication information generation system, It is good also as what acquires the ticketing content and the data of the said ticketing date as said ticketing information.

  Further, in the IC tag authentication information generation system, the ticket issuing information acquisition unit may acquire the ticket issuing information together with the ID of the input interface or the data of the installation position as ticket issuing information.

  Further, in the IC tag authentication information generation system, the identification information generation means generates identification information that combines a serial number incremented for each ticket issue and the ticket issue information instead of the random number and generates the identification information. It may be stored in the identification information storage unit of the IC tag attached to the ticket to be issued.

  In the IC tag authentication information generation system, the identification information generation unit generates a hash value by applying the acquired ticket issuing information and a random number to a hash function, and uses the hash value as identification information to issue a ticket to be ticketed. It may be stored in the identification information storage unit of the IC tag attached to the.

  Further, in the IC tag authentication information generation system, the identification information generation means obtains a pseudo random number value by applying to the pseudo random number generator using data obtained by combining the acquired ticket issuing information and a random number as a seed, A numerical value may be stored as identification information in an identification information storage unit of an IC tag attached to a ticket to be issued.

  In the IC tag authentication information generation system, the identification information generation unit accesses the IC tag by the communication unit, calculates a storage capacity of the identification information storage unit in the IC tag, and sets the calculated storage capacity to the calculated storage capacity. Identification information in which the number of digits is limited to an accommodable data size may be generated, and the identification information may be stored in the identification information storage unit of the IC tag.

  In the IC tag authentication information generation system, the authentication information generation means accesses the IC tag by the communication means, calculates a storage capacity of the authentication information storage unit in the IC tag, and sets the calculated storage capacity to the calculated storage capacity. Authentication information in which the number of digits is limited to an accommodable data size may be generated, and the authentication information may be stored in the authentication information storage unit of the IC tag.

  In the IC tag authentication information generation system, the communication means reads identification information from an IC tag attached to the ticket, generates authentication information from the identification information and key information stored in the storage means, An authentication instruction unit that transmits an authentication instruction using the authentication information as a key to the IC tag by the communication unit and acquires an authentication result corresponding to the authentication instruction from the IC tag may be provided.

  In the IC tag authentication information generation method of the present invention, the computer includes storage means for storing key information and communication means for communicating with the IC tag. And generating the identification information combining the acquired ticket issuing information and the random number obtained from the random number generator, and storing the identification information in the identification information storage unit of the IC tag attached to the ticket to be issued And processing for generating authentication information from the identification information and key information stored in the storage means and storing the authentication information in an authentication information storage unit of the IC tag.

  According to the present invention, it is possible to provide a technique for dynamically generating and assigning identification information of an IC tag on the system side. Further, even when the identification information storage area in the IC tag is small, identification information having a size corresponding to the storage area can be generated and stored on the system side. Specific processing for generating identification information is, for example, information that does not change in the life cycle of the IC tag among business information stored in the IC tag (for example, information corresponding to the contents printed on the face of the ticket to be issued, IC tag identification information is generated using a combination of a ticket type, ticket issue location / date and time, expiration date, usable location / section, amount, etc.) and a random number as identification information for the IC tag. Further, the IC tag authentication information generation system generates authentication information of the corresponding IC tag from the identification information thus generated and stores it in the IC tag. On the other hand, in a situation where the issued ticket is used, for example, in entrance / exit processing in a station or a predetermined facility, the IC tag authentication information generation system acquires identification information from the IC tag, and IC information is obtained from the identification information. Generate tag authentication information. Also, the authentication information generated here is transmitted to the IC tag to perform authentication processing.

  The authentication information is generated in the IC tag authentication information generation system by applying the identification information and key information to, for example, a hash function to obtain a hash value of a predetermined length, and using this hash value as authentication information. This process can be realized. Of course, the processing is not limited to such an example, and an algorithm that does not change if the original data, that is, the result value (= authentication information) obtained from the identification information and the key information is the same is adopted. Any processing method may be adopted as long as it can be processed.

  Further, the IC tag authentication information generation system executes, for example, an authentication process for a ticket issuing terminal (for example, a ticket issuing terminal installed at a station or the like) for issuing an IC tag-attached ticket and the IC tag-attached ticket. It can be assumed that it is composed of entry / exit terminals (eg, ticket gates installed at stations, etc.). In this case, the ticket issuing terminal includes the storage unit, the communication unit, the ticket issuing information acquisition unit, the identification information generation unit, and the authentication information generation unit, and the entry / exit terminal includes the storage unit, the communication unit, The authentication instruction means is provided and cooperates with each other.

  In addition, the problems disclosed by the present application and the solutions thereof will be clarified by the embodiments of the present invention and the drawings.

  According to the present invention, it is possible to assign different identification information for each IC tag without constructing a server for managing the identification information or adding a function to the IC tag. As a result, authentication information based on the identification information can be generated efficiently and reliably. In addition, by including the business information stored conventionally in the identification information, it is possible to assign identification information that avoids duplication as much as possible in accordance with the size of the identification information storage area in the IC tag.

--- System configuration ---
Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 1 is a network configuration diagram including an IC tag authentication information generation system 100 according to this embodiment. The IC tag authentication information generation system 100 (hereinafter referred to as the system 100) according to the present embodiment reliably assigns different identification information for each IC tag without constructing a server for managing the identification information or adding a function to the IC tag. It is a computer system that enables
For this reason, the system 100 according to the present embodiment is, as an example, for the ticket issuing terminal 200 (for example, a ticketing terminal installed in a station facility or the like) that issues the IC tag-attached ticket 5 and the IC tag-attached ticket 5. Assume that the terminal 300 is composed of an entry / exit terminal 300 that executes authentication processing (eg, a ticket gate installed at the boundary of an entry / exit management area such as a station premises that needs to be restricted).
In this case, the ticket issuing terminal 200 includes the storage unit 20c, the IC tag input / output device 20b serving as the communication unit, the ticket issuing information acquiring unit 110, the identification information generating unit 111, and the authentication information generating unit 112. The entry / exit terminal 300 includes the storage unit 30c, the IC tag input / output device 30b serving as the communication unit, and the authentication instruction unit 113. The ticket issuing terminal 200 and the entrance / exit terminal 300 cooperate with each other to realize the function of the system 100.

Next, the configuration example of each of the ticket issuing terminal 200 and the entrance / exit terminal 300 will be described. FIG. 2 is a diagram illustrating a hardware configuration of the ticket issuing terminal 200 in the present embodiment. The ticket issuing terminal 200 stores various buttons, an input / output device 20a such as a keyboard, LED, display, etc., an IC tag input / output device 20b (communication means) responsible for communication with the IC tag 10, and a key information 23. The means 20c, the CPU 20d, and the memory 20e are connected by an internal communication line 20h such as a bus.
The ticket issuing terminal 200 stores various programs stored in the storage means 20c such as a nonvolatile memory in the memory 20e so as to realize a function of executing the IC tag authentication information generation method in cooperation with the entry / exit terminal 300. Reading and execution are performed by the CPU 20d which is an arithmetic unit.
The storage means 20c stores an application program that implements the random number generator 25. When a random number value is required, it is called and executed by the CPU 20d to obtain a random number value.

Next, the means that the ticket issuing terminal 200 configures and holds based on various programs will be described. Each means may be provided integrally in one server device or the like, but is distributed and arranged in a computer group (including the server device corresponding to the ticket issuing terminal 200) arranged on the network, and one of the server devices (ticketing terminal 200). An example of collaboration under the leadership of
The ticket issuing terminal 200 includes a program for realizing the ticket issuing information acquiring unit 110 in the storage unit 20c. For example, the ticket issuing information acquisition unit 110 receives designation of ticketing contents (eg, ticket issuing date, boarding section, amount of money, etc.) such as a train ticket by the input / output device 20b (input interface) and acquires it as ticket issuing information.

  The ticket issuing terminal 200 includes a program for realizing the identification information generating unit 111 in the storage unit 20c. The identification information generation means 111 generates identification information A1001 that combines the acquired ticketing information and the random number obtained from the random number generator 25, and the identification information A1001 is attached to the ticket 5 to be ticketed. Stored in the identification information storage unit 17.

  Further, the ticket issuing terminal 200 includes a program for realizing the authentication information generating unit 112 in the storage unit 20c. The authentication information generation unit 112 generates authentication information A1002 from the identification information A1001 and the key information 23 stored in the storage unit 20c, and stores the authentication information A1002 in the authentication information storage unit 18 of the IC tag 10. .

  The ticket issuing information obtaining unit 110 receives designation of the ticket issuing contents by the input / output device 20b (input interface), acquires ticket date / time data from the clock function 24 provided in the ticket issuing terminal 200, and outputs the ticket issuing contents and the ticket issuing information. The ticket issue date and time data may be combined and acquired as the ticket issue information.

  In addition, the ticket issuing information acquisition unit 110 may acquire the ticket issuing information together with the ID of the input / output device 20b or the ticket issuing terminal 200 itself or the data of the installation position as ticket issuing information. Since a plurality of ticket issuing terminals 200 (or input / output devices 20b) installed at a station or the like are often installed at one station, a ticket issuing terminal 200 (or a ticket issuing request from a user who issued a ticket) is accepted. Information that distinguishes the input / output device 20b) from each other, that is, the ID of the ticketing terminal 200 (or the input / output device 20b) is used as ticketing information.

  In addition, the identification information generation unit 111 is a combination of the serial number incremented for each ticket issuance (that is, the ticket number incremented by one every time the ticket is issued) and the ticket issuing information instead of the random number. A1001 may be generated and the identification information A1001 may be stored in the identification information storage unit 17 of the IC tag 10 attached to the ticket 5 to be issued.

  Further, the identification information generating unit 111 generates a hash value by applying the acquired ticket issuing information and a random number to a hash function, and the IC tag 10 attached to the ticket 5 to be issued as the identification information A1001. It may be stored in the identification information storage unit 17. In this case, the ticket issuing terminal 200 stores the hash function application program 26 in the storage means 20c, and calls it when executing the process for obtaining the hash value as described above, and applies the ticket issuing information and the random number. A hash value shall be obtained.

  In addition, the identification information generation unit 111 applies the data obtained by combining the obtained ticket issuing information and a random number as a seed to the pseudo random number generator 27 to obtain a pseudo random number value, and issues the pseudo random value as identification information A1001. It may be stored in the identification information storage unit 17 of the IC tag 10 attached to the target ticket 5. In this case, the ticket issuing terminal 200 stores an application program corresponding to the pseudo random number generator 27 in the storage means 20c, and is called when executing the process for obtaining the pseudo random number value as described above, and the ticket issuing information and A pseudo random number value is obtained by applying a random number.

  Further, the identification information generating means 111 accesses the IC tag 10 by the IC tag input / output device 20b, calculates the storage capacity of the identification information storage unit 17 in the IC tag 10, and accommodates the calculated storage capacity in the calculated storage capacity. Identification information A1001 in which the number of digits is limited to a possible data size may be generated, and the identification information A1001 may be stored in the identification information storage unit 17 of the IC tag 10. In this case, the identification information generating unit 111 executes, for example, a confirmation process of a free area realized by a database or storage management technology, thereby storing the storage capacity (currently in the identification information storage unit 17 of the IC tag 10). Calculation of storage capacity). In generating the identification information A1001, when the number of digits is limited to the data size that can be accommodated in the storage capacity (for example, XX bytes), the identification information generation unit 111 may, for example, issue ticketing information or random numbers. It can be assumed that any one or a combination of the ticketing information and the random number is executed to delete other digits while leaving a predetermined number of digits. Further, for example, it can be assumed that the identification information generating unit 111 executes a process of deleting other digits while leaving a predetermined number of digits of a hash value or pseudorandom value generated as the identification information A1001.

  Similarly, the authentication information generation unit 112 accesses the IC tag 10 by the IC tag input / output device 20b (communication unit), calculates the storage capacity of the authentication information storage unit 18 in the IC tag 10, and calculates the calculation. The authentication information A1002 in which the number of digits is limited to the data size that can be accommodated in the storage capacity may be generated, and the authentication information A1002 may be stored in the authentication information storage unit 18 of the IC tag 10. The calculation processing of the storage capacity and the generation processing of the authentication information A1002 in which the number of digits is limited are the same as those in the generation processing of the identification information A1001 in the identification information generation means 111.

  Next, the entrance / exit terminal 300 will be described. FIG. 3 is a diagram illustrating a hardware configuration of the entry / exit terminal 300 in the present embodiment. The entry / exit terminal 300 includes an output device 30a such as an LED or a display device, an IC tag input / output device 30b (communication means) for communicating with the IC tag 10, a storage means 30c for storing key information 33, and a CPU 30d. And a memory 30e are connected by an internal communication line 30h such as a bus. The entry / exit terminal 300 stores various programs stored in the storage means 20c such as a non-volatile memory in the memory 30e so as to realize the function of executing the IC tag authentication information generation method in cooperation with the ticket issuing terminal 200. Reading and execution are performed by the CPU 30d which is an arithmetic unit.

Next, a description will be given of means configured and held by the entry / exit terminal 300 based on various programs, for example. The means included in the entry / exit terminal 300 may be integrally provided in one server device or the like, but is distributed and arranged in a group of computers (including the server device corresponding to the entry / exit terminal 300) arranged on the network. An example of cooperation under the initiative of the server device (entrance / exit terminal 300) may also be assumed.
The entry / exit terminal 300 includes a program for realizing the authentication instruction unit 113 in the storage unit 30c.

  The authentication instruction means 113 reads the identification information A1001 from the IC tag 10 attached to the ticket 5 by the IC tag input / output device 30b as the communication means, and the key information 33 stored in the identification information A1001 and the storage means 30c. Authentication information A1002a is generated from the above, and an authentication instruction using the authentication information A1002a as a key is transmitted to the IC tag 10 by the IC tag input / output device 30b as the communication means, and the IC tag 10 responds to the authentication instruction. Get the authentication result.

Further, the entrance / exit terminal 300 includes a program for realizing the entrance information generating unit 114 for generating entrance information stored in the entrance information storage unit 19 of the IC tag 10 attached to the ticket 5 in the storage unit 30c.
In addition, the entry / exit terminal 300 includes a program for realizing the entry information generation means 115 for generating the entry information stored in the participation information storage unit 20 of the IC tag 10 attached to the ticket 5 in the storage means 30c.

  In this case, the entrance / exit terminal 300 can be an entrance / exit management gate installed at a ticket gate at a station or the entrance of an event venue. A user who wants to enter the station through the ticket gate carries the ticket 5 (with the IC tag 10 attached) issued in advance at the ticketing terminal 200, and enters the entrance / exit terminal 300. Present. In the entrance / exit terminal 300, the reading operation is performed on the IC tag 10 attached to the presented ticket 5, and the identification information A1001 is read from the identification information storage unit 17 of the IC tag 10. Further, authentication information A1002a is generated from the read identification information A1001 and the key information 33 held in the storage means 30c, and an authentication request for the authentication information A1002a is made to the IC tag 10.

  In the following, assuming that the ticketing information itself is included in the identification information A1001, the hardware configuration of the IC tag 10, the ticketing process, and the entrance / exit process flow are described. On the other hand, if the ticket information itself is not included in the identification information A1001, the ticketing information output unit and the storage unit are added to the hardware configuration of the IC tag 10, and the ticketing information writing step is added to the ticketing process flow. An IC tag authentication information generation method is realized by adding a ticket information reading step to the entrance / exit processing flow. The additional correspondence may be performed by adding a necessary program or adding hardware in the IC tag 10, the ticket issuing terminal 200, or the entrance / exit terminal 300 by a general method.

--- About IC tag ---
Next, the IC tag 10 accessed by the ticket issuing terminal 200 and the entrance / exit terminal 300 constituting the system 100 will be described. FIG. 4 is a diagram illustrating a hardware configuration of the IC tag 10. The IC tag 10 communicates with the ticketing terminal 200 and the entrance / exit terminal 300 to receive input of commands, authentication information A1002, etc., and also outputs the input / output unit 10a for outputting identification information A1001, entrance information, etc. The processing unit 10b that executes various processes such as verification between the authentication information A1002a input from the participation terminal 300 and the authentication information A1002 originally stored in the storage unit 10c, and the IC tag 10 in the ticketing phase, the entrance phase, the participation phase, etc. And a storage unit 10c that stores data set in (2) are connected by an internal communication line 10d.

  Note that the IC tag 10 in the present embodiment may be configured to realize each unit described above and below when the CPU executes a program, or may be configured to realize each unit by hardware. . Further, the shape of the IC tag 10 may be a shape like a credit card as long as it has the above-described components, or a shape like a railroad ticket or a movie theater ticket. For example, it may be in the form of a memory card such as an MMC (MultiMedia Card) or an SD card.

  The IC tag 10 receives commands (commands for writing and reading identification information A1001, authentication information A1002, and A1002a) from the outside such as the ticketing terminal 200 and the entrance / exit terminal 300 via the input / output unit 10a, and the received command Processing is performed according to the contents of, and processing results are returned. The IC tag 10 includes a command analysis unit 12 that analyzes a command, an identification information output unit 13 that outputs identification information A1001 stored in the IC tag 10, authentication information A1002 such as a password of the IC tag 10, and the like. An authentication unit 14 that performs verification with the authentication information A1002a that has received an instruction from the entry / exit terminal 300; an entrance information output unit 15 that outputs the entrance information stored in the IC tag 10 in the entrance process at the entrance / exit terminal 300; And an entry information output unit 16 for outputting entry information stored in an IC tag in the entry process at the entry / exit terminal 300. The IC tag 10 includes an identification information storage unit 17 that stores identification information A1001 of the IC tag 10, and an authentication information storage unit 18 that stores authentication information A1002 generated from the identification information A1001 of the IC tag 10. The admission information storage unit 19 that stores the admission information stored in the IC tag in the admission process, the admission information storage unit 20 that stores the admission information stored in the IC tag in the admission process, and the state authenticated by the authentication unit And an authentication state holding unit 21 for holding.

  Each means in the ticket issuing terminal 200 and the entrance / exit terminal 300 constituting the system 100 described so far may be realized as hardware, or an appropriate storage such as a memory or an HDD (Hard Disk Drive). It may be realized as a program stored in the means. In this case, the CPU of the ticket issuing terminal 200 and the entrance / exit terminal 300 constituting the system 100 reads the corresponding program from the storage means to the memory in accordance with the program execution, and executes it. Similarly, the functional units 11 to 21 included in the IC tag 10 may be realized as hardware or may be realized as a program stored in an appropriate storage unit such as the storage unit 10c.

  In addition, the ticket issuing terminal 200 and the entrance / exit terminal 300 in the present embodiment are connected to devices such as a personal computer (PC), a smartphone, and a portable information device (PDA) with an IC tag reading device connected via an external interface such as a USB. It may be a configuration.

--- Processing flow example 1 ---
Hereinafter, the actual procedure of the IC tag authentication information generation method in the present embodiment will be described with reference to the drawings. Various operations corresponding to the IC tag authentication information generation method described below are realized by programs that are read out and executed by the ticket issuing terminal 200 and the entrance / exit terminal 300 constituting the system 100 in each memory. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below. In addition, each program may be stored in a storage device in advance, or when necessary via another storage medium or communication medium (a digital signal or a carrier wave propagating through the network) that can be used by the apparatus, It may be introduced from another device.
FIG. 5 is a flowchart showing a processing procedure example 1 of the IC tag authentication information generation method of the present embodiment. Here, a general flow of the IC tag authentication information generation method according to the present embodiment will be outlined. This flow means that the ticket issuing terminal 200 executes the ticket issuing process using the ticket 5 attached to the IC tag 10 for which no information is set (S501), and then the identification information and authentication are performed by the ticket issuing process. An entrance process for confirming the validity of the authentication information and the ticket issuing information is executed between the IC tag 10 (information attached to the ticket 5) storing the information and the entrance terminal 300 (S502). An entry process for confirming the validity of the authentication information, the ticket issuing information, and the entry information is executed between the IC tag 10 in which the entry information is stored by the entry process and the entry / exit terminal 300 (S503).

--- Processing flow example 2 ---
Next, the ticketing process in step S501 in the above processing flow example 1 will be described. FIG. 6 is a flowchart showing a processing procedure example 2 of the IC tag authentication information generation method of the present embodiment. First, it is assumed that the user inputs ticketing information stored in the IC tag 10 via the input / output device 20a (eg, touch panel) of the ticketing terminal 200. In this case, the ticket issuing information acquisition unit 110 of the ticket issuing terminal 200 receives and acquires the input of the ticket issuing information (S601). For example, in the case of a railway ticket, the ticket issuing information refers to information such as a valid period start date, a valid period end date, a ticketing station, a ticketing terminal, a ticket type, and an amount. In addition, it is not necessary to input all ticketing information from outside (that is, via the user), and some information is applied using time information, ticketing station information, ticketing terminal information, etc. held inside the ticketing terminal. Also good.

  Next, the identification information generating unit 111 of the ticket issuing terminal 200 generates a random number using the random number generator 25 (S602). Here, instead of a random number, the ticket issuing terminal 200 may generate a serial number that is counted up for each ticket issue. Further, the identification information generating unit 111 generates identification information A1001 from the ticket issuing information obtained from the input / output device 20a and the generated random number (S603). A specific configuration of the identification information A1001 is shown in FIG. Subsequently, the identification information generating unit 111 transmits the identification information A1001 generated in step S603 to the IC tag 10 together with a write instruction (S604). This IC tag 10 is attached to a ticket medium (predetermined shape medium such as paper or resin that is the basis of the ticket 5) that the ticket issuing terminal 200 has conventionally prepared for ticketing. It is what is provided. Further, the ticket medium is stored in a reel or the like, and the ticket medium to be issued is subjected to a feeding operation with the reel or the like every time the ticket is issued so that the identification information generating unit 111 can write the identification information.

On the other hand, the IC tag 10 stores the identification information A1001 received from the ticket issuing terminal 200 in the identification information storage unit 17 (S605). Further, the IC tag 10 transmits a response indicating a processing result related to the storage processing of the identification information A1001 to the ticket issuing terminal 200 (S606).
On the other hand, after receiving the response and recognizing the completion of storing the identification information, the authentication information generating unit 112 of the ticket issuing terminal 200 authenticates using the identification information A1001 and the key information 23 stored in the storage unit 20c. Information A1002 is generated (S607). A specific method for generating the authentication information A1002 is shown in FIG.

  Further, the authentication information generating means 112 of the ticket issuing terminal 200 transmits the authentication information A1002 generated in step S607 to the IC tag 10 together with a write instruction (S608). At this time, the IC tag 10 stores the authentication information A1002 received from the ticket issuing terminal 200 in the authentication information storage unit 18 (S609). Further, the IC tag 10 transmits a response indicating the processing result of the authentication information storage to the ticket issuing terminal 200 (S610). On the other hand, the ticket issuing terminal 200 receives the response from the IC tag 10, recognizes the completion of storing the authentication information by the response, outputs the ticket issuing process result to the input / output device 20a (S611), and ends the process. Of course, the ticket issuing terminal 200 issues an instruction to send the ticket 5 (from the ticket issuing slot) to the reel mechanism or the like that performs the ticket feeding operation in response to the ticket issuing process. Through a series of processes so far, the identification information and the authentication information are written into the IC tag 10, and the ticket 5 including the IC tag 10 is issued.

  The ticket issuing information obtaining unit 110 receives designation of the ticket issuing contents by the input / output device 20b (input interface), acquires ticket date / time data from the clock function 24 provided in the ticket issuing terminal 200, and outputs the ticket issuing contents and the ticket issuing information. The ticket issue date and time data may be combined and acquired as the ticket issue information.

  In addition, the ticket issuing information acquisition unit 110 may acquire the ticket issuing information together with the ID of the input / output device 20b or the ticket issuing terminal 200 itself or the data of the installation position as ticket issuing information. Since a plurality of ticket issuing terminals 200 (or input / output devices 20b) installed at a station or the like are often installed at one station, a ticket issuing terminal 200 (or a ticket issuing request from a user who issued a ticket) is accepted. Information that distinguishes the input / output device 20b) from each other, that is, the ID of the ticketing terminal 200 (or the input / output device 20b) is used as ticketing information.

--- Processing flow example 3 ---
Next, the admission process of step S502 in the process flow example 1 will be described. FIG. 7 is a flowchart showing a processing procedure example 3 of the IC tag authentication information generation method of the present embodiment. Here, it is assumed that the user who has the ticket 5 issued has presented the ticket 5 (with the IC tag 10) to the entrance / exit terminal 300 installed at the ticket gate of the station. Do.

  In this case, the authentication instruction means 113 of the entrance / exit terminal 300 detects the approach of the IC tag 10 attached to the ticket 5 and generates a tag access command for accessing the IC tag 10 (S701). Of course, this tag access command is generated in accordance with a predetermined protocol related to the IC tag 10, and this authentication instruction means 113 can use this protocol (for example, stored in the storage means 30c). Further, the authentication instruction means 113 transmits the tag access command to the IC tag 10 via the IC tag input / output device 30b.

On the other hand, the identification information output unit 103 of the IC tag 10 receives the access command from the entry / exit terminal 300, and acquires the identification information A1001 from the identification information storage unit 17 (S702). Then, the identification information A1001 acquired here is transmitted to the entry / exit terminal 300.
On the other hand, the authentication instruction unit 113 of the entry / exit terminal 300 receives the identification information A1001 from the IC tag 10, and uses the identification information A1001 and the key information 33 stored in the storage unit 30c to authenticate the information A1002a. Is generated (S703). Further, the authentication instruction unit 113 transmits the authentication information A1002a generated here to the IC tag 10 by the IC tag input / output device 30b.

  At this time, the IC tag 10 receives the authentication information A1002a from the entry / exit terminal 300, and compares the authentication information A1002a with the authentication information A1002 stored in the authentication information storage unit 18 of the IC tag 10. Then, an authentication process is performed (S704). When the authentication is successful, the IC tag 10 sets an authenticated flag in the authentication state holding unit 21. At the same time, the IC tag 10 transmits a response indicating that the authentication process is completed to the entry / exit terminal 300.

  The authentication instruction means 113 of the entrance / exit terminal 300 receives the response, that is, the authentication OK data from the IC tag 10, and the validity of the ticket issuing information included in the identification information A1001 read from the IC tag 10 of the ticket 5. Is verified (S705). In this verification process, for example, information such as the ticket type, valid period, ticketing station, valid section, etc. of the ticket 5 included in the ticketing information matches the prescribed information set in the storage means 30c of the entrance / exit terminal 300. It is executed by determining whether or not.

  The authentication instruction unit 113 of the entry / exit terminal 300 determines that the ticket issuing information such as the validity period and the ticketing station does not match the prescribed information set in advance at the entry / exit terminal 300 as a result of the verification in step S705 ( (S705: NG), the subsequent processing is stopped (S706). On the other hand, if the verification instruction means 113 results in the verification, if the ticketing information such as the validity period and the ticketing station coincides with the predefined information preset in the entrance / exit terminal 300 (S705: OK), the ticketing information is As justified, the entrance information is transmitted to the IC tag 10. Here, the entrance information is information generated by the entrance information generating means 114 of the entrance / exit terminal 300. For example, in the case of a railway ticket, it indicates information such as entrance time and entrance station.

On the other hand, the IC tag 10 receives the entrance information from the entrance / exit terminal 300 and verifies the authentication state set in the authentication state holding unit 21 (S707). As a result, if it is determined that the authentication process is incomplete (S707: NG), the IC tag 10 sends an authentication status verification error (that is, an error indicating that the authentication process is incomplete) to the entry / exit terminal 300. ). On the other hand, when it is determined that the authentication process is completed (S707: OK), the entrance information is stored in the entrance information storage unit 19 (S708). Further, the IC tag 10 transmits a response indicating a processing result to the entry / exit terminal 300.
The entrance / exit terminal 300 receives a response from the IC tag 10, and outputs an entrance processing result on the output device 30a based on the response (S709).

--- Processing flow example 4 ---
Next, the participation process in step S503 in the first process flow example will be described. FIG. 8 is a flowchart showing a processing procedure example 4 of the IC tag authentication information generation method of the present embodiment. In this case, first, the authentication instruction unit 113 of the entry / exit terminal 300 generates a tag access command in the same manner as in the above-described processing flow example 3 (S801). Next, this tag access command is transmitted to the IC tag 10.
On the other hand, the identification information output unit 13 of the IC tag 10 acquires the identification information A1001 from the identification information storage unit 17 (S802). Next, the entrance information output unit 15 of the IC tag 10 acquires the entrance information from the entrance information storage unit 19 (S803), and transmits the identification information A1001 and the entrance information to the entrance terminal 300.

Next, the authentication instruction unit 113 of the entry / exit terminal 300 generates authentication information A1002a using the identification information A1001 received from the IC tag 10 and the key information 33 stored in the storage unit 30c (S804). . Next, the authentication instruction unit 113 transmits the authentication information A1002a generated in the step S804 to the IC tag 10.
On the other hand, the IC tag 10 compares the authentication information A1002a received from the entry / exit terminal 300 with the authentication information A1002 stored in the authentication information storage unit 18 of the IC tag 10 and performs an authentication process (S805). ). If the authentication is successful, the IC tag 10 sets an authenticated flag in the authentication state holding unit 21 and transmits a response indicating that the authentication process is completed to the entry / exit terminal 300.

  At this time, the authentication instruction unit 113 of the entry / exit terminal 300 verifies the validity of the ticketing information included in the identification information A1001 received from the IC tag 10 in the same manner as in the above-described processing flow example 3 (S806). As a result, when the information such as the validity period and the ticketing station does not match the prescribed information set in the entry / exit terminal 300 (S806: NG), the subsequent processing is stopped (S807). On the other hand, if they match (S806: OK), the validity of the received admission information is verified assuming that the ticketing information is valid (S808).

  As a result of the verification, if the information such as the entry time and the entry station does not match the specified information set in the entry / exit terminal 300 (S808: NG), the subsequent processing is stopped (S809). On the other hand, if they match (S808: OK), the entry / exit terminal 300 transmits the entry information to the IC tag 10 assuming that the entry information is valid. Here, the participation information is information generated by the participation information generating means 115 of the entry / exit terminal 300. For example, in the case of a railway ticket, the entry information indicates information such as an entry time and an entry station.

  Next, the IC tag 10 verifies the authentication state set in the authentication state holding unit 21 (S810). As a result, when it is determined that the authentication process is not completed (S810: NG), the IC tag 10 transmits an authentication state verification error to the entry / exit terminal 300. On the other hand, when it is determined that the authentication process is completed (S810: OK), the IC tag 10 stores the entry information in the entry information storage unit 20 (S811), and indicates the processing result to the entry / exit terminal 300. Send a response. At this time, the entry / exit terminal 300 outputs an entry processing result to the output device 30a based on the response received from the IC tag 10 (S812).

--- Processing flow example 5 ---
Next, authentication information generation processing will be described. FIG. 9 is a flowchart showing a processing procedure example 5 of the IC tag authentication information generation method of the present embodiment. FIG. 9 is a diagram showing in detail a flow for generating the authentication information A1002 to A1002a shown in S607 of FIG. 6, S703 of FIG. 7, and S804 of FIG. In this case, the authentication information generation means 112 to the authentication instruction means 113 of the entrance / exit terminal 300 uses the key information 23 stored in the storage means or the identification information A1001 generated from the ticket issuing information and the random number or acquired from the IC tag 10. In step S901, cryptographic calculation processing is performed. As a result, the output data string is acquired as authentication information A1002 or A1002a.
Here, the algorithm used in the cryptographic operation processing S901 may be a common key cryptosystem such as AES (Advanced Encryption Standard), a public key cryptosystem such as RSA (Rivest Shamir Adleman), or SHA- A one-way function such as 1 (Secure Hash Algorithm 1) or a keyed one-way function for message authentication such as HMAC (Keyed-Hashing for Message Authentication code) may be used.

--- Identification information structure ---
Next, a structural example of the identification information A1001 will be described. FIG. 10 is a diagram showing a structure example of the identification information A1001. The identification information generating means 111 arranges the ticket issuing information A1003 input at the ticketing terminal 200 at the time of ticketing processing at the head, and then arranges the random number A1004 generated by the random number generator 25 of the ticketing terminal 200 to identify the identification information. A1001 is generated. Note that the hash value of the data shown in FIG. 10 may be used as the identification information A1001, or a pseudo random number may be generated using the data shown in FIG. 10 as a seed, and the data may be used as the identification information A1001.

--- Other examples ---
In addition to the above-described example, for example, an empty storage capacity in the IC tag 10 may be calculated, and identification information with the number of digits corresponding to the size of the storage capacity may be generated. In this case, the identification information generation unit 111 accesses the IC tag 10 by the IC tag input / output device 20b and calculates the storage capacity of the identification information storage unit 17 in the IC tag 10. Further, the identification information A1001 in which the number of digits is limited to the data size that can be accommodated in the storage capacity calculated here is generated, and the identification information A1001 is stored in the identification information storage unit 17 of the IC tag 10.

  Note that the identification information generation unit 111 performs a storage capacity (currently stored in the identification information storage unit 17 of the IC tag 10 by executing, for example, a free space confirmation process realized by a database or storage management technology or the like. Calculation of storage capacity). In generating the identification information A1001, when the number of digits is limited to the data size that can be accommodated in the storage capacity (for example, XX bytes), the identification information generation unit 111 may, for example, issue ticketing information or random numbers. It can be assumed that any one or a combination of the ticketing information and the random number is executed to delete other digits while leaving a predetermined number of digits. Further, for example, it can be assumed that the identification information generating unit 111 executes a process of deleting other digits while leaving a predetermined number of digits of a hash value or pseudorandom value generated as the identification information A1001.

  Similarly, an empty storage capacity in the IC tag 10 may be calculated, and authentication information having a number of digits corresponding to the size of the storage capacity may be generated. In this case, the authentication information generation means 112 accesses the IC tag 10 by the IC tag input / output device 20b and calculates the storage capacity of the authentication information storage unit 18 in the IC tag 10. The authentication information generation unit 112 generates authentication information A1002 in which the number of digits is limited to the data size that can be stored in the storage capacity calculated here, and the authentication information A1002 is stored in the authentication information storage unit 18 of the IC tag 10. Will be stored. The calculation processing of the storage capacity and the generation processing of the authentication information A1002 in which the number of digits is limited are the same as those in the generation processing of the identification information A1001 in the identification information generation means 111.

  As described above, according to the present embodiment, it is possible to assign different identification information for each IC tag without constructing a server for managing the identification information or adding a function to the IC tag. As a result, authentication information based on the identification information can be generated efficiently and reliably. In addition, by including conventionally stored business information in the identification information, it is possible to perform identification information allocation processing that avoids duplication as much as possible in accordance with the size of the identification information storage area in the IC tag.

  As mentioned above, although embodiment of this invention was described concretely based on the embodiment, it is not limited to this and can be variously changed in the range which does not deviate from the summary.

It is a network block diagram including the IC tag authentication information generation system in this embodiment. It is a figure which shows the hardware constitutions of the ticket issuing terminal of this embodiment. It is a figure which shows the hardware constitutions of the entrance / exit terminal of this embodiment. It is a figure which shows the hardware constitutions of the IC tag of this embodiment. It is a flowchart which shows process sequence example 1 of the IC tag authentication information generation method of this embodiment. It is a flowchart which shows process sequence example 2 of the IC tag authentication information generation method of this embodiment. It is a flowchart which shows process sequence example 3 of the IC tag authentication information generation method of this embodiment. It is a flowchart which shows process sequence example 4 of the IC tag authentication information generation method of this embodiment. It is a flowchart which shows process sequence example 5 of the IC tag authentication information generation method of this embodiment. It is a figure which shows the structural example of the identification information in this embodiment.

Explanation of symbols

5 tickets 10 IC tag 17 Identification information storage unit 18 Authentication information storage unit 100 IC tag authentication information generation system 20c, 30c Storage means 20e, 30e Memory 20d, 3-d CPU
20a I / O device 20b IC tag I / O device (communication means)
110 Ticketing Information Acquisition Unit 111 Identification Information Generation Unit 112 Authentication Information Generation Unit 113 Authentication Instruction Unit 114 Entrance Information Generation Unit 115 Entrance Information Generation Unit 200 Ticketing Terminal 300 Entrance Terminal A1001 Identification Information A1002 Authentication Information (Those Holding IC Tags)
A1002a Authentication information (received authentication instruction from entry / exit terminal)

Claims (10)

Storage means for storing key information;
A communication means for communicating with the IC tag;
Ticketing information acquisition means for receiving designation of ticketing content at the input interface and acquiring it as ticketing information;
Identification information generating means for generating identification information obtained by combining the acquired ticket issuing information and a random number obtained from a random number generator, and storing the identification information in an identification information storage unit of an IC tag attached to the ticket to be issued;
Authentication information generating means for generating authentication information from the identification information and key information stored in the storage means and storing the authentication information in an authentication information storage section of the IC tag;
An IC tag authentication information generation system comprising:   The ticket issuing information acquisition means accepts the specification of the ticket issuing contents through an input interface, acquires the ticket issuing date / time data from the clock function provided in the IC tag authentication information generation system, and combines the ticket issuing contents and the ticket issuing date / time data. The IC tag authentication information generation system according to claim 1, wherein the IC tag authentication information generation system is acquired as the ticket issuing information.   2. The IC tag authentication information generation according to claim 1, wherein the ticket issuing information acquisition unit acquires the ticket issuing contents together with the ID of the input interface or the data of the installation position as ticket issuing information. system.   The identification information generating means generates identification information combining a serial number incremented for each ticket issue and the ticket issue information instead of the random number, and identifies the IC tag attached to the ticket to be issued The IC tag authentication information generation system according to any one of claims 1 to 3, wherein the IC tag authentication information generation system is stored in an information storage unit.   The identification information generating means generates a hash value by applying the acquired ticket issuing information and a random number to a hash function, and uses the hash value as identification information in an identification information storage unit of an IC tag attached to a ticket to be issued. The IC tag authentication information generation system according to claim 1, wherein the IC tag authentication information generation system is stored.   The identification information generating means obtains a pseudo random number value by applying to the pseudo random number generator using the data obtained by combining the acquired ticket issuing information and a random number as a seed, and attaches the pseudo random value as identification information to the ticket to be issued. The IC tag authentication information generation system according to any one of claims 1 to 5, wherein the IC tag authentication information generation system is stored in an identification information storage unit of an IC tag.   The identification information generation means accesses the IC tag by the communication means, calculates the storage capacity of the identification information storage unit in the IC tag, and limits the number of digits to the data size that can be accommodated in the calculated storage capacity. 7. The IC tag authentication information generation system according to claim 1, wherein the identification information is generated and the identification information is stored in an identification information storage unit of the IC tag.   The authentication information generating means calculates the storage capacity of the authentication information storage unit in the IC tag by accessing the IC tag by the communication means, and limits the number of digits to the data size that can be accommodated in the calculated storage capacity. 8. The IC tag authentication information generation system according to claim 1, wherein authentication information is generated and the authentication information is stored in an authentication information storage unit of the IC tag.   The communication means reads identification information from an IC tag attached to the ticket, generates authentication information from the identification information and key information stored in the storage means, and issues an authentication instruction using the authentication information as a key. The IC tag authentication according to any one of claims 1 to 8, further comprising an authentication instruction unit that transmits to the IC tag by a communication unit and acquires an authentication result corresponding to the authentication instruction from the IC tag. Information generation system. Computer
Comprising storage means for storing key information and communication means for communicating with the IC tag,
Generates identification information that combines the process of receiving ticketing content specification via the input interface and acquires it as ticketing information, and the acquired ticketing information and a random number obtained from a random number generator, and uses the identification information as a ticket to be ticketed. Processing to store in the identification information storage unit of the accompanying IC tag,
Processing for generating authentication information from the identification information and the key information stored in the storage means and storing the authentication information in the authentication information storage unit of the IC tag;
An IC tag authentication information generation method characterized in that:

Images