JP5488659B2 - Electronic device and program - Google Patents

Description

The present invention relates to an electronic device and a program.

  In recent years, a terminal device including a SAM (Secure Application Module) having tamper resistance that ensures confidentiality of a password or the like is known. For example, a technique for configuring a SAM as a module that can be attached to and detached from a main body of a terminal device is known (see, for example, Patent Document 1).

  A settlement system using SAM is also known. The operation of the payment system 100 will be described with reference to FIG. FIGS. 16A and 16B show a payment system 100 including an electronic device 101 having a SAM 103 and a terminal device 104, and a center server 102. FIG.

  The SAM 103 and the center server 102 each have an authentication key 105. The authentication key 105 refers to an encryption key for encryption or decryption used for authentication. Authentication means that the center server 102 permits the terminal device 104 to use data held by the SAM 103. Authentication is performed using the authentication key 105 possessed by the SAM 103 and the authentication key 105 possessed by the center server 102. When the authentication is obtained (authentication OK), the terminal device 104 can use the data (for example, another key 106) included in the SAM 103. Thereby, for example, settlement processing or the like can be performed using another key 106 included in the SAM 103 (see FIG. 16A).

JP 2003-16527 A

However, in the above technique, it takes time and effort to authenticate with the center server when the electronic device recovers from the failure.
For example, it is assumed that a power failure due to a lightning strike occurs in the electronic device 101 during the settlement process using another key 106 of the SAM 103 after authentication. Here, the SAM 103 and the terminal device 104 are supplied with power from a power supply unit (not shown) of the electronic device 101 in conjunction with each other. For this reason, when a power failure occurs in the electronic device 101, the power supply to the SAM 103 is cut off. Then, the SAM 103 forgets the authentication state with the center server 102 (the state in which the center server 102 allows the terminal device 104 to use the data of the SAM 103). When the SAM 103 forgets the authentication state with the center server 102, the other keys 106 cannot be used (see FIG. 16B). For this reason, when recovering from a power outage (failure), it is necessary to communicate with the center server 102 (authentication apparatus) again for authentication.

  An object of the present invention is to eliminate the trouble of performing authentication when returning from a failure.

The invention according to claim 1 is an electronic device connected to the terminal device, wherein the storage device stores authentication information and data, and the terminal device permits authentication via the authentication device based on the authentication information. A determination means for determining whether or not the data can be used in the terminal device, and the data stored in the storage means when the determination means enables the data. And the first control means for storing the permission information indicating the use permission in the electronic device and storing the permission information in the terminal device, and the recovery after the occurrence of the failure in the terminal device Sometimes, the comparing means for comparing the permission information stored in the terminal device with the permission information stored in the electronic device, and the data stored in the storage means based on the comparison result in the comparing means On the terminal device A second control means for controlling whether the accessible, characterized by comprising a.

  According to the present invention, it is possible to eliminate the trouble of performing authentication when returning from a failure.

It is the schematic which shows the payment system which concerns on this invention. It is a block diagram which shows the internal structure of SAM. It is a block diagram which shows the internal structure of a terminal device. It is a block diagram which shows the internal structure of a center server. It is a flowchart which shows a 1st terminal management process, 1st information processing, and 1st SAM use permission process. 6 is a flowchart showing a continuation of the first terminal management process, the first information process, and the first SAM use permission process of FIG. 5. It is a flowchart which shows 2nd information processing and 1st authentication token comparison processing. It is a flowchart which shows a 2nd terminal management process, a 3rd information processing, and a 2nd SAM use permission process. 10 is a flowchart showing a continuation of the second terminal management process, the third information process, and the second SAM use permission process of FIG. 8. It is a flowchart which shows 4th information processing and 2nd authentication token comparison processing. It is a block diagram which shows the structure of a payment system. It is a block diagram which shows the internal structure of a time server. It is a flowchart which shows a 5th information processing and a 3rd authentication token comparison process. It is a flowchart which shows a time information transmission process, a 6th information processing, and a 4th authentication token comparison process. It is a flowchart which shows a continuation of a time information transmission process, a 6th information processing, and a 4th authentication token comparison process. 1 is a block diagram showing a payment system 100. FIG.

  DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, a first embodiment, a second embodiment, a third embodiment, and a fourth embodiment according to the present invention will be described in detail with reference to the accompanying drawings. The present invention is not limited to the illustrated example.

(First embodiment)
A first embodiment according to the present invention will be described with reference to FIGS. First, the apparatus configuration of the present embodiment will be described with reference to FIGS. FIG. 1 shows the configuration of the payment system 1 of the present embodiment.

  As shown in FIG. 1, the payment system 1 includes a SAM 10 as an electronic device, a terminal device 30 as an electronic device, and a center server 40 as an authentication device. The center server 40 is communicatively connected to the terminal device 30 via the communication network N. The terminal device 30 is communicatively connected to the SAM 10.

  In the payment system 1, for example, the terminal device 30 and the SAM 10 are installed in a store or the like, and are managed by a center server 40 such as a card company. When a customer makes a payment for product purchase using an IC (Integrated Circuit) card such as a credit card having card information, the terminal device 30 reads the information on the IC card and transmits it to the center server 40. The center server 40 performs settlement processing after the IC card authentication. In the present embodiment, authentication of the terminal device 30 and the SAM 10 is performed, and when the terminal device 30 and the SAM 10 are valid, settlement processing including IC card authentication and the like is performed.

  The SAM 10 is a tamper-resistant module that detects an abnormal state where a third party reads or changes the data stored therein, and automatically stores the stored data when an abnormality is detected. to erase. The SAM 10 may be configured to stop the operation of the SAM 10 itself when an abnormality is detected.

  The communication network N is, for example, a WAN (Wide Area Network), but may be a communication network such as a LAN (Local Area Network), such as a telephone line, a dedicated line, a mobile communication network, a communication satellite network, a CATV (Cable Television). ) Lines, Internet providers, etc. may be included.

  Next, the internal configuration of the SAM 10 will be described. FIG. 2 shows the internal configuration of the SAM 10. As shown in FIG. 2, the SAM 10 includes a generation unit, a first control unit, an encryption unit, a CPU (Central Processing Unit) 11 as an update unit, a cryptographic operation unit 12, and a RAM (Random Access Memory) 13. , An abnormality detection unit 14, a ROM (Read Only Memory) 15, a communication unit 16 as a communication unit, and an EEPROM (Electrically Erasable Programmable Read Only Memory) 17 as a first storage unit. Are connected via a bus 18.

  The CPU 11 centrally controls each part of the SAM 10. The CPU 11 develops a program designated from the system program and various application programs stored in the ROM 15 and the EEPROM 17 in the RAM 13 and executes various processes in cooperation with the program expanded in the RAM 13.

  When the CPU 11 receives an operation OK signal as authentication permission information from the center server 40 via the communication unit 36 and the communication unit 16 of the terminal device 30 in cooperation with the first SAM use permission program, the authentication success information Generate an authentication token as. The authentication token refers to information indicating that the authentication with the center server 40 is successful. In the present embodiment, the authentication token is generated by a random number.

The CPU 11 stores the authentication token stored in the RAM 33 and the EEPROM 17 when the authentication token is stored in the RAM 33 of the terminal device 30 when the CPU 11 recovers from the failure in cooperation with the first authentication token comparison program. It is verified whether the authentication token matches, and if it matches, the authentication state with the center server 40 is continued.
The failure means, for example, a state in which a power failure occurs due to a lightning strike and power supply to the SAM 10 and the terminal device 30 is interrupted from a power supply unit (not shown). The authentication state means a state where the center server 40 permits the terminal device 30 to use the data of the SAM 10.

  The CPU 11 destroys (deletes) information stored in the RAM 13 and the EEPROM 17 when an abnormality is detected by the abnormality detection unit 14. Further, the CPU 11 uses the key stored in the EEPROM 17 to encrypt or decrypt information by the cryptographic operation unit 12.

  The cryptographic operation unit 12 encrypts various types of information and decrypts the various types of encrypted information using a key stored in the EEPROM 17 according to an instruction from the CPU 31.

  The RAM 13 is a volatile memory, has a work area for storing various programs to be executed and data related to these various programs, and temporarily stores the information.

  The abnormality detection unit 14 includes, for example, at least one of a voltage sensor, a temperature sensor, an optical sensor, and the like, and an abnormal voltage when a third party tries to read or change the data of the SAM 10 regardless of good or bad intentions, An abnormal temperature, an abnormal light amount, etc. are detected, and a detection signal indicating the abnormality is output to the CPU 11.

  The ROM 15 stores data that does not require rewriting in advance. For example, a system program of SAM10.

  The communication unit 16 includes a communication control unit, and communicates with the terminal device 30 in a wired or wireless manner to transmit and receive information.

  The EEPROM 17 is a non-volatile memory that stores various programs and various data in a readable or writable manner.

  The EEPROM 17 stores a first SAM use permission program, a first authentication token comparison program, an authentication token, a key, and a terminal ID. The key stores a plurality of keys. For example, the center server 40 is a key for authenticating the terminal device 30 and is unique to each electronic device (key T1), and a key for encrypting or decrypting data in the terminal device 30 (key D1). ) And a key (key R) for the card reader 38 to authenticate the terminal device 30 is stored. The terminal ID is unique identification information for each electronic device. Further, the first SAM usage program and the first authentication token comparison program may be stored in the ROM 15.

  Each key is encrypted and decrypted by using corresponding keys. For example, when information is encrypted using a certain key, the encrypted information can be decrypted by using a key corresponding to the key. In the present embodiment, description will be made assuming that encryption and decryption are performed using a common common key scheme in which the key to be encrypted and the key to be decrypted are the same. However, encryption and decryption may be performed using a public key method, a session key method, or the like. In the public key method, a pair of a public key and a secret key is a corresponding key.

  Next, the configuration of the terminal device 30 will be described. FIG. 3 shows an internal configuration of the terminal device 30. As shown in FIG. 3, the terminal device 30 includes a CPU 31, an input unit 32, a RAM 33 as a second storage unit, a backup battery 33A, a display unit 34, a flash memory 35, and a communication unit as a communication unit. 36, a connection unit 37, a card reader 38, a connection unit 39, and a time measuring unit 39a, each of which is connected via a bus 39b.

  The CPU 31, RAM 33, and flash memory 35 are the same as the configurations of the CPU 11, RAM 13, and EEPROM 17 of the SAM 10, and different portions will be mainly described.

  The CPU 31 stores the authentication token in the RAM 33 in cooperation with the first information program. Further, the CPU 31 determines whether or not an authentication token is stored in the RAM 33 of the terminal device 30 when the CPU 31 recovers from the failure in cooperation with the second information program.

  The input unit 32 includes a keypad having numeric input keys and various function keys, and outputs an operation signal indicating that each key has been pressed by the operator to the CPU 31.

  The RAM 33 stores an authentication token. The RAM 33 is non-volatile during the backup time. Here, the backup time refers to, for example, a time during which power can be supplied to the RAM 33 by the backup battery 33A when the terminal device 30 is powered off. During the backup time, the RAM 33 is non-volatile even when the terminal device 30 is powered off. The RAM 33 may be configured to use a non-volatile memory such as a flash memory.

  The backup battery 33A is a backup battery that supplies power to the RAM 33 during the backup time.

  The display unit 34 is configured by an LCD (Liquid Crystal Display) or the like, and performs screen display according to a display signal from the CPU 31. Further, the input unit 32 may constitute a touch panel integrally with the display unit 34.

  The flash memory 35 is a non-volatile memory that stores various programs and various data in a readable and writable manner. The flash memory 35 stores a first information program, a second information program, and encrypted data d1 encrypted with the key D1. The encrypted data d1 is, for example, card discrimination data used for payment processing. The card discrimination data is information for discriminating the function of the IC card 60, or including a list of card information of the IC card, and determining an IC card that cannot be used.

  The communication unit 36 includes a communication control unit, and transmits / receives information to / from the center server 40 via the communication network N.

  The connection unit 37 includes a socket and the like, is connected to the SAM 10, and transmits / receives information to / from the connected SAM 10 according to an instruction from the CPU 31.

  The card reader 38 includes a CPU, RAM, ROM, flash memory, connection unit, and the like (not shown). In the card reader 38, various processes are executed in cooperation with the CPU and the program read from the ROM and expanded in the RAM. The connection unit reads information on the connected IC card 60. In the card reader 38, a key R, which will be described later, is stored in the flash memory. The CPU encrypts information read from the IC card 60 using the key R, and the encrypted information is transmitted via the terminal device 30. To SAM10.

  The IC card 60 is a card as a payment recording medium possessed by each customer. The IC card 60 is a contact type or non-contact type card, and includes an IC chip that stores unique card information in each IC card. As a recording medium for settlement, instead of the IC card 60, another recording medium such as a magnetic card or a biometric card may be used.

  The connection unit 39 is composed of a socket or the like, to which a memory card 70 is connected, and in accordance with instructions from the CPU 31, various information recorded in the connected memory card 70 is read and information is written.

  The timer unit 39a counts signals input from an oscillation circuit unit (not shown) to obtain the current time. Then, the current time is output to the CPU 31.

  Next, the internal configuration of the center server 40 will be described. FIG. 4 shows the internal configuration of the center server 40. As shown in FIG. 4, the center server 40 includes a CPU 41 as a second control unit, an input unit 42, a RAM 43, a display unit 44, a storage unit 45, and a communication unit 46 as an authentication device side communication unit. And a time measuring unit 47, and each unit is connected via a bus 48.

  The CPU 41, the RAM 43, and the timing unit 47 are the same as the configurations of the CPU 11, the RAM 13, and the timing unit 39a of the SAM 10, and different portions will be mainly described.

  The CPU 41 receives the encrypted terminal ID and the terminal ID from the terminal device 30 in cooperation with the first terminal management program, and decrypts the encrypted terminal ID with the key T1. Then, the CPU 41 determines whether or not the decrypted terminal ID and the received terminal ID match and the permission information is permission. If the terminal ID matches and the permission information is permission, the authentication permission information (operation OK signal) is encrypted with the key T 1 and transmitted to the terminal device 30.

  The input unit 42 includes a keyboard having cursor keys, characters, numeric input keys, various function keys, and the like, and outputs an operation signal when each key is pressed by the operator to the CPU 41. The input unit 42 may include a pointing device such as a mouse, and may receive a position input signal and output it to the CPU 41.

  The display unit 44 is composed of an LCD, a CRT (Cathode Ray Tube) or the like, and performs screen display according to a display signal from the CPU 41.

  The storage unit 45 is configured by an HDD (Hard Disk Drive) having a magnetic storage medium, and stores various programs and various data so that they can be read and written from the recording medium.

  In addition, the storage unit 45 stores a first terminal management program, a key T1, and an authentication table (not shown). The authentication table has a login ID, a terminal ID, key information, and permission information. The login ID is a unique login ID for each electronic device. The terminal ID is a unique terminal ID for each electronic device. The key information is information that specifies an authentication key for each electronic device. The permission information is information indicating whether or not the operation of the electronic device is permitted.

  The communication unit 46 includes a modem, a TA (Terminal Adapter), a router, a network card, and the like, and transmits / receives information to / from an external device such as the terminal device 30 on the connected communication network N.

  Next, the operation of the payment system 1 will be described with reference to FIGS. FIG. 5 shows a flow of the first terminal management process, the first information process, and the first SAM use permission process. FIG. 6 shows the subsequent flow of the first terminal management process, the first information process, and the first SAM use permission process of FIG. In addition, a login process from the terminal device 30 to the center server 40 using the login ID is performed before each process is executed, but the description thereof is omitted.

  A first terminal management process executed by the center server 40 will be described. In the center server 40, for example, when the reception of the encrypted terminal ID and the terminal ID from the terminal device 30 is started via the communication unit 46, the data is read from the storage unit 45 and expanded in the RAM 43 as appropriate. The first terminal management process is executed in cooperation with the first terminal management program and the CPU 11.

  First, in step S <b> 11, the encrypted terminal ID and the terminal ID are received from the terminal device 30 via the communication unit 46, and an authentication table (not shown) is read from the storage unit 45. Then, the authentication table is referred to, the key corresponding to the received terminal ID is specified, and the specified key (key T1) is read from the storage unit 45. Then, the encrypted terminal ID is decrypted using the read key T1 (step S11).

  Then, the decrypted terminal ID and the received terminal ID are compared, and it is determined whether or not the decryption in step S11 is OK depending on whether or not they are the same (step S12). If it is decryption OK (step S12; YES), it is determined whether or not the permission information of the corresponding terminal ID is permission by referring to the authentication table (step S13).

  If permitted (step S13; YES), an operation OK signal indicating electronic device operation OK (authentication permission) is generated, and a key (key T1) corresponding to the terminal (terminal device 30) of the operation OK is used. The operation OK signal (authentication permission signal which is information for permitting authentication) is encrypted and transmitted as an encrypted OK signal to the terminal device 30 via the communication unit 46 (step S14), and the first terminal management process is performed. finish.

  If the decryption is not OK (step S12; NO), or if it is not permitted (step S13; NO), a reject signal indicating that the electronic device operation is rejected (authentication reject) is generated, and the terminal rejects the operation (terminal device 30). ) Is rejected using the key (key T1) corresponding to), and is transmitted as an encryption rejection signal to the terminal device 30 via the communication unit 46 (step S15), and the first terminal management process ends. . The refusal information is a signal indicating that the terminal device 30 is refrained from an operation involving the use of the SAM 10 data.

  Next, the first information processing executed by the terminal device 30 will be described. In the terminal device 30, for example, the first information processing is executed by the cooperation of the CPU 31 and the first information program read from the flash memory 35 and appropriately expanded in the RAM 33 with the power-on as a trigger. Is done.

  First, in step S21, a request for a terminal ID is transmitted to the SAM 10 via the connection unit 37, and the terminal ID is received from the SAM 10 (step S21). Then, the received terminal ID is transmitted (transmitted) to the SAM 10 for encryption via the connection unit 37, and the encrypted terminal ID is received from the SAM 10 (step S22). And corresponding to step S11, terminal ID and encryption terminal ID are transmitted to the center server 40 via the communication part 36 (step S23).

  Corresponding to step S14 or S15, an encrypted OK signal or an encryption refusal signal is received from the center server 40 via the communication unit 36, and an encrypted OK signal or encrypted via the connection unit 37. A rejection signal is transmitted to the SAM 10 (step S24).

  Corresponding to step S38, an authentication token is received from the SAM 10 via the connection unit 37, and the authentication token is stored (stored) in the RAM 33 (step S25).

  Then, at least one of the desired program and data stored in the flash memory 35 and the card reader 38 and encrypted with the key stored in the SAM 10 is read out, and the encrypted program and At least one of the data is transmitted to the SAM 10, and the decrypted program and data are received from the SAM 10 (step S26). Various processes are executed using the decrypted program and data (step S27).

  In steps S26 and S27, for example, card information read from the IC card 60 by the card reader 38 is encrypted with the key R and transmitted to the terminal device 30. Then, password information such as a password is input at the input unit 32. In the terminal device 30, the card information encrypted with the key R is transmitted to the SAM 10. The card information is decrypted with the key R by the SAM 10 and transmitted to the terminal device 30. In step S27, the decrypted card information and the password are transmitted to the SAM 10 and encrypted with the key T1.

  Further, in steps S26 and S27, for example, the encrypted data d1 of card information that is not used and is stored in the flash memory 35 is transmitted to the SAM 10. The SAM 10 decrypts the encrypted data d1 with the key D1, and using the decrypted data, it is determined whether the card information decrypted with the key R is unused or not. In some cases, settlement of the IC card 60 is prohibited.

  After execution of step S27, the authentication token is deleted from the RAM 33 (step S28). In order to protect security, at least one of the decrypted program and data is erased (step S29), and the first information processing ends.

  Next, the first SAM use permission process executed by the SAM 10 will be described. In the SAM 10, for example, corresponding to step S21, the first read out from the EEPROM 17 and appropriately expanded in the RAM 13 is triggered by the start of reception of the terminal ID request from the terminal device 30 via the communication unit 16. The first SAM use permission process is executed in cooperation with the SAM use permission program and the CPU 11.

  First, a terminal ID request is received from the terminal device 30 via the communication unit 16, and the terminal ID is read from the EEPROM 17 and transmitted to the terminal device 30 (step S31). Corresponding to step S22, the terminal ID is received from the terminal device 30 via the communication unit 16, the key for authenticating the terminal device 30 (key T1) is read from the EEPROM 17, and the key from which the terminal ID is read. Is encrypted via the cryptographic operation unit 12 and transmitted to the terminal device 30 as an encrypted terminal ID (step S32).

  Corresponding to step S24, the encrypted OK signal or the encryption refusal signal is received from the terminal device 30 through the communication unit 16, and is decrypted through the cryptographic operation unit 12 with the key (key T1). (Step S33). Then, whether or not the operation of the terminal device 30 is OK is determined based on whether or not the signal decoded in step S33 is an OK signal (step S34). When the operation of the terminal device 30 is OK (step S34; YES), the data of the SAM 10 is set to use permission (step S35). A signal indicating permission to use data of the SAM 10 may be transmitted to the terminal device 30.

  Then, a random number is generated, and the generated random number is set as an authentication token (step S36). After execution of step S36, the authentication token is stored (stored) in the EEPROM 17 (step S37). Then, the authentication token is output (transmitted) to the terminal device 30 via the communication unit 16 (step S38).

  Corresponding to step S26, at least one of the encrypted program and data is received from the terminal device 30 via the communication unit 16, and the key R or the key D1 is read from the EEPROM 17. Then, at least one of the encrypted program and data is decrypted with the key (key R or key D1) via the cryptographic operation unit 12 and transmitted to the terminal device 30 (step S39). After execution of step S39, the authentication token is deleted from the EEPROM 17 (step S40), and the first SAM use permission process ends.

  If the signal decoded in step S33 is a refusal signal or decoding fails and the operation of the terminal device 30 is not OK (step S34; NO), data use prohibition of the SAM 10 is set (step S41). 1 SAM use permission processing ends. The signal indicating that the use of the SAM 10 data is not permitted may be transmitted to the terminal device 30.

  Since the keys D1 and R cannot be used when the center server 40 has not given permission, the CPU 31 of the terminal device 30 cannot perform an operation using the keys D1 and R. For this reason, even if an attempt is made to steal a number such as a credit card from the terminal device 30 with malicious intent, the terminal device 30 does not operate and can be protected from malicious intent.

  Next, the operation of the payment system 1 when returning from a failure will be described with reference to FIG. FIG. 7 shows the flow of the second information processing and the first authentication token comparison process.

  The second information processing executed by the terminal device 30 will be described. For example, in step S25 of the first information processing, after the authentication token is stored in the RAM 33, the power supply to the SAM 10 and the terminal device 30 is interrupted due to a power failure or the like, and the power supply is restored after a predetermined time has elapsed. To do. In this case, the second information processing is executed in cooperation with the CPU 31 and the second information program read from the flash memory 35 and appropriately developed in the RAM 33, triggered by the power return.

  First, it is determined whether or not the authentication token is stored (remaining) in the RAM 33 (step S51). When it is determined that no authentication token remains (step S51; NO), the process proceeds to normal processing (step S52). When it is determined that the authentication token remains (step S51; YES), the authentication token is sent to the SAM 10 via the connection unit 37 (step S53).

  Corresponding to step S67, an authentication token is received from the SAM 10 via the connection unit 37, and the received authentication token is stored (stored) in the RAM 33 (step S54).

  Steps S55 to S58 are the same as steps S26 to S29 of the first information processing. After the execution of step S58, the second information processing ends.

  Next, a first authentication token comparison process executed by the SAM 10 will be described. For example, corresponding to step S53, the first authentication token comparison program read from the EEPROM 17 and appropriately expanded in the RAM 13 triggered by the start of reception of the authentication token from the terminal device 30 via the communication unit 16 The first authentication token comparison process is executed in cooperation with the CPU 11.

  First, an authentication token is received from the terminal device 30 via the communication unit 16, the authentication token is read from the EEPROM 17, and the received authentication token is compared with the authentication token read from the EEPROM 17 (step S61). . The comparison is performed based on whether the random numbers match.

  Then, whether or not the comparison is OK is determined based on whether or not the received authentication token is the same as the authentication token read from the EEPROM 17 (step S62). If the comparison is OK (step S62; YES), the process proceeds to step S63. If the comparison is not OK (step S62; NO), the process proceeds to step S64. Step S63 and step S64 are the same as step S35 and step S41 of the first SAM use permission process, respectively.

  After execution of step S63, a new random number is generated, and the generated random number is set as an authentication token to update the authentication token (step S65).

  Steps S66 to S69 are the same as steps S37 to S40 of the first SAM use permission process. After execution of step S69, the authentication token comparison process ends.

  As described above, according to the present embodiment, when the authentication token stored in the EEPROM 17 matches the authentication token stored in the RAM 33 when returning from the failure, the authentication state with the center server 40 is continued. As a result, it is possible to eliminate the trouble of performing authentication when returning from a failure. For example, when the electronic device (SAM 10 and terminal device 30) recovers from a power supply unstable state due to noise or the like, or when the electronic device (SAM 10 and terminal device 30) recovers after battery replacement due to battery life, it eliminates the trouble of performing authentication with the center server 40 again. Can do. In addition, since it is not necessary to perform authentication with the center server 40, it is not necessary to consider the problem of communication interruption with the center server 40.

  Also, the authentication token is updated to an authentication token using a new random number. As a result, the old authentication token cannot be reused, and the vulnerability of the authentication token can be avoided.

  Conventionally, if a failure occurs when authentication is performed with a password that only the administrator knows, re-authentication cannot be performed unless the administrator is at the site. However, according to the configuration of the present invention, it is not necessary to perform re-authentication, and therefore it is possible to prevent the function of processing (for example, settlement processing) from being stopped due to the absence of an administrator.

  Further, since the authentication state is continued by comparing the authentication tokens stored in the non-volatile memory (RAM 33, EEPROM 17), for example, even if a power failure occurs, the processing of the electronic device can be continued.

(Second Embodiment)
A second embodiment according to the present invention will be described with reference to FIGS. The apparatus configuration of the present embodiment is the same as that of the first embodiment, and the same reference numerals are given to the same parts, and the detailed description thereof is used. Hereinafter, different parts will be described.

  The CPU 11 receives the authentication time information from the center server 40 together with the operation OK signal via the communication unit 36 and the communication unit 16 of the terminal device 30 in cooperation with the second SAM use permission program. An authentication token is generated including the authentication time information. The authentication time information is information indicating the time when authentication is permitted. In the present embodiment, the authentication time information corresponds to the center server time information. The center server time information is time information timed by the time measuring unit 47.

  In addition, the CPU 11 cooperates with the second authentication token comparison program to calculate a difference time between the terminal device time information as the first time information timed by the time measuring unit 39a and the authentication time information included in the authentication token. calculate. Then, the CPU 11 verifies whether or not the calculated difference time is within a predetermined time, and is within the predetermined time, and the authentication token stored in the EEPROM 17 and the authentication token stored in the RAM 33 If they match, the authentication state with the center server 40 is continued.

  The EEPROM 17 stores a second SAM use permission program and a second authentication token comparison program. The flash memory 35 stores a third information program and a fourth information program. The storage unit 45 stores a second terminal management program.

  The operation of the payment system 1 will be described with reference to FIGS. FIG. 8 shows a flow of the second terminal management process, the third information process, and the second SAM use permission process. FIG. 9 shows a continuation of the flow of the second terminal management process, the third information process, and the second SAM use permission process.

  The second terminal management process executed by the center server 40 will be described. For example, when the reception of the encrypted terminal ID and the terminal ID from the terminal device 30 is triggered via the communication unit 46, the second read out from the storage unit 45 and appropriately expanded in the RAM 43 In cooperation with the terminal management program and the CPU 41, the second terminal management program is executed.

  Steps S71 to S73 are the same as steps S11 to S13 of the first terminal management process. In step S73, when it is determined that it is permitted (step S73; YES), the encrypted OK signal and the center server time information are transmitted to the terminal device 30 via the communication unit 46 (step S74). After execution of step S74, the second terminal management process ends.

  Step S75 is the same as step S15 of the first terminal management process. After execution of step S75, the second terminal management process ends.

  Next, the third information processing executed by the terminal device 30 will be described. In the terminal device 30, for example, the third information processing is executed in cooperation with the CPU 11 and the third information program read from the flash memory 35 and appropriately expanded in the RAM 33 with the power-on as a trigger. Is done.

  First, terminal device time information is sent to the SAM 10 via the connection unit 37 (step S81). The terminal device time information is time information timed by the time measuring unit 39a. Steps S82 to S84 are the same as steps S21 to S23 of the first information processing.

  After execution of step S84, the encrypted signal (encrypted OK signal or encryption refusal signal) and center server time information are received from the center server 40 via the connection unit 37, and the encrypted signal and The center server time information is sent to the SAM 10 (step S85).

  Then, corresponding to step S107, SAM time information is received from the SAM 10 via the connection unit 37, and the terminal device time information is calibrated to the received SAM time information (step S86). Here, the received SAM time information is set in the center server time information. That is, the terminal device time information is set in the center server time information.

  Steps S87 to S91 are the same as steps S25 to S29 of the first information processing. After the execution of step S91, the third information process ends.

  Next, a second SAM use permission process executed by the SAM 10 will be described. In the SAM 10, for example, in response to step S81, the second read out from the EEPROM 17 and appropriately expanded in the RAM 13 is triggered by the start of reception of the terminal device time information from the terminal device 30 via the communication unit 16. The second SAM use permission process is executed in cooperation with the SAM use permission program and the CPU 11.

  First, terminal device time information is received from the terminal device 30 via the communication unit 16, and the received terminal device time information is set as SAM time information (step S101). The SAM time information is stored in the EEPROM 17, for example.

  Steps 102 to S103 are the same as steps S31 to S32 of the first SAM use permission process. After execution of step S103, corresponding to step S85, the encrypted signal and the center server time information are received from the terminal device 30 via the communication unit 16, and the encrypted signal (encrypted OK signal or encrypted rejection signal) and The center server time information is decrypted with the key (key T1) via the cryptographic operation unit 12 (step S104).

  Step S105, step S106, and step S114 are the same as step S34, step S35, and step S41 of the first SAM use permission process. After execution of step S106, the SAM time information is calibrated (step S107). That is, the SAM time information is set as the center server time information. The calibrated SAM time information is transmitted to the terminal device 30 via the communication unit 16.

  A random number is generated (step S108). A random number and SAM time information are set as an authentication token (step S109). Here, the SAM time information corresponds to the center server time information. That is, a random number and center server time information are set as an authentication token.

  After execution of step S109, the authentication token is stored in the EEPROM 17 (step S110). Then, the authentication token is encrypted with the key (key B), and the encrypted authentication token is output (transmitted) to the terminal device 30 via the communication unit 16 (step S111). Here, the key B refers to a key for encrypting or decrypting an authentication token.

  Steps S112 to S113 are the same as steps S39 to S40 of the first SAM use permission process. After execution of step S113, the second SAM use permission process ends.

  Next, the operation of the payment system 1 when returning from a failure will be described with reference to FIG. FIG. 10 shows a flow of the fourth information processing and the second authentication token comparison process.

  The 4th information processing performed with terminal unit 30 is explained. For example, in step S87 of the third information processing, after the authentication token is stored in the RAM 33, the power supply is interrupted due to a power failure. It is assumed that the supply of power is restored after a predetermined time has elapsed. In this case, the fourth information processing is performed in cooperation with the CPU 31 and the second information processing program read from the flash memory 35 and appropriately expanded in the RAM 33, triggered by the return of power supply or the like. Executed.

  First, terminal device time information is sent to the SAM 10 via the connection unit 37 (step S121). Steps S122 to S129 are the same as steps S51 to S58 of the second information processing. After the execution of step S129, the fourth information process ends.

  Next, a second authentication token comparison process executed by the SAM 10 will be described. For example, in response to step S121, the second authentication token comparison read out from the EEPROM 17 and appropriately expanded in the RAM 13 is triggered by the start of reception of the terminal device time information from the terminal device 30 via the communication unit 16. A second authentication token comparison process is executed in cooperation with the program and the CPU 11.

  First, terminal device time information is received via the communication unit 16. Then, the SAM time information is set to the received terminal device time information (step S131). Corresponding to step S124, an authentication token is received from the terminal device 30 via the communication unit 16, and the received authentication token is decrypted with a key (key B) (step S132).

  Then, it is compared whether or not the authentication token stored in the EEPROM 17 matches the decrypted authentication token (step S133). Specifically, it is compared whether or not the random number included in the authentication token stored in the EEPROM 17 matches the random number included in the decrypted authentication token. Then, it is verified whether or not the authentication token issuance time (authentication time information) is within a predetermined time (step S134). Specifically, the difference time between the terminal device time information set as the SAM time information in step S131 and the center server time information included in the authentication token set in step S109 is calculated. Then, it is verified whether or not the calculated difference time is within a predetermined time. The predetermined time corresponds to the expiration date of the authentication token. Further, the predetermined time is an arbitrary time (for example, 24 hours) and is stored in the EEPROM 17.

  Whether the verification token is OK or not depends on whether the authentication token stored in the EEPROM 17 is the same as the decrypted authentication token, and whether the authentication token issuance time is within a predetermined time. A determination is made (step S135).

  Steps S136 to S137 are the same as steps S63 to S64 of the first authentication token comparison process. After execution of step S137, a new random number is generated (step S138). Then, the new random number and the terminal device time information set as the SAM time information in step S131 are set as the authentication token (step S139). That is, the authentication token is updated to an authentication token including a new random number and terminal device time information. Then, the authentication token is stored in the EEPROM 17 (step S140).

  Then, the authentication token is encrypted using the key (key B), and the encrypted authentication token is output to the terminal device 30 via the communication unit 16 (step S141). Steps S142 to S143 are the same as steps S68 to S69 of the first authentication token comparison process. After execution of step S143, the second authentication token comparison process ends.

  As described above, according to the present embodiment, the difference time between the terminal device time information and the center server time information is calculated, and the calculated difference time is within a predetermined time, and the authentication token stored in the EEPROM 17 And the authentication token stored in the RAM 33 match, the authentication state with the center server 40 is continued. Accordingly, it is possible to verify whether or not to continue the authentication state based on the expiration date of the authentication token, so that the security of the authentication token can be improved.

  Also, the authentication token is encrypted using the encryption key (key B). As a result, an attempt to analyze the key in the malicious SAM 10 can be surely prevented. Further, since the combination of the encryption key (key B) of the authentication token between the tamper resistant means (SAM 10) and the terminal device 30 is specified by the encryption key (key B), the validity of the authentication token can be confirmed. .

  Also, the authentication token is updated to an authentication token including a new random number and terminal device time information. As a result, the old authentication token cannot be reused, and the vulnerability of the authentication token can be avoided.

(Third embodiment)
A third embodiment will be described with reference to FIGS. In the device configuration of the present embodiment, the same parts as those of the device configuration of the first embodiment are denoted by the same reference numerals, and the detailed description thereof is incorporated. Hereinafter, different parts will be described. First, the apparatus configuration of the present embodiment will be described with reference to FIG. FIG. 11 shows the configuration of the payment system 2.

  As shown in FIG. 11, the payment system 2 includes a SAM 10, a terminal device 30, a center server 40, a time server 50, and a communication network N.

  The time server 50 is a server device that measures time. The time server 50 is communicatively connected to the terminal device 30 via the communication network N.

  As shown in FIG. 12, the time server 50 includes a CPU 51, an input unit 52, a RAM 53, a display unit 54, a storage unit 55, a communication unit 56, and a time measuring unit 57. The CPU 51, the input unit 52, the RAM 53, the display unit 54, the storage unit 55, the communication unit 56, and the time measuring unit 57 are the CPU 41 of the center server 40, the input unit 42, the RAM 43, and the display unit 44. The storage unit 45, the communication unit 46, and the time measuring unit 47 are the same.

  The CPU 51 transmits signed time server time information via the communication unit 56 in cooperation with the time information transmission program. The time server time information is the time measured by the time measuring unit 57. The signature refers to information obtained by encrypting fixed-length data (hash value) calculated from time server time information according to a certain rule with a key (key C). The key C is a key for encrypting or decrypting the hash value of the time server time information. The storage unit 55 stores a time information transmission program.

  The CPU 11 performs time server time information as second time information measured by the time server 50 via the communication unit 36 and the communication unit 16 of the terminal device 30 in cooperation with the third authentication token comparison program. Receive from the server 50 regularly or irregularly. Then, the CPU 11 calculates a difference time between the received time server time information and the authentication time information included in the authentication token, verifies whether the calculated difference time is within a predetermined time, and is determined in advance. If it is within the time and the authentication token stored in the EEPROM 17 matches the authentication token stored in the RAM 33, the authentication state with the center server 40 is continued. In the present embodiment, the authentication time information corresponds to the center server time information.

  The EEPROM 17 stores a third authentication token comparison program. The flash memory 35 stores a fifth information program.

  Next, the operation of the payment system 2 will be described. FIG. 13 shows the flow of time information transmission processing, fifth information processing, and third authentication token comparison processing. Before each process shown in FIG. 13, it is assumed that the second terminal management process is performed in the center server 40, the third information process is performed in the terminal apparatus 30, and the second SAM use permission process is performed in the SAM 10. This will be described below.

  The time information transmission process executed by the time server 50 will be described. In the time server 50, for example, the time server 50 is read from the storage unit 55 as triggered by the start of receiving from the terminal device 30 a signal indicating that the power supply of the terminal device 30 has been restored via the communication unit 56. A time information transmission process is executed in cooperation with the time information transmission program developed in the RAM 53 and the CPU 51.

  First, time server time information with a signature is transmitted to the terminal device 30 via the communication unit 56 (step S151). After execution of step S151, the time information transmission process ends.

  Next, fifth information processing executed by the terminal device 30 will be described. For example, in step S87 of the third information processing, after the authentication token is stored in the RAM 33, the power supply is interrupted due to a power failure. It is assumed that the supply of power is restored after a predetermined time has elapsed. In this case, the fifth information processing is performed by the cooperation of the CPU 11 and the fifth information processing program read from the flash memory 35 and appropriately developed in the RAM 33, triggered by the return of power supply or the like. Executed.

  First, time server time information with a signature is received via the communication unit 36. Then, the signed time server time information received via the connection unit 37 is sent to the SAM 10 (step S161).

  Steps S162 to S169 are the same as steps S122 to S129 of the fourth information processing. After execution of step S169, the fifth information process ends.

  Next, a third authentication token comparison process executed by the SAM 10 will be described. For example, in response to step S161, the third authentication read from the EEPROM 17 and appropriately expanded in the RAM 13 is triggered by the start of reception of the signed time server time information from the terminal device 30 via the communication unit 16. A third authentication token comparison process is executed in cooperation with the token comparison program and the CPU 11.

  First, time server time information with a signature is received from the terminal device 30 via the communication unit 16. Then, after the received signature check, the SAM time information is set as the time server time information (step S181). The signature check refers to comparing the hash value decrypted with the key (key C) with the hash value calculated from the received time server time information. After the signature check is confirmed (after confirming that the decrypted hash value and the calculated hash value match), the SAM time information is set in the time server time information. At this time, the signed time server time information is received regularly or irregularly.

  Steps S182 to S183 are the same as steps S132 to S133 of the second authentication token comparison process. After execution of step S183, it is verified whether or not the authentication token issuance time is within a predetermined time (step S184). Specifically, the difference time between the time server time information set as the SAM time information in step S181 and the center server time information included in the authentication token set in step S109 of the second SAM use permission process. Calculated. Then, it is verified whether or not the calculated difference time is within a predetermined time (the validity period of the authentication token).

  Steps S185 to S188 are the same as steps S135 to S138 of the second authentication token comparison process. After execution of step S188, a new random number and time server time information set as SAM time information in step S181 are set as authentication tokens (step S189). That is, the authentication token is updated to an authentication token including a new random number and time server time information. Steps S190 to S193 are the same as steps S140 to S143 of the second authentication token comparison process. After execution of step S193, the third authentication token comparison process ends.

  As described above, according to the present embodiment, the difference time between the time server time information and the center server time information is calculated, and the calculated difference time is within a predetermined time and the authentication token stored in the EEPROM 17 And the authentication token stored in the RAM 33 match, the authentication state with the center server 40 is continued. Accordingly, it is possible to verify whether or not to continue the authentication state based on the expiration date of the authentication token, so that the security of the authentication token can be improved. In addition, since the time server time information can be received irregularly, it is possible to verify whether or not to continue the authentication state using the time server time information with high time accuracy.

  Also, the authentication token is updated to an authentication token including a new random number and time server time information. As a result, the old authentication token cannot be reused, and the vulnerability of the authentication token can be avoided.

  Further, since the signature check of the time server time information is performed, it is possible to ensure that the time has not been altered. Furthermore, since the authentication token is updated including the time server time information, the authentication token can be updated using the time information that is guaranteed not to be falsified.

(Fourth embodiment)
A fourth embodiment will be described with reference to FIGS. 14 and 15. In the device configuration of the present embodiment, the same parts as those of the device configuration of the first embodiment and the third embodiment are denoted by the same reference numerals, and the detailed description thereof is incorporated. Hereinafter, different parts will be described.

  The CPU 41 of the center server 40 receives the payment data and the authentication token related to the payment process from the terminal device 30 through the communication unit 46 in cooperation with the validity confirmation program, and is included in the authentication time information and the received authentication token. A difference time with the time server time information is calculated, whether or not the calculated difference time is within a predetermined time is verified, and if it is not within the predetermined time, the terminal device 30 is invalidated. In the present embodiment, the authentication time information corresponds to the center server time information.

  The flash memory 35 of the terminal device 30 stores a sixth information program. The EEPROM 17 of the SAM 10 stores a fourth authentication token comparison program. The storage unit 45 of the center server 40 stores a validity confirmation program.

  Next, the operation of the payment system 2 will be described. FIG. 14 shows a flow of time information transmission processing, validity confirmation processing, sixth information processing, and fourth authentication token comparison processing. FIG. 15 shows a continuation of the flow of the time information transmission process, the validity confirmation process, the sixth information process, and the fourth authentication token comparison process. 14 and 15, a second terminal management process is executed in the center server 40, a third information process is executed in the terminal device 30, and a second SAM use permission process is executed in the SAM 10 in advance. This will be described below.

  The time information transmission process in the time server 50 of this embodiment is the same as the time information transmission process in the third embodiment.

  The validity confirmation process executed by the center server 40 will be described. For example, in response to step S222, with the trigger of the start of reception of data from the terminal device 10 via the communication unit 46, the validity check program read from the storage unit 45 and appropriately expanded in the RAM 43, and the CPU 41, The validity confirmation process is executed in cooperation with

  First, corresponding to step S222, data is received from the terminal device 30 via the communication unit 46 (step S201). Data refers to payment data, an authentication token, and a signature. The payment data means a card number, a password, and a payment amount. The authentication token corresponds to the authentication token (authentication token including new random number and time server time information) updated in step S239 of the fourth authentication token comparison process. The signature is information obtained by encrypting a hash value obtained by collecting payment data and an authentication token with a key (key X). Further, the payment data and the authentication token are encrypted with a key (key Y), and the encrypted payment data and the authentication token are received. In step S201, when data is received, the encrypted payment data and authentication token are decrypted with the key Y, and a hash value is calculated from the decrypted payment data and authentication token. Then, a comparison (signature check) is performed between the calculated hash value and the hash value of the signature decrypted with the key (X). Here, the key X refers to a key for encrypting or decrypting a hash value obtained by collecting payment data and an authentication token. The key Y is a key for encrypting or decrypting the payment data and the authentication token.

  Then, it is determined whether or not the validity of the data is OK (step S202). Specifically, the difference time between the center server time information, which is the authentication time information set in step S74 of the second terminal management process, and the time server time information included in the authentication token of the received data is calculated. The That is, the time (difference time) from the time when the authentication is performed by the center server 40 to the time when the settlement process is performed is calculated. Then, it is determined whether or not the calculated difference time is within a predetermined time (data expiration date). When the difference time is within a predetermined time, it is verified (determined) that the data is valid. That is, it is determined that the data expiration date has not passed. If the difference time is not within a predetermined time, it is determined that the data is not valid (NG). That is, it is determined that the data expiration date has passed.

  If the validity of the data is OK (step S202; OK), the process proceeds to normal processing (step S204). When the validity of the data is not OK (step S202; NG), an invalidation signal for invalidating the terminal is transmitted to the terminal device 30 via the communication unit 46 (step S203). After the execution of step S203 and step S204, the validity confirmation process ends.

  Next, sixth information processing executed by the terminal device 30 will be described. For example, in step S87 of the third information processing, after the authentication token is stored in the RAM 33, the power supply is interrupted due to a power failure. It is assumed that the supply of power is restored after a predetermined time has elapsed. In this case, the sixth information processing is executed by the cooperation of the CPU 31 and the sixth information program that is read from the flash memory 35 and appropriately developed in the RAM 33, triggered by the return of power supply or the like. Is done.

  Steps S211 to S217 are the same as steps S161 to S167 of the fifth information processing.

  After execution of step S217, the processing result (settlement data) is sent to the SAM 10 via the connection unit 37 (step S218). In response to step S244, data is received via the connection unit 37. The received data is stored in the flash memory 35 (step S219).

  Steps S220 to S221 are the same as steps S168 to S169 of the fifth information processing. After step S221 is executed, data is transmitted to the center server 40 via the communication unit 36 (step S222).

  Then, corresponding to NG in step S203, an invalidation signal is received from the center server 40 via the communication unit 36, and the terminal device 30 is invalidated (step S223). After the execution of step S223, the sixth information process ends.

  Next, a fourth authentication token comparison process executed by the SAM 10 will be described. For example, corresponding to step S211, the fourth authentication read from the EEPROM 17 and appropriately opened in the RAM 13 is triggered by the start of reception of the signed time server time information from the terminal device 30 via the communication unit 16. A fourth authentication token comparison process is executed in cooperation with the token comparison program and the CPU 11.

  Steps S231 to S242 are the same as steps S181 to S192 of the third authentication token comparison process. After execution of step S242, payment data is received from the terminal device 30 via the communication unit 16 (step S243). The received payment data and the authentication token set in step S239 are collectively signed with the key X (step S244). At this time, the settlement data and the authentication token are encrypted with the key Y. Then, the data is transmitted to the terminal device 30 via the communication unit 16.

  Step S245 is the same as step S193 of the third authentication token comparison process. After execution of step S245, it is determined whether an invalidation signal has been received from the terminal device 30 via the communication unit 16 (step S246). When it is determined that the invalidation signal has not been received (step S246; NO), the process proceeds to step S246. If it is determined that the invalidation signal has been received, the keys (eg, keys T1, B, C, D, R, X, Y, etc.) stored in the EEPROM 17 are invalidated (step S247). After execution of step S247, the fourth authentication token comparison process ends.

  As described above, according to the present embodiment, the difference time between the center server time information and the time server time information is calculated, and it is verified whether or not the calculated difference time is within a predetermined time. As a result, the time (difference time) from the time when the authentication is performed by the center server 40 to the time when the settlement process is performed is estimated and the validity of the data is examined, so that the stability of the data can be improved. In addition, when the difference time is not within a predetermined time (that is, when the expiration date of the data has passed), the terminal device 30 is invalidated (use of the terminal device 30 is stopped). It is possible to prevent damage such as unauthorized use of the device 30 from spreading.

  Also, the authentication token is updated to an authentication token including a new random number and time server time information. As a result, the old authentication success information cannot be reused, so that the vulnerability of the authentication success information can be avoided.

  The description in each of the above embodiments is an example of the electronic device, the payment system, and the program according to the present invention, and is not limited to this.

  For example, in the first embodiment, the authentication token is output (transmitted) to the terminal device 30 without being encrypted. However, the encrypted authentication token may be transmitted to the terminal device 30.

  Moreover, in the said 3rd Embodiment and 4th Embodiment, although the time server 50 was set as the different structure from the center server 40, it is not limited to this. For example, the center server 40 may include the time server 50.

  In the third embodiment and the fourth embodiment, the authentication time information is the center server time information, but the present invention is not limited to this. For example, the authentication time information may be time server time information. In this case, an operation OK signal is transmitted from the center server 40 to the terminal device 30, and at the same time, time server time information is transmitted from the time server 50 to the terminal device and the SAM 10 via the communication unit 56. When the SAM 10 receives time server time information corresponding to the authentication success time via the communication unit 16, the SAM 10 generates an authentication token including the time server time information. Then, when recovering from the failure, the time difference between the time server time information set as the SAM time information and the time server time information included in the generated authentication token is calculated, and the calculation time is predetermined. Verify whether it is within the time (authentication token expiration date). In this case, the time accuracy is determined only by the interval at which the time server time information is received from the time server 50.

  In addition, the detailed configuration and detailed operation of the payment system in the above embodiment can be changed as appropriate without departing from the spirit of the present invention.

1, 2 Payment system 10 Terminal device 11, 31, 41 CPU
12 Cryptographic operation unit 13, 33, 43 RAM
14 Anomaly detector 15 ROM
16, 36, 46 Communication unit 17 EEPROM
18, 39b, 48 Bus 30 Terminal device 32, 42 Input unit 33A Backup battery 34, 44 Display unit 35 Flash memory 37 Connection unit 38 Card reader 39 Connection unit 39a, 47 Timekeeping unit 40 Center server 45 Storage unit 50 Time server 60 IC Card 70 Memory card 100 Payment terminal N Communication network

Claims (7)

An electronic device connected to a terminal device,
Storage means for storing authentication information and data;
A determination means for determining whether or not the data can be used in the terminal device when the terminal device obtains authentication permission via the authentication device based on the authentication information;
When it is made available by the determination means, the data stored in the storage means is controlled so that it can be used by the terminal device, and permission information indicating the availability is stored in the electronic device, and First control means for storing the permission information in a terminal device;
Comparing means for comparing the permission information stored in the terminal device with the permission information stored in the electronic device at the time of recovery after a failure occurs in the terminal device;
Second control means for controlling whether or not the data stored in the storage means can be reused in the terminal device based on the comparison result in the comparison means;
An electronic apparatus comprising: The storage means without obtaining the authentication permission in the authentication device when it is determined in the comparison by the comparison means that the permission information matches, and the second control means controls the data to be reusable. Third control means for issuing and storing new permission information that permits the use of the data stored in
The electronic apparatus according to claim 1 , further comprising: After a predetermined process using the data stored in the storage means ends in the terminal device, a deletion means for deleting the permission information;
The electronic device according to claim 1 or 2, wherein, further provided with the. The data stored in the storage means is key data required when executing predetermined processing in the terminal device.
The electronic device according to claim 1 , wherein the electronic device is an electronic device. The permission information stores time information when the permission information is issued,
The comparing means further compares the time information of the permission information stored in the terminal device and the time information of the permission information stored in the electronic device;
The electronic device according to claim 1 , wherein the electronic device is an electronic device. The comparing means compares whether the permission information stored in the terminal device matches the permission information stored in the electronic device, and further compares the time information of the permission information stored in the terminal device with the time information Compare whether the time difference with the time information of the permission information stored in the electronic device is within a predetermined time,
The electronic device according to claim 5 , wherein: A program for controlling a computer of an electronic device connected to a terminal device,
The computer,
Storage means for storing authentication information and data;
A determination unit that determines whether or not the data can be used in the terminal device when the terminal device obtains authentication permission via the authentication device based on the authentication information;
When it is made available by the determination means, the data stored in the storage means is controlled so that it can be used by the terminal device, and permission information indicating the availability is stored in the electronic device, and First control means for storing the permission information in a terminal device;
Comparison means for comparing the permission information stored in the terminal device with the permission information stored in the electronic device at the time of recovery after the occurrence of a failure in the terminal device,
Second control means for controlling whether or not the data stored in the storage means can be reused in the terminal device based on the comparison result in the comparison means;
A computer-readable program designed to function as a computer.

Images