JP6751545B1 - Electronic signature system and anti-tamper device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To realize an electronic signature system having a high security level by preventing misuse of a signature key by a system administrator. SOLUTION: A user sets authentication information conceived by the user himself / herself about his / her signature key stored in an anti-tamper device (5) via a terminal device (2). When electronically signing an electronic document, the user transmits his / her own authentication information to the tamper-resistant device (5) via the terminal device (2) and requests permission to use the signature key. The anti-tamper device (5) verifies the input authentication information, permits signature only when the correct authentication information is input, and performs electronic signature. As a result, a signature system is constructed in which only a person who has a proper authority to use the signature key can digitally sign it. [Selection diagram] Fig. 1

Description

The present invention relates to a remote signature type electronic signature system.
Furthermore, the present invention relates to an anti-tamper device used in a remote signature type electronic signature system.

A remote signature system has been proposed in which a user's signature key is installed on the operator's server, the user remotely logs in to the server, and digitally signs on the operator's server using his / her own signature key. The remote signature system is expected to be a highly convenient signature system for users because it can perform electronic signatures remotely and the user does not need to manage the signature key.

As a remote signature type electronic signature system, an electronic signature system including a key management system for managing a signature key, a certificate issuing system for issuing a certificate, and a terminal device used by a user has been proposed (for example). , Patent Document 1). In this known digital signature system, user authentication is performed by a combination of a user ID and a password based on the user's account set in the key management system.

As another remote signature system, Non-Patent Document 1 discloses the following system configuration example. The signer sends his / her signature ID and signature target data to the signing application to make an authentication request. If the signer is successfully authenticated by the signing application, the signing application sends the signing device a signing key ID and associated data to sign. In the signing device, signature is performed using the signature key specified by the signature key ID, and the signed data to be signed is output.

Further, Non-Patent Document 1 also describes that two-factor authentication is performed in a remote signature system. As two-factor authentication, information for activating the signature key is transmitted from the terminal device to the signature device.
Japanese Patent No. 6465426 "Status of consideration of remote signatures" (Network Security Forum 2017)

In the electronic signature system currently in practical use, the actual situation is that only user authentication using a user ID and password is performed. However, there is a high risk of spoofing only by user authentication using a user ID and password, and it is required to further raise the security level.

In a remote signature system, it is important that only the person can sign, and it is desirable that the system can logically prove it. However, since the signature key is stored on the operator's server and the electronic signature is performed on the operator's server, there is a risk that the signature key may be misused by a malicious system administrator. That is, even if the electronic signature is performed by a tamper-resistant device such as HSM, various information is sent to the tamper-resistant device via the key management server that manages the tamper-resistant device. Therefore, the system administrator who manages the key management server can steal or extract various information on the key management server. At present, in the system described in the above document, the system administrator is positioned as a person who protects information, and the protection target is directed to the attack of a third party. Therefore, it is undeniable that the system administrator has the risk of stealing and misusing the signature key and the information that controls the signature key, and as a result, a system that can logically prove that only the person can sign can not be established. That is, remote signing systems are also strongly required to protect users from malicious system administrators.

An object of the present invention is to prevent the system administrator from misusing the signature key and to realize an electronic signature system having a higher security level.
Another object of the present invention is to provide an electronic signature system in which only a person having a proper authority for a signature key can digitally sign.
Further, another object of the present invention is to provide an anti-tamper device used in a remote electronic signature system having a high security level.

Electronic signature system according to the invention, one or more than one tamper has a function of generating and managing a signature key, and a signature system having a key management server having the function of controlling the tamper resistant device, use the electronic signature system of the remote signature scheme comprising a user to use the terminal apparatus,
The tamper-resistant device has a function of generating a key pair of a private key and a public key as a signing key, a function of storing the generated signing key together with authentication information indicating usage authority for the signing key, and received encryption. A function of decrypting the authentication information using the private key of the key pair or the private key of the key pair set in the tamper resistant device as a decryption key for performing public key encrypted communication, a function of verifying the decrypted authentication information, And has a function to digitally sign using the signing key based on the verification result.
The terminal device uses a means for inputting authentication information indicating the authority to use the signing key, and an encryption key for the public key of the key pair in which the private key serves as the signing key or the public key of the key pair set in the tamper-resistant device. Has an encryption means to encrypt using
The authentication information input to the terminal device by the user is encrypted by the encryption means and sent to the tamper-resistant device, and is decrypted by the tamper-resistant device using the decryption key.
The anti-tamper device generates a key pair of a private key and a public key as a signature key in response to a key pair generation request or a signature key generation request from the terminal device.
The signature key of each user is stored in the anti-tamper device in relation to the authentication information of the user.
In the case of electronic signature, the tamper-resistant device matches the authentication information included in the received signature request with the authentication information stored in association with the signature key specified by the signature key identification information included in the signature request . If these authentication information match, the signature key is used for digital signature.

In the present invention, the user sets the authentication information that the user himself / herself has come up with for his / her signature key stored in the anti-tamper device via the terminal device. On the other hand, when electronically signing an electronic document, the user transmits his / her own authentication information to the tamper-resistant device via the terminal device and requests permission to use the signature key. The tamper-resistant device verifies the input authentication information, permits signature only when the correct authentication information is input, and digitally signs the signature. As a result, a signature system is constructed in which only a person who has a proper authority to use the signature key can digitally sign it. Therefore, an electronic signature system having a higher security level than the conventional electronic signature system is realized.

However, in this type of electronic signature system, if the authentication information set by the user is stolen by another person, there is a risk that the signature key will be misused. For example, if the signature key ID and authentication information are stolen and a signature request with a falsified hash value is made, the tamper-resistant device determines that the entered authentication information is valid, so the signature request is valid. Is determined, and the tampered hash value is digitally signed. Therefore, in order to effectively utilize this electronic signature system, it is extremely important to protect the authentication information indicating the legitimate authority to use.

In the present invention, the following two measures are adopted in order to protect the authentication information. As a first measure, the authentication information transmitted from the terminal device to the anti-tamper device is encrypted by using an encryption method that cannot be decrypted by a third party. As a second measure, not only the subject of the signing key is verified, but also the hash value to be signed is also verified.

The electronic signature system of the present invention described above is equipped with the first measure. In the present invention, the authentication information is transmitted from the terminal device to the anti-tamper device via the key management server. In this case, since the authentication information goes through the key management server, there is a risk that the authentication information will be stolen by the system administrator at the key management server. Therefore, in the present invention, the private key and the public key of the key pair created to generate the signature key are used for public key cryptography. That is, the private key of the key pair generated to create the signing key is used as the decryption key, and the public key is used as the encryption key to perform public key cryptography communication. The authentication information encrypted with the public key of the key pair is decrypted only by the corresponding private key, and the private key which is the decryption key is securely stored in the tamper-resistant device. Therefore, even if the encrypted authentication information or signature request is stolen by the system administrator, it will not be decrypted. Moreover, since the public key of the key pair is generated by the tamper-resistant device and then transmitted to the terminal device, the advantage of eliminating the complexity of address setting of the tamper-resistant device in the terminal device is also achieved.

Another digital signature system of the present invention is one or more tamper-resistant devices having a function of generating and managing a signature key, and a key management server connected to a network and having a function of controlling the tamper-resistant device. A remote signature system electronic that includes a signature system that has a signature system, a certificate issuing system that generates an electronic certificate, an editing server that has a function of generating signature target data from an electronic document, and a terminal device used by the user. It's a signature system
The tamper-resistant device has a private key and a public key key pair set for performing public key cryptography, a function of generating a key pair of a private key and a public key as a signing key, and a generated signing key. The function of storing the key together with the authentication information indicating the usage authority for the signature key, the function of decrypting the received encrypted authentication information, the function of verifying the decrypted authentication information, and the signature based on the verification result. It has the function of digitally signing with a key,
The terminal device is a means for inputting authentication information indicating the authority to use the signature key, a means for encrypting the authentication information input by the user, and a means for transmitting the encrypted authentication information to the tamper-resistant device. Have,
When generating the signing key
The user inputs the authentication information that he / she has come up with into the terminal device, and the terminal device encrypts the authentication information input by the user using the public key of the tamper-resistant device to generate and generate the encrypted authentication information. Send a signature key generation request containing the encrypted authentication information to the tamper-resistant device,
In response to the reception of the signature key generation request, the tamper-resistant device generates a key pair of a private key and a public key as a signature key, and decrypts the received encryption authentication information using its own private key as a decryption key. , Store the decrypted credentials and the generated signing key in association with each other,
For digital signature
The user inputs his / her own authentication information into the terminal device, and the terminal device encrypts the authentication information input by the user using the public key of the tamper-resistant device as an encryption key, and the encrypted authentication information. Is sent to the editing server together with the electronic document and the signature key identification information.
The editing server generates signature target data from the electronic document, generates a signature request including the generated signature target data, the encrypted authentication information, and the signature key identification information, and sends the generated signature request to the tamper resistant device. Send and
The tamper-resistant device decrypts the received encrypted authentication information using the private key of the key pair as a decryption key, and stores the decrypted authentication information and the signature key specified by the signature key identification information in association with each other. Verify the consistency with the existing authentication information and
When the decrypted authentication information and the authentication information stored together with the signature key match each other, the tamper-resistant device is characterized in that the signature target data is digitally signed using the signature key.

The private key (decryption key) of the public key cryptographic communication key pair set in the tamper-resistant device is safely stored in the tamper-resistant device and does not leak to the outside. Therefore, if the public key set in the tamper-resistant device is used as the encryption key to encrypt the authentication information and the encrypted authentication information is decrypted using the private key as the decryption key, it is created when the signature key is generated. A security level similar to that of the key pair is achieved.

The electronic signature system of the present invention equipped with the second measure controls one or more tamper-resistant devices having a function of generating and managing a signature key, and connected to a network to control the tamper-resistant device. It includes a signature system having a key management server having a function, a certificate issuing system for generating an electronic certificate, an editing server having a function for generating data to be signed from an electronic document, and a terminal device used by a user. It is a remote signature type electronic signature system.
The tamper-resistant device has a function of generating a key pair of a private key and a public key as a signature key, a function of storing the generated signature key together with an authentication information indicating the usage authority for the signature key, and a received encrypted function. It has a function of decrypting the authenticated authentication information, a function of verifying the decrypted authentication information, and a function of digitally signing using the signature key based on the verification result.
The terminal device is a means for inputting authentication information indicating the authority to use the signature key, a means for encrypting the authentication information input by the user, and a means for transmitting the encrypted authentication information to the tamper-resistant device. Have,
When generating the signing key
The anti-tamper device generates a key pair between the private key and the public key, which are the signature keys, and sends the generated public key to the terminal device.
The user inputs the authentication information that he / she has come up with into the terminal device, and the terminal device encrypts the authentication information input by the user using the public key of the key pair as an encryption key, and obtains the encrypted authentication information. Send to tamper resistant device,
The tamper-resistant device decrypts the received encrypted authentication information using the private key of the key pair as a decryption key, and stores the decrypted authentication information and the signature key in association with each other.
For digital signature
The user sends an electronic document to be digitally signed to the editing server via the terminal device, the editing server generates the same two signature data from the received electronic document, and the first signature data is The reference data for verification is used, the second signature target data is the signature target data that is the target of the signature request, and the first signature target data is transmitted to the terminal device.
Further, the terminal device encrypts the authentication information input by the user and the received first signature target data using the public key to generate encrypted data, and transmits the generated encrypted data to the editing server. And
The editing server forms a signing request including the received encrypted data and the second signing target data to be the target of the signing request, and sends the signature request to the anti-tamper device.
The tamper-resistant device decrypts the received encrypted data using the private key of the key pair as a decryption key, and the authentication is stored in association with the decrypted authentication information and the signature key specified by the signature key identification information. In addition to verifying the consistency with the information, the matching between the decrypted first signature target data and the second signature target data included in the signature request is verified.
When the authentication information matches and the signature target data matches, the tamper-resistant device is characterized in that the signature target data is digitally signed using the signature key.

The signature request transmitted from the terminal device to the tamper-resistant device includes at least a hash value to be signed, a public key or a signature key ID that identifies the signature key, and authentication information. When such a signature request is extracted by the key management server and a new signature request in which only the hash value is tampered with is sent to the tamper-resistant device, the tamper-resistant device determines that the authentication information is normal and is tampered with. There is a problem that the hash value is digitally signed. In order to solve this problem, in the present invention, not only the usage authority of the user is verified, but also the signature target data (hash value) which is the target of signature is verified. That is, the hash value (first hash value) generated and encrypted from the electronic document to be digitally signed is compared and verified with the hash value (second hash value) to be digitally signed. To do. In this case, the first hash value and the second hash value are the same when the signature request is generated in a normal procedure. On the other hand, since the first hash value is encrypted, it cannot be tampered with. Therefore, when the second hash value to be digitally signed is tampered with, the second hash value is different from the first hash value. Therefore, by verifying the hash value, the signature request whose hash value has been tampered with can be excluded from the target of the electronic signature. As a result, an electronic signature system with a higher security level is constructed.

The tamper-resistant device according to the present invention is a tamper-resistant device used in a remote signature type electronic signature system.
The tamper-resistant device has a function of generating a key pair of a private key and a public key as a signing key, a function of storing the generated signing key in association with authentication information indicating usage authority for the signing key, and receiving. A function of decrypting the encrypted authentication information using the private key of the key pair or the private key of the key pair set in the tamper-resistant device as a decryption key for performing public key encrypted communication, and the decrypted information. It has a function to verify and a function to digitally sign using a signing key based on the verification result.
The tamper-resistant device generates a key pair of a private key and a public key as a signature key in response to a key pair generation request or a signature key generation request from a terminal device, and uses the generated signature key of the user. Store it in relation to the user's authentication information
At the time of digital signature, the encrypted authentication information included in the received signature request is decrypted using the decryption key, and the decrypted authentication information and the signature key specified by the signature key identification information included in the signature request are used. It is characterized in that it verifies the consistency with the authentication information stored in association with each other, and if these authentication information match, digitally signs using the signature key.

In the tamper-resistant device of the present invention, the private key of the key pair for generating the signature key is used as the decryption key, and the public key is used as the encryption key. Since the decryption key is safely stored in the tamper-resistant device, even if the signature request including the authentication information is stolen by the system administrator, the signature information cannot be decrypted and the signature key cannot be misused. Therefore, by using the tamper-resistant device of the present invention for a remote type electronic signature system, it is possible to construct an electronic signature system in which the system administrator is prevented from misusing the signature key.

Another anti-tamper device according to the present invention is an anti-tamper device used in a remote signature type electronic signature system.
The tamper-resistant device has a private key and a public key key pair set for performing public key encrypted communication, a function of generating a key pair of a private key and a public key as a signing key, and a generated signature. A function to digitally sign using a key, a function to store the generated signature key together with authentication information indicating the usage authority for the signature key, and a function to use the received encrypted authentication information as a decryption key of its own private key. It has a function to decode using and a function to verify the decoded information.
The anti-tamper device
In response to the reception of the signing key generation request, a key pair of a private key and a public key to be a signing key is generated, and the encrypted authentication information included in the signing key generation request is decrypted using its own private key. Store the decrypted credentials in association with the generated signing key
In response to the reception of the signature request, the encrypted authentication information included in the signature request is decrypted using its own private key as the decryption key, and it is specified by the decrypted authentication information and the signature key identification information included in the signature request. Verify the matching of the signing key and the credentials stored in association with it
When the decrypted authentication information and the stored authentication information match each other, the signature key is used for digital signature.

In the present invention, the private key of the key pair set in the tamper-resistant device for performing public key cryptographic communication is used as the decryption key, and the public key is used as the encryption key. Since the private key is securely stored in the tamper-resistant device, even if the signature request is stolen by the system administrator, the authentication information contained in the signature request is not decrypted and the signature key is not misused.

Another tamper-resistant device of the present invention is a tamper-resistant device used in a remote signature type electronic signature system.
The tamper-resistant device has a function of generating a key pair of a private key and a public key as a signing key, a function of storing the generated signing key together with authentication information indicating usage authority for the signing key, and authentication information and. A function to decrypt the encrypted information including the data to be signed by using the private key of the key pair or the private key of the key pair set in the tamper-resistant device as a decryption key for performing public key encrypted communication, and the decrypted authentication. It has a function to verify information, a function to verify the decrypted signature target data, and a function to digitally sign using the signature key based on the verification result.
The tamper-resistant device generates a key pair of a private key and a public key as a signature key in response to a key pair generation request or a signature key generation request from a terminal device, and uses the generated signature key of the user. Store it in relation to the user's authentication information
In response to the reception of the signature request, the encrypted authentication information and the encrypted signature target data included in the signature request are used as the secret key of the key pair whose signature key is the private key or the key pair set in the tamper-resistant device. Decrypt each using the private key of
In addition to verifying the consistency between the decrypted authentication information and the authentication information stored in association with the signature key specified by the signature key identification information included in the signature request, it is included in the decrypted signature target data and the signature request. Verify the consistency with the signature target data that is the target of the signature request
When the authentication information matches each other and the signature target data matches each other, the signature target data is digitally signed using the signature key.

In the present invention, not only the authentication information indicating the authority to use the signature key but also the hash value that is the target of the digital signature is verified. Therefore, it is possible to exclude the signature request whose signature value has been tampered with from the target of the digital signature. it can. As a result, by using the tamper-resistant device of the present invention in a remote electronic signature system, it is possible to construct an electronic signature system in which the system administrator is prevented from misusing the signature key.

Another tamper-resistant device according to the present invention has a function of generating and managing a signature key, and is used in a remote signature type electronic signature system.
The tamper-resistant device has a key pair of a private key and a public key set for performing public key encrypted communication, and also has a function of generating a key pair of a private key and a public key which is a signing key, and is generated. A function to digitally sign using a signing key, a function to store the generated signing key together with authentication information indicating the usage authority for the signing key, and a function to use the encrypted information as a decryption key using its own private key. It has a function to decrypt and a function to verify the decrypted information.
The anti-tamper device
In response to the reception of the signing key generation request, a key pair of a private key and a public key to be a signing key is generated, and the encrypted authentication information included in the signing key generation request is used as a decryption key. Decrypt and store the decrypted credentials in association with the signing key
Upon receiving the signing request, the encrypted authentication information and the data to be signed contained in the signing request are decrypted using their own private key.
In addition to verifying the consistency between the decrypted authentication information and the authentication information stored in association with the signature key specified by the signature key identification information included in the signature request, it is included in the decrypted signature target data and the signature request. Compare and verify the consistency with the signature target data that is the target of the signature request
When the authentication information matches each other and the signature target data matches each other, the signature target data is digitally signed using the signature key.

In the present invention, authentication information indicating the authority to use the signature key is set for each signature key, and the presence or absence of the authority to use the signature key is verified for each signature request. Therefore, only a person who has a proper authority to use the signature key can digitally sign. An electronic signature system that cannot be built is built.
Further, in the present invention, the public key cryptosystem is used when the authentication information is transmitted from the terminal device to the tamper-resistant device, and the public key in which the private key as the decryption key is stored in the tamper-resistant device is used as the encryption key. By adopting this configuration, even if a signature request for signature permission is relayed to the tamper-resistant device via the key management server, the terminal device and the tamper-resistant device are in a communication state equivalent to that directly interconnected. Is maintained at. As a result, while utilizing the usefulness of the tamper-resistant device, the problem of relaying the key management server, which is a drawback caused by relaying the key management server and controlling the tamper-resistant device, is solved, and the system administrator signs it. Key misuse is prevented and higher security is achieved.
Furthermore, by verifying not only the authentication information indicating the use authority but also the signature target data that is the target of the electronic signature, the signature request whose hash value has been tampered with can be excluded from the target of the electronic signature.

It is a figure which shows the whole structure of the electronic signature system by this invention. It is a figure which shows the algorithm of the signature key generation process of the electronic signature system by this invention. It is a figure which shows the algorithm of the signature process of the electronic signature system by this invention. It is a figure which shows the modification of the signature key generation process. It is a figure which shows the modification of the electronic signature process. It is a block diagram which shows an example of a terminal device. It is a figure which shows an example of a key management server. It is a figure which shows an example of the tamper resistance device. It is a block diagram which shows an example of an editing server. It is a figure which shows the modification of the electronic signature system by this invention.

In the present invention, in addition to user authentication, the authority to use the signature key is also verified. An activation code signal (“Activation Code signal”, hereinafter referred to as “AC signal”) is used as authentication information indicating the legitimate authority to use the signature key, and an AC signal known only to the signer is set for each signature key. That is, when generating the signature key, the user conceives an AC signal and inputs it to the terminal device. This AC signal is code information known only to the user. The terminal device encrypts the input AC signal and transmits it to the anti-tamper device provided in the signature system. The anti-tamper device decodes the received encrypted AC signal and stores it in association with the signature key stored in the anti-tamper device.

When a signature request is made by the user, the user is made to input an AC signal, and whether or not the correct AC signal is input is verified by the anti-tamper device. Then, only when the correct AC signal is input, the digital signature is permitted using the signature key. In this signature system, only a person who knows the AC signal can sign, so an electronic signature system is constructed in which only the true owner of the signature key can sign. Therefore, even if the signature key is stolen, it will not be misused.

However, in the case of a signature system in which the signature key is controlled by the AC signal, even if the signature key is strongly protected, if the AC signal is passed to the system administrator, the system administrator uses the obtained AC signal as the key management server. It is possible to activate the signature key by entering in. That is, when a signature request including a stolen AC signal is transmitted to the tamper-resistant device, the AC signal itself is normal, so the tamper-resistant device determines that the signing request is from a person who has a proper usage authority, and digitally It will be signed. Therefore, strict protection of AC signals from plagiarism is an important issue. In order to solve this problem, a transmission process for transmitting an AC signal from a terminal device to a tamper-resistant device and a processing process for performing signal processing such as signature and verification will be examined.

First, the processing process is considered. In the present invention, various processes such as digital signatures are executed using the anti-tamper device. The anti-tamper device can perform signal processing including generation, signing, decryption and verification of a signature key inside the anti-tamper device. Further, the tamper resistant device is configured so that the signature key and the input information are not leaked to the outside. Moreover, the anti-tamper device can safely protect the stored information even if it is attacked from the outside. Therefore, by using the anti-tamper device, the signature key and the AC signal are safely stored, and there is no risk of leaking to the outside of the anti-tamper device and passing it to the system administrator.

Next, the transmission process will be examined. The user must transmit an AC signal to the anti-tamper device for each signing request. The AC signal transmitted from the terminal device to the tamper-resistant device is input to the tamper-resistant device via the key management server that manages the tamper-resistant device. That is, the anti-tamper device is hardware and does not have a communication function via a network. Therefore, signals are transmitted and received via the key management server. That is, since the AC signal transmitted from the terminal device always passes through the key management server, there is a risk that the signing request including the AC signal may be stolen or extracted by a malicious system administrator at the key management server. That is, even if the signature key is robustly managed by using a tamper-resistant device such as HSM, there is a risk that the AC signal will be extracted while being transmitted from the terminal device to the tamper-resistant device. As described above, although the anti-tamper device has excellent usefulness, there is a problem caused by transmitting and receiving through the key management server.

Therefore, in the present invention, the AC signal input by the user is appropriately encrypted and transmitted to the anti-tamper device. In the present invention, public key cryptographic communication is used as a method of transmitting an AC signal. As a key pair of a public key and a private key that act as an encryption key and a decryption key, a key pair in which the private key is always stored in an anti-tamper device is used. In this case, since the encrypted information is decrypted only by the private key stored in the tamper-resistant device, the AC signal is not decrypted even if the signing request including the AC signal is extracted by the key management server. Therefore, the AC signal can be maintained at a security level substantially equal to that of the signature key.

As a public key that can be used for public key cryptography communication with the tamper-resistant device, the public key of the key pair set in the tamper-resistant device itself and the key pair created when the signature key is generated are disclosed. I have a key. In the present invention, both of these public keys can be used. However, when encrypting with the public key of the anti-tamper device, it is necessary to obtain the public key of the anti-tamper device in advance and read it into the program of the terminal device, which causes a problem that the setting work becomes complicated. That is, in the case of a system using a plurality of anti-tamper devices, the public key of the anti-tamper device in which the user's signature key is stored is obtained in advance from the plurality of public keys, and the obtained public key is read into the program. I need to let you. However, this work is complicated and has a drawback that it imposes a heavy burden on the user.

On the other hand, the public key of the key pair generated at the time of the signature key generation request is sent from the tamper-resistant device to the terminal device together with the signature key generation notification after the signature key is generated. Therefore, complicated setting work in the terminal device becomes unnecessary. Therefore, it is an extremely useful technique to encrypt using the public key of the key pair generated when the signature key is generated.

As described above, the present invention maintains a communication state equivalent to that of directly interconnecting the terminal device and the tamper-resistant device by adopting an appropriate encryption method while effectively utilizing the advantages of the tamper-resistant device. To do. As a result, the drawbacks of the tamper-resistant device are eliminated while effectively utilizing the advantages of the tamper-resistant device, and an electronic signature system with a higher security level is realized.

FIG. 1 is a diagram showing an overall configuration of an electronic signature system according to the present invention. Terminal devices 2-1 to 2-n are connected to network 1. These terminal devices are devices used by users to perform electronic signatures, and for example, personal computers and smart phones are used. The terminal device has a user authentication means, a signature key generation request, and a means for creating and transmitting a signature request. Further, the terminal device has a means for inputting an activation code signal (“AC signal”) indicating the legitimate authority to use the signing key and a means for encrypting the input AC signal.

The signature system 3 is connected to the network 1. The signature system 3 generates a signature key in response to a signature key generation request from the terminal device, and uses the signature key specified in response to the signature request sent from the editing server to sign data such as a hash value. Digitally sign. The signature system 3 has a key management server 4 and one or more anti-tamper devices 5 connected to the key management server. The key management server 4 is connected to a network and has a function of managing or controlling the tamper resistant device 5. The anti-tamper device performs various functions such as signature key generation and electronic signature.

The tamper-resistant device 5 has a function of safely generating and managing the signature key without leaking it to the outside, and can be, for example, a Hardware Security Module (HSM). The tamper-resistant device has a key management module, which is a key management program, generates a key pair of a private key (signature key) and a public key, digitally signs with a signature key, stores a signature key, and encrypts an AC signal. The function of decoding and verifying the decoded AC signal is executed. Further, the anti-tamper device 5 has a key pair of a private key and a public key for performing public key cryptographic communication with the terminal device.

Further, a certificate issuing server 6 provided in the certificate authority is connected to the network 1. The certificate issuance server 6 generates a certificate issuance request (CSR) in response to the certificate issuance request sent from the terminal device to generate a digital certificate.

Further, the editing server 7 is also connected to the network 1. The editing server 7 generates signature target data such as a hash value from an electronic document that is a signature target sent from the terminal device. In addition, the editing server edits the electronic document, embeds the electronic signature generated by the signature system in the electronic document, and generates a signed electronic document. The generated signed electronic document is stored in the editing server 7.

Next, an algorithm for generating a signed electronic document will be described. FIG. 2 is a flowchart showing the signature key generation process, and FIG. 3 is a flowchart showing the signature process. In this example, the public key corresponding to the signature key (private key) is used as the encryption key to encrypt the AC signal.

With reference to FIG. 2, the user makes an authentication request to the key management server 4 of the signature system 3 via the terminal device 2. The authentication request is user authentication using a user ID and password. If the user's account has not been created, the key management server 4 creates a new account for the user. Further, as a user authentication method, not only a method of authenticating a combination of a user ID and a password but also an authentication can be performed by transmitting a token stored in an IC card to a key management server. After the user authentication, the key management server 4 sends an authentication response to the terminal device 2.

If the user authentication is successful, the user sends a key pair generation request from the terminal device to the key management server 4. The key management server 4 transmits a key pair generation request to the anti-tamper device 5. The anti-tamper device generates a key pair of a private key and a public key in response to receiving a key pair generation request. The generated private key becomes a signature key and is used for digital signature. Further, the public key functions as an encryption key for encrypting the authentication information and also functions as a signature key identification information. The tamper-resistant device sends a key pair generation notification including the generated public key to the key management server, and the key management server sends the received key pair generation notification to the terminal device. The terminal device stores the received public key. In this example, since the public key of the generated key pair is used as the signature key identification information, the signature key is searched using the public key. Of course, it is also possible to set the unique identification information generated by the anti-tamper device as the identification information of the signature key.

In response to the reception of the key pair generation notification, the user conceives an AC signal and inputs the conceived AC signal to the terminal device via an input device such as a keyboard. As the AC signal, for example, 8-digit code information can be used. Alternatively, the user sets the authentication information of a simple code signal that is easy to memorize, performs a combination calculation of the e-mail address and the terminal-specific constant in the terminal device, converts it into a complex code signal of many digits, and converts it. It is also possible to use a multi-digit code signal as an AC signal. For example, when performing SHA256 hash calculation, the user only stores simple code information, so that the case of forgetting the authentication information is reduced, and the code becomes a 32 byte (256 bits) random code, which is an AC code. Security is greatly improved.

The terminal device encrypts the AC signal input by the user using the public key of the key pair as the encryption key, and generates a signature key generation request including the public key. The terminal device transmits the generated signature key generation request to the anti-tamper device via the key management server.

The anti-tamper device decrypts the received encrypted AC signal using the private key of the key pair as the decryption key. The tamper-resistant device searches for the corresponding signature key using the signature key identification information (public key of the key pair), and stores the decrypted AC signal in association with the corresponding signature key. Subsequently, the AC signal storage completion notification is transmitted to the terminal device via the key management server. If the number of key pairs to be stored becomes large and overflows, some key pairs can be encrypted and stored in a database outside the anti-tamper device.

Subsequently, the terminal device transmits an authentication request to the certificate issuing server 6 in order to acquire the digital certificate. This user authentication is also a combination of a user ID and a password. An authentication response is sent from the certificate issuing server to the terminal device.

If the user authentication is successful, the terminal device sends a digital certificate issuance request including the user ID and the public key of the key pair to the certificate issuance server. The certificate issuance server creates a certificate issuance request (CSR) using the received public key and necessary information, digitally signs the generated certificate issuance request, and generates an electronic certificate. The generated digital certificate is sent to the terminal device. The terminal device stores the received digital certificate.

FIG. 3 shows a signature process in which an electronic signature is performed using the generated signature key. The user requests user authentication from the editing server 7 via the terminal device 2. User authentication is performed by combining a user ID and password. When the user authentication is normally performed, the editing server sends an authentication response to the terminal device. Subsequently, the user transmits the electronic signature generation request to the editing server provided in the editing system via the terminal device. The electronic signature generation request includes an electronic document to be signed, an electronic certificate, and a public key used as signature key identification information.

The user edits the electronic document, such as setting the edit field. The editing server also generates a hash value from the electronic document. Subsequently, the editing server requests the terminal device to input an AC signal.

The user inputs the stored AC signal to the terminal device. The terminal device encrypts the input AC signal using an encryption key (public key) and transmits the encrypted AC signal to the editing server. The editing server forms a signing request including the received encrypted AC signal, hash value, and public key, and transmits the generated signing request to the tamper-resistant device via the key management server. The public key is used to search for the signature key.

The anti-tamper device decrypts the received encrypted AC signal using the private key of the key pair as the decryption key. In addition, the signature key is searched using the signature key identification information (public key). Subsequently, the decoded AC signal is compared and verified with the AC signal stored in association with the searched signature key. As a result of the verification, when the decoded AC signal matches the stored AC signal, the received hash value is digitally signed and an electronic signature is generated. The signature result including the electronic signature and the public key is transmitted to the editing server via the key management server. If the AC signals do not match, it is treated as an error.

The editing server embeds the received electronic signature (signature value) in the edited electronic document and creates a signed electronic document (signature document). The signed electronic document is stored in the editing server and transmitted to the terminal device as needed. In this embodiment, since the public key corresponding to the private key (signature key) stored in the tamper-resistant device is transmitted from the tamper-resistant device to the terminal device, the work of setting the encryption key for public key cryptography is performed. It becomes unnecessary and workability is greatly improved.

Next, an example in which the public key and the private key for public key cryptographic communication set in the tamper-resistant device are used as the encryption key and the decryption key will be described. FIG. 4 shows an algorithm for explaining a signature key generation process for encrypting an AC signal using a public key for public key cryptography set in a tamper-resistant device.

The user makes an authentication request to the key management server via the terminal device. The authentication request is user authentication using a user ID and password. If the user authentication is successful, the user sends a signature key generation request from the terminal device to the key management server. The key management server sends an AC signal input request to the terminal device as a reply.

The user conceives an AC signal and inputs the conceived AC signal through an input device. The input AC signal is encrypted using the public key of the key pair set in the anti-tamper device. Therefore, the user obtains the public key of the anti-tamper device in advance and loads it into the program of the terminal device. The terminal device generates a signature key generation request including an encrypted AC signal together with the user ID, and transmits the request to the tamper-resistant device via the key management server.

The anti-tamper device generates a key pair of a private key and a public key in response to receiving a signature key generation request. The generated private key becomes a signature key and is used for digital signature. Further, the anti-tamper device decrypts the received encrypted AC signal by using its own private key as a decryption key. Subsequently, the generated key pair and the decoded AC signal are stored as a pair.

Subsequently, the anti-tamper device transmits a signature key generation completion notification including the generated public key to the corresponding terminal device.

Upon receiving the signature key generation completion notification, the terminal device saves the received public key.

Subsequently, the user accesses the certificate issuing server via the terminal device and acquires the digital certificate based on the above-described processing. The obtained digital certificate is stored in the terminal device.

In the signature process, an electronic signature is formed based on the algorithm shown in FIG. 3, and a signed electronic document is created. In the signing process, the encrypted AC signal transmitted from the terminal device to the tamper-resistant device is encrypted using the public key for public key cryptographic communication set in the tamper-resistant device. Further, the anti-tamper device decodes the received AC signal by using its own private key as a decryption key.

Next, a modified example of the signature process will be described. In the above-described embodiment, the AC signal is verified, and when the AC signal included in the signature request matches the AC signal stored in association with the signature key, digital signature is performed. However, in a system that verifies only the signing key, there is a risk of signing an incorrect hash value if the signing request is stolen or extracted by the editing server or key management server. That is, the signing request includes a hash value, a signing key ID and an encrypted AC signal. On the other hand, since the anti-tamper device verifies only the AC signal, if the AC signal is normal, the digital signature is performed even if the hash value is tampered with. Therefore, if the signing request is stolen by the system administrator, a signature request with a falsified hash value is created and sent to the tamper-resistant device, the signing request is judged to be valid and the wrong hash value is signed. Problems occur. That is, there is a risk that the electronic signature will be misused.

In order to solve the above-mentioned problems, in this example, both the AC signal and the data to be signed (hash value) are verified. Then, the digital signature is performed only when both the AC signal and the hash value are normal.

FIG. 5 shows an algorithm that verifies both the AC signal and the hash value. The user sends an authentication request to the editing server via the terminal device. The editing server authenticates the user and sends an authentication response to the terminal device. Subsequently, the user sends an electronic signature generation request to the editing server. The electronic signature generation request includes an electronic document to be signed, an electronic certificate, a public key acting as signature key identification information, and a tamper-resistant device ID.

The editing server edits the electronic document and generates two identical hash values, the first and the second, from the electronic document to be digitally signed. The first hash value is used as a reference for verification. The second hash value is the hash value that is the target of the signing request. Subsequently, the editing server transmits an AC signal input request including the first hash value to the terminal device.

The user inputs an AC signal to the terminal device via the keyboard. The terminal device encrypts both the input AC signal and the first hash value, and transmits the encrypted data including the encrypted AC signal and the encrypted first hash value to the editing server. Here, since the first hash value is encrypted, it cannot be tampered with. When public key cryptography is performed using the private key and public key set in the tamper-resistant device, the public key of the tamper-resistant device is used for encryption. When public key cryptography is performed using the signature key and the corresponding public key, the public key of the generated key pair is used for encryption.

The editing server generates a signing request containing the received encrypted data and a second hash value that is the subject of the signing request. The generated signature request is sent to the anti-tamper device. The second hash value, which is the target of the electronic signature, is a hash value generated from the electronic document sent from the terminal device, that is, a hash value equal to the first hash value when the system is operating normally. That is, the first hash value and the second hash value are equal to each other. On the other hand, when the signature request is stolen and the hash value is tampered with, the second hash value becomes a different hash value from the first hash value.

The anti-tamper device decrypts the received encrypted data to form an AC signal and a first hash value. Subsequently, the signature key is searched using the signature key identification information, and the consistency between the decrypted AC signal and the AC signal stored in association with the searched signature key is verified. Further, the second hash value and the decrypted first hash value are compared and verified. By verifying the AC signal, it is determined whether or not the signature request is made by a person who has a proper authority to use the AC signal. In addition, by verifying the hash value, it is determined whether or not the signature target has been tampered with. As a result of the verification, if both the AC signal and the hash value match, it is determined that the signing request is valid, and the data to be signed is digitally signed. The signature result including the generated digital signature is transmitted to the editing server via the key management server. On the other hand, if the AC signal or hash value does not match, the signature request is treated as an error.

In this example, the hash value generated from the electronic document to be signed is encrypted together with the AC signal and cannot be tampered with. Therefore, even if the signature request is stolen and the hash value is tampered with, the hash value is different and the signature request is determined to be invalid. Therefore, even if the signing request is stolen, there is no problem of signing an erroneous electronic document. In this way, a higher security level can be obtained by verifying both the signing requester and the signature target.

FIG. 6 is a block diagram showing a functional configuration of the terminal device. Note that FIG. 6 shows only the portion related to the electronic signature of the embodiment shown in FIGS. 2 and 3. The terminal device includes a communication means 10, a control unit 11, an input device 12, and a storage unit 13. The communication means 10 is connected to a network and transmits / receives data to / from a key management server or the like. The control unit 11 has an authentication request unit 14 and transmits an authentication request using a user ID and a password to a key management server or the like of a signature system. Subsequently, the signature system is logged in, and the key pair generation request unit 15 transmits the key pair generation request to the anti-tamper device. The public key of the key pair generated by the anti-tamper device is stored in the public key storage unit 16 of the storage unit via a communication means.

The user inputs an AC signal to the terminal device via an input device 12 such as a keyboard. The input AC signal is supplied to the encryption unit 17 of the control unit, encrypted with the public key (encryption key) stored in the public key storage unit, and sent to the signature key generation request creation unit 18. The signature key generation request creation unit 18 creates a signature key generation request including an encrypted AC signal and transmits the signature key generation request to the anti-tamper device via a communication means.

The digital certificate issuance request unit 19 generates an electronic certificate issuance request including the public key received from the anti-tamper device and sends it to the certificate issuance server. The created digital certificate is received via a communication means and stored in the digital certificate storage unit 20.

The electronic document uploading unit 21 creates an electronic signature generation request including an electronic document stored in the electronic document storage unit 22 and a stored electronic certificate, and transmits the electronic signature generation request to the editing server.

When a signed electronic document is created by the editing server, the created signed document is stored in the signed electronic document storage unit 23 of the storage unit.

FIG. 7 shows the functional configuration of the key management server. The key management server has a communication means 30, a control unit 31, and a user information database 32. The control unit has a user authentication processing unit 33, authenticates the authentication information (user ID and password) displayed on the authentication screen of the terminal device, and transmits an authentication response to the terminal device.

The key pair generation request and the signature key generation request sent from the terminal device and the signature request sent from the editing server are supplied to the tamper-resistant device control unit 34, and instructions corresponding to the designated processing are sent to the tamper-resistant device. Information such as data generated by the tamper-resistant device is sent to the terminal device or the like via the tamper-resistant device control unit. The key management server and the anti-tamper device can be connected via the internal bus or the external bus. Alternatively, it is also possible to connect via a LAN.

FIG. 8 shows the functional configuration of the tamper resistant device. The anti-tamper device has a management unit 40, a processing unit 41, and a storage unit 42. The information signal transmitted from the terminal device or the editing server is input to the management unit 40 via the key management server. The management unit 40 controls each functional unit provided in the processing unit and executes a designated function according to the input information signal. In response to the reception of the key pair generation request, the key pair generation unit 43 operates to generate a key pair of a private key and a public key as a signature key. The generated key pair is stored in the storage unit 44, and the public key is transmitted to the terminal device via the management unit.

In response to the reception of the signature key generation request, the AC signal is taken out and decrypted by the decoding unit 45 using the private key. The decoded AC signal is sent to the storage unit 44. The storage unit forms key pair data by pairing the generated key pair and the AC signal. This key pair data is stored in the key pair data storage unit 46 provided in the storage unit 42.

When the signature request is input, the decryption unit 45 operates to decrypt the encrypted AC signal included in the signature request. In addition, the corresponding signature key is searched using the signature key identification information (public key). The decrypted AC signal and the AC signal stored together with the searched signature key are sent to the verification unit 47 for comparative verification. Signing is permitted if these AC signals match each other. Then, the digital signature unit 48 digitally signs the hash value included in the signature request using the corresponding signature key.

FIG. 9 is a block diagram showing a functional configuration of the editing server. The editing server has a communication means 50, a control unit 51, and a storage unit 52. The communication means 50 is connected to a network, and information is transmitted and received between the terminal device and the anti-tamper device. The user authentication processing unit 53 uses the user information stored in the user information storage unit 54 to process the authentication request sent from the terminal device.

The electronic document, the electronic certificate, and the like included in the electronic signature generation request sent from the terminal device are received by the electronic signature generation request receiving unit 55. The received electronic document is sent to the hash value generation unit 56, and a hash value is generated from the electronic document to be signed. The generated hash value is supplied to the signing request generation unit 57. The public key that functions as the signature key identification information is sent from the electronic signature generation request receiving unit 55 to the signature request generation unit 57. Further, the received encrypted AC signal is sent to the signing request generation unit 57. The signing request generator generates a signing request including an encrypted AC signal, a hash value, and a public key, and transmits the signing request to the anti-tamper device. The electronic document and the digital certificate are also sent to the editorial department 58. The user accesses the editorial department, edits the electronic document, and sets the arrangement method and arrangement position of the field of the electronic signature to be formed.

The signature result sent from the tamper-resistant device is sent to the signature data embedding unit 59, the electronic signature is embedded in the edited electronic document, and the signature document is generated. The signature document (signed electronic document) is stored in the signature document storage unit 60.

FIG. 10 is a diagram showing a modified example of the electronic signature system according to the present invention. In this example, a VPN connection is provided between the key management server 4 and the certificate issuing server 6 and between the key management server 4 and the editing server 7, respectively. By providing the VPN connection, the key management server and the certificate issuing server are equivalent to those directly interconnected, and the key management server and the editing server are also equivalent to those directly interconnected. As a result, the public key of the key pair can be transmitted from the tamper-resistant device to the terminal device via the VPN connection and the certificate issuing server, and the tamper-resistant device can be transmitted from the terminal device via the certificate issuing server and the VPN connection. Credentials, key pair generation request and signature key generation request can be sent to. Further, by providing the VPN connection between the key management server and the editing server, the signing request including the signature target data and the authentication information can be more safely transmitted to the tamper-resistant device via the VPN connection.

In this example, the information transmission between the terminal device and the key management server is performed via the certificate issuing server and the VPN connection, and the information transmission between the editing server and the key management server is performed via the VPN connection. Therefore, the tamper-resistant device is less susceptible to attacks by attackers, and the protection function against the signature key and the authentication information is significantly improved.

The present invention is not limited to the above-described embodiment, and various modifications and changes can be made. For example, the validity of the signing request can be verified by using the challenge code in the signature process. That is, when requesting a signature, the terminal device requests a challenge code from the anti-tamper device. The generated challenge code is sent to the terminal device, encrypted together with the AC signal, and transmitted to the anti-tamper device. The anti-tamper device decodes the challenge code together with the AC signal and compares and verifies it with the stored challenge code. By verifying the challenge code in this way, the validity of the signature request itself can be determined.

1 Network 2 Terminal device 3 Signature system 4 Key management server 5 Tamper-resistant device 6 Certificate issuance server 7 Editing server 10, 30, 50 Communication means 11, 31, 41 Control unit 12 Input device 13, 42, 52 Storage unit 40 Management Unit 70,71 VPN connection

Claims (12)

A signature system having one or more tamper-resistant devices having a function of generating and managing a signature key, and a key management server having a function of controlling the tamper-resistant device, and a terminal device used by a user. In the remote signature type electronic signature system
The tamper-resistant device has a function of generating a key pair of a private key and a public key as a signing key, a function of storing the generated signing key together with authentication information indicating usage authority for the signing key, and received encryption. A function of decrypting the authentication information using the private key of the key pair or the private key of the key pair set in the tamper resistant device as a decryption key for performing public key encrypted communication, a function of verifying the decrypted authentication information, And has a function to digitally sign using the signing key based on the verification result.
The terminal device comprises means for inputting the authentication information indicating the use permission of the signature key, and the encryption key a public key of the key pair the private key is set to the public key or the tamper resistant device key pair as the signature key Has an encryption means to encrypt using
Authentication information input to the terminal device by the user, said encrypted by the encrypting means is sent to the tamper resistant device, is decrypted using the decryption key in the tamper resistant device,
The tamper resistant device, in response to said key pair generating request or signature key generation request from the terminal device, generating a key pair of a signature key and becomes a secret key and a public key,
Signing key of each user is stored in the tamper resistant device associated with a credential of the user,
Upon electronic signature, the tamper resistant device, the authentication information included in the signature request received, coincides with the authentication information stored in association with the signature key identified by the signature key identification information included in the signing request An electronic signature system characterized by verifying and digitally signing using the signature key when these authentication information match. A signature system having one or more tamper-resistant devices having a function of generating and managing a signature key, and a key management server connected to a network and having a function of controlling the tamper-resistant device, and a digital certificate. It is a remote signature type electronic signature system that includes a certificate issuing system to generate, an editing server having a function of generating signature target data from an electronic document, and a terminal device used by a user.
The tamper-resistant device has a function of generating a key pair of a private key and a public key as a signature key, a function of storing the generated signature key in association with authentication information indicating the usage authority for the signature key, and encryption. It has a function of decrypting the authenticated authentication information using the private key of the key pair as a decryption key, a function of verifying the decrypted authentication information, and a function of digitally signing using the signature key based on the verification result.
The terminal device has a means for inputting authentication information indicating the authority to use the signature key, and an encryption means for encrypting using the public key of the key pair as an encryption key.
When generating the signing key
The tamper resistant device, in response to said key pair generation request from the terminal device, generating a key pair of a signature key and becomes a secret key and a public key, and sends the generated public key to the terminal device,
The user inputs the authentication information that it has arrived at the terminal device, the terminal device, encrypted with the encryption means the authentication information input by the user, the tamper authentication information encrypted Send to
The tamper-resistant device decrypts the received encrypted authentication information using the private key of the key pair as a decryption key, and stores the decrypted authentication information and the signature key in association with each other.
For digital signature
The user inputs the authentication information thereof to the terminal device, the terminal device, the user authentication information inputted encrypted by said encryption means by the electronic document and the signature key identifies the authentication information encrypted Send it to the editing server with the information
Editing server generates signature object data from the electronic document, generated signature target data to generate a signature request including the authentication information and the signature key identification information encrypted, the tamper resistant device the generated signature request Send to
The tamper-resistant device decrypts the encrypted authentication information included in the signature request using the private key of the key pair as a decryption key, and associates the decrypted authentication information with the signature key specified by the signature key identification information. Verify the consistency with the stored credentials and
If these credentials are matched with each other, the tamper resistant device, an electronic signature system, characterized in that the digital signature for the signature target data using the signature key. A signature system having one or more tamper-resistant devices having a function of generating and managing a signature key, and a key management server connected to a network and having a function of controlling the tamper-resistant device, and a digital certificate. It is a remote signature type electronic signature system that includes a certificate issuing system to generate, an editing server having a function of generating signature target data from an electronic document, and a terminal device used by a user.
The tamper-resistant device has a private key and a public key key pair set for performing public key encrypted communication, and also has a function of generating a key pair of a private key and a public key as a signing key, and a generated signing key. A function to store the encrypted authentication information in association with the authentication information indicating the usage authority for the signature key, a function to decrypt the encrypted authentication information using its own private key as a decryption key, a function to verify the decrypted authentication information, In addition, it has a function of digitally signing using the signing key based on the verification result.
The terminal device includes means for inputting authentication information indicating permission to use the signature key, and has an encryption means for encrypting using a public key of the tamper resistant device as an encryption key,
When generating the signing key
The user inputs the authentication information that it has arrived at the terminal device, the terminal device encrypts to generate encrypted authentication information by the encryption means the authentication information input by the user, the generated sends a signature key generation request including the encrypted authentication information in the tamper resistant device,
The tamper-resistant device generates a key pair of a private key and a public key as a signing key in response to a reception of a signing key generation request, and decrypts the received encryption authentication information using its own private key as a decryption key. , Store the decrypted credentials and the generated signing key in association with each other,
For digital signature
The user inputs the authentication information thereof to the terminal device, the terminal device, the user authentication information inputted encrypted by said encryption means by the electronic document and the signature key identifies the authentication information encrypted Send it to the editing server with the information
Editing server generates signature object data from the electronic document, generated signature target data to generate a signature request including the authentication information and the signature key identification information encrypted, the tamper resistant device the generated signature request Send to
The tamper-resistant device decrypts the encrypted authentication information included in the signature request using its own private key as a decryption key, and stores the decrypted authentication information and the signature key specified by the signature key identification information in association with each other. Verify the match with the credentials provided
If these credentials are matched with each other, the tamper resistant device, an electronic signature system, characterized in that the digital signature for the signature target data using the signature key. A signature system having one or more tamper-resistant devices having a function of generating and managing a signature key, and a key management server connected to a network and having a function of controlling the tamper-resistant device, and a digital certificate. It is a remote signature type electronic signature system that includes a certificate issuing system to generate, an editing server having a function of generating signature target data from an electronic document, and a terminal device used by a user.
The tamper-resistant device has a function of generating a key pair of a private key and a public key as a signature key, a function of storing the generated signature key in association with authentication information indicating the usage authority for the signature key, and a received encryption. A function to decrypt the decrypted authentication information using the private key of the key pair as a decryption key, a function to verify the decrypted authentication information, and a function to digitally sign using the signature key based on the verification result. Have and
The terminal device includes means for inputting authentication information indicating permission to use the signature key, and has an encryption means for encrypting using a public key of the key pair as the cryptographic key,
When generating the signing key
The tamper resistant device generates a key pair of public key and private key as a signature key, and sends the generated public key to the terminal device,
The user inputs the authentication information that it has arrived at the terminal device, the terminal device, encrypted with the encryption means the authentication information input by the user, the tamper authentication information encrypted Send to
The tamper-resistant device decrypts the received encrypted authentication information using the private key of the key pair as a decryption key, and stores the decrypted authentication information and the signature key in association with each other.
For digital signature
The user, via said terminal device transmits the electronic document is an electronic signature of the subject to the editing server, generates the same two data to be signed from the editing server electronic document received, the first signature The target data is the reference data for verification, the second signature target data is the signature target data to be the signature request, and the first signature target data is transmitted to the terminal device.
Further, the terminal device encrypts to generate encrypted data of the first signature object data by the authentication information and receiving input by the encryption means by a user, the generated encrypted data to the editing server Send and
The editing server decrypts the received encrypted data, signing request form to include a second signed data and the signature key identification information to be signed request sent to the tamper resistant device,
The tamper-resistant device decrypts the encrypted data included in the signature request using the private key of the key pair as a decryption key, and stores the encrypted data in association with the decrypted authentication information and the signature key specified by the signature key identification information. In addition to verifying the consistency with the authenticated authentication information, the matching between the decrypted first signature target data and the second signature target data included in the signature request is verified.
If the authentication information is signature target data coincide with match, the tamper resistant device, an electronic signature system, characterized in that the digital signature for the signature target data using the signature key. A signature system having one or more tamper-resistant devices having a function of generating and managing a signature key, and a key management server connected to a network and having a function of controlling the tamper-resistant device, and a digital certificate. It is a remote signature type electronic signature system that includes a certificate issuing system to generate, an editing server having a function of generating signature target data from an electronic document, and a terminal device used by a user.
The tamper-resistant device has a private key and a public key key pair set for performing public key encrypted communication, and also has a function of generating a key pair of a private key and a public key as a signing key, and a generated signing key. A function to store the key in association with the authentication information indicating the usage authority for the signing key, a function to decrypt the received encrypted authentication information using its own private key as a decryption key, and a function to verify the decrypted authentication information. It has a function and a function of digitally signing using the signing key based on the verification result.
The terminal device includes means for inputting authentication information indicating permission to use the signature key, and has an encryption means for encrypting with the public key of the key pair that has been set in the tamper resistant device as an encryption key,
When generating the signing key
The user inputs the authentication information that it has arrived at the terminal device, the terminal device encrypts to generate encrypted authentication information by the encryption means the authentication information input by the user, the generated sends a signature key generation request including the encrypted authentication information in the tamper resistant device,
The tamper-resistant device generates a key pair of a private key and a public key as a signing key in response to a reception of a signing key generation request, and decrypts the received encryption authentication information using its own private key as a decryption key. , Store the decrypted credentials and the generated signing key in association with each other,
For digital signature
The user, via said terminal device transmits the electronic document is an electronic signature of the subject to the editing server, wherein the editing server generates the same two data to be signed from the electronic document received, the first signature target data as reference data for verification, a second signature object data is the signature object data to be signed request, transmits the first data to be signed to the terminal device,
Further, the terminal device encrypts the first signature object data by the authentication information and receiving input by the user by the encryption means, and transmits the generated encrypted data to the editing server,
The editing server transmits the received encrypted data, the second signature object data is the signature request of the target, and a signature request including a signature key identification information to the tamper resistant device,
The tamper-resistant device decrypts the encrypted data included in the signature request using its own private key as a decryption key, and stores it in association with the decrypted authentication information and the signature key specified by the signature key identification information. In addition to verifying the consistency with the existing authentication information, the matching between the decrypted first signature target data and the second signature target data included in the signature request is verified.
If the authentication information is signature target data coincide with match, the tamper resistant device, an electronic signature system, characterized in that the digital signature for the signature target data using the signature key. The electronic signature system according to any one of claims 2 to 5, wherein the key management server and the certificate issuing server are interconnected by VPN connection, the public key of the key pair generated by the tamper resistant device transmitted from the tamper resistant device to the terminal device via the VPN connection and the certificate issuing server, authentication information and the signature key generation request contemplated by the user via the certificate issuing server, and the VPN connection from the terminal device electronic signature system, characterized in that it is sent to the tamper resistant device. The electronic signature system according to any one of claims 2 to 6, wherein the key management server and the VPN connection is provided between the editing server, signing request via a VPN connection from the editing server the An electronic signature system characterized by being transmitted to a tamper resistant device. In the electronic signature system according to any one of claims 2 to 7, the editing server further has a function of embedding an electronic signature in an electronic document to generate a signed electronic document.
The tamper resistant device transmits the electronic signature generated in the editing server,
The editing server, an electronic signature system and generates a signed electronic document using an electronic signature transmitted from the electronic document and the tamper resistant device transmitted from said terminal device. In the electronic signature system according to any one of claims 2 to 8, the anti-tamper device is characterized in that a key pair is generated in advance and a key pair generated earlier is assigned instead of generating the key pair. Electronic signature system. In the anti-tamper device used in the remote signature type electronic signature system
The tamper-resistant device has a function of generating a key pair of a private key and a public key as a signing key, a function of storing the generated signing key in association with authentication information indicating usage authority for the signing key, and receiving. A function of decrypting the encrypted authentication information using the private key of the key pair or the private key of the key pair set in the tamper-resistant device as a decryption key for performing public key encrypted communication, and the decrypted information. It has a function to verify and a function to digitally sign using a signing key based on the verification result.
The tamper-resistant device generates a key pair of a private key and a public key as a signature key in response to a key pair generation request or a signature key generation request from a terminal device, and uses the generated signature key of the user. Store it in relation to the user's authentication information
At the time of digital signature, the encrypted authentication information included in the received signature request is decrypted using the decryption key, and the decrypted authentication information and the signature key specified by the signature key identification information included in the signature request are used. A tamper-resistant device characterized in that it verifies the consistency with the authentication information stored in association with each other, and if these authentication information match, digitally signs using the signature key. In the anti-tamper device used in the remote signature type electronic signature system
The tamper-resistant device has a function of generating a key pair of a private key and a public key as a signing key, a function of storing the generated signing key together with authentication information indicating usage authority for the signing key, and authentication information and. a function of decoding using the signature object data private key of the set key pair to those resistant tamper device to the encrypted information performing secret key or a public key encryption communication of the key pair including a decryption key, authentication is decoded It has a function to verify information, a function to verify the decrypted signature target data, and a function to digitally sign using the signature key based on the verification result.
The tamper-resistant device generates a key pair of a private key and a public key as a signature key in response to a key pair generation request or a signature key generation request from a terminal device, and uses the generated signature key of the user. Store it in relation to the user's authentication information
In response to the reception of the signature request, the encrypted authentication information and the encrypted signature target data included in the signature request are used as the secret key of the key pair whose signature key is the private key or the key pair set in the tamper-resistant device. Decrypt each using the private key of
In addition to verifying the consistency between the decrypted authentication information and the authentication information stored in association with the signature key specified by the signature key identification information included in the signature request, it is included in the decrypted signature target data and the signature request. Verify the consistency with the signature target data that is the target of the signature request
A tamper-resistant device characterized in that when the authentication information matches each other and the signature target data matches each other, the signature target data is digitally signed using the signature key. The tamper-resistant device according to claim 10 or 11, wherein the tamper-resistant device is configured by a Hardware Security Module (HSM).

Images