JP7157864B2 - Authenticator of dynamic passwords generated based on distributed ledger - Google Patents

Description

Application of Article 30, Paragraph 2 of the Patent Act On February 22, 2020, note. Katsuya Nishizawa, the inventor of the invention with the application number, posted at the address (https://note. com/toshiyasingular/n/n7a9e0fd0f767) published the idea of TOTP and a pseudo-random number generator using the block number of the blockchain. And on February 23, 2020 (https://note.com/toshiyasingular/n/n6c4e08b578e5) and February 24 (https://note.com/toshiyasingular/n/n55367ad4d1bc), the same note. com, we published the concept and program code of TOTP authentication using the block number of the block chain that uses the OTP token using the user identifier. In addition, Katsuya Nishizawa developed an OTP authentication system and implemented the invention, and on April 17, 2020, deployed a contract for generating and authenticating TOTP based on block number Bn to the public blockchain Ethereum Ropsten testnet. It was released to the public, and on May 26, 2020, GitHub. com (operated by Github.inc, San Francisco, Calif., USA) has made a basic disclosure of the TOTP and OTP certification programs on its website. (Published to https://github.com/NZRI-AZRI/ERC721LT-OTP-GEN-AUTH.) On July 9th of the same year, the OTP authentication system contract, website and web application were released. Furthermore, on July 13, 2020, the concept related to the concept of application to website login, paper ticket, and encrypted data decryption using the OTP authentication system was posted on https://github. com/NZRI-AZRI/cryhon and https://github. com/NZRI-AZRI/cryhon/blob/master/Crybon-ERC721KI. Published in pdf.

Application of Article 30, Paragraph 2 of the Patent Act In addition, while posting the source code using GitHub, the number Bn-based TOTP intended to collect IP addresses at the time of OTP authentication on the Heroku website development platform of the US company Heroku. A web page regarding certification will be posted on April 26, 2020 at https://otp-ropsten-test. heroku app. com/. On July 29 of the same year, https://cryhon.com was released as an example of a content browsing site. heroku app. com/ is open to the public.発明者の用いたコントラクトをブロックチェーンにデプロイするために用いたイーサリアムテストネットのアドレスは０ｘ０ｆ３９８８０３ＢＥ４３１９Ｂ９８Ｆ１６４ｃａｅ４７５８９７９７ａＣ５ｃＦ９０６と０ｘ７Ｅ８６ｅＦＥ６６０Ｄ７７ＦＡ８７４３３８ａＤＡｆ８ｂｅ８８ｆ８ｃＡＥＤ３ｃ２７と０ｘ８６９０４３３９Ｄ２３ＢＦ３４６Ｃ１ＦＦＦ３１Ｃｃ３Ｂｂ７２６２ｆａ５９ｄ８３７を用いており、前記イーサリアムアドレスについて本発明に関するトランザクションが記録され公開されている。 Next, two search URIs for the first address are shown below. https://ropsten. etherscan. io/address/0x0f398803BE4319B98F164cae47589797aC5cF906, https://rinkeby. etherscan. io/address/0x0f398803BE4319B98F164cae47589797aC5cF906.

The present invention relates to systems and devices for user authentication.

With the spread of the Internet, it has become possible to provide services in the real space in the digital space using computers and networks, from commercial transactions to electronic commerce, from face-to-face banking transactions to Internet banking (net banking). Web services that require login by authentication, such as browsing e-mail, browsing video music sites, social networking services, Internet banking, and logging into electronic commerce sites, are expanding.
When providing services to customers on the website using Internet services, allow customers who have registered for the service to register their telephone number, user ID (or user nickname), e-mail address and password, and log in to the website. . After you log in to the website here, you may be working with more valuable data.
For example, in Internet banking, when transferring money to another person's bank account, it is necessary to have an authentication method different from the password used for login to confirm whether the person logging in is the user himself/herself. If only the password is leaked and misused by others, Internet banking may be illegally accessed, the transfer of assets may be supported, and the assets may be stolen by a malicious person.

Therefore, it is necessary to combine a method other than a password with the method of confirming the user's identity.
Methods for confirming and authenticating an individual are mainly divided into the following three categories: 1. 2. knowledge that the person knows; Personal belongings; 3. There are three biological characteristics of the person himself. Examples include:
1. The knowledge that the person knows is a password, a password, a four-digit personal identification number, and the like.
Passwords are static. It is also assumed that an attacker illegally obtains a password or performs a password brute force attack. Against the password brute force attack, the person needs to periodically update the password at different times and make it a dynamic password. As for the four-digit personal identification number, it is assumed that a brute force attack will be carried out by inputting personal identification numbers from 0000 to 9999 by brute force.
To combat this, a method is adopted in which the number of unsuccessful authentications is recorded, and authentication is not performed if three to five consecutive authentication failures occur. It is conceivable to record the number of times authentication by PIN is performed, reset the number to zero when the number is successful, and prevent the execution of authentication itself when the number of times exceeds a certain number. For example, in Japan. If you enter the wrong PIN three to five times on your personal number card, the card will be deactivated.
2. The possessions that the person has are a dynamic password generator, an IC cash card, and an individual number card. (Outside the field of electronic computers, keys and seals made of wood, metal, etc. also belong to possessions used for authentication.)
In the present invention, a password that is too long and random to be memorized by ordinary people, for example, when using 256-bit secret key data for public key cryptography, the secret key is printed on paper or recorded in a digital device for use. so it is considered owned. Among the IC cards, the individual number card contains the data of the electronic certificate, and the data and information of the private key recorded in the IC chip of the individual number card cannot be taken out to the outside, so it can be regarded as possession.
In general, the number of numbers and letters that humans can memorize is said to be 7 plus or minus 2 (Note 1). A 32-byte secret key that can express a number exceeding 7, for example, a number to the power of 2 to the 256th power with 256 bits, and a 2048-bit secret key that is used in personal number cards cannot be memorized by humans, and secret key data (secret key data) cannot be stored. Key information) must be printed on paper or stamped on a plate, recorded on a record board or magnetic tape, or stored in a digital device such as an optical disk, magnetic disk, semiconductor memory, etc., rather than the knowledge that the person knows It is owned by the person himself/herself.
A private key, like a seal or a metal key, has the risk of being duplicated if the data representing it is leaked. On the other hand, unlike biometric authentication information, which cannot be updated, at the request of the user, the use of the illegally used private key is stopped, and a new private key is assigned to the user and associated. can be used to switch private keys. The information of the private key does not have to be set to one.
Private keys and dynamic password generators can be updated periodically between the user and the service provider to improve security. Dynamic password generators and updating of private keys are performed by individuals or corporations that provide authentication means corresponding to corresponding services. In addition to dynamic passwords, there is also an authentication method that sends a number table to the customer and checks if the correct numeric character input according to the number table can be entered on the website after login.
In these methods, it is important to continue consensus building between the service provider (bank, etc.) and the user, and the digital authentication means, including the present invention, is used as a means to help consensus building. The present invention is merely a tool like a TOTP token, a paper valuable paper sheet, a metal key, etc. Whether or not a user can receive a service using them is based on an agreement between a user and a service provider or the laws of each country.
(Note 1) Miller, GA (1956). The magical number seven, plus or minus two: some limits on our capacity for processing information. Psychological Review, 63(2), 81-97.
3. The biometric features of a person include physical information such as fingerprints, face, iris, voice, vein pattern information, and genetic information, and behavioral features such as handwriting, walking, and speaker authentication.
Since biometric authentication uses information possessed by the user, the information that serves as the authentication key stays with the user as long as the user's body is in good health, and is less likely to be lost than a metal key. This characteristic is used for simple login in software such as computer terminal equipment.
On the other hand, changing biometric information is difficult. When biometric information is leaked, it is difficult to change like a metal key or password. It is also conceivable to copy fake biometric features based on biometric data, which is the key to biometric authentication, and break through by misidentifying the authentication sensing device that serves as a lock.
Fingerprints and the like can unlock the device even if the user does not want to log in. In other words, there is a possibility that an attacker may use the user's body to forcibly authenticate the user when the user's intention is not clear.
In biometric authentication, it can be seen that the person's data has been transmitted to the authenticating device, and further factors are required to determine whether it was the person's will. Therefore, when biometric features are used for authentication, multi-factor authentication is preferably combined with authentication based on knowledge or possession.
When dealing with assets such as Internet banking services provided by banks, biometric authentication is used instead of a login password, and a method (password generator) that uses the person's possessions for authentication is used together to create a multi-factor, multi-stage system. are authenticated to enhance security.

Here, a hardware-type dynamic password generator can be mentioned as one of the means of using the property owned by the person for authentication. The RFC6238 standard is known as a dynamic password generation algorithm. The RFC6238 standard utilizes dynamically changing one-time passwords that are generated based on the time of day. Such a one-time disposable password that changes with time is called a time-based one-time password (TOTP). TOTP is available for hardware and software one-time password indicators. TOTP changes every predetermined time.
One-time password (OTP, One-Time-Password) sent to the person using TOTP Enter the 7- to 6-digit numeric password displayed on the display on the Internet banking website or smartphone application, etc., and enter the TOTP By performing authentication and performing operations on the website, it is assumed that the identity has been verified, the instructed program is operated, and important processing such as transfer to the bank account of another bank is performed.
Two-factor authentication can be realized by using a one-time password generator owned by the person and a password of knowledge known by the person in combination, and security can be improved.

On the other hand, existing one-time password generators also had problems. For example, in the existing hardware-type one-time password indicator (hardware-type TOTP token) that provides services such as Internet banking, it is necessary to synchronize the time between the server terminal of the bank and the password indicator. The battery used to maintain the clock function of the token and synchronize the time will wear out, so it will be necessary to replace the battery periodically. There was a problem that it was necessary to mail or deliver a hardware-type TOTP token, which required a shipping fee. (However, since the hardware TOTP token is something that can be owned like a seal and is not connected to the network, it can be expected that the secret key information used for TOTP calculation will not be easily leaked via the network.)
According to the RFC6238 standard (Non-Patent Document 3), the hash value of the password is calculated using time T as an argument of the hash function and key information K (seed value K or secret variable K) that must be kept secret. , K is compromised, all of the user's hardware TOTP tokens need to be updated. Therefore, it is possible to maintain security by updating K with each token when the battery is periodically replaced, regardless of the presence or absence of leakage.
In addition, although the display integer of the authentication password of the known hardware TOTP token is 6 to 7 digits, the display integer may be increased if the processing power of the computer performing the brute force attack of the one-time password (OTP) token increases. The inventor thought that it would be good if the number of digits could be increased and updated to 12 digits or the like, and that the time displayed could also be updated and changed. (In the future, the inventor thought that it would be good if the number of OTP token display digits could be increased or decreased and the display time could be increased or decreased in order to counter brute force attacks by computer terminals with processing power surpassing that of known computers in the future.)

In addition, the inventor was searching for a means of performing a login method using an OTP token on a website using an encrypted file. We thought that if we could encrypt a plaintext data file that we wanted to convey to a specific individual corporation or organization and decrypt it using a key that would be the access right, it would be very useful for distributing confidential information and contents.
It is common to use a fixed password to browse encrypted files, but this is decrypted using TOTP, and after decryption, it can be browsed, executed, and used, and the encryption is broken. By tokenizing and exchanging viewing rights, which is the key to making it possible, like hardware tokens, transactions of confidential information, information within a certain community, use like e-books, decryption, viewing, and use of office processing software, etc. There was a problem of wanting to provide a device provided with software to perform. Furthermore, we thought it necessary to make it possible to view the content even when offline, such as in the event of a disaster.
In addition to viewing files, we thought it necessary to have a login system for websites such as Internet banking sites, a ticket and ticket reading system in the real world, an unlocking system for locks, and a starting system for vehicles, devices, and computer terminals. And we wanted to be able to use an access control system that could be used in both the real world and web services and digital worlds.

Here, as in Non-Patent Document 1 and Non-Patent Property 2, it has a block chain type or directed acyclic graph type data structure, and uses a distributed ledger system DLS that is difficult to tamper between distributed terminals. A technology called a smart contract (contract) has become available, which records issuance and transfer transactions, records program code in transactions on DLS, and stores and operates it in a data structure that is difficult to tamper with, such as a blockchain.
Patent Document 1 is one example of using blockchain or distributed ledger technology DLT for music rights, and Patent Document 2 is also an example of a system that manages information of multiple file management systems with one contract of a distributed ledger. is. Using a contract, program information such as variables and functions belonging to the contract are recorded in a distributed ledger without being tampered with, and terminals that become nodes via the network can be distributed all over the world. Distributed ledger technology and distributed ledger systems are characterized by the ability to deploy programs called contracts in the ledger system DLS around the world and provide services across national borders.

Patent No. 6757042 Japanese Patent Application Laid-Open No. 2020-144586

Vitalik Buterin, "Ethereum White Paper A NEXT GENERATION SMART CONTRACT & DECENTRALIZED APPLICATION PLATFORM", [online], [Searched on November 16, 2020, Reiwa], Internet <URL: https://cryptorating.eu/ whitepapers/Ethereum/Ethereum_white_paper.pdf> IOTA Foundation, "Differences between the Tangle and blockchain", [online], [Searched on November 16, 2020, 2020], Internet <URL: https://docs.iota.org/docs/getting- started/1.1/the-tangle/tangle-vs-blockchain Internet Engineering Task Force (IETF), "TOTP: Time-Based One-Time Password Algorithm", [online], [Searched on November 16, 2020, Reiwa], Internet <URL: https://tools .ietf.org/html/rfc6238>

The problem to be solved is that known hardware TOTP tokens require battery replacement and the token's key information K cannot be updated by the service provider or token administrator. Another problem is that there are few methods for viewing content such as encrypted books using OTP. Furthermore, there is also the issue that OTP tokens that solve these problems are not provided, for example, for website login tickets, ticket gates, entrance tickets to movie theaters, etc., and for locking and unlocking systems for facilities and buildings. there were.

The present invention mainly uses the block number Bn of the blockchain in a distributed ledger system as the value of T in generating TOTP, or changes K and T in a distributed ledger system such as a blockchain by the smart contract administrator. A major feature is that dynamic passwords can be generated by
The value of T is a value Tm or TB that changes at a certain time, and Tm uses a block number Bn that automatically changes according to the time change (time change) of the distributed ledger system, or the smart contract (contract) administrator is manually changed and updated by sending a data value change transaction for changing Tm or K to the distributed ledger system. It is a necessary element in the present invention because the contract manager manually changes and updates K by sending transactions to the distributed ledger system, which leads to updating K in the TOTP token.
(In the present invention, it is assumed that the contract administrator manually changes and updates the transaction by sending it to the distributed ledger system, but in addition, the transaction sent by the user who owns the OTP token and the OTP token It may also be possible to change the TOTP K value using data values from transactions sent by users who are not the owner of the TOTP.)

The present invention will be described. The present invention focuses on the block number of the blockchain. For the sake of explanation, the block number is called block number Bn in the present invention. The present invention has devised to use the block number Bn for the time-based numerical value T used in TOTP. In the present invention, this method and the one-time password are called BnTOTP. (Embodiments of the present invention use Ethereum, which is one of the distributed ledger systems that use a blockchain-type data structure, and in Ethereum, the block number Bn is called a block number.)
This name is because TOTP is operated using the number Bn when the block chain is in the Bn-th position counting from the first block data (when the block number is 0) as a variable Bn representing time and time change BnTOTP called. Note that Bn is a number that is the basis of the calculation of BnTOTP, and BnTOTP may be generated using a processed value (a variable that changes according to Bn by obtaining a hash value using a hash function based on Bn).
Also, in addition to generating dynamic one-time password (OTP) tokens based on time, such as TOTP, among the contract variables that access the blockchain at any time and compute OTPs deployed on the blockchain. Focusing on the fact that a dynamic password OWP (Owner Password) can be used by changing the key information K and updating the seed value of the OTP token without using information based on the time T, both TOTP (BnTOTP) and OWP devise and implement an authentication system using
In the present invention, OWP does not use information about the latest time of the block chain such as block number, but the contract manager who manages the contract on the block chain of the authentication system can rewrite the state of the internal variable of the contract at any time A dynamic password scheme in which the password generation values of all OWP scheme OTP tokens belonging to a contract are updated is called OWP.
In both TOTP (BnTOTP) and OWP, the contract internal variables are not limited to one contract, and may be called from different contracts.
BnTOTP uses the fact that the block number Bn automatically changes on the block chain for the clock, and OWP changes by accessing and rewriting by administrators and general users at any time when there is a variable on the block chain. Take advantage of what you are given.
OWP can operate similarly to BnTOTP and TOTP when the user of the administrator can update the seed value by periodically sending signed transactions to the blockchain at the user terminal in OWP. However, while BnTOTP does not require a seed value change transaction, OWP requires a transaction. For example, if OWP and BnTOTP are used as a password generator that is updated every 60 seconds, in the case of OWP, it is necessary to manually or automatically send transaction data every 60 seconds, and the amount of data accumulated on the blockchain is BnTOTP. and occupies the storage area of the terminal storage device that becomes a node of the blockchain. Therefore, in the present invention, BnTOTP and OWP are selectively used depending on the application.
BnTOTP is used for web services connected to the network that wish to update the BnTOTP value every tens of seconds via the network, and OWP is used when disconnected from the network or for a long period of time (from several months to several years). It is used for web services that may have an OWP value of , valuable paper sheets using paper or NFC tags, and keys for unlocking locks.

In addition, in the present invention, an OTP token that generates and authenticates BnTOTP and OWP using blockchain and smart contract using Ethereum (Ethereum, Non-Patent Document 1), which is one of the blockchain infrastructures, and an authentication system that uses the contract. devised and implemented. The present invention is developed based on Ethereum, and part of the description of the terminal that will be the node that constitutes the blockchain and the description of the user terminal are as described in Non-Patent Document 1, and the details are described in this patent application. Not described.
In addition, the explanations and diagrams described in this patent application are explanations on the basis on which Ethereum can be used, and all the explanations necessary for execution on Ethereum are not described, and Ethereum operates as a distributed ledger system. Regarding, the known non-patent document 1 will be mainly described. FIG. 9A illustrates the operation of the inventive contract on the Ethereum blockchain. FIG. 9B is an explanatory diagram of the operation of the present invention in a directed acyclic graph type distributed ledger system.
In Figures 9A and 9B, OWP password behavior is enabled from smart contracts. Since there is information derived from the block number of the latest data block and block data in the block chain of FIG. 9A, it can be used to calculate TOTP, but also in FIG. Hash values and timestamps are entered in each data block (chunk), and if time information can be obtained from the latest data chunk or if time information can be given to a distributed ledger system, BnTOTP type or TOTP type password can be generated.
The main feature of the present invention is to use an OWP type password. By changing K inside the OTP token contract on the blockchain, it is possible to change all the passwords displayed by the token issued by the OTP token contract. Pseudo TOTP can be realized by changing the OWP password every certain time.
OWP passwords, on the other hand, require transactions to be sent to a distributed ledger system. In order to implement TOTP on a distributed ledger, when a contract manager or the like sends transactions to a distributed ledger system, network traffic can increase. Also, the amount of transaction data increases, and the storage capacity of the node terminal may increase.
OWP type password that allows the contract administrator to change the K value when necessary or when necessary (once every few weeks, months, or years), and an interval of 60 seconds, etc. For TOTP applications where you want to update your password frequently, use a BnTOTP type password that mainly uses a block number and a BnTOTP type password that combines a BnTOTP type password with an OWP type password that can change the K value to generate a dynamic password. Authentication helps reduce network traffic and reduces the amount of space used by the block chain part of the storage device. Therefore, the present invention is characterized by using either or both of the BnTOTP type and the OWP type.

The present invention is a software TOTP token based on the blockchain and its network instead of a hardware type TOTP token, so that the service provider can update the key information of the token without battery replacement. The most important feature is that it is an authentication system in which the time-based variable Tm is changed in the block data to the time-varying variable T in the RFC6238 standard.
Furthermore, the main feature is that it is an authentication system that uses the block number variable Bn for the latest block data on the block chain as the time-varying variable T in the RFC6238 standard of the TOTP token.

The present invention includes a variable that can be accessed and changed at any time by the administrator of the token, and means such as a function that can change the variable. Its main feature is that it can be updated by an administrator.
Here, when the key information K can be changed by the administrator, even if the variable T of the RFC6238 standard is not set or is a constant that does not change with time, the administrator designates and changes the value K at any time as a variable. It may be T. (In the present invention, it is preferable that the administrator can update the key information K, but a user who is not an administrator can change the K of the contract on the blockchain. All users involved in the token can change their Even if the indicated value is entered into the blockchain and voted, the authentication system of the present invention can operate as a dynamic password generation token according to the value voted by the user.)

Using a software type password generator token (OTP token) and an authentication system using a distributed ledger system such as a blockchain, a blockchain type token (OTP token) is issued to the user, and the OTP token is encrypted, for example. It can be used as a token that is the key to decrypting data, used for website login purposes, admission tickets for ticket gates and movie theaters, pass permits at entrances and exits, valuable paper sheets and NFC tags, and can be used for facilities and buildings The main feature is that it is an authentication system and an access control system that locks and unlocks the door.

Also, in the present invention, it is possible to change the owner of the OTP token on the blockchain and transfer the OTP token between different users. It is also possible to transfer an OTP token between different users, which enables decryption of data obtained by encrypting a text, book, audio, video, or software content.
However, in the present invention, the OTP token contract may have a function that limits the transfer function, and has a control unit that enables or disables the transfer of the OTP token at any time according to the wishes of the contract manager. The main feature is that it is an authentication system using OTP tokens.
The function of restricting the transfer function provided in the contract of the OTP token is assumed to be a case where the right holder of the content obtained at the time of decryption of the encrypted data wants to control the distribution of information. This is because there may be applications where the transfer itself is prohibited, such as a certain ticket or a hardware type one-time password card for Internet banking at a bank. A transfer restriction function can be incorporated into the program of the OTP token contract to prevent the OTP token from being transferred in violation of the terms of service.
In the present invention, a control unit for restricting transfer can be set, and the transfer of the OTP token can be restricted at an arbitrary time (current time) according to the wishes of the service provider who is the user of the present invention, and the transfer cannot be performed. It is characterized by having a function to enable transfer. Further, according to the present invention, a control section for restricting transfer can be set, and the control section can be eliminated according to the wishes of the service provider, who is the user of the present invention, so that the transfer of the OTP token is always disabled.

In addition to the transfer restriction, the present invention can forcibly cancel the correspondence relationship between the token of the user who violates the service provider's terms and the identifier on the user's blockchain and remove the one-time password token from the user. Another feature is that it can be used in an authentication system having a control unit. However, this function is a function that can be realized in the ERC721 standard of Ethereum and is a known technology.
In addition, this OTP token removal function can forcibly remove an OTP token with a certain token number having a user identifier calculated from a user's secret key by the contract administrator, so that the user, service provider, and OTP token contract can be forcibly removed. Assume that it requires agreement with the administrator and is not normally used.
By restricting the transfer of OTP tokens between users and issuing and removing OTP tokens from a certain user, the user can generate OTPs of the present invention using OTP tokens and authenticate the OTPs, while the OTP tokens are substantially It is possible to store and transfer OTP tokens in which ownership, management and circulation are performed by the contract manager. It is assumed to be used for OTP token custody transfer by a third party who is qualified to custody OTP tokens, such as OTP token custody transfer.
The concept of custody transfer is similar to the concept of centralized custody of securities and name change of the Japan Securities Depository Center, and it may be a well-known concept, but one of the forms that realizes it on the blockchain according to the ERC721 standard is transfer restrictions and tokens. We thought that it might be possible to combine the issuance and removal of , and decided to adopt it in the present invention.

The authentication system of the present invention connects and distributes the block chain units built on server terminals (terminal 3A in FIG. 3A and terminal 3B in FIG. 3B) that are nodes that can be installed all over the world through a network 20, and distributes software one-time passwords. Holds token information. Since a distributed ledger is used, even if a disaster occurs in one region, data can be disseminated from server terminals in other regions around the world. In addition, it will be possible to distribute services compatible with the authentication system of OTP tokens all over the world.
The smart contract, which is the one-time password program of the present invention, is sent in the form of bytecode or the like from the terminal of the contract manager as a transaction to a distributed ledger system such as a blockchain, and is stored in block data with a block chain, and past block data It is connected to a blockchain that is a concatenated body of a chain, making it difficult to tamper with and immutable due to the characteristics of the blockchain. There is an advantage that it becomes difficult to falsify the correspondence with the identifier and the possession state of the OTP token.

In addition, it is difficult to lose OTP tokens as long as there is a private key that the user and the user terminal use for access and the node terminal of the blockchain (the network to which the node terminal is connected). This is less likely to be lost than a hardware token or a software token that is installed on existing computers or smartphones, and has the advantage of being accessible worldwide and being able to manage node terminals in a distributed manner.

Hardware tokens require a battery to synchronize the time and date, and when the battery level is low, the time shifts and the user has to adjust the time. On the other hand, the blockchain used in the present invention has the advantage that servers distributed around the world act as nodes and are driven while synchronizing the time, so there is no need for time synchronization.
The passage of time in the blockchain corresponds to the fact that blocks including new transactions are linked to the original blockchain at regular intervals, and the information Tm reflecting the time in the latest linked block is Time synchronization is unnecessary by using the seed variable T for calculating the TOTP of the TFC6238 standard.

In hardware tokens, it is difficult to change K in the seed value and it is disposable for each device, but the password generator using the blockchain of the present invention has the advantage that K can be updated. If you send a transaction to update K to the blockchain, you can rewrite and update the K value of all OTP tokens involved in that K.
By updating K, the seed value used for OTP calculation is changed, and the appearance of future OTP calculation results is renewed.

The present invention allows for the transfer of OTP tokens if permitted by the OTP token and the corresponding service provider. It is also possible to prohibit or allow the transfer of OTP tokens included in the contract between users. Encrypted content and tokens that can be used to decrypt and view it can be sent domestically and internationally. This may make it easier to sell data such as books, audio and video, membership sites and software overseas while restricting the transfer of usage rights. Even though it has a transfer restriction function, it will be sold among users as the right or the book itself while owning the e-book etc. as data.

In addition to the transfer restriction function, if a token removal function is implemented, it is possible to control and manage illegal resale and prevent tokens from being transferred to countries where sales should be refrained from. In addition, when the private key is lost or leaked and the token cannot be used normally, the user can notify the administrator of the token and the token can be assigned to a user identifier calculated from the new user's private key.
(In the present invention, content and tokens can be easily transferred from domestic to foreign countries, so transfer restrictions and token removal functions are described. Regarding the case where the token administrator and the token user can agree on the terms of use of the token preferably used.)

FIG. 1 is an explanatory diagram showing a method of generating and authenticating a one-time password using a blockchain. FIG. 1A is an explanatory diagram showing the concept of applying the one-time password (OTP) generation and authentication method using the blockchain of the present invention to a server terminal. FIG. 1B is an explanatory diagram showing the concept of a method of decrypting encrypted data through the OTP authentication system using blockchain of the present invention. FIG. 2A is an explanatory diagram of a terminal DA of a user UA that authenticates using the authentication system of the present invention. FIG. 2AA is an explanatory diagram of a storage unit (storage device), a control unit (control device), an input/output device, etc. of the terminal DA of the user who authenticates using the authentication system of the present invention. FIG. 2B is an explanatory diagram of the terminal DB of the user UB different from FIG. 2A. The functions of terminal DA and terminal DB are equivalent. Private key information is different. FIG. 2C is an explanatory diagram of the terminal DC of the user UC that deploys and manages the contract in the blockchain unit. The functions of terminals DA and DC are equivalent. Private key information is different. FIG. 3A is an explanatory diagram of a server terminal 3A, which is a block chain node connected to a network 20 and has a block chain unit that constitutes the distributed ledger system DLS. FIG. 3AA is an explanatory diagram of the control unit and storage unit of the terminal 3A in FIG. 3A and the smart contract of the block chain unit recorded in the storage unit. FIG. 3AB is one of explanatory diagrams of the contract of the block chain unit recorded in the storage unit of the terminal 3A of FIG. 3A. FIG. 3AC is an explanatory diagram of a specific example of a contract of a block chain unit that can change the transfer restriction function, the number of characters/digits of OTP, and the authentication standby time of OTP recorded in the storage unit of terminal 3A of FIG. 3A. FIG. 3B is an explanatory diagram of a terminal 3B that has the same block chain unit as the server P (3A) in FIG. FIG. 3C is an explanatory diagram of a server terminal 3C that performs a service when performing authentication according to the present invention by logging in to a website (web page, web application) or the like. FIG. 3D is an explanatory diagram of a terminal 3D that performs authentication by reading printed matter, a display screen, valuable paper sheets and keys on which the authentication information of the present invention recorded on NFC tags is recorded, and providing services. FIG. 3DA is an explanatory diagram relating to the storage unit (storage device, 30D) and input/output devices (34D, 35D) of the server SVLog (terminal 3D) shown in FIG. 3D. FIG. 3E is an explanatory diagram of a server terminal 3E that performs a service of purchasing OTP tokens or outputting OTP authentication information to paper and NFC tags to issue tickets, valuable paper sheets, keys, and the like. FIG. 3F is an explanatory diagram of a server terminal 3F that searches, monitors, and notifies a user terminal of transaction information and OTP token information from block chain information recorded in the server P (3A). FIG. 4A is an explanatory diagram of a terminal (4A) that decrypts encrypted data using the authentication system of the present invention for browsing, viewing, or using. FIG. 4B is an explanatory diagram (embodiment) relating to the storage device of the terminal (4A) that decrypts the encrypted data using the authentication system of the present invention and browses, views, or uses the data. FIG. 4C is an explanatory diagram when plaintext data 4035A is encrypted or obfuscated in the storage device of terminal 4A in FIG. 4B and incorporated in 4030A of software 403A. FIG. 5A is an explanatory diagram of a server terminal that decrypts encrypted data using the authentication system of the present invention and distributes an advertisement to a terminal (4A) that browses, views, or uses the data. FIG. 5B is an explanatory diagram of a server terminal 5B that decrypts encrypted data using the authentication system of the present invention and distributes the encrypted data to a terminal (4A) that browses/views or uses the encrypted data through a network. FIG. 5C is an explanatory diagram of a server terminal 5C that decrypts encrypted data using the authentication system of the present invention and sends the encrypted data by broadcasting to a terminal (4A) that browses, views, or uses the data. FIG. 6A is a flow chart diagram illustrating the processing of a function that generates an OTP for an OTP token holder in the present invention. Basic OTP generation function. FIG. 6B is a flow chart diagram showing processing of a function for generating an OTP having a function of recording the number of OTP generations for the holder of the OTP token in the present invention. FIG. 6C is a flow chart diagram of a function for authenticating OTP in the case of limiting the accessor to be authenticated to the user identifier of the token owner with the function of recording the number of times of OTP authentication in the present invention. FIG. 6D is a flow chart diagram of a function for authenticating OTP in the case of not limiting an accessor to be authenticated with a recording function such as the number of times of OTP authentication in the present invention. FIG. 6E is a flowchart of a function for authenticating an OTP when the OTP authentication count recording function is removed from FIG. 6C in the present invention. FIG. 6F is a flow chart diagram of a function for authenticating an OTP when the authenticated accessor is not limited in the present invention. Basic OTP authentication function. FIG. 6G is a flow chart showing processing of a function for determining whether an access is made by an owner of an OTP token having a function of recording the number of times of OTP authentication, etc., and authenticating the OTP in the present invention. FIG. 6H is a flow chart diagram showing processing of a function for determining whether an access is made by an OTP token owner and authenticating the OTP in the present invention. FIG. 6X shows a data structure recorded when a user terminal (1A or 4A) accesses a server terminal (3C, 3D, 3E, 3F, 5A, 5B) that provides services using the authentication system of the present invention. It is a chart. FIG. 7A is one of sequence diagrams explaining the authentication system of the present invention (TB mainly uses block number Bn. It is also an explanatory diagram of BnTOTP type password). FIG. 7B is an explanatory diagram of the authentication sequence when the contract manager can change the contract internal variables KC and BC, which are the seed values for calculating the password OWP in the present invention, using the function fscb. FIG. 7CA is a sequence diagram when the encrypted data is decrypted and the decrypted plaintext data is browsed/viewed/executed as a program in the present invention. FIG. 7CB is a sequence explanatory diagram for encrypting plaintext data and distributing/distributing the encrypted data in the present invention. FIG. 7CC is a sequence explanatory diagram for decrypting browsed encrypted data in an off-line state not connected to a network and browsing as plaintext data in the present invention. FIG. 7D is a sequence diagram illustrating the operation of the authentication system when logging into a web-based service such as a website/web application in the present invention. FIG. 7E is a sequence diagram for explaining how a valuable paper or NFC tag is used as an example in the present invention to authenticate with a password OWP and to enter, unlock, and start a service. FIG. 8A is a diagram for explaining connection of terminals when logging in to a website. (Example 1, Embodiment 1) FIG. 8B is a diagram illustrating connection of terminals when using valuable paper sheets or keys using printed matter and NFC tags. (Example 2, Embodiment 2) FIG. 8C is a diagram for explaining connection of terminals using software CRHN (403A) when delivering (distributing) encrypted data through a communication network. (Example 3, Embodiment 3) FIG. 8D is a diagram for explaining connection of terminals using software CRHN (403A) when encrypted data is broadcast by data broadcasting. (Another Example of Embodiment 3) BRIEF DESCRIPTION OF THE DRAWINGS It is a figure explaining the outline|summary of the authentication system by the OTP token which used the block chain type data structure for distributed ledger system DLS (distributed ledger system DLS). BRIEF DESCRIPTION OF THE DRAWINGS It is a figure explaining the outline|summary of the authentication system by the OTP token using the directed acyclic graph type data structure for distributed ledger system DLS (distributed ledger system DLS).

The invention consists of several elements. A representative illustration is FIG. 8A, 8B, 8C, and 8D are explanatory diagrams of connection of terminals used in FIG. A computer terminal (computer terminal) such as a server terminal or a user terminal used in the present invention comprises a control arithmetic device (control device, arithmetic device), a storage device, an input device, and an output device as five major computer devices. In the terminal, the control arithmetic device, the storage device, the input device and the output device are connected by wiring such as a patterned conductor circuit or an electric wire. Further, the connection between the control arithmetic device (control device, arithmetic device), the storage device, the input device and the output device may be by wire (electrical cable or optical fiber) or wirelessly. The terminal includes a wireless or wired communication control device (communication device) and is connected to the network 20, an external terminal, etc., and may also be connected to an external storage device and an input/output device. The terminal is equipped with a power supply and supplies power to drive the computer terminal.
Even if it is a computer that uses some kind of quantum rather than an electronic computer, or a classical computer that uses machines such as gears that use mechanical energy without using electric power or electron movement, that is, a computer terminal that is not bound by the framework of an electronic computer. Anything that uses a storage device such as printed information on paper, a semiconductor memory, a magnetic disk, an optical disk, a hash function, and a distributed ledger described in the present invention may fall within the scope of the present invention.
1. User UA terminal DA (terminal 1A)
A user UA having a computer terminal DA or a terminal 1A (terminal 1A in FIGS. 1, 2A and 2AA) that displays or authenticates an OTP using an OTP token of the present invention, and its terminal 1A.
The terminal 1A stores a program for accessing a block chain server 3A, etc., a URI indicating a server P to be accessed (server 3A in FIG. 3A), etc., a private key PRVA (in FIG. 2AA Private key information 101A) is provided. A terminal 1A has a communication device 12A and accesses a server 3A via a network 20. FIG.
When accessing the server 3A to request OTP generation, the present invention assigned to the user identifier A calculated from the private keys PRVA101A and PRVA101A as described in the flow chart of the OTP generation function in FIGS. 6A and 6B. requires an OTP token with a token number TIDA of An OTP token with a token number TIDA of the present invention assigned to user identifier A calculated from private keys PRVA101A and 101A may also be required when requesting authentication of the OTP (FIGS. 6C, 6E, FIG. 6G, FIG. 6H), and the flow chart of the OTP authentication function in FIGS. 6F and 6D may not require the process of determining whether User Identifier A or an OTP token is assigned to User Identifier A and possesses it. can.
In addition to the user UA of the terminal 1A, there are also a user UB of the terminal 1B, a user UC of the terminal 1C, and a user UP of the terminal 4A. The terminal 4A, like the terminal 1A, is one type of user terminal that performs this authentication system. In the present invention, user UP and user UA are the same person, and secret key 101A and secret key 401A are the same, but symbols are sometimes changed for explanation.

2. Server P (Server 3A)
<Specific premises in the examples, etc.>
In the present invention, as shown in FIG. 1, a server P (3A), a server B (3B), etc., which are nodes equipped with a block chain unit that constitutes a distributed ledger system DLS such as a block chain, can be encrypted through a network 20 interconnected. Ethereum was used for distributed ledger system DLS such as blockchain. A known Ethereum is created approximately every 15 seconds (15 seconds is the value set when creating a blockchain such as Ethereum, and the creator of the blockchain can create it in any number of seconds, such as 15 seconds or 4 seconds. ), a new block is connected to the blockchain, and approximately block number Bn×15 seconds have elapsed since the time when the block number was zero.
Proof-of-work type (PoW type) for consensus building and consensus algorithm between nodes that make up the blockchain such as terminals 3A and 3B for connecting new data blocks to the blockchain on the Ethereum mainnet and testnet , Proof of Work) or Proof of Authority type (PoA type, Proof of Authority) or Proof of Stake type (PoS type, Proof of Stake) exists, and other blocks Chain-type distributed ledger systems also include Practical Byzantine Fault Tolerance (PBFT). In order to implement the present invention, the proof of authority type, practical byzantine fault tolerance type, and proof of stake type, which can be expected to consume less power and process more transactions, may be used.
The present invention preferably uses a consensus building method with low power consumption and high transaction processing speed, and for that purpose, a consensus building algorithm similar to a centralized distributed ledger management method may be used. Since the present invention is not an invention related to consensus building algorithms for distributed ledger systems, consensus building will not be discussed in depth, but in the embodiments of the present invention, testing of Ethereum using proof of work type or proof of authority type The net was used to develop and implement the present invention.
Here, in the present invention, it is assumed that the control unit (31A) and the storage unit (30A) of the server P (3A) are equipped with equipment capable of forming and processing Ethereum, which is one of the blockchain infrastructures, in the blockchain unit. do. In the present application, all the elements that implement the blockchain system using Ethereum are not described, but in the present invention, user terminals (1A and 4A in FIGS. 1A and 1B) and server terminals 3A, 3B, 3C, 3D, 3E, 3F, 5A, 5B, 5C, etc. may have blockchain controllers and blockchain data recorders that can become Ethereum nodes. The server P (3A) is connected to the network 20 through the communication device 32A and is connected to another block chain node terminal 3B and a plurality of terminals corresponding to 3B via the network 20 to form a distributed ledger system.

A user's computer terminal DA (terminal 1A) or terminal DC (terminal 1C) accesses a server 3A having a block chain part through a network NT (network 20) (Fig. 1A).
It is assumed that the server 3A is installed with an operating system and web browser software and can execute ECMAScript (ISO/IEC 16262) and the like. Then, install client software such as Ethereum client software geth (Go Ethereum, https://github.com/ethereum/go-ethereum, viewed January 3, 2021), which will be an Ethereum node, and run the client software. and is working. And as an example, the Ethereum block chain is recorded in the recording unit.
Ethereum has two types of accounts: user accounts (EOA: Externally Owned Accounts) and contract accounts. In the present invention, the user account EOA is called a user identifier, and the contract account is called a contract identifier as the address of the smart contract.
In the present invention, Ethereum is used as the foundation of the blockchain, and the contract is based on the smart contract standard for non-fungible tokens of the ERC721 standard. The following three references are cited for the ERC721 standard. 1. Ethereum Foundation, https://eips.ethereum.org/EIPS/eip-721, accessed December 11, 2020, 2. OpenZeppelin, https://docs.openzeppelin.com/contracts/3.x/erc721, accessed 11 December 2020, 3. 0xcert.org, https://github.com/0xcert/ethereum-erc721, 2020. Viewed on December 11th.
In Ethereum, in the smart contract of the ERC721 standard, the administrator of the contract (with the user identifier C calculated from the secret key 101C) issues a token in one unit and sends it to the user identifiers A and B who are users. A token conforming to the ERC721 standard is issued to a user identifier A by associating a token ID represented by an unsigned integer type variable with a user identifier A who is the holder of the token ID.
Here, in the present invention, a token ID in the ERC721 standard is called a token number. Information that user identifier A owns token number TIDA is recorded in the contract.
For example, like 3014A in FIG. 3AC, user identifier A records ownership information (3015A) of a token having a TIDA number, and user identifier B records ownership information (3016A) of a token having a TIDB number. It records the final ownership information such as tokens issued from the contract for a certain identifier or transferred between different user identifiers.
On the blockchain, transactions related to contract creation, transfer records, and changes to contract internal variables are recorded in a state that is difficult to falsify, and past token holding history information cannot be erased. The contract program once recorded and deployed on the blockchain will not be tampered with.

<Token on distributed ledger used in the present invention>
In implementing the present invention, Ethereum was used as the foundation of the blockchain. In addition, ERC721 standard tokens used in Ethereum are considered to be usable for issuing non-fungible tokens with OTP on Ethereum, and were adopted when implementing the present invention.
A smart contract (contract) in which a one-time password (OTP)-related program is provided in an ERC721 standard token is used as the contract for the OTP token of the authentication system of the present invention. Although the ERC721 standard is used in the implementation here, this is one embodiment of the present invention, and any smart contract that can provide the functionality of the OTP token of the present invention on a distributed ledger can implement the present invention. . The OTP tokens of the present invention are not limited to ERC721 standards or similar tokens and token smart contracts.
In the present invention, an OTP token or an OTP generation token/OTP generation contract indicates a contract that performs processing such as ownership of a token that generates an OTP, token issuance processing, token transmission processing, and display of information such as the name of the token. The OTP authentication contract or the OTP authentication function inside the OTP authentication contract has variables and a processing unit for calculating an OTP that matches the OTP generation function of the OTP generation contract, and can perform OTP generation and authentication processing. FIG. 3AA, FIG. 3AB, and FIG. 3AC are explanatory diagrams of the contract, and FIG. 3DA shows an example when the terminal 3D has the authentication function instead of the terminal 3A.
In the diagram for explaining the server group (3A, 3B, etc.) having the blockchain part and the terminal (1A, 1C, etc.) connected to the blockchain part, the Ethereum blockchain used in the example and the control part ( processing unit) and a storage unit (recording unit).
The details of the controller and storage will follow the Ethereum specification and apply to systems with similar blockchain infrastructure. In the present invention, an ERC721-standard token is provided with an OTP generation function, and a contract (OTP generation contract) that can issue an ERC721-type OTP generation token is used. Then, the OTP generation contract is provided with an OTP authentication function that can be set to the same value as the seed value used for OTP generation in the OTP generation contract, or an OTP authentication contract is created separately and the OTP authentication contract is provided with the OTP authentication function. ,
The OTP generated by the OTP generation function is output to the user terminal 1A or 4A, etc., and the output OTP and information necessary for OTP authentication are transmitted from the user terminal 1A or 4A to the OTP authentication function of the contract related to OTP authentication or to the terminal 3D. The OTP is input to the installed OTP authentication function to verify whether or not the OTP is correct.
In this way, the OTP generation token of the present invention is obtained by equipping the ERC721 standard with an OTP generation function. It is something that can be owned and used on a distributed ledger such as.

<Token number and token issuance of non-fungible token of ERC721 standard>
In the one-time password generation function of the present invention and the contract including it, one token number TIDA is issued (mint) to a user with a certain user identifier A for tokens of the ERC721 standard. An issue function (3042A in FIG. 3AC) inside the contract is used for token issuance. In principle, 3042A cannot operate token issuance unless it is the contract manager's secret key PRVC (101C in FIG. 1C).

<Token transfer and transfer restrictions>
According to the ERC721 standard, token transmission/transfer can be freely performed between different user identifiers.
Since the OTP generating token (OTP token) of the present invention conforms to the ERC721 standard, the token number TIDA can be sent to a user such as user identifier B if the user with user identifier A desires. Token transmission is performed using the token transmission function (3040A in FIG. 3AC) in FIG. 3AC. In the ERC721 standard, there is no function for the contract manager to prohibit the transmission of tokens, but in the present invention, it is possible to stop or permit the execution of 3040A using transfer restriction variables and functions (3041A).
In the present invention, it was also necessary to limit the transfer of tokens such as bank one-time password tokens, tickets and membership rights that are prohibited from being transferred, or tokens that are not transferable. function), and a group of functions (approve function) related to permission of transmission are provided. Made it possible to change and restrict transfer.
Specifically, a true/false variable that controls the execution of the transfer function and a true/false variable that controls the execution of the approve function are set in the contract (true/false as a global function that can be accessed from all functions within the contract). value variable), has a function taf which is a setter accessible only by the identifier C of the contract manager (C is calculated from 101C of terminal 1C), and taf controls the execution of the transfer function. By rewriting the false value variable and the true/false value variable that controls the execution of the approve function, it is possible to switch between the transferable state and the non-transferable state.
(The token transfer restriction restricts the rewriting of token ownership information between different user identifiers. The user identifier corresponds to the user's secret key, and the token transfer restriction actually restricts the token transfer between different secret keys.) limit interactions).

<Contracts related to one-time passwords (smart contracts)>
In the present invention, one-time password tokens (OTP tokens) are issued to users on the blockchain (token allocation, correspondence), token transmission (token transfer between users), rating information acquisition, token name Acquisition of information, acquisition of URI information of tokens, etc. can be performed. Then, the secret value KC, a variable TB that changes with time (the block number Bn is used as TB in the present invention), the token number TIDA, and the seed value S generated based on the user identifier A are used as arguments of the hash function fh. There is a one-time password generation contract (3008A or 3008AG shown in FIGS. 3AA, 3AB, 3AC) with a one-time password generation function that takes a value and returns it as a one-time password.
Further, in the function or contract for authenticating the one-time password of the present invention, the seed value S and the hash function fh used in the function for generating the one-time password are used to verify the function input as an argument in the function for authenticating the one-time password. If you can synchronize the seed value and hash function used for , you can confirm that it matches when it is the correct password. (Flowcharts explaining the processing of the one-time password OTP generation function 3009A are shown in FIGS. 6A and 6B. Flowcharts explaining the processing of the one-time password OTP authentication function 3018A are shown in FIGS. 6C, 6D, 6E, and 6F. 6G and Figure 6H.)
The OTP authentication function may be embedded in the OTP generation contract containing the OTP generation function, or the OTP authentication function may be embedded in the OTP authentication contract in order to store the OTP generation contract and the OTP authentication function separately. The OTP authentication contract may be separated and recorded in block data with the same block number or different block numbers on the blockchain.
Alternatively, the terminal 3D, which is not connected to the network, may have the OTP authentication function and the terminal 3A on the network may have the OTP generation function, and the terminal 1A may use the OTP obtained at the terminal 3A for authentication at the terminal 3D.
The contract may be recorded in other blockchains with different authentication functions and generation functions, and the system may divide OTP generation and authentication between the two blockchains. The calculation method, hash function fh, and seed value S used for password calculation of the recorded OTP generation function and OTP authentication function must match.
As an example, the seed values A, TIDA, KC, and Bn of the function arguments used in the flow charts of the OTP generation function in FIG. 6A and the OTP authentication function in FIG. It is necessary that the same OTP can be calculated by the function and the OTP authentication function, and after obtaining the hash value from the seed value and the hash function in F107 of FIG. In the case of an N-digit unsigned integer OTP, the OTP authentication function also obtains the remainder in the same way. The OTPs calculated by the generating function must match and synchronize.
Among the seed values, A and TIDA are token numbers corresponding to OTP token holders and serial numbers of owned tokens and are user-derived variables, but KC is a value that can be updated by the contract administrator, so the KC value can be matched by the OTP generation function and the OTP authentication function.
Also, the variable Tm that changes at a certain time T, such as the seed value Bn and BC, must also match. It is necessary to provide means for matching when a phenomenon occurs in which the generation functions do not match.
Contracts with OTP authentication functions and OTP generation functions deployed on the same blockchain (same blockchain identifier, distributed ledger system identifier) can use the same Bn, but the OTP authentication function can be used between different blockchain identifiers. and OTP generation function, when operating by adding or subtracting a correction value to Bn that differs between blockchain identifiers, if Bn does not match, setter so that Bn will match It is necessary to provide some means, such as a function, to allow matching.

<Calculation of one-time password>
The terminal 3A performs processing according to access from the terminal DA (terminal 1A) of the user UA. A user identifier A is calculated from the private key PRVA (private key 101A) recorded in the storage device of the terminal 1A.
As a supplement, in Ethereum, the public key is calculated from the private key, the hash value of the public key is calculated using a hash function, and the hash value is cut off and used as the user identifier. Specifically, Ethereum creates a 64-byte public key from a 32-byte private key using a method called Secp256k1, which is based on an elliptic curve. It is also used for signatures (Elliptic Curve Digital Signature Algorithm, ECDSA). Then, for the 64-byte public key, a 32-byte hash value is obtained using a hash function similar to SHA-3 called Keccak-256, and a part of it is removed, and the remaining information is the user identifier (anonymized identifier). and
In the contract of the present invention programmed in the block chain according to the data in the block chain part and the block chain recording part of the server P (terminal 3A), the OTP generation function is contracted by the user identifier A who is the executor of the function. It is confirmed whether the issued one-time password token (OTP token) is held, and the token holder receives the token number TIDA and the KC value 3011A of the secret variable of the contract (the internal A variable KC 3011A) and a variable TB that fluctuates on the blockchain at a certain time T are used as a key value (key value, seed value) for password generation, and a hash function fh (hash function fh described in FIGS. 3AA, 3AB, and 3AC 3010A). An example calculation is OTP=fh(TIDA, KC, TB). The same is true for confirming possession of the user identifier A and the OTP token when executing the OTP authentication function.
Here, the embodiment adds the user identifier A to the key value, which is calculated as OTP=fh(A, TIDA, KC, TB) in the present invention.
A one-time password BnTOTP=fh (A, TIDA, KC, Bn) based on the block number using the latest block number Bn (3001A shown in FIG. 3AA is the block number Bn) is used for the TB. The present invention uses an OTP token that uses an OTP calculation method that
When Bn is used for Tm (or TB), OTP=fh (A, TIDA, KC, TB) or OTP=fh (TIDA, KC, TB) may be used. Specifically, OTP=fh (A, TIDA, KC, Bn) or OTP=fh (TIDA, KC, Bn) may be used.
Here, OTP = fh (TIDA, KC, TB) is acceptable because, for example, in the case of OTP that is updated every 60 seconds for a short period of time, Bn changes every 60 seconds even if the possessing user is changed. This is because OTP=fh(TIDA, KC, Bn) calculated in the past 60 seconds ago can be invalidated. In the embodiment of the present invention, the user identifier A (and the private key 101A for calculating the user identifier A) is also intended to be used for monitoring unauthorized use of the private key for logging into web services, etc. OTP=fh (A, TIDA, KC, TB) were preferably used.
In addition, the internal variable BC value 3013A (internal variable BC3013A described in FIGS. 3AA, 3AB, and 3AC) of the contract of the OTP generation token is used for the TB, and the secret key 101C of the administrator terminal 1C of the contract is used for the 3013A. The administrator sets the one-time password OWP = fh (A, TIDA, KC, BC) by changing it to any value at any time using the setter function 3012A that can access the blockchain and rewrite 3013A. The present invention uses an OTP token using an OTP calculation method, which is characterized in that the password can be changed according to the BC value.
OTP=fh(A, TIDA, KC, TB) may be preferable to OTP=fh(TIDA, KC, TB) when using BC for Tm (or TB). Specifically, OTP=fh(A, TIDA, KC, BC) may be preferable to OTP=fh(TIDA, KC, BC).
Here, OTP = fh (A, TIDA, KC, TB) is preferable to OTP = fh (TIDA, KC, TB). Depending on the judgment of the person, there is a risk that it may not be changed for a long period of time exceeding several years or never, and if the above KC and BC are not updated for a long period of time or never, OTP = fh (TIDA, KC, BC) will be held by token transfer OTP unique to the token number but not unique to the user identifier is generated and authenticated when the user identifier to be used is changed. There is a problem that the value OTP = fh (TIDA, KC, BC) can be shared, duplicated and recorded (a problem similar to duplication of a duplicate key in a metal key), whereas OTP = fh (A, TIDA, KC, BC ), an OTP unique to the user identifier and token number can be generated and authenticated.
Similarly to the BC value 3013A, the KC value 3011A can be changed to any value at any time using the setter function 3012A that can access the blockchain using the private key 101C of the contract administrator terminal 1C and rewrite 3011A. By changing the secret variables KC of both the one-time passwords BnTOTP and OWP, the key values KC of all OTP tokens belonging to the contract can be updated with arbitrary numerical values at arbitrary times. The BC and KC values that can be changed can be regarded as the same, and the BC and KC values can be regarded as the same and OTP can be calculated as one variable. A unique KC value (mapping variable KCA, described later) may be set for the usage, user identifier or token number and used for those KC values.

<Calculation of a one-time password consisting of an n-digit integer>
Information BnTOTP calculated by a hash function is type-converted to an unsigned integer to create a 7- to 6-digit integer password used in banking transactions such as Internet banking, and the integer value is n. It is also possible to find the remainder when dividing and use it as an n-digit integer password.
Here n may take a value of 6 to 7. If the contract has a function fOTPN where variable n is a setter that can only be overwritten by the administrator of the contract (if variable n and function fOTPN are recorded in 3031A), then set n as 6. After recording and deploying the contract on the blockchain with , it is possible to increase n from 6 to 12, resulting in a 12-digit password, in order to increase the computational power required for a brute force attack. This is a difficult method to implement with a hardware TOTP token. Although it is not preferable in terms of security, if a small number of digits is acceptable, n can be changed from 6 to 3 after the contract is created, and the number of digits of the OTP to be displayed can be set to 3 digits.
In addition, the contract is equipped with multiple OTP generation functions and authentication functions, and an OTP authentication function and an OTP generation function for important operations (for example, high-value transfers and payments at banks), and an OTP generation function for less important operations. An OTP authentication function requiring authentication and an OTP generation function can be provided in the contract or in the terminal 3D. When performing important operations in the above, increase the value of n, and when performing less important operations, decrease the value of n to change the number of digits at the time of input, and the effort required for the number of input characters required for OTP authentication. can be adjusted to make it easier for humans to input from the input device of the terminal with their hands.
When the same 3031A is set in the generation contract and authentication contract (or authentication function) so that the OTP authentication function and OTP generation function have the same seed value, and the value of 3030A is changed after deploying the contract to the blockchain. In order for the generation contract and the authentication contract to match, the terminal 1C, which is the contract manager, needs to send a setting change transaction to 3A and rewrite variables and the like.
The one-time password of the present invention can be expressed as an unsigned integer or as a hexadecimal number. Numeric characters, alphabetic characters, symbols, and the like can be used for passwords.

<Processing related to block number>
In the block chain, a new block is connected every certain time such as 15 seconds or 10 minutes, and the block number Bn is incremented by one. When the time required for the user UA to generate an OTP from the server P (3A) to the terminal 1A, call it, and display it for authentication (the standby time for OTP authentication) is too short, for example, the terminal DA (1A) can be displayed on a web page such as an Internet banking site. Although it is desired to input the OTP displayed on the display, it is assumed that the OTP is updated every 15 seconds and the manual input by a human cannot catch up and the OTP cannot be input. In fact, when developing the present invention, we used a blockchain on the Ethereum test network where the block number changes every 15 seconds, but it was sometimes confirmed that it was difficult for the inventor to enter it manually.
Therefore, using a variable n that increases the display interval based on the block number Bn, as Bn mod n, the remainder m obtained by dividing Bn by n is obtained, and m is subtracted from Bn to obtain Bnr (as Bn-m=Bnr), Instead of Bn, Bnr was used as an argument of the hash function for calculating OTP. For example, when the block number is 15 seconds and n is 2, the password can be changed when the block number Bn is an odd or even number, and the password display time can be increased from 15 seconds to 30 seconds. By increasing n from 2 to 3, 4, 5, etc., the display time and the authentication time can be further increased. Functions and variables for increasing the time during which this OTP can be generated, authenticated, displayed, and waited for input are shown at 3030A in FIG. 3AC. Note that n is an unsigned integer of 1 or more. n=0 is not allowed.
Set the same 3030A in the generation contract and the authentication contract (or authentication function) so that the seed value in the authentication function and the generation function match, and even after deploying the contract to the blockchain, when changing the value of 3030A, generate In order for the contract and the authentication contract to match, the terminal 1C, which is the administrator of the contract, needs to send a setting change transaction to 3A and rewrite variables and the like.

<OTP using value determined by blockchain>
In the embodiment, a one-time password OTP token issuing unit, an OTP token and user ownership relationship recording unit, and OTP generation in the form of a smart contract in which the OTP authentication part of the present invention is added to the EERC721 standard, which is an example of the Ethereum testnet. and an authentication part that verifies and authenticates the generated password in the blockchain contract. A block number Bn can be used in the block chain part.
In Ethereum, voting on the GasLimit value (BlockGasLimit value) is performed between the nodes that make up the blockchain. Ethereum has the feature that the block size is variable depending on the GasLimit value. The V value 3004A and the block size BSZ value 3005A determined by this voting are also used as seed values for the block chain in the present invention. For example, to perform all, the one-time password BnTOTP is BnTOTP=fh(A, TIDA, KC, Bn, BC, V), or BnTOTP=fh(A, TIDA, KC, Bn, BSZ), or BnTOTP=fh( A, TIDA, KC, Bn, BC, BSZ) can be used to generate an OTP using a plurality of arguments that are seed values for generating an OTP. Also, the OTP can be regarded as a pseudo-random number and used as a pseudo-random number generator.
BnTOTP=fh(KC, Bn), BnTOTP=fh(Bn), or BnTOTP=fh(fh(Bn)) when used for smart contracts for TOTP-based pseudo-random number generators that simply use block number Bn on Ethereum In the present invention, after confirming that a TOTP-based pseudorandom number generator using block number Bn can be implemented, the pseudorandom number generator is applied to an OTP authentication system. When used as a pseudo-random number, a token number TIDA or a mapping variable VU of a voting value on the user side, which will be described later, may be used as a seed value.

Ethereum in the example includes web3. There is an ECMAScript module that connects the blockchain part such as js and the web browser of the user terminal. Using the ECMAScript module, using the user's secret key, the specified user identifier, the contract identifier, the blockchain identifier, and the name of the token, access the Ethereum blockchain on the web browser and execute the OTP generation function and OTP authentication function of the present invention. Operate, obtain OTP etc. and return value CTAU of authentication result, log on to website (Fig. 8A), enter with paper ticket 18A or near field communication (NFC) tag 19A, lock electronically with NFC tag It may also be used as a typical unlocking key (FIG. 8B).
Furthermore, in the OTP authentication system of the present invention, the software CRHN (403A in FIG. 4A) is used to execute the OTP authentication function, and the return value data CTAU obtained when the authentication result is correct (CTAU is the block chain described in FIG. 3AA etc. 3021A recorded in the contract of FIG. 3AA and 4031A in FIG. 4B obtained by OTP authentication of 3021A in FIG. 4032A in FIG. 4B) and key data TTKY (40302A in FIG. 4B) for performing common key encryption (symmetric key encryption) according to the program of 403A using the software secret key data CRKY (40302A in FIG. 4B) recorded inside 403A. 4033A) and the data 4035A encrypted with its key data TTKY (4033A in FIG. 4B) can be distributed, and the access right can be decrypted by the user given as an ERC721 type token with a one-time password authentication function. The OTP authentication system of the present invention can be used for a system that distributes and decrypts encrypted data.
The return value CATU 3021A of the OTP authentication functions 3018A, 3018A and 3018DA may be modified with means for the administrator of the contract to be modified, may return one or more return values CTAU 3021A, and may also include the user identifier A and token number. A mapping variable CATU 3021A (mapping variable 3021A called CTAU[TIDA] or CTAU[A]) with TIDA as a key and a setter function for changing the value of the variable with a token number or user identifier as a key may be provided.

3. Communication between the computer DA (terminal 1A) of the user UA and the server P (terminal 3A) is preferably encrypted in the network 20, which is a network communication path. In the present invention, a one-time password is exchanged between the terminal 1A and the server terminal 3A. At this time, it is preferable that the communication path connecting the terminal 1A and the terminal 3A to the network 20 is encrypted. Interactions with the blockchain over network 20 can be read if not encrypted.
In addition, it is preferable that there is a method that can conceal the information of transaction and contract processing contents and contract variables on the foundation of blockchain.
Both wired and wireless communication methods may be used when configuring the network. Two-way communication is required when using the token of the present invention in generating and authenticating one-time passwords. However, depending on the form of use, only the generation of a one-time password is performed by two-way communication, and authentication is performed by a terminal 3D (the form of use of 3D is shown in FIG. 8B) that reads a paper ticket or an NFC tag for locking/unlocking. can be made
Further, in the application of decrypting encrypted data, it is possible to authenticate and decrypt the encrypted data obtained by one-to-many broadcasting by the authentication system of the present invention according to the generated OTP. A broadcasting station is a station 5C in space and a station 5CC operating it uses the network 2 to perform wireless communication and communicate. The network 20 or the like is used for decrypting encrypted data by two-way data communication.

4. Services using passwords 4A. Website login usage <login processing>
When the authentication system of the present invention is used for login or operation of a website, login processing is performed using the server SVLogin (terminal 3C in FIG. 8A). FIG. 8A shows a connection diagram of the terminals. A terminal 1A, a terminal 3A, and a terminal 3C are connected via a network 20. FIG. The server terminal 3C may be a real server terminal 3C, a virtual server terminal 3C, or a virtual machine terminal 3C.
The storage device data of the server terminal 3C is stored in the terminal 1A, and the server terminal 3C is constructed in the terminal 1A as a virtual machine. By connecting, it becomes possible to log in to the virtual machine terminal 3C constructed in the terminal 1A. For example, the terminal 3C may be an e-book service or an online game server service that requires login after the service has ended.
Web application and website data that can be communicated and exchanged between the block chain part of the server 3A and the user's terminal 1A using ECMAScript or the like on the terminal 3C, is sent to the user and displayed, and the wallet software has the information of the private key 101A held by the user. (if there is no wallet software, the private key information 101A itself is input, described, and output to the website), and the token number that can be used to log in to the server terminal 3C owned by the user is input to the website data, and the information and From the wallet software information, the one-time password generation function of the one-time password generation contract uses the user identifier A and the token number TIDA as arguments to generate a block number-based one-time password BnTOTP, and when you enter BnTOTP on the website, the input value is authenticated by the one-time password authentication function of the one-time password authentication contract.
BnTOTP calculated by the authentication function and generation function of OTP is represented by the argument and function BnTOTP = fh (A, TIDA, KC, Bn) using the hash function fh, the contract internal variable KC, and the above A and TIDA. .
Here, the wallet software can calculate private key information and user identifier information calculated from the private key, and some can display the number of ERC721 tokens owned by a given private key and user identifier. (An example of wallet software is Metamask, a browser extension software wallet software on https://metamask.io. Some can communicate with the hardware wallet DWALT1603A that records the private key.)
When the authentication result is correct, block chain information such as the user identifier A and the token number TIDA that accessed the server 3A, the IP address or location information of the terminal 1A, the device ID (device ID) unique to the terminal 1A, or the terminal 1A It is also possible to store the sensor value of the sensor 144A of the input device 14A as the terminal environment value IPV in the data structure shown in FIG. 6X in the server 3A and monitor whether there is unauthorized access.
The sensor values of the sensor 144A of the terminal 1A mainly use the sensor values of the sensor 144A, the environment sensor 1440A, the position sensor 1441A, the motion sensor 1442A, and the biometric authentication sensor 1443A with the consent of the user. If it is unavoidable although it is not preferable from the viewpoint of privacy, the input itself of the input device 14A such as 140A, 141A, 143A and 142A may be used. When an input device such as 143A, 142A, 141A, or 140A is used as a sensor value, it cannot be used without the consent of the user to provide information.
Here, the environment sensor 1440A is a sensor capable of measuring information related to the environment around the terminal using physical means, such as a temperature sensor, humidity sensor, atmospheric pressure sensor, pressure sensor, illuminance sensor, light sensor, chemical sensor, and odor sensor. be.
The position sensor 1441A includes a magnetic sensor, a geomagnetic sensor, or an accelerometer, measures acceleration and magnetism as physical quantities, and measures the position that is also used for the magnetic compass function that indicates the direction of the terminal using gravitational acceleration and the direction to geomagnetism. It is a sensor that The motion sensor 1442A includes both an accelerometer and a gyro sensor (angular velocity sensor), and is a sensor that detects motion such as acceleration of the terminal, and measures motion of the terminal.
The biometric authentication sensor 1443A is a sensor when the terminal 1A has an image sensor such as a camera or a thermography and uses the image sensor to perform authentication derived from the structure of the face, or a fingerprint sensor for performing fingerprint authentication using a scanner. Also, it is a sensor for authentication derived from the structure of the ear, and a sensor for authentication using motion and pressure signals that a terminal worn when walking or the like feels. A known method can be used for biometric authentication.

<Login execution and post-execution processing>
The website and web application data after login are sent from the terminal 3C to the terminal 1A. Also, the server terminal SVLogin terminal 3C records through the network the values input by the user using the input device of the terminal 1A on the page after login, and the user data is manipulated according to the input values. Specific examples include transfer processing after login in Internet banking, processing such as data recording/change and voting in member sites, voting processing in online shareholders' meetings, and processing in online games. Depending on the processing after OTP authentication, the user and the user terminal 1A are accessed by the blockchain, and when the processing is performed, the OTP generation function is executed to obtain the OTP, and then the obtained OTP is used as an argument by the authentication function. is executed, variables such as 3017A and 3017AA are changed.
When 3017A and 3017AA are used for website authentication and login, points or currency balances of members who can use the service are recorded, and when information such as login rights and electronic tickets of the present invention is presented at the time of service provision Alternatively, the balance may be deducted by the amount of points or currency corresponding to the service. Important data such as online game data that should not be falsified may be recorded, in addition to membership points, membership-dedicated numerical values, and currency balance. 3017A and 3017AA may change the balance according to the instructions of other users in the contract or the contract administrator, and may perform transfer/transfer processing to add part of the balance of one user to the balance of another user.
(Here, when presenting a paper and electronic ticket or a terminal that can be a login right to a service providing device such as a terminal 3D and authenticating it, the points or currency balance of the member who can use the service are recorded in the 3017DA, and the electronic ticket of the present invention , When presenting the paper ticket information at the time of service provision, the balance may be deducted by the amount of points or currency corresponding to the service.Of the data in the storage device in the terminal 3D, other users and The balance may be changed according to instructions from the manager of the terminal 3D, and transfer/transfer processing may be performed by adding part of the balance of one user to the balance of another user. If it is possible to connect to the node terminal 3A, terminal 3F or 3E, the terminal 3D is considered to be equivalent to the terminal 3C and performs the same processing as the terminal 3C)
3017A and 3017AG mean the asset balance and data amount of the OTP token corresponding to the token number, and they may be manipulated after executing the authentication function. 3021A, 3022A, and 3023A in FIG. 3AB may be included as processing included in execution of the authentication function 3018A (or processing linked after the processing of the authentication function and separately performed) when the OTP authentication function 3018A is executed.
The above 3018A, 3021A, 3022A, and 3023A specifically have an authentication contract for Internet banking, and the contract records the customer's asset balance. 3022A has a process of making a transfer to a number (assuming that the token number and bank account number are associated) when the OTP authentication function matches the transfer destination within the range of the balance recorded in 3017AA. There may be.
3022A may be processing for performing settings such as transfer processing, time deposit, and transfer limit setting. In addition to banking applications, financial fields such as securities and insurance, manifesting intentions such as voting on private or public or private member sites, changing important matters, or important user data such as online games Can be used for recording.

<Detection of unauthorized login>
In the present invention, the IP address of the logged-in user (hashed or processed value of IP address), location information (hashed or processed value of location information), computer device ID (or hash value), and token number , the user identifier is recorded in 3011C of the storage device 30C of SVLogin (terminal 3C in FIG. 3C) in the data structure or data format shown in FIG. , or a processing unit (3110C, 3111C, 3112C, 3113C in FIG. 3C) that monitors location information (a value obtained by hashing or processing location information) or a device ID (or hash value) of a computer. The processing unit (Fig. 3C 3110C, 3111C, 3112C, 3113C).
Here, as for the device ID of the computer, in addition to the computer manufacturing ID such as the device ID, the operating software ID, the web browser ID, the acceleration sensor, the magnetic sensor, the pressure sensor (atmospheric pressure sensor), the temperature IPV value (data structure shown in FIG. 6X) including sensor 144A (sensors shown in 1440A, 1441A, 1442A and 1443A in FIG. 144A) information of terminal 1A including sensors etc., and hashed IPV good too. This method is used in another application of the invention, 4B. 4C. Can be used for 4T.
For example, when the terminal 1A is a smartphone equipped with a magnetic sensor in the position sensor 1441A of 144A and capable of detecting magnetism in three-dimensional directions capable of measuring geomagnetism, the orientation of the magnetic sensor built into the smartphone is determined by the user terminal. changes depending on the direction of If the access is normal, there is only one access information from the user terminal corresponding to the value of the magnetic sensor, but if another user illegally obtains the private key and tries to log in, the attacker is on a distant earth Spoofing is difficult because it must match the value of the magnetic sensor of the user's computer at a certain location. Not only one sensor but also a plurality of sensors can be used. For example, it is possible to combine a geomagnetic sensor and a temperature sensor, or a temperature and an atmospheric pressure sensor (temperature and pressure sensor). It is preferable to be able to use IP addresses (and hash or anonymized values of IP addresses) and sensor values.
Here, the sensor built into the terminal 1A will also be explained. It is not necessary to have all the sensors built into the terminal, and it is preferable to employ one or more sensors.
The environmental sensors of 1440A include a temperature sensor, an air pressure sensor (pressure sensor), a humidity sensor, and an illuminance sensor, and the measured values of the above four sensors can be individually input to the terminal 1A.
The position sensor of 1441A includes a magnetic sensor that detects magnetism and an accelerometer that detects acceleration, and is a sensor capable of detecting the position of the terminal. Measured values of magnetic sensors and accelerometer sensors can be individually input to the terminal 1A.
The 1442A's motion sensor includes an accelerometer and a gyro sensor that detects angular velocity, a sensor that can detect the movement of the terminal. Measured values of the accelerometer (acceleration sensor) and the gyro sensor can be individually input to the terminal 1A.
For the biometric sensor of 1443A, for example, the camera 142A is used for face and blink information, the fingerprint scanner is used for fingerprints, and the vein pattern iris, ear structure, etc. are detected by sensors that detect them. If it is information related to walking, it may be measured using a motion sensor device such as a shoe last corresponding to an acceleration sensor of an external terminal that can communicate with the 1442A of the terminal 1A or the communication device 12A of the terminal 1A, or a group of motion sensors attached to clothes. . In a terminal equipped with a microphone/sound sensor 143A for voice authentication, it is also possible to hash the acoustic information as unique acoustic information that allows the terminal to perceive sounds around the terminal and use it as an IPV value while protecting individual privacy. sell. When biometric authentication or privacy-related information is used for the information in FIG. 6X, it may be preferable to hash, process, and anonymize the information acquired by the sensor.
However, for financial purposes such as banks and securities, it may be preferable to record information such as IP addresses as they are for security reasons.

<Measures against unauthorized access using multiple private keys>
In the embodiment of the authentication system of the present invention, a single secret key 101A may be used, or a secret key different from 101A such as a secret key 101A2 may be used, and two or more secret keys may be used to authenticate the user terminal 1A or 1B, contract The contract functions and variables of the server 3A having the block chain part may be accessed from the administrator terminal 1C or the like, or the terminals 3C and 3D that provide services may be accessed. The authentication system of the present invention may be used for decrypting encrypted data.
When the token number of the OTP token associated with 101A using the secret key 101A of the terminal 1A is TIDA, BnTOTP calculated by the OTP authentication function and generation function is the hash function fh, the contract internal variable KC, and the above A, Using TIDA, it is represented by an argument and a function of BnTOTP-1=fh(A, TIDA, KC, Bn).
Here, in addition to the secret key 101A installed in the terminal 1A, there is a second secret key 101A2, and the user identifier A2 calculated from the secret key 101A2 and the token number TIDA2 of the OTP token issued in correspondence with it. , the second BnTOTP-2=fh(A2, TIDA2, KC, Bn) can be calculated.
After generating BnTOTP-1 and BnTOTP-2 with the OTP generation function, in the authentication function in the contract with the authentication function, the function arguments are in the form of A, TIDA, BnTOTP-1, A2, TIDA2, BnTOTP2-2, A user identifier calculated from the two secret keys 101A and 101A2, a token number of an OTP token, and an OTP (BnTOTP-1 and BnTOTP-2 are shown as examples here, but in the case of OWP, OWP-1 and OWP-2). format is also conceivable.) may be used to perform authentication by executing the authentication function. When one of the two secret keys is leaked by using two secret keys as described above, for example, when 101A is leaked and abused and used, if the other secret key 101A2 is not leaked, the function Since the argument BnTOTP-2 (OWP-2 in the case of OWP) is unknown to the attacker, the authentication function cannot be executed, and an effect of preventing unauthorized access is expected.
Here, when a plurality of private keys are used for OTP token authentication, the user identifier A calculated from the private key 101A and the user identifier A2 calculated from the private key 101A2 are used by the user UA in the contract for OTP token authentication. is the user identifier to be used, it must be registered in the variable inside the contract or in the database of the service provider/service provider. In addition to the user identifier, it may have a part for registering in the contract containing the OTP authentication function that token numbers TIDA and TIDA2 are distributed to the same user UA. The number of secret keys is not limited to two, and may be three or more.

Two identifiers A and A2 of UA or token numbers TIDA and TIDA2 are registered in a terminal such as a server terminal 3C or 3D that serves as a service provider in the present invention, and A, TIDA and BnTOTP-1 are registered when logging in to a website. After performing the authentication requesting the input, the authentication requesting the input of A2, TIDA2 and BnTOTP-2 may be performed.
BnTOTP-1 = fh (A, TIDA, KC, Bn) and BnTOTP-2 = fh (A2, TIDA2, KC, Bn) separately at the server terminal 3C or 3D at the website login destination instead of the blockchain server 3C Authentication processing can be performed on the login screen of the website to be distributed, and OTP input and authentication of a plurality of OTP tokens can be requested on the server terminal 3C or 3D. In this case, 3C and 3D need to associate user identifiers A and A2 derived from a plurality of secret keys of user UA, and TIDA and TIDA2, and record them in the recording devices of 3C and 3D.
When the server terminal 3C or 3D is used to authenticate an OTP token using a plurality of private keys, the user identifier A calculated from the private key 101A and the private key 101A2 at the server terminals 3C and 3D that authenticate the OTP token. It is necessary to register the user identifier A2 to be used as the user identifier used by the user UA. Alternatively, it may have a part for registering in the server terminal 3C or 3D including the OTP authentication function that the token numbers TIDA and TIDA2 are distributed to the same user UA. It should also be recorded if the contract identifier of the OTP token is different. The number of secret keys is not limited to two, and may be three or more.
A database of correspondence between multiple secret keys and OTP tokens issued for them may be recorded only in the server terminal, only in the contract on the blockchain, or both. A form in which multiple private keys are used to access both the server terminal 3C or 3D and the contract on the blockchain is also conceivable.

Ethereum used in the implementation of the present invention uses a 256-bit secret key for each user identifier, but if two secret keys are used in the embodiment of the OTP authentication system of the present invention, it becomes a 512-bit secret key, and N pieces are used. For example, OTP authentication can be performed with a secret key of 256×N [bits], and the substantial data length of the secret key can be extended.
By increasing the data length, it is possible to increase resistance to attacks by those who attempt unauthorized access. As an example, if three secret keys are used, even if one of the three secret keys is leaked, access to contract functions and variables can be prevented unless the remaining two keys are leaked. If more than half of the private keys cannot be obtained, the OTP tokens assigned to those private keys cannot be authenticated, and service provision can be blocked. This is a kind of multisig technology. (Multisig: multiple signatures with multiple private keys.)
By performing OTP authentication by combining a plurality of private keys, it may be possible to perform operations related to private key identification. For example, when there are two secret keys, one is a secret key 101A2 shared with a third-party organization whose identity has been confirmed, and the other is a secret key 101A generated inside the terminal 1A by the user, and the use of the secret key immediately after the start of , when it is assumed that there will be no leakage of the private key, the user identifiers A2 and A calculated with the private keys of both 101A2 and 101A are used by a third party or a real person UA Using the TIDA and TIDA2 tokens on the server terminal 3C of the third party organization that performs the association with the third party organization Third party organization and the website of the organization that performs the association OTP authentication and login sign up.
With the OTP tokens of token numbers TIDA and TIDA2 assigned to A and A2 or A and A2, the administrator of terminal 3C knows A2's secret key 101A2 that has been communicated to user UA. , it is found that A has a private key 101A corresponding to A. At this time, it is assumed that A, A2, and the user UA are linked and the identity can be easily verified. Then, for A, it is determined that the user identifier corresponds to the secret key owned by the user UA, and the user identifier A is used as the destination address for tokens and the like, and for example, the right to log in to a certain membership site or an admission ticket to a certain venue.・It may be possible to issue and distribute keys to lock and unlock, and OTP tokens to decrypt encrypted data.
When issuing the OTP token of the present invention, it is necessary to confirm whether the user identifier A or A2 is the identifier of a real user UA. is issued, and it is necessary to check whether the OTP token destination user identifier is a person who can record and use the private key of the actual user, such as user UA, UB, or UC. Since we think that confirmation is necessary, the above-mentioned identity verification method is shown. However, this is only one form, and it is not always the case that personal identification using OTP tokens using a plurality of private keys is performed when the present invention is implemented. Other known methods may be used as the identity verification method.

<Information that will serve as a signboard for the contract, including the rating and contact information for the contract administrator>
Signboard variable 3024A (KNBN, 3024A in FIG. 3AC) may record the name of the service provided by the contract, the name of the token, and explanatory items in addition to the rating information, and may be published as public variables as signboard information. . Also, the information used as the signboard may be rewritten by the contract manager.
Specifically, in the case of Internet banking, 3024A should include the name of the bank, postal code, address of the bank's head office, corporate number, representative telephone number (facsimile number), contact information for the nearest ministries and agencies that have jurisdiction over the bank, etc. You may enter the necessary information regarding to the variable of the contract and publish it as a public variable. You may enter legally required items in the one-time password generation token contract and the one-time password authentication contract when providing the service, and program the contract so that the contract administrator can rewrite it.
The signboard information 3024A may be entered in the contract of the present invention as necessary, and may be rewritten by the contract manager. 3024A may include a setter function necessary for rewriting that allows access only to the private key 101C of the contract manager's terminal 1C.

<Rating>
Rating information is recorded in the contract of the one-time password generation token to indicate the age for which the service is intended. Rating information is described in the public variable KNBN (3024A described in FIGS. 3AA to 3AC) that serves as a signboard. The rating information written in 3024A describes the intended audience for the service of the OTP token. As an example, when the invention is used for car keys, it is stated as such because it is a service that licensed users of a certain age or older would use. Whether it targets minors or adults, and whether a license or other qualification is required depends on the service.
Here, it is preferable that the variable of the contract that stores the rating information is a public variable that can be viewed by all users. Ratings may also be overridable by contract administrators.

4B. Use as a paper or IC admission ticket, use ticket, or unlocking key for entrances and building facilities Server SVLog (described in Figure 8B and Figure 3D) when used for locking and unlocking tickets, admission tickets, and building facilities server terminal 3D) is used. FIG. 8B shows a connection diagram of the terminals. The server SVLog (terminal 3D) does not necessarily have to be a server if there are few users to process entry, etc., and may be a computer SVLog (terminal 3D) with smaller computing power, storage capacity, and physical size than the server. . The terminal 3D may be a built-in type terminal that operates a building locking device, an automobile locking device, or a motor starting device. 3D may be a terminal (Micro Control Unit, microcontroller, microcomputer) with an MCU for embedded systems.
In the present invention, the recorded information of the IC tag/IC card type ticket 19A or the paper ticket 18A (and the display surface 1500A of the display displaying the same OTP authentication information as the paper ticket 18A) equipped with a communication function such as NFC. A password OWP generated from a blockchain is used (here, IC is an integrated circuit).

19A is a contactless NFC tag or an IC card with a contact terminal, and the user may set a PIN or the like as a password to 19A to prevent unauthorized use by a user other than the user of 19A. When communicating between 19A and terminal 3D and transmitting authentication information such as OWP, password authentication by PIN set in 19A is requested, and if the password is successfully authenticated, the information of the NFC tag is sent to communication device 32D of terminal 3D. may be transmitted to the terminal 3D through

Here, PIN is an abbreviation for personal identification number, and PIN is a four-digit integer password, for example. The PIN of 19A is used as the final means of confirming the intention of use when using the service using 19A. Since 19A communicates wirelessly, a PIN may be used to prevent the information of 19A from being transmitted to terminal 3D without the knowledge of the user who owns 19A. 19A may encrypt the content of communication when performing wireless or wired communication with 3D. The PIN or the like may be used to encrypt the authentication information using the OWP recorded in 19A (the OWP may be encrypted using means such as common key encryption using the PIN as a key). With 18A and 1500A, the user's intention to use them can be confirmed by manually presenting them, but with 19A, there is a risk that payment can be made even from a certain distance due to wireless communication, etc., so a PIN code is set. You can.
Using a PIN improves the security of 19A, but requiring PIN entry every time a service is authenticated requires the user to enter the PIN, which may lead to a decrease in user convenience. Maybe. Therefore, the NFC communication device 341D (the communication device is 341D or 32D) that reads the wireless communication signals of 19A and 19A is non-contact but has a communication distance of 10 cm (specifically, a communication distance of 10 cm using a frequency such as 13.56 MHz). known short-range wireless communication technology), and the service provider indicates the above conditions (19A with a communication distance of about 10 cm) for 19A, and the authentication system of the present invention using the NFC tag 19A is used even without a PIN. If it is allowed to provide services according to the authentication result obtained, PIN etc. are not set, and OTP authentication is performed simply by holding 19A over 32D or 341D of 3D, and service is provided according to the authentication result. The present invention may be practiced. (You can also set a PIN on 19A for security purposes. And you can also use 19A without setting a PIN. If you do not set a PIN, you can improve the speed of payment at entrances and ticket gates. , It is also possible to prioritize ease of use, usability, and convenience.)
Automobile keyless entry, remote (communication distance exceeds 10 cm and exceeds 1 m) lock/unlock key 19A used for unlocking automobile doors and building door remote (communication distance exceeds 10 cm and exceeds 1 m) The locking/unlocking key 19A used for unlocking also has uses that require the use of a PIN and uses that do not. A PIN may not be required for 19A in automotive applications where the communication range exceeds 10 cm and exceeds 1 m.
It may be preferable to use the PIN for locking and unlocking of buildings, safes, and vaults where the communication distance exceeds 10 cm and exceeds 1 m.

Password OWP is calculated as OWP = fh (A, TIDA, KC, BC) using hash function fh, user identifier A, token number TIDA, contract internal secret variable KC value 3011A, and variable BC value 3013A that can be changed by the contract administrator. be done. The OWP is calculated and generated by the OTP generation function 3009A using the hash function fh and arguments. 3009A includes a calculation process that can be expressed as OTP=OWP and OWP=fh(A, TIDA, KC, BC) in this example of use.
The paper ticket 18A is manufactured by printing the OWP information acquired using the one-time password OWP generation function 3009A of the present invention on paper or the like. Information recorded in 18A includes at least user identifier A, token number TIDA and password OWP. The information described in 18A can be displayed at 1500A. When a device such as a camera that reads 18A or 1500A is provided in the service providing terminal 3D, in addition to valuable papers such as tickets, it is possible to lock and unlock safes, vaults, building doors, entrances and exits, Vehicles such as automobiles and computer terminals can be made to read the authentication information, and entrance/exit and locking/unlocking can be performed.
The NFC tag 19 can be manufactured by storing authentication information including a user identifier A, a token number TIDA, and a password OWP possessed by the terminal 1A in the terminal 1A via the communication device 12A of the terminal 1A, and can be manufactured using valuable paper such as a ticket. It is used as a leaf, an entry/exit tag, a lock/unlock key, or a device for unlocking access control.
As shown in FIG. 8B, the NFC tag 19A on which A, TIDA and OWP are recorded, the display screen 1500A of the terminal 1A displaying A, TIDA and OWP, and the paper ticket 18A on which the screen 1500A is printed may be used.

As shown in FIG. 8B, 18A and 1500A are read by terminal 3D's camera/scanner 340D. At this time, 18A and 1500A may display character string information connecting A, TIDA, and OWP, or may display bar code information (one-dimensional and two-dimensional bar codes).
As shown in FIG. 8B, 19A may communicate with 32D of terminal 3D and transmit string information concatenating A, TIDA, and OWP. It is assumed that NFC is used for communication between 19A and 32D.
The password OWP authentication function 3018DA (3018DA in FIG. 3DA) provided in the control unit and storage unit (31D and 30D) of the terminal 3D that received A, TIDA, and OWP from 1500A, 18A, and 19A is shown in FIGS. 6F and 6D. VeriOWP = fh (A, TIDA, KC, BC) calculated using the KC and BC values recorded in the terminal 3D according to the flow chart regarding the processing of the OTP authentication function in When it is verified and matched, it is determined that the authentication has been completed, and the terminal 3D operates the opening/closing device 350D, locking device 350D (locking/unlocking device 350D), starting device 350D, or access control device 350D of the device in which the terminal 3D is incorporated. Then, it performs entry processing at ticket gates and entrances, unlocks vehicles such as locked buildings and automobiles, and containers such as safes, and starts vehicles, computers, machines, and equipment.

The authentication function 3018DA receives OWP (as OWP=ArgOWP), A and TIDA from the information of 1500A, 18A and 19A as arguments according to the flow charts of FIGS. 6F and 6D relating to the processing of the OTP authentication function. VeriOWP=fh (A, TIDA, KC, BC) is calculated using the 3D KC value 3011DA, BC value 3013DA, and hash function 3010DA shown in FIG. 3DA. Here, the hash function fh, the KC value, and the BC value used to calculate VeriOWP and ArgOWP are the seed values KC, BC, and Hash functions fh, etc. must all match.
If the return value of the authentication function 3018DA is a correct value of the authentication result, the terminal 3D can open the opening/closing device of 350D, unlock the locking device (locking/unlocking device), or start the device, and the authentication is completed. If it fails, close the opening/closing device, do not operate the locking device (locking/unlocking device), and do not start the device.
(If the variables and procedures used to calculate OWP in 3A on the blockchain do not match the variables and procedures used to calculate OWP in terminal 3D, 1500A, 18A and 19A including correctly generated OWP Even if it is presented to the terminal 3D, an incorrect authentication result is calculated and entry processing, unlocking processing, etc. cannot be performed.Specifically, the user UA with the NFC tag 19A containing the correct authentication information records an incorrect 3011DA or 3013DA. Even if it is presented to the terminal 3D, the terminal 3D uses the wrong 3011DA or 3013DA to verify the OWP by the wrong authentication function 3018DA, and from the execution result of the authentication function, 19A is illegal, entry or unlocking can be performed. It judges that there is no such thing, and keeps the opening/closing device or locking device closed, or sounds a warning buzzer, etc.)

The administrator of the contract and the administrator of the service and terminal 3D match the hash function 3010A of the node terminal 3A of the blockchain with 3010DA of the terminal 3D, match the KC value 3011A of the terminal 3A with 3011DA of the terminal 3D, and The BC value 3013A of the terminal 3D and the 3013DA of the terminal 3D are matched, and if other variables and functions are used for OWP calculation, they are matched. must match and synchronize. By matching the OTP calculation method and the variables used for calculation, the OTP authentication service of the present invention can be realized in the real world using paper using 1500A, 18A, or 19A and NFC tags.
When the terminal 3D is a terminal incorporated in a building door or a safe that manages locking, when the secret values KC and BC are changed, the user of the door, safe, etc. in which the terminal 3D is incorporated is locked. Wired or wireless communication device 32D of lock management terminal 3D provided at a position that can be accessed after unlocking the equipment (specific examples are the back side of the door of the safe, the back side of the door of the building, the indoor side of the door of the building) and update the 32D KC value 3011DA and BC value 3013DA according to software provided by the terminal 3D manufacturer.

Comparing the present invention with a metal key, where OWP=ArgOWP, the information of A, TIDA and ArgOWP is the key, and the information of A, TIDA and VeriOWP corresponds to the lock. In the present invention, the information of the key and the lock is variable, and the information of the key and the lock cannot be synchronized, and authentication cannot be performed unless the conditions for calculating the key and the conditions for calculating the lock match. (For reference, in the case of BnTOTP, which is assumed to be used for website login, etc., the information of A, TIDA, and ArgBnTOTP is the key, and the information of A, TIDA, and VeriBnTOTP corresponds to the lock.)
The OTP token that is the key to the blockchain and the OWP type password generated by the OTP token can be shared by distributed ledger technology and can be stored in a state that is difficult to tamper with. When doing so, the administrator of terminal 3D updates the information to be the lock to the latest information, or provides information that can authenticate the OWP type password, user identifier A, and token number TIDA of terminal 1A at 1500A, 18A, and 19A. required to be set.

In order to match the OWP calculated by the terminal 3D and the terminal 3A, it is possible to consider a mode of use in which the KC values 3011A and 3011DA and the BC values 3013A and 3013DA are not changed after the contract is deployed. Although passwords are not updated in the above usage mode, which poses a security problem, it is expected to be used, for example, as a one-time admission ticket for a certain event that is used in a limited community of a small number of people. A form of use in which the KC value and the BC value can be changed but are not actually changed can reduce the labor of the service provider and may make the present invention easier to use.
In this case, it is preferable to specify the expiration date and warranty period on the OTP token. When used for products such as simple safes and locks, there may be a form of providing the service in the form of a disposable contract, using a method of setting a product warranty period and not managing the contract beyond that period.

When using 1500A, 18A and 19A as admission tickets for limited community events, 1500A, 18A and 19A are manufactured or produced in addition to the three essential information of user identifier A and token numbers TIDA and OWP. The time and expiration date, the address of the place where the admission ticket can be used, the name and contact information of the person responsible for issuing the admission ticket and providing the service, etc. may be recorded in 1500A, 18A, and 19A, and such information may be recorded as character string information. It is preferable that a person can visually check the information of the valuable paper sheet by displaying and printing on 1500A or 18A and displaying it as a character string on the display of the terminal 1A in the case of 19A.
The three essential information, user identifier A, token number TIDA, and OWP, are displayed as a two-dimensional barcode so that they can be read by a camera or scanner, so that the 3D 340D can read the information necessary for authentication. Also, since the OWP can be used illegally if it is read, the user identifier and token number are described in character strings, and the three essential information of the user identifier A, token number TIDA and OWP for authentication are printed or printed as a two-dimensional barcode. Only the displayed or recorded OWP may be 1500A or 18A in the form of being recorded as a two-dimensional bar code.
With regard to 1500A, the terminal 1A may have a function of visually or audibly reading out information other than the OWP to notify the user of the token number, user identifier, service expiration date, and service provider information. If security is maintained, there may be an image recognition terminal that reads out 18A.
(OWP is confidential information that must not be input to anything other than the service providing terminal 3D. Using software with security problems, 18A and 1500A containing OWP can be read, read aloud, photographed, image recognized, and PIN If 19A information that is not protected by such as is read, OWP etc. may be leaked and used illegally.)

<Processing to use the OTP token at the time of entry, etc.>
The user performs the OTP authentication of the present invention, executes the authentication function, and is authenticated. Whether the service is used or not, whether the ticket is valid or not, or the integer value of the number of times the ticket is used may be recorded. Alternatively, if the currency balance is charged and the information of the electronic ticket 19A, the paper ticket 18A, or the screen display type ticket 1500A of the present invention is presented at the time of service provision, the balance will be deducted by the amount of points or currency corresponding to the service. It can be in the form of being worn.
3021A, 3022A, and 3023A in FIG. 3AB (or 3021DA, 3022DA, 3023DA) may be performed.
In the case of OTP tokens, which are used upon agreement between the service provider and the user, the service provider and the user use the function to mark the end of use. 3017A and 3017AA (or 3017DA) may be rewritten by the setter function set in the contract using the key 101C.
For example, at a ticket gate or a service providing window, the numerical value of 3017A or 3017AA (or 3017DA) is added to the truth value indicating the presence or absence of admission or the integer indicating the number of times, and the currency is set to the variable 3017A or 3017AA (or 3017DA) in advance payment. The administrator terminal 1C gives an OTP token that can be accessed from the terminal 1A of the user UA to charge the balance like a means and increase the variable 3017A or 3017AA (or 3017DA) according to the value of the charged currency. can.
Then, it is possible to reduce the amount equivalent to the service fee from the balance of the 3017A or 3017AA (or 3017DA) charged with the amount equivalent to money according to the usage amount of the service. In this case, in the authentication function 3018A (or 3018DA), it is determined at F115 or F116 in the flowchart of FIG. requires processing such as stopping the execution of the authentication function, prompting the balance to be recharged, or contacting the service provider.

<Function to detect and notify normal or unauthorized entry>
In order to determine whether or not the private key PRVA (101A of terminal 1A) is leaked and the service is used illegally, the token number and The appearance of the user identifier may be captured by security camera 342D and saved. Appearance is preferably biological information such as face, physique, body shape, motion, and walking. The intention of using the biometric information is, for example, to prevent unauthorized entry into the venue where the service is provided. Here, by copying 1500A, 18A, and 19A including the same OWP authentication information, user identifier A, and token number TIDA and duplicating the OWP, different people can enter using the same authentication information (A, TIDA, and OWP). Do the same for monitoring.
A monitoring camera 342D (342D in FIG. 8B) that records the appearance of the user is shown in FIG. 8B as an example of recording biometric information. However, the recording of biometric information is not an essential function for the present invention, but is a necessary function for entrance processing at station ticket gates and entrance gates. It is possible, but due to restrictions on the battery capacity used for the power supply unit 37D of the terminal 3D and economic considerations, when the terminal 3D is incorporated in a container such as a small safe or a handbag, the security camera 342D may be difficult to use or may not be necessary. There is Whether or not the 342D can be installed can be determined depending on the application and embodiment.
Similarly, when the terminal 3D is used for locking an automobile or a building locking device, the 342D may not be installed in consideration of privacy. Sometimes 342D is installed for crime prevention while sacrificing privacy. For example, it may be preferable to have a security camera in applications such as taxis and buses, and in applications such as car lending, rental cars, and car sharing. Depending on the service, it is necessary to notify the user of the use of means for recording the presence of the user, such as a security camera, when the service is provided or when the contract is signed.

For 3D, when the security camera 342D is not used, as a function that can be used for crime prevention, the light emitting element 351D such as a lamp or the sound emitting element 352D such as a buzzer in FIG. Set and use the action when it fails and the action when it fails. Specifically, when the terminal 3D is used in a container such as a safe, information used for authentication is recorded in the NFC tag 19A, and the terminal 3D inside the safe receives the information of the NFC tag 19A using the communication device 32D. If the read authentication result is correct, the lock of the safe can be unlocked, and if not correct, a warning sound can be generated by a buzzer. Instead of the buzzer, the communication device 32D may wirelessly emit a radio wave beacon or a radio signal to the surroundings.
A security camera 342D and a light emitting element 351D such as a lamp or a sound generating element 352D such as a buzzer may be used together.
For example, 1500A, 18A, and 19A, which are used in ticket gates at stations, have been authenticated, used, and invalidated. When a user UA appears to attempt authentication by re-presenting the token number that has been used and invalidated, the ticket gate opening/closing device 350D is in a closed state. Then, the UA is kept on the spot, and the security camera 342D and the light-emitting element 351D such as a lamp or the sound-emitting element 352D such as a buzzer are used together to inform the surroundings, and the station employee is notified of whether or not the token is being used illegally. User UA can be asked.

Not only when the terminal 3D is a container such as a safe, but also when the terminal 3D is in a ticket gate, an entrance, an automobile, or a building, the light emitting element 351D and the sound generating element 352D are operated according to the output of the authentication result to determine whether the authentication result is correct. It is used to notify the surroundings of the terminal 3D (the surroundings are within the distance where the signals can be transmitted from the terminals 351D, 352D and 32D to the user and the terminal) and the service provider. The light-emitting element 351D may be a semiconductor element such as a light-emitting diode that emits light when an electric current flows, instead of a lamp such as a light bulb.

<When detecting the number of times of authentication and the person who performed authentication>
1. When the terminal 3D is connected to the internetwork and connected to the server 3A at the ticket gate or the entrance.
The user UA, who has the original right to use the secret key PRVA, has the 1500A, 18A, and 19A read by a 3D input device or communication device and presents them. It is assumed that the private key PRVA (101A) is obtained by some means, duplicated and recorded in one's own terminal, and illegally used to pass through the entrance. Alternatively, illegal use of OWP due to outflow and reuse can be considered.
Image data that enables identification and tracking of the person by recording the appearance of the UB in the event of unauthorized use, time at the time of authentication payment, location and terminal number of the authentication terminal (station name at the ticket gate, etc.), walking behavior, etc. get Then, the occurrence of authentication is recorded by incrementing variables 3017A and 3017AA that record the number of executions of the authentication function 3018A of the authentication contract on the blockchain.
Also, the user UA is notified by e-mail or the like that the service has been used at the entrance where the service is located. The user UA can make a claim to the service provider that the ticket has been used illegally, and compare it with the face, body structure, walking information, etc. of the UB who has entered illegally, and it can be used to judge whether the user UA has entered illegally.
Here, when server 3D is a block chain node like server 3A, 3D has the same function as 3A, so authentication function 3018A is recorded in the 3D block chain part (300D and 310D), and 3D is not 3A. The terminal 1A of the user UA may access the block chain part of , and execute the authentication function 3018A.
At the time of unauthorized use, it may be necessary to stop the use of the user UA's OTP token to limit the spread of damage caused by unauthorized use. Therefore, a variable that allows the service provider to stop using the OTP token of the user UA using the terminal 1C may be provided in the contract of the OTP token of the terminal 3A and changed using a setter function. Alternatively, if the main server terminal of the service provider manages the balance of each token separately from the blockchain at ticket gates, etc., it can be handled by changing the settings of the main server terminal for each customer.

2. When terminal 3D is connected to a local area network (LAN) and connected to server 3A at a ticket gate or an entrance.
When connected to a local area network of a certain station or facility and disconnected from the internetwork 20, the memory of the terminal 3D is matched with the hash functions 3010A and 3010DA used to generate 1500A, 18A and 19A, The KC values 3011A and 3011DA are matched, the BC values 3013A and 3013DA are matched, and if other variables and functions are used for OWP calculation, they are matched, and the OWP type OTP calculation method for terminals 3A and 3D and the variables used for calculation must be matched and synchronized. Then, the number of times of successful authentication by the authentication function 3018D or data changed at the time of authentication may be recorded in 3017DA or 3016D.
Through a LAN in a facility such as a movie theater or a station, a staff member of the facility has a terminal with access rights to the terminal 3D, accesses the database 3116D (including 3114D and 3115D) of the terminal 3D, and obtains the user identifier and token number. As a key, it is possible to retrieve and grasp the service provision status for the OTP token with that token number. Also, if the information required for authentication cannot be read from the paper valuable paper sheet printed on 18A, the user identifier and token number are obtained from 18A and compared with the customer information of 3116D. Determine if the user can provide it (ID may be required for this procedure).

3. When the terminal 3D is offline without connecting to the network.
Even when the terminal 3D incorporated in a ticket gate, an entrance, or a locking device of a vehicle, a building locking device, a container locking device such as a safe is not connected to the network 20, the storage device of the terminal 3D stores 1500A or 18A. Match the hash functions 3010A and 3010DA used to generate 19A, match the KC values 3011A and 3011D, match the BC values 3013A and 3013DA, and use other variables and functions to calculate the OWP. They must be matched, and the OWP type OTP calculation method and variables used for the calculation must be matched and synchronized in the terminals 3A and 3D. Then, the number of times of successful authentication by the authentication function 3018DA or data changed at the time of authentication may be recorded in 3017DA or 3016D.
There is a terminal 3D in the part that can be accessed after locking and unlocking, and the 3D communication device 32D is equipped with a connector or terminal for wired communication or a wireless communication device that can limit accessible terminals, and is the terminal of the user or administrator. Change the KC value 3011DA or BC value 3013DA of the storage device 30D from the communication device (1A or 1C) via the communication device 32D of the terminal 3D or change the hash function fh, and the OWP generated by the OTP generation function 3009A of the terminal 3A and the OWP generated by the authentication function 3018DA are changed to be the same. By leaving a margin for updating the KC value 3011DA or BC value 3013DA used for calculating the OWP, for example, the data that becomes the unlocking key of the locking device of the car or building can be updated periodically, and the key of the locking device of the car or building can be updated.

<When detecting the number of one-time password generation and authentication>
In the present invention, one-time password generation and authentication are not performed in the same function of the contract. It is possible to provide a variable and a processing unit that count and increment (increase) the number of executions of each OTP generation function and OTP authentication function at the time of generation and authentication. less likely to be tampered with. By monitoring the variables 3017A and 3017AG that are used at the time of generation among the variables that count the number of executions, it is possible to prevent unauthorized use. (Although it is not on the blockchain, it is a variable that also counts 3017DA of terminal 3D)

For example, when generating OWP (18A) as a paper ticket, if there is a function to increment the number of OWP generations on the blockchain, the paper ticket data including OWP (or display screen data 1500A) is It is also possible to receive notification prior to fraudulent use and authorization at the entrance. In that case, a processing unit 3111D that monitors the blockchain is provided in SVLog (terminal 3D), etc., and a recording variable 3017AG (number of calls) of the number of times the one-time password is generated for the token of the token number TIDA of the user who provides the service, or It is necessary to detect a change in the authentication count recording variable 3017AA or 3017DA and notify the user who owns the token by e-mail, notification application, telephone line, etc. via the network. In addition to e-mail, a non-fungible token indicating that the one-time password generation function has been used may be sent to user identifier A, who is the owner of token number TIDA.

If the user does not have an email address, send a non-fungible token (unauthorized use notification type token, notification postcard type token) different from the OTP token that indicates that the one-time password has been generated or authenticated to user identifier A. You can also In this case, the non-fungible token acts like a usage receipt. (This fraudulent use notification type token can be used for other embodiments and applications of the present invention. Website login, paper or NFC tag tickets/value sheets, decryption of encrypted data described later. It is difficult to notify the unauthorized use of a terminal 3D built into a safe, etc. In this case, it may be possible for the terminal 3D to emit a wireless beacon to notify the surroundings.)
In the case of services that are provided to a large number of people at ticket gates and entrances to facilities at high speed, in addition to taking pictures of their appearance with security cameras, the service provider stops unauthorized visitors and asks for identification such as personal number cards and passports. It is also assumed that personal information such as presentation and date of birth is confirmed and authenticated. When using it as an accommodation ticket for an event that accommodates a small number of people or an accommodation facility such as a hotel, you can provide and use the service by confirming and authenticating 1500A, 18A, and 19A after filling in your name at the reception desk. Maybe.

<Rating and signboard information>
As with the service using the server terminal 3C, in the authentication system using valuable paper using paper or NFC tags and the terminal 3D that authenticates it, the one-time password generation token is used to indicate the target age of the user. Rating information of 3024A is recorded in the contract. Signboard information 3024A of the OTP token contract is also set in the same manner. Examples include rating information such as qualification/license information required for users of vehicles such as automobiles, ships, and heavy machinery, equipment/devices, and rating information of movie theaters.
Also, when 18A and 19A are attached to a product by pasting it, the rating information is based on the product. For example, if 18A is affixed to manage the distribution of alcoholic beverages, rating information such that only adults can drink may be recorded.

4C. Decryption and Viewing of Encrypted Data and Files Software CRHN (Software 403A) is available to decrypt encrypted data using the blockchain-based OTP authentication system of the present invention. Here software CRHN is software 403A in FIG. 4B. FIG. 8C shows a connection diagram of the terminal.
When decrypting and viewing data 4034A (4034A in FIG. 4B) such as an encrypted file, the server terminal 3A is accessed using the computer DP (terminal 4A in FIG. 4A) used by the user UP, and the secret of the terminal 4A is accessed. BnTOTP is generated and authenticated using the OTP token assigned to the key 401A, and the return value CTAU4031A of the OTP authentication function 3018A is obtained. Private key CRKY 40302A and software 403A Generate common key TTKY 4033A that can encrypt and decrypt files based on the calculation method, software 403A that encrypts and decrypts files, and viewing, viewing, and printing information using software 403A In the present invention, an authentication system capable of decrypting and using the encrypted data that performs the above can be used.
In addition to TTKY4033A calculated from CTAU4031A and AKTB4032A, TTKY4033A calculated from obfuscated or encrypted key CRKY40302A built into CTAU4031A and AKTB4032A and software CRHN is preferably used for decryption.
Furthermore, in addition to the key information, using a key CAPKY40303A obtained from a contract with a contract identifier APKY40301A recorded in a terminal that is a node of a block chain such as terminal 3A according to a program recorded in software CRHN so as to make it difficult to identify TTKY4033A Alternatively, the programs may be obfuscated and encrypted by complicating the process so as to make it difficult to identify 4033A.
At this time, the present invention functions as an access control technique to contents included in encrypted data.

<Distribution of encrypted data>
The encrypted data 4034A is distributed from the server terminal 5B called SVCRHNdrive to the computer terminal 4A through the network 20 and stored in the storage device 40A. The server terminal 5B may be a real server, a virtual server, or a virtual machine terminal. A cloud-type data storage service may also be used. It may also have a version management function, record the update history of the encrypted data and the hash value of the encrypted data, and display it to the user.
The terminal 5B may have a function of searching for encrypted data that can be decrypted by the OTP-generated token of the present invention that the user owns. In addition, for token issuers (issuers are assumed to be individuals, corporations, publishers, and software companies), keywords presented by the issuer (data name, creation time, keyword, classification of books, etc., rating information) A function that can retrieve the contract identifier of the OTP token and the encrypted data corresponding to it may be provided.
The terminal 5B has a function to sell books, audio/video, and software to a customer on an e-commerce website or web application in the form of issuing an OTP token to a user identifier A calculated from the private key of the customer's terminal 4A. be prepared for When the customer user conducts electronic commerce, the OTP token and the encrypted data search function corresponding to the OTP token, the notification of AKTB4032A and the encrypted data download function, the customer's name, e-mail address, user identifier, when purchasing the token A database may be provided to register and store personal and contact information of OTP token purchasers, such as phone numbers. The terminal 5B may record the address of the user and notify the user of the AKTB4032A notification or the OTP token purchase in the form of mail delivery.

Then, using the contact information such as the customer's user name, e-mail address, address information, and user identifier recorded in the database, any arbitrary data necessary to decrypt the file 4034A encrypted by 4032A, 4031A, 40302A, and 403A The key information AKTB 4032A may be sent by e-mail together with the file 4034A encrypted by 4032A, 4031A, 40302A and 403A.
Alternatively, send a file 4034A encrypted with 4032A, 4031A, 40302A and 403A by e-mail, and AKTB 4032A will be sent by means other than block chain or e-mail (sent the text containing 4032A as a letter, by SMS of the phone number AKTB4032A is sent as a message by facsimile, etc., or a transaction describing AKTB3042A is received on a blockchain based on a blockchain different from the one on which the OTP token exists, using the private key 401A. It is transmitted to the user UP of the terminal 4A, and the UP inputs 4032A to 403A of 4A, so that the OTP token calculates TTKY 403A from the return value 4031A and the calculation procedure of the key information 40302A and 403A of the software 403A, and decrypts the encrypted file 4034A. Then, the decrypted plaintext file 4035A is obtained, and the data of 4035A can be viewed and executed.

<Function to restrict circulation of tokens that decrypt encrypted data>
The distribution of tokens may be subject to transfer restrictions by the rights holder who is the administrator of the tokens. In the embodiment, the token can be transferred to others according to the ERC721 standard of Ethereum, but when the token is transferred, a variable and a process 3041A are added for the right holder to control the execution of the transfer function (transmission function 3040A). . The OTP token of the present invention was invented in the process of using the non-transferable TOTP token for internet banking on the blockchain, and is characterized by being basically equipped with a function to restrict transfer. If the service provider or content provider corresponding to the OTP token does not permit the transfer of the OTP token between different user identifiers of the present invention, the OTP token contract transfer restriction variable and related function 3041A is the transmission function. Takes the value of a variable that prevents execution of 3040A.
When the right holder of the data or file content corresponding to the OTP token is the contract manager (or when the right holder entrusts the management of the contract to the contract manager), the execution of the contract transmission function 3040A is stopped. When the contract variable value 3041A is changed from the state of being in a state to being in an executable state, it becomes transferable between users with different user identifiers.

An example of an OTP token transfer is shown. User UP (user of terminal 4A) and user UB (user of terminal 1B) can exchange OTP token information on the blockchain via network 20 and server P (server terminal 3A). An OTP token can also be transferred from the UP to the UB using send function 3040A.
UB to which the UP sent the OTP (in fact, 3A receives access from 4A using the secret key 401A, and the database or ledger 3014A that describes the correspondence between the OTP token and the user identifier in the OTP token contract is stored by 3040A. (Owner information is rewritten from UA to UB), an encrypted file is downloaded from terminal 5B, or the encrypted data that UP, who was the owner of the token, has in terminal 1A is duplicated and used. It is possible to obtain an encrypted file that is distributed and decrypt the encrypted data.
Here, if AKTB4032A is used when encrypting an encrypted file, 4032A must be obtained from User UP. Contents for which AKTB 4032A is not set can be decrypted using encrypted file 4034A, CTAU 4031A obtained by OTP token authentication, software 403A, and secret key 40302A inside the software. When user UB obtains OTP token transfer from user UP, notification of AKTB, encrypted data, and software 403A for viewing the encrypted data, UB can view the content data that UP has been viewing, and can view the data. can acquire the right or ownership.
In the embodiment of the present invention, to decrypt the encrypted data, when the file encryption and decryption key TTKY 4033A can be generated based on the CTAU 4031A, AKTB 4032A, the secret key CRKY 40302A inside the viewing software 403A, the software 403A, etc. Can decrypt files.

The OTP token transfer function using the transfer restriction function of the present invention is not limited to decryption tokens for encrypted data, and can be used for all OTP tokens belonging to contracts having OTP generation functions of the present invention. OTP token for logging in to the website of the terminal 3C described in , OWP token for generating a password OWP for creating a key such as paper, NFC tag type ticket, valuable paper sheet and unlocking described in FIG. 8B can.
OTP tokens can be transferred on the contract program, but depending on the service to which the OTP token corresponds, it is assumed that there will be restrictions on the use of the service by the right holder of the service, as well as domestic and foreign laws and regulations. The contract manager changes 3041A when imposing transfer restrictions.

<Encrypted data version management>
Encrypted file distribution server terminal 5B is provided with a so-called block chain type storage that attaches data and files to transactions to the block data and records them in a distributed ledger on the block chain platform where the block size and upper limit of transaction data can be extremely large. may Not limited to blockchain, it can be a storage system that is difficult to tamper with and can be versioned. (Concrete examples of existing technologies and services that implement desirable functions when included in terminal 5B include platforms such as Github.
The terminal 5B receives access from the user terminal, displays an encrypted file and an OTP token corresponding to the search key information requested by the user terminal, and issues an OTP token with a certain contract identifier using the OTP token using the electronic commerce function. Presenting the user identifier of the issuing and sending destination to the terminal 5B or the contract manager terminal 1C of the corresponding contract identifier, performing settlement of the purchase price, etc., purchasing the OTP token, and instructing the user identifier of the OTP token purchaser to issue the token; If AKTB 4032A is required, AKTB 4032A may be used during encryption to create and distribute encrypted file 4034A.
When the 4034A is distributed, the AKTB 4032A and the encrypted content file may be attached to the user's e-mail and sent. Alternatively, AKTB4034A may be notified to the user by e-mail, and the corresponding encrypted file may be downloaded from a download-only URI that can be accessed by a terminal such as 5B. If the site is also a member site with functions, etc., the URI may be displayed on the user-dedicated display screen after login and transmitted to the user.

In an online storage where tampering can be detected or version management can be performed, the encrypted data 4034A is a book that is open to the public and sold to the general public, and it may be necessary to revise the data of the book and distribute a different version. In this case, the revised version can be uploaded and distributed as encrypted data to 5B having a version management function while preserving the data of the version before the revision so as not to be tampered with.
At this time, the new encrypted data of the revised version can be decrypted with the OTP token of the old version, which can decrypt the old encrypted file of the existing version. For example, if there is a problem in a computer game, etc., instead of a book, it is preferable to be able to decrypt it with the old version of the OTP token when distributing a revised version to improve it. It is assumed to be used for decrypting software data. In this case, the new version and the old version remain the same contract identifier.
Alternatively, the right holder can sell the old version of the token while encrypting the new version so that it can be decrypted with a new version of the token different from the old version and distributing the encrypted data. For example, in the case of paper books, this corresponds to the fact that both old editions of printed and circulated books and revised new editions of books are sold as commodities in bookstores and antiquarian bookstores. OTP token contracts with different contract identifiers are deployed for the new version token and the old version token, and the user is notified. It is up to the consumer to decide whether or not to purchase the new version of the OTP token. (Computer software can also deploy OTP token contracts for each version)

<Content Rating>
Rating information 3024A of the content of the encrypted file that can be decrypted with the token is recorded in the contract of the one-time password generation token in order to indicate the appropriate age for viewing the information of the encrypted data. Ratings may be recorded in 40351A and 40352A in FIG. 4B.
The rating of the content is recorded on the blockchain, and others can directly access the rating on the blockchain or search and view it from a server terminal such as 5B or 3F, and consider purchasing tokens.
<Certificate of content>
It is preferable to have a certificate from a third party that indicates that when the encrypted data is decrypted, the plaintext does not contain malicious programs. This is information described in 40351A and 40352A in FIG. 4B.
This is also related to the rating of content, and it may be necessary to have a third party censor the plaintext data of the content and investigate whether there are any problems with the operation of the program.

<Environment for viewing content>
Even if a content certificate is used, a third party may unintentionally overlook the existence of a malicious program and issue a content certificate (40351A and 40352A in FIG. 4B). Therefore, the execution environment of software 403A may preferably be executed within a virtual machine environment.

<Function to detect browsing from multiple environments at a certain time (unauthorized access detection function)>
In the present invention, when the encrypted contents are decrypted and browsed with this software CRHN, or when the software CRHN is browsed,
A program for connecting to the advertisement server CRHNcm (server terminal 5A in FIG. 5A) is executed, advertisements are distributed from the terminal 5A, and the IP address of the user who viewed the content or executed the software (hashed or processed IP address value),
Location information (hashed or processed value of location information), computer device information (or its hash value), terminal sensor value (or its hash value),
Then, the token number and user identifier are recorded in the terminal 5A as data as shown in FIG. 6X, and for a certain token number and user identifier,
It is possible to provide a processing unit that determines at any time whether access is made with different IP addresses, different location information, different device IDs, and sensor information from different terminal-attached input devices.
Here, the device information of the computer and the device ID of the computer include, in addition to the computer manufacturing ID such as the device ID, the operating software ID, the web browser ID, the acceleration sensor, the magnetic sensor, the pressure sensor, A measured value of a temperature sensor or the like or a hashed value of the measured value may be used.
This assumes that the advertisement server will be used as a server for monitoring unauthorized use of simple contents. However, it is used only when the right holder who distributes the software 403A or the encrypted content requests the unauthorized use monitoring function of the content.
When the software 403A is browsed, encrypted data can be decrypted by the OTP authentication system of the present invention without executing a program for connecting to the server terminal 5A. Then, in the embodiment, the right holder of the software 403A of the present invention or the right holder of the plaintext data of the encrypted data records a program for connecting to the server terminal 5A when the user of the software 403A or the content agrees. A program can be run that makes a connection to the .
(Here, right holders are mainly copyright holders of software and content. Plaintext data is protected from the viewpoint of copyright and other intellectual property rights. In addition, confidential information such as corporate trade secrets is protected as an intellectual property right.Plaintext data created by an individual is protected by copyright.)

In addition, the advertising function using 5A may not be necessary in the case of encrypting and decrypting confidential information such as design drawings of products before sale with the software of the present invention and using it as an encryption tool for internal documents. In the case of providing this software to the association, it is conceivable that the function of displaying advertisements and the function of monitoring unauthorized use of contents using an advertisement distribution server are not used. When an individual uses it as a hobby, the right holder can install an advertisement display function and an illegal use monitoring function of content by advertisement, and for business use by an individual or a corporation, the advertisement function is not installed and the software and apparatus of the present invention can be used. Available.

Data and files are decoded and executed by software CRHN (403A) of terminal 4A, and the result is displayed on display screen 450A, which is an output device.
It is difficult to screen-capture the image on the display screen of the software CRHN (in this case, if the display 450A is copied with a silver salt or digital camera, it can be copied), and the file that will be the content or the printing by the printer from the software side can be set to disallow Printing can be disabled or enabled depending on the request of the content right holder. The user identifier of the viewer can always be displayed on the player screen of the content.

<Browsing data while offline>
In the present invention, even if the terminal 4A goes offline due to a disaster or the like and is disconnected from the internetwork and isolated, it is conceivable that there is data that the terminal 4A wants to view using the software 403A. For example, it is assumed that a user would like to use a file of a book such as an encyclopedia that is useful for an evacuation route or a disaster in case of a disaster. The blockchain itself is a globally distributed database of servers and is resistant to localized disasters. However, it was assumed that the device of the disaster victim could not connect to the network and the software 403A at hand could not connect to the blockchain, so that the encrypted file could not be decrypted.
Therefore, in the present invention, when a file is decrypted by the software 403A in advance before a disaster occurs, the viewed certificate data 4036A (4036A shown in FIG. 4B; bookmark data, OFBKMK in this text) is transferred to The key information encrypted with the user private key PRVP (401A in FIG. 4B) recorded inside the certificate data is decrypted and used as a key for browsing. Again, the present invention functions as an access control technique to content.

<Browsed certificate data to be used when offline>
In an embodiment of the invention,
First, key information TTKY4033A for file encryption and decryption is calculated, TTKY4033A is encrypted using the user's secret key 401A or key information based on it to make CTTKY40361A, and 40361A is used with the secret key 40302A built into the software 403A. Encrypted to ACTTKY40360A.
Next, the block chain information such as the block number and the contract identifier of the one-time password generation and authentication contract at the time when the terminal 4A is OTP-authenticated and the data can be decrypted and browsed are collected as one object data or file 40362A.
Next, a secret key 40302A is used as HMAC key information, and data obtained by concatenating 40360A and 40362A is used as an HMAC message, and a MAC value 40363A is obtained by HMAC.
Data obtained by concatenating 40360A, 40362A and 40363A is used as viewed certificate data OFBKMK4036A.

<Browsing when offline>
TTKY4033A is obtained by decryption using the viewed certificate data OFBKMK4036A, the user's private key 401A, and the key information 40302A inside the software 403A.
Specifically, software 403A decodes ACTTKY40360A described in OFBKMK4036A using 40302A to obtain CTTKY40361A. CTTKY 40361A is decrypted using 401A to obtain TTKY 4033A, and the encrypted data and files are decrypted using TTKY to enable browsing. For encryption of information inside 4036A, encryption such as common key encryption and public key encryption may be used, but common key encryption may preferably be used.
Here, it may not be necessary to restrict viewing in the event of a disaster, but when the network is disconnected, it is difficult to distinguish whether the reason for the disconnection is a disaster or the user's convenience, and there are files that you want to restrict viewing even in the event of a disaster. Therefore, the software 403A may have a function of limiting the browsing time.

Some users may try to abuse the browsing function using 4036A when terminal 4A is disconnected from network 20 and offline. Therefore, in order to protect the content of the right holder, it is sometimes desirable to restrict the use of the offline browsing users by using the certificate data that has already been browsed. (It should be noted that, at the discretion of the content right holder, it is also conceivable to use 4036A without restrictions on browsing.)
As a specific countermeasure example and embodiment, the software 403A detects the time information of the computer or smartphone on which 403A is installed and the time when the certificate data OFBKMK4036A is authenticated and the content can be viewed when used offline, After confirming that the time is past the current time of the computer terminal such as a smartphone, decrypt the information contained in the information of 4036A to obtain 4033A, decrypt the encrypted data and file 4034A, and obtain 4034A. The time at which the decryption was performed using 4036A (the current time at which the browsing was started with 4036A) is recorded, and the browsing is limited to a specified time in the future from the current time at which the browsing with 4036A is started. allow When a certain specified time has passed, processing to stop reading is performed, software 403A is stopped, and use of plaintext data 4035A is stopped.

Among the computer terminals 4A, most of the smartphone type terminals 4A are provided with a radio signal receiver 422A or 423A from the global positioning satellite system GNSS for positioning of position information, and provide this function because the time is updated. Cheap. Signals from GNSS include time information. In a computer that does not have a built-in means of obtaining time information such as GNSS in a state that is difficult to remove, the time is set to a value different from the original time in the BIOS (Basic Input Output System) of the computer offline, and the software 403A is correct. There is a risk that the software 403A will prevent the time from being acquired, and allow the browsing even when the time to stop browsing has come.
In order to browse using the certificate data OFBKMK4036A that has been browsed in the software 403A, it is necessary to be able to receive from broadcasting stations such as NITZ (Network ID and Time Zone, network ID and time zone), JJY, GNSS that transmit the time even in the event of a disaster. preferable. Moreover, it is preferable that the device capable of receiving the time information is difficult to remove. For example, the wireless communication device 422A or the broadcast receiving device 423A of the terminal and the CPU (Central Processing Unit) in the control calculation units 41A and 43A are sealed with a metal shield, and the shield has an authentication number as a wireless device (Japanese wireless device construction design certification, the United States Federal Communications Commission FCC wireless device certification ID, etc.) may be stamped, it may be sealed as a semiconductor package, or the internal parts may be sealed with a transparent adhesive or the like. It may be sealed in a visible form.
A CPU including 41A and 43A and a receiving device 422A or 423A of GNSS or JJY or NITZ are mounted on the same semiconductor package or on the same semiconductor substrate, and the CPU or system-on-chip (SoC) device is used as a terminal for control and control. It is preferable to mount it as an arithmetic unit. (Some SoC chips installed in smartphones and tablet terminals sold as of 2020 have a CPU and a modem to a wireless communication station that transmits NITZ and receive wireless signals from GNSS (GPS in the United States and QZSS in Japan). There is a SoC with a built-in modem, such as the SoC of Qualcomm in the United States.)
In SoC, it is one semiconductor chip, but it may be a semiconductor component called SIP (System in Package) in which a plurality of IC chips are mounted in one package and sealed.
In addition, NITZ (Network Identity and Time Zone), which uses base stations for mobile phones and smartphones, may not function if the base station for mobile phones is damaged and stopped in the event of a disaster. It is preferable that the time can be corrected using the time data of radio stations on the ground (such as JJY in Japan) or the time data of radio stations in outer space such as GNSS.
In addition to GNSS and JJY among systems that use broadcasting, it may be possible to acquire the time through satellite broadcasting. It is assumed that the user terminal receives time information transmitted from weather observation satellites and broadcasting satellites in geostationary orbit. There may be a radio station 5C that broadcasts the time on the moon or the like.

Among the storage devices of the user terminal, a volatile RAM that records the secret key information of the program 403A when the program 403A is executed, and a ROM or non-volatile memory NVRAM that can record the user's secret key information are mounted on the SoC etc. together with the CPU as a package. May be sealed. This is read when the terminal is disassembled and the signal exchange of the storage device is measured from the parts where the parts constituting the terminal are joined by soldering etc. using an electrical signal measuring device and the secret key of 403A etc. is executed Inevitably, it is intended to prevent attacks by measurement and reverse engineering of electrical signals at the terminals of components. In order to prevent reverse engineering in the connection path between the memory device and the control arithmetic device, it is preferable that the memory section and the processing section used in the present invention are formed on the same substrate or sealed in the same package. (This requirement also applies to Terminal 1A, Terminal 4A, and Terminal 3D.)
It is preferable to make it difficult to access the signal processing unit of the storage device and the control device, and to do so may destroy the storage device and the control device of the terminal. The control unit and storage unit of the terminal may be sealed with a sealing resin or adhesive, or may be sealed with a sealing resin or adhesive so that the terminal cannot be disassembled into the storage unit or control unit.
However, among the storage devices, it is sufficient to seal the storage device corresponding to the capacity of the information necessary for the operation of the software. A non-volatile semiconductor memory may be added to increase the capacity. A magnetic disk such as a hard disk drive or an optical disk may be used as the external storage device. Also, the storage device recording 4034A may be removed from the terminal 4A and handed over to others for distribution.

<Restrictions and permissions for printing and duplicating content>
According to the permission of the content right holder of encrypted data and files, etc., the content right holder describes information to the effect that permission is given to the plaintext data 4035A and 403A decrypted from the encrypted data 4034A, and only for personal use, 403A is Content can be printed using the printer of the output device. 403A can print the user identifier, token number, printing time, content name, contract identifier, block number and TOTP at the time of printing for each page at the time of printing, like a time stamp. can. This is for confirming the printing time and printing person of the printed text. A person who prints is represented by a user identifier.

The content obtained by decrypting the encrypted data displayed on the display screen of the terminal 4A can be copied as an image or moving image using a terminal such as a film camera, a film camera, a digital camera using an imaging device, or a smartphone equipped with a digital camera. may be possible.
Therefore, the content obtained by decrypting the encrypted data displayed on the display screen of the terminal 4A can be simply prevented from being copied as an image or a moving image using a terminal such as a smartphone equipped with a silver-salt camera or an image pickup device equipped with a digital camera. uses a head-mounted display 453A (head-mounted display 453A). The present invention does not necessarily use the head-mounted display 453A, but may use the display 450A mounted on conventional desktop terminals, laptops, notebook terminals, mobile phones, and smart phone terminals.
Here, when the head mounted display 453A is worn, biometric authentication functions such as face authentication, iris authentication, authentication derived from the structure of the ear, illuminance sensor or optical sensor, and thermographic image of body temperature distribution are performed by the sensor 4530A of the head mounted display 453A. You can use it. The primary purpose of the authentication function is to confirm whether or not a real living body is wearing the 453A. Accompanying this, it is also possible to acquire personal biometric information and perform biometric authentication.

Software 403A may define output device 45A that outputs the decoded data. Specifically, 453A is used to simply prevent the display screen from being copied as an image or moving image using a film camera or digital camera. On the other hand, if the content on the display screen is shared with a plurality of people for viewing, and the shooting of the display screen is permitted in that scene, the 450A is used. The right holder of the content contained in the encrypted data can decide to limit the output method. limit the device that outputs the decoded data to The output of decrypted data/files/contents can be restricted for each output device, such as a display device/display device such as the head-mounted display 453A or the display 450A, a printer of 452A, and a speaker of 451A.

Even if the 453A is used, the manufacturer of the software 403A may output to the 450A in addition to the 453A if it is necessary to duplicate the screen. For example, when duplicating by means of obtaining evidence for resolving a dispute over the content of encrypted data, the software setting information should be disclosed to the investigative agency so that the output is in 450A even if output in 453A is specified. make it available for viewing. Even if head-mounted display 453A is used to restrict copying, upon request the provider of software 403A will provide a copyable version of screen 403A to help resolve disputes. can.
For example, if the information displayed on the display violates laws and regulations (for example, information that infringes on portrait rights) and there is a victim due to that information, when providing information to investigative authorities, lawyers, etc. Data that is available only on the head-mounted display 453A of 403A may be displayed on the normal display 450A so that information can be shared for dispute resolution.

From the viewpoint of information retention, it may be preferable for users who have viewed certificate data to be able to record the data on paper or the like within the scope of their personal use even when they are offline. Technologies such as computers, storage devices, and blockchains used in the present invention are not information recording media with a long track record like recording means invented in the past such as paper, clay tablets, and stone tablets. It is preferable that the data used in the present invention and the information about ownership of the token can be recorded on paper or the like if the right holder of the information desires. If music video data and software data can also be stored as plaintext files in storage devices such as magnetic tapes and magnetic disks, the information may continue to remain.
The present invention is designed under the assumption that it will function for as long as the actual paper is stored, i.e. over 100 years and over several centuries. The software of the present invention is designed from the viewpoint of preserving the data of modern culture and life, with an emphasis on data ownership, protection of content right holders, and information recording, so that information can be passed on to future generations. thinking.
In the present invention, files can be distributed all over the world in the form of encrypted files, and an information distribution form is adopted in which encrypted data is decrypted using a key called an OTP token. It is preferred that a right holder responsibly store the plaintext data that is the original of the encrypted data. The inventor does not intend to stop preserving the originals just because there is data on the books sold all over the world.
In addition, the issued OTP token and the corresponding encryption data 4034A, software 403A, AKTB 4032A, and other key information for decryption are collectively recorded in a library or the like as a book or video/audio information. May make it easier to store for months.

4T. Use in broadcasting (distribution of non-bidirectional encrypted data)
As an application of FIG. 8C, there is a use for encrypted data broadcasting. FIG. 8D shows a connection diagram of the terminals. As shown in FIG. 8D, the encrypted data may be the encrypted data of audio and video broadcasted by one-to-many wireless broadcasting, and the data of radio broadcasting and television broadcasting (television broadcasting) is encrypted and sent to the broadcasting station. The encrypted data transmitted from 5C (5C in FIG. 8D) and received by the wireless receiver 423A built in the terminal 1A of the user UP can be decrypted and applied to viewing audio and video.
Distribution of content by television broadcasting or the like involves exchanging data and files in two-way communication and on-demand distribution by computers and computer networks shown in FIG. It is a live broadcast/live distribution on the terminal 4A (television with a receiver).
Here, it is preferable that a plurality of receivers 4A (television-type computer terminals 4A with broadcast receivers) can be connected to the Internet in the present invention, and have an authentication system using a one-time password of the present invention and an encrypted content browsing function. If the receiver cannot connect to the Internet or the global blockchain, the broadcasting station may add time information, block number Bn, one-time password authentication, and content decryption to the broadcast data in addition to the secret key information stored in the receiver. need to send some of the key information required for
This method enables one-to-many data transmission in which data can be transmitted from one broadcasting station to a plurality of users. If radio waves can be independently secured as a communication path, information can be transmitted to the public without worrying about congestion of smartphones and computer networks 20, and public data information such as newspapers, official gazettes, textbook data, and voice There are advantages to sending videos, etc. (In existing Japanese satellite and terrestrial digital broadcasting, IC cards are used and access control using common key encryption is performed.)

When the OTP token of the present invention is used as the right to watch the broadcast and the encrypted broadcast data is decrypted and viewed, access can be made using the secret key and the token assigned to the secret key even without an IC card. control becomes possible. Tokens can be additionally issued/issued without reissuing the IC card, and key information used for encryption can be changed on the contract side.
Encrypted data (contents) is transmitted from the broadcasting station in a one-to-many manner, but OTP acquisition and authentication and acquisition of the return value of the authentication function are performed through the internetwork 20 . Therefore, it is desirable that the broadcast data viewing terminal 4A of this system be equipped with both a radio receiving device from the broadcasting station and a communication device with the Internet. In the present invention, an embodiment like the terminal 4A shown in FIG. 8D is assumed for the television terminal 4A, the smartphone terminal 4A, or the tablet-type portable terminal 4A having a communication function.

The terminal 4A is not limited to a mobile terminal such as a smart phone, and may be a large-screen television terminal 4A that cannot be carried by humans. When the television type terminal 4A is used, the secret key may be recorded in the external recording device 46A and used as 401A. This embodiment is similar to an existing television set with an IC card reader having an access control function.
Alternatively, the private key 401A can be recorded in the storage device 40 of the television terminal 4A and used. However, in this case, when the terminal 4A is discarded or transferred, it may be necessary to record the information of the private key 401A in a separate storage device and then erase 401A from 40A. In the present invention, a private key stored in the terminal 1A or terminal 4A without using a storage device for storing the private key such as a hardware wallet or an IC card (an IC card or NFC card having a private key such as a personal number card) is used. In such a case, it is necessary to erase the data in the storage device of the terminal after copying the private key to a new terminal or recording medium when the terminal is discarded or transferred.

<Receiving terminals not connected to the network>
Although the terminal 4A is not connected to the Internet in FIG. 8D, when the terminal 4A has a wireless communication device that cooperates with the smartphone type terminal 1A, the terminal 4A may connect to the Internet 20 through the terminal 1A.

If you do not have a means of connecting to the Internet and cannot communicate with a terminal that can connect to the Internet, there are methods A and B below.
A. When using the method using OWP shown in FIG. 8B.
As an example, an OTP token for generating an OWP is acquired at the terminal 1A, and a password OWP is generated while accessing the terminal 3A using the OTP token. Enter the generated password OWP, token number, and user identifier into the television terminal 4A, or have the NFC tag 19A on which the password is recorded be read by the 420A. The broadcast encrypted data is decrypted using the returned value CTAU, and if the decryption is successful, the content is viewed.
B. Similar to FIG. 8B, when the seed value is included in the broadcast data and the decryption password is generated according to the change in the seed value, in the example shown in A, the information that is the basis of TTKY4033A that performs decryption is only CTAU4031A. Become. Therefore, information corresponding to AKTB4032A may be input to terminal 4A, and a key used for calculating TTKY4033A may be broadcast in encrypted data during data broadcasting. The broadcast key information may be anonymized or encrypted so that only 403A can decipher it.

In the case of the television terminal 4A or the like having only a radio receiving device, time information or block number Bn read by 5C from 3A or the like is added to the transmission information of the broadcasting station 5C, and Bn is received by the television terminal 4A. , an OTP is generated and authenticated from the authentication function provided in the terminal 4A and an internal secret variable used for the authentication function, and a key required for decrypting the encrypted data is generated, and the broadcast encrypted data may be decrypted at any time. The broadcast data may include part of the key information for decrypting the encrypted content inside the broadcast data.

Broadcast data can be recorded in encrypted form in the storage device (corresponding to the recording terminal of the television device) of the receiver (television receiver), and if you want to watch it again, authenticate with the OTP token required for decryption A later return value CTAU is obtained, information such as AKTB is input, a decryption key TTKY 4033A is calculated, and using 4033A, the content of the encrypted data that has been recorded can be decrypted and viewed.

<TV type computer, TV type game machine, computer connected to TV and game machine>
Here, if the receiver terminal 4A is a television device, it is a device that can be used for entertainment by sharing information with family members at home. A television device with a large screen is more suitable for sharing information with a plurality of people than the head mounted display 453A. It can also be assumed that the computer terminal 4A is equipped with a television viewing function that can be connected to the Internet. In that case, viewing of television broadcast data encrypted by software 403A and execution of computer game software in the form of encrypted data can be performed on the same terminal.
A private key 401A corresponding to an OTP token to which a broadcast viewing right, a computer game playing right, and a website login right are assigned is recorded in the terminal 4A, and viewing/encryption of a television broadcast in which the OTP token is encrypted. It is also possible to provide a multimedia terminal 4A that can execute encrypted game software, read newspapers and magazines by decrypting encrypted book data, and log in to the online game server terminal 3C using OTP tokens. be done.

<Installation location and form of broadcasting station>
Although terminal 5C can use both cable and wireless broadcasts, this section preferably assumes a service that distributes information wirelessly in one direction to a plurality of recipients.

The installation location of the broadcasting station 5C may be an artificial satellite in outer space regardless of whether it is on the ground or in the air. The orbit of the satellite may be a geostationary orbit. It may be a satellite that moves along an orbit. An artificial satellite that actively uses a propellant or the like to move by thrust may be used. It may be used for radio stations such as JJY that broadcast time information and positioning satellite systems that include time information such as GNSS. It may be on a satellite such as the moon. It may be on a planet such as the earth.

<Broadcasting station for GNSS with built-in blockchain that uses one-time password as a simple time stamp>
The broadcasting station 5C or 5C is a satellite type terminal 5C with a function of becoming a block chain node like 3A, and the data for broadcasting is the encrypted data part and the time stamp of the positioning data of the global positioning satellite system GNSS Partial use is also possible. The terminal 5C for positioning or time broadcasting may be a satellite terminal that moves along a certain orbit or a terminal installed on a natural celestial body such as the moon.
In this case, the broadcasting station 5C has a clock that calculates time such as an atomic clock, has time data according to the clock or a local block chain on the server in the satellite, and the blockchain system of the present invention recorded in the contract Using a one-time password, time information and a hash value calculated using TB and KC values can be attached and transmitted as radio waves containing a signal for GNSS positioning. In addition to location information, you can also send your own encrypted data and timestamp information. The terminal 4A may be able to receive time information from the terminal 5C that has become the GNSS broadcasting station.
By attaching BnTOTP and a message authentication code MAC value to the positioning navigation data broadcast by the GNSS broadcasting station 5C, OTP authentication is performed using 3A at the time of distribution of the positioning information, which leads to checking the authenticity of the positioning information. . By attaching the BnTOTP and OWP of the present invention to the positioning signal and the navigation data for positioning, tampering with the navigation data for positioning is prevented, and incorrect calculation of position information due to spoofing of the positioning signal and incorrect navigation due to incorrect position information are prevented. can lead to Terminal 4A can know the authenticated location information and time information by the above method.
When 5C is in space, another broadcasting station 5CC can conduct two-way communication and change part of the key information K of 5C's block chain according to 5CC's instructions.

<Rating>
If a rating is required, specify it in the contract and issue a token to the user from the contract.
In the present invention, a contract is provided with a variable KNBN that can describe rating information in the contract.

5. Service provider, token manager (Owner)
A user UA who is qualified to provide services (for example, a bank account holder who has signed an OTP token contract with the right to log in to a website/web application for Internet banking) and its private key to its terminal 1A From 101A to the user identifier A calculated from the block chain part of the terminal 3A, the administrator UC generates an OTP from the terminal 1C (terminal DC) to the server P (terminal 3A), which is a node of the block chain, through the network 20 (network NT). Issue a token.
OTP-generated tokens are recorded on the blockchain as smart contracts. A smart contract (contract) behaves as a program that is difficult to repair and falsify, and once the contract is deployed to the blockchain part of the blockchain system DLS such as terminals 3A and 3B, variables that can be changed using setter functions etc. Others may not be altered, altered, modified or erased. The service manager changes the values of the KC value 3011A and BC value 3013A of the contract through a function fscb 3012A that serves as a setter for changing internal variables provided inside the contract.
Contract functions can be programmed with user identifiers and conditions under which they are authorized to execute. In the present invention, an internal seed value (internal secret variable) KC value 3011A and BC value 3013A for calculating an OTP that can be executed only by an administrator and a function fscb 3012A that allows only an administrator to access KC3011A or BC3013A are set, and a contract is executed. Only the administrator can rewrite and update the secret key information for calculating the OTP of the contract. The function fscb 3012A may exist individually in both the KC value 3011A and the BC value 3013A, or may be a function that simultaneously rewrites the KC value 3011A and the BC value 3013A.
The present invention provides the user with a dynamic password OWP by updating the KC value 3011A or BC value 3013A of the password secret value generated by the OTP token. Since the one-time password BnTOTP using the block number Bn is also characterized by updating the seed value KC value 3011A, the contract includes the seed values KC3011A and BC3013A rewritten by the functions fscb and fscb. Characterized by

When issuing a token, the contract manager of the token sets the token-specific URI or character string information in the form of a mapping variable with the token number as the key, separately from the token number, and assigns the character string information to the token with a certain token number. can also The manufacturing number of the OTP token can be displayed in the form of a one-dimensional bar code or the like on software that handles the token from the URI information.
This URI information conforms to ERC721 and is a known function. The URI or character string information can include the serial number of the token, the URI of the image information unique to the token (URL of the image file of the web server containing the image information), and the like.

<Measures against leakage of private key of contract administrator>
The service manager has a private key 101C for accessing the blockchain part like other users, and the private key 101C (private key PRVC) recorded in the terminal 1C (terminal DC) of the contract manager UC is If leaked, the contract that manages the OTP token may be attacked to rewrite mutable contract internal variables or maliciously issue the OTP token. Therefore, the contract may include a portion that controls the execution of the contract with a plurality of secret keys when rewriting the variables of the contract.
A technique of controlling access using a secret key other than the secret key 101C may be applied to the contract. In addition to 101C, multi-sig technology may be used that uses one or more private keys different from 101C and 101C to access functions that can only be used by the administrator in the contract, and can view and rewrite variables.

Alternatively, when executing a function with high importance in operating an OTP token such as an internal variable of a contract that manages OTP or a token issuance function in order to improve security, the secret key 101C is used to execute the function. There is a contract internal variable that can be accessed and set from a secret key that has user identifier C and user identifiers D, E, F, and G other than user identifier C, and changes the token issuing function, KC value 3011A, and BC value 3013A. When executing a function, determine whether the variables that can be set by the user identifiers D, E, F, and G are executable values, and any one of the set values of D, E, F, and G will execute the function. When it is a variable value to be stopped (obstructed), it is possible to interrupt the execution of the token issuing function, the setter function of the KC value / BC value, and other functions that change the state of the contract and can only be changed by the contract administrator. .

The concept of accessing and setting from the user identifier C and the secret key having the user identifiers D, E, F, and G other than the user identifier C can be compared to an existing device, which has a plurality of dials and keys. It is the same as the idea of a safe or a vault that can only be opened when the key is unlocked. A safe has a plurality of dials, metal keys and locks, and unless these multiple elements are unlocked correctly, the locked safe cannot be unlocked. Identifiers D, E, F, and G cannot be locked unless multiple elements can be unlocked (if multiple secret keys are not available, an attacker can use a setter function that rewrites the contract variables, functions that perform critical operations, such as the token issue function, cannot be unlocked).
In addition to the contract administrator's private key 101C (101C indicates user identifier C), there are one or more private keys owned by other users (auditor's user identifiers D, E, F, and G), all of which are individual It has a true/false value that can be set by accessing , and it is possible to prevent the function for the contract manager from being executed unless the true value set by the user identifier D, E, F, G is taken. This is the storage of variables or processing units such as 3042A at 3008A, 3008AG, 3008AA in FIG. 3AC.

In addition, instead of setting the variable to a true value of the boolean value with all the user identifiers D, E, F, and G agreeing, as an example, 11 auditor users are set and the mapping type corresponding to those users is set. Equipped with a boolean variable, aggregates the true number (the number of true or false votes) of the mapping type variable, and executes a contract function that can be operated by the administrator if the majority of the 11 users is not reached. It can be programmed to stop (again, at 3008A, 3008AG, 3008AA in FIG. 3AC, a variable or processor store such as 3042A).
<Simple measures to prepare for the leakage of the private key of the contract administrator>
In the specific example, five secret keys of users C, D, E, F, and G are used, but two different secret keys are used to make it impossible to operate the contract easily during unauthorized access. You can access it as an administrator. A secret key 101C of the contract manager and a secret key 101B for stopping the issuance of OTP tokens when 101C is leaked are prepared, and a function execution stop variable and its setter variable that can be accessed only by 101B are provided, and the function execution is stopped. The OTP token issuing function and contract internal variables (3042A, 3043A, 3024A, 3030A, 3031A, and 3011A in FIG. 3AC , 3013A).
Under the condition that secret key leakage does not occur or if leakage is acceptable, only the single secret key 101C may be used to access the contract of the OTP token and change the state of the contract.
However, it is preferable to use some kind of multiple private keys to take measures against leakage of the contract manager's private key.

6. Supplementary notes on OTP tokens By using the URI information of the token, it is also possible to create symbols and patterns from the URI information. Of the 32-byte URI information that conforms to the ERC721 standard, 1 byte is separated from the beginning, and each byte has a numerical value so that it can be used as a card game number.
When used as a login ticket for a website, the website may change its operation according to the URI information of the token after logging in to the website. When using a token as a ticket, the URI barcode may be displayed on the display and printed. Further, remark information at the time of token issuance may be written in the URI portion. The URI information may be character string information in the ERC721 standard or 32-byte hexadecimal information. The data length of URI may be variable.
When printing as a paper ticket, necessary information such as service name, contract identifier, user identifier, token number, password information, date and time of printing (user name and contact information if necessary) in the application software used for printing In addition, part of the printed design of the ticket paper may be changed according to the URI information of the token and printed.

<Generation and calling of one-time password based on time using block number Bn>
The basic operation of one-time password generation and authentication in the present invention will be described. An authentication method using BnTOTP in the system shown in FIG. 1 will be described.
The user terminal 1A, the server terminal 3A, and the network 20 are used to generate and authenticate the OTP. In the user terminal 1A, a secret key 101A, a URI or the like in the network 20 of the server terminal 3A as a designated block chain node, a contract identifier 3019A of an OTP token that generates a designated OTP, and a block chain unit from the secret key 101A. The OTP generation function 3009A described in FIG. 3AA, FIG. 3AB, and FIG. Through the blockchain access program, the blockchain part of the server 3A is accessed through the network 20 and the function is called. The terminal 1A accesses the block chain part of the terminal 3A and performs processing according to the program of the OTP generation function 3009A of the contract recorded in the block chain part.
When the block number Bn is used for OTP generation in the embodiment of FIG. 1, the OTP generation function 3009A described in FIGS. , Bn, and A as arguments for the hash function fh, pass the arguments to the hash function, generate the hash value BnTOTP as BnTOTP=fh (A, TIDA, KC, Bn), and use the OTP authentication function 3009A. Alternatively, 3009A notifies terminal 1A of BnTOTP as the return value of function 3009A. If the arguments input to the terminal 1A or the user calling the function do not match the conditions of F101, the execution of the OTP generation function is stopped. The hash function fh is, for example, SHA256 of SHA-2.
In process F100 of the flowchart, the two arguments of the user identifier A and the token number TIDA are received as argument inputs of the OTP generation function 3009A. It should be noted that a plurality of arguments such as the third and fourth arguments may be used depending on the application.
Here, if the BnTOTP generated in F104 is not used as a return value, as shown in F107, BnTOTP is type-converted as an unsigned integer, and the n-digit password is divided by 10 to the power of n, and the remainder is the n-digit password. It can be transmitted as BnTOTP-n, and it is also possible to use the return value of the OTP generation function 3009A as a 7-digit integer OTP where n is 7. The OTP authentication function should be programmed to verify the
In the embodiment, an OTP generation function that generates a 32-byte OTP using the processes from F100 to F105 and an OTP generation function that generates an n-digit unsigned integer OTP that uses the processes from F100 to F107 are provided in the same contract. It is possible to create an OTP token contract that generates an OTP, and usually authenticates with an OTP generation function of n digits (at least the number of digits is good) and an OTP authentication function corresponding to it, and when performing a highly important operation, data Authentication can also be performed using an OTP generation function of 32 bytes (integer is a maximum of 2 raised to the 256th power, and brute force attacks are assumed to be difficult), which is larger than the amount, and an OTP authentication function corresponding thereto.

In the embodiment of the present invention, Ethereum is used as the blockchain base, the SHA256 function that outputs a return value with a hash value of 32 bytes is used as the hash function fh, and BnTOTP is used without providing the option of F104 in the processing program of the OTP generation function. = fh (A, TIDA, KC, Bn), an OTP generation function that calculates a 32-byte OTP (in FIG. 6A, the function operates through the flowchart in the order of F100, F101, F102, F103, F104, and F105; or 6B, functions that operate through the flowchart in the order of F100, F108, F101, F102, F103, F104, and F105);
An OTP generation function (F100, F101, F102, F103, F104, and F107 in FIG. 6A in the order of F100, F101, F102, F103, F104, and F107 in the flowchart of FIG. or a function that operates through the flowchart in the order of F100, F108, F101, F102, F103, F104, and F107 in FIG. 6B) in the OTP generation token contract. was carried out.
Here, the difference between FIGS. 6A and 6B is that the variables 3017A and 3017AG that store the number of times of execution of the OTP generation function 3009A are stored, and the number of times of execution of the function 3009A is recorded or increased, or It is the presence or absence of change processing F108 such as increase/decrease of numerical balance.
In F101, the user identifier of the function executor (function executor, message sender, msg.sender user identifier) that executes the OTP generation function 3009A of the OTP token from the input argument is associated with the OTP token of token number TIDA. It is determined whether it matches the identifier of the user who owns it (here, user identifier A). Without this process F101, a user who is not the owner of the OTP token can execute the OTP function, so when the message sender executes 3009A, the process of determining whether the message sender is the owner of the OTP token. is required.
In F100, it is also possible to input only TIDA and perform processing. . Since the user identifier of the sender is input to the OTP generation function as A, A is assumed to be used as an argument and described in F101.
(Note) In the conditional statement F101 for OTP token generation, it is judged whether or not the owner of the OTP token is present. It is also possible to generate an OTP using the token number as an argument. The user identifier sender is used to check the token balance (remaining number) of that user identifier (msg.sender=A if the executor is user identifier A), so it can be considered that the user identifier is used for function execution. Maybe. What is described here is only an example.

The hash function fh is SHA256 or SHA-3 of SHA-2 in the embodiment, and MD5, RIPEMD, SHA-1, SHA-2 and SHA-3 can be used. fh may be a cryptographic hash function. For example, when fh is SHA256, BnTOTP=SHA256(A, TIDA, KC, Bn). In the embodiment, the variables are encoded in the order of the arguments, combined, and the hash value of the data is obtained by the SHA256 function or the like.
A specific example is processing such as SHA256 (EncodePacked (A, TIDA, KC, Bn)). Here, the function EncodePacked (WXY, Z) is a function, library, or processing method that wraps (packs) the variables W, X, Y, and Z in order, encodes them, and outputs a message Mes.
If the order in which the arguments are packed by the EncodePacked function changes, the data changes, the internal message Mes changes, and the SHA256 (Mes) argument value changes, so the hash value calculated therefrom also changes. For example, SHA256(EncodePacked(A,TIDA,KC,Bn)) and SHA256(EncodePacked(TIDA,A,KC,Bn)) produce different hash values BnTOTP.

The embodiment described here is characterized in that it is based on TIDA, KC, Bn, and A as arguments. The four variables processed by hash values based on TIDA, KC, Bn, and A may be processed in the OTP generation function and then used as arguments of the hash function fh. That is, in the case of TIDA, KC, Bn, and A, the arguments of the function for calculating the OTP may be derived from the above four.
TIDA and A may lead to personal information, and if the service provider and user agree to use them, A and TIDA can be used, but if not, or the handling of personal information is prohibited by law If it should be strict, it may be necessary to anonymize A and TIDA and use them as arguments of the OTP authentication function. (A, TIDA needs to be used directly as an EOA or token number on Ethereum, and there is a risk that the current blockchain based on Ethereum will not be able to meet that demand.)
Also, from the viewpoint of personal information protection, it is preferable that the blockchain infrastructure is kept secret so that only a few people can understand the transaction sent to the blockchain when purchasing or issuing an OTP. In Ethereum, user identifiers and token numbers of certain contract identifiers can be viewed from all over the world, and by associating that identifier with the user's personal information, it is possible to guess which user is the user of which OTP token service. . The user identifier A, the token number TIDA, and the contract identifier of the OTP token can be retrieved at the server terminal 3F.
In a known example, a service corresponding to terminal 3F is provided as a blockchain search service such as Etherscan and a server terminal for blockchain search that performs it. The terminal 3F may be equipped with a function of restricting searches for privacy protection or the like. For example, when user identifier A accesses and searches 3F, contract identifiers and transaction information related to A can be displayed, and information on transactions and contract identifiers permitted to be disclosed can be viewed.
When the present invention is performed in a public network block chain system such as Ethereum in which all transactions are open to the public, the service provider records the correspondence between user identifier A and user UA when verifying the identity of the user of the user identifier. Service providers and OTP token issuers may be required to manage information so as not to leak it to the outside.
Customer information and services are owned by service providers, OTP tokens are issued by OTP token management organizations, and only service providers and users have a corresponding relationship between the OTP token token number and the user's personal information. It may be possible to protect personal information by not disclosing information to both parties.

<Separation of OTP generation terminal and OTP authentication terminal>
In the present invention, the same terminal 1A can be used as the OTP generation terminal and the OTP authentication terminal. Also, the OTP generation terminal and the OTP authentication terminal can be used separately. In other words, it is possible to use a communicable hardware-type OTP generating mobile terminal 1A having an output device capable of generating and displaying an OTP and a login authentication terminal 4A having an OTP input device for website login.
There are a terminal 1A that generates an OTP, a terminal 3A that has a block chain unit that generates an OTP using an OTP token in the terminal 1A, and a terminal 4A that can access a terminal 3C that handles services such as websites. and terminal 4A are connected to network 20, and after 1A executes the OTP generation function to generate an OTP and output it to output device 15A of terminal 1A, user UA visually checks it and manually operates terminal 4A. After inputting to the input device, the terminal 4A performs OTP authentication using the input OTP, and communicates and exchanges the result with the terminal 3C. According to the authentication result, the terminal 4A can be logged in to provide the service.

<Authentication of one-time password based on time using block number Bn and call of authentication result>
The operation of the OTP authentication function 3018A for verifying and authenticating OTPs described in FIGS. 3AA, 3AB and 3AC is similar to the OTP generation function 3009A, and inside the authentication function 3018A, TIDA, KC, Bn, and A are hashed using fh. VeriBnTOTP=fh (A, TIDA, KC, Bn) is obtained using TIDA, A, and IF statements among the input ArgBnTOTP, which are input as arguments of the one-time password authentication function when the user accesses the server 3A. It is determined whether ArgBnTOTP matches VeriBnTOTP using the conditional expression by , and if they match, a return value indicating successful OTP authentication is returned to the terminal 1A. It is also possible to perform processing when authentication is successful.
If they do not match, a return value indicating that the authentication cannot be performed is returned to the terminal 1A, and processing for the case of the authentication failure is performed. Here, in the above BnTOTP, a 32-byte OTP is generated in the embodiment, but it is the same when BnTOTP is read as an input n-digit password BnTOTP-n to be a 7-digit integer password where n = 7. is. FIGS. 6C-6H show flowcharts for the processing of authentication function 3018A.
Typical connection diagrams of terminals are shown in FIGS. 1A and 1B.

The flow chart of authentication function 3018A shown in FIGS. 6C-6H will now be described. In process F110 of the flowchart, three arguments of user identifier A, token number TIDA, and password ArgOTP are received as argument inputs of OTP authentication function 3018A. Note that the OTP authentication function may take a plurality of arguments such as the fourth or fifth argument depending on the application.

FIG. 6F is one embodiment of the authentication function 3018A, which is a basic processing example. Authentication using the process shown in FIG. 6F can be used for terminal 3C or terminal 3D and decryption of encrypted data. At F110, the user identifier A and the token number TIDA are received as arguments of the authentication function, and VeriOTP is calculated from the arguments at F113. At this time, the block number Bn and secret variable KC value are used. VeriOTP=fh(A, TIDA, KC, Bn) is calculated, and ArgOTP, which is the argument OTP input, and VeriOTP are compared in F114 to see if they match. If they match, it is determined that the authentication is successful, and the process of F116 is performed. If they do not match, the process of F118 is performed. Connection examples of terminals using FIG. 6F are shown in FIGS. 8A, 8B, 8C, and 8D.
The OTP authentication function form of FIG. 6F can be used in terminal 3C or terminal 3D.

FIG. 6D shows a process F115 added to rewrite the variables 3017A, 3017AA, and 3017DA such as true/false values and integers used in the process of FIG. 6F after execution of the OTP authentication function 3018A. is. 3017A, 3017AA, and 3017DA are data such as truth values, integers, and character strings. 3017A, 3017AA, and 3017DA are mapping variables having data types such as true/false value type, unsigned integer type, and character string type with the token number as a key. A mapping variable is just one example, and it is sufficient to record data associated with a token number as a key. Examples of connection of terminals using FIG. 6D are shown in FIGS. 8A, 8B, 8C, and 8D.

FIG. 6C is an example of processing that is assumed to be used for decrypting encrypted data or for logging into a website. FIG. 6C is obtained by adding the processing of F111 to the processing of FIG. 6D. At F111, it is determined whether the executor of the authentication function 3018A is the user identifier A, and if not, the process is interrupted as shown at F117. If the executor of the authentication function 3018A is the user identifier A in F111, the process of the authentication function in F112 is continued, and if the input OTP=ArgOTP is no problem, F113, F114, F115, F116, and F116 are performed. processing takes place. If ArgOTP does not match VeriOTP in F114, the process is interrupted as indicated by F118. FIG. 6E is a flowchart from which processing F115 of FIG. 6C is removed. Examples of terminal connections using FIGS. 6E and 6C are FIGS. 8A, 8C, and 8D, and FIG. 8B can be used in applications where terminal 3D can connect to network 20 and can connect to terminal 3A.

Since the processing method shown in FIGS. 6C and 6E uses the owner information 3014A in the contract regarding the OTP token of 3A, if the terminal on the block chain such as 3A and 3D are connected and the information of 3014A is not synchronized and shared, and the authentication method described in FIG. 6E are not available on terminal 3D. If the terminal 3D is a processing terminal such as a ticket gate or an entrance of a station and is connected to the terminal 3A via the network 20 or has the same block chain recording unit and control unit as the terminal 3A, then FIG. 6C and FIG. The processes of 6E, 6G and 6H are available.
If the terminal 3D is a container such as a safe or an automobile, the network 20 may be affected by restrictions on the power supply device such as a battery installed in the terminal, or by restrictions on the communication device due to the environment where the mobile body on which the terminal is mounted is in an environment where radio waves do not reach. If the connection cannot be made, it is difficult to perform the processes of FIGS. 6C, 6E, 6G and 6H.
Depending on the application of terminal 3D, FIGS. 6C, 6E, 6G, and 6H may or may not be used. 6C, 6E, 6G, and 6H are examples of usage patterns.

6C and 6E have a process F111 for determining whether the user identifier A is the executor (msg.sender) of the authentication function 3018A. By having this process, it is determined whether the user identifier A calculated by the private key 101A possessed by the user at the time of login process to the website is transmitting and executing the message, and the executor of the authentication function without the private key suspends function execution by The difference between FIGS. 6C and 6E is the presence or absence of processing F115 for changing 3017A, 3017AA, and 3017DA when authentication is successful. FIG. 6C has F115 and FIG. 6E does not have F115.

FIGS. 6G and 6H have a process F119 for determining whether the executor of the authentication function 3018A is the holder of the OTP token. This process is similar to the process F101 described in the flowcharts of FIGS. 6A and 6B for the OTP generation function. When a message is sent to the terminal 3A, which is a node of the blockchain, using the secret key 101A possessed by the user at the time of login processing to the website by processing F119, it is determined in F119 whether the user possesses an OTP token with the token number TIDA. , suspends execution of the authentication function by performers who do not have an OTP token. The difference between FIG. 6G and FIG. 6H is the presence or absence of processing F115 for changing 3017A, 3017AA, and 3017DA when authentication is successful. FIG. 6G has F115 and FIG. 6H does not have F115.

<Calling functions of other contracts from a contract>
The contract used in the present invention may be completed with only one smart contract recorded in a certain block number, or a smart contract with another contract identifier recorded in the same block number or recorded in another block number. The processing contents may be separately described in smart contracts with other contract identifiers. For example, a function of contract Y may be called from contract X and used.
For example, in F116 of FIG. 6F, in order to perform the processing of 3022A and 3023A of FIG. 3AB, the contract X having a contract identifier different from the authentication contract 3008AA of the OTP token is accessed, the function Y of the contract X is executed, and then the authentication function 3018A may be output to the terminal 1A.
Alternatively, as another example, a function such as a hash function fh of contract X that performs OTP generation and authentication may be defined in another contract Y so that it can be selected and called like a library.
A cryptographic hash function fh has a stronger hash function fh in preparation for a situation where a plurality of message data are calculated for a single hash value due to an improvement in the performance of a computer terminal, and collision of hash values can occur. Contract Y's hash function fh may be updated for use in calculating the OTP, and Contract X may be able to utilize Contract Y's fh.

<Provision of service using authentication result call>
The OTP authentication function is called to input OTP, A, and TIDA, and the resulting authentication result return value CTAU3021A is used to provide the service.
4A. Website login use, 4B. Use as paper or IC admission tickets, use tickets, and unlocking keys for entrances and building facilities, 4C. Decryption and browsing of encrypted data and files, 4T. The use in broadcasting (distribution of encrypted data by one-to-one non-k number broadcasting) will be described in order.

<4A. Website login purpose>
A TOTP type one-time password token based on the block number Bn among the variables TB that can be changed at a certain time in the blockchain is used for login to websites. If TB has the latest timestamp 3002A on the blockchain, it can also be used as TB.

Block hash Bh (3003A) can also be used for TB, but when using block hash, Ethereum and its smart contract programming language Solidity use block hash values up to the 256th block number counting from the latest block number. It can be called, but at that time it is considered that calculation is performed with the block number Bn as an argument. When considering that Bh is calculated using Bn as an argument, the method using the block hash Bh is the same as the method using the block number Bn.
BnTOTP=(A, TIDA, KC, Bh) and Bh=Blockhash(Bn) when expressed as an expression in the Solidity language. Since the block number Bn is also used when using , BnTOTP=(A, TIDA, KC, Bh) and BnTOTP=(A, TIDA, KC, Bn) are similar calculation methods in terms of arguments. The present invention considers that the method using the block hash value Bh as described above is also a form different from the method using the block number Bn.
It is also possible to use the block hash as TB. Note, however, that block hashes can be manipulated by the administrators of the terminals that make up the nodes. Also, it is a hash value of block data of a certain block number Bn, and although it is dynamic with respect to time, it is not a value that expresses time.

If the block hash Bh is used as the block number of TOTP, it is necessary to record the block hash in a different server terminal or block chain, and to be able to refer to the block hash value from the contract that calculates the TOTP. There may be Also, the block hash is a value that changes every 15 seconds in Ethereum, for example, and if the block hash is used instead of the block number, the calculation becomes complicated when it is desired to extend the time interval for generating and authenticating the OTP.
If it is a block number Bn instead of a block hash Bh, a variable n that increases the display interval based on Bn is used, and as Bn mod n, the remainder m obtained by dividing Bn by n is obtained, and m is subtracted from Bn to obtain Bnr. (As Bn-m=Bnr), Bnr is used instead of Bn as an argument of the hash function that calculates the OTP, and the OTP generation and authentication time is 15 seconds, 30 seconds, 45 seconds, 60 seconds and n. It can be extended by increasing the number, and the block number Bn is preferably used in the present invention because of the simplicity of calculation.

In the block hash Bh as well, Bh can use Bn as an argument to obtain the past block hash Bh, but as described above, the calculation may require Bn. The block hash value Bh itself is a hash value corresponding to data of a certain block number Bn, and the block number is a variable whose numerical value increases with time. Even if the hash value changes or increases, it is not possible to indicate when the hash value was data.
In the present invention, there may be cases where it is better to use Bn and cases where Bh may be used. If all the seed values used in the calculation of the OTP generation function and the OTP authentication function are recorded, there is room for the OTP obtained by the generation function to be authenticated by the authentication function.
Since Bn is proportional to time data, it is preferably used when a service requires a time element, for example, when a time stamp-like element is used. On the other hand, in addition to Bn, or if it is desired to generate an OTP with increased randomness using Bh and use it for logging in to a website, etc., it is also preferable to use Bh.
When an OTP token is used as a pseudo-random number generator, it is possible to add more randomness by using Bh as a seed value for OTP calculation together with a value V determined by voting between DLS node terminals, which will be described later.

When Bh is used as a time stamp, it is not possible to know at what time the block hash Bh is, unless a database of Bh, block data, and block number exists in the terminal that provides the service. In addition, although the frequency of block hash value collisions is considered to be extremely low, when there are two or more block numbers for a certain block hash value Bh, it is difficult to determine which block number time data the generated BnTOTP was. I don't understand. This problem can also occur if the hash function used by the blockchain platform that calculates the block hash value is prone to hash value collisions.

Using the server terminal 3C, the contract 3008AG with the OTP generation function and the contract 3008AA with the OTP authentication function as shown in FIG. Access the blockchain using the contract identifier CPGT3019A of the token containing the OTP generation function and the contract identifier CPAT3020A containing the OTP authentication function, authenticate with the contract CPAT3020A containing the authentication function using the BnTOTP obtained from CPGT3019A, and perform the authentication function When the return value is used for login or operation of the website, login processing is performed using the server terminal 3C (SVLogin).
Here, BnTOTP=(A, TIDA, KC, Bn) may be used, or BnTOTP=fh(A, TIDA, KC, Bn, BC, V), or BnTOTP=fh(A, TIDA, KC, Bn, BSZ) plus the block size BSZ. When the terminals 1A, 1C, 3A, and 3C are connected via the network 20 as shown in FIG. 8A, the value V and the block size BSZ determined between the node groups such as the nodes 3A and 3B of the block chain are pseudo can be used as a random element. A block hash value Bh or the like can also be used. For example, the formula for BnTOTP used in the embodiment of the present invention is BnTOTP=fh (A, TIDA, KC, Bn, BC, V, Bh).
When BSZ varies with V, it is assumed that V=BSZ and BnTOTP=fh(A, TIDA, KC, Bn, BC, BSZ, Bh).

Arguments of the hash function fh of the present invention are A and TIDA, KC, Bn and BC, and V and Bh. A calculation method may be adopted so as to make it difficult to guess how to calculate BnTOTP. The present invention is characterized by having A, TIDA, KC, Bn and A, TIDA, KC, BC as arguments and internal variables necessary for function processing. It is characterized in that variables such as V and Bh can be used.

Further, BnTOTP=fh(A, TIDA, KC, Bn, BC, V, VU[TIDA]) including a mapping variable VU (VU[TIDA]) with a token number TIDA held by the user as a key as a seed value may be used. The argument VU[TIDA], which is a seed value based on voting that can be set by the user, will be described separately.

Terminal 1A obtains the return value of the authentication function, 1A processes the return value according to the program of the website running on 3C (SVLogin), or passes the return value to 3C, and when the authentication result is correct, the internal service of 3C to browse and manipulate content. As an example, Internet banking, membership site, etc. are assumed. If the authentication result is incorrect, login is not allowed.
Also, after obtaining the user's permission at the time of login, blockchain information such as CPGT3019A, TIDA, Bn, and user identifier A, login time information,
An identifier based on an IP address such as an IP address or a hash value of the IP address, location information, an ID unique to the terminal 1A, and sensor values such as the sensor 144A of the input device 14A of the terminal 1A are stored as IPV values in the storage device of 3C. The user identifier A or the token number TIDA is associated with the IPV value in the form of , and stored in the database in a form that can be expressed in a table or the like. FIG. 6X is an example, and any ledger data or database that can record that 3C is being accessed by a plurality of IPVs with respect to a token number or user identifier may be used. Here, the information is collected with the user's consent, and part or all of it is pseudonymized (encrypted) or anonymized and stored.

As in the example shown in FIG. 6X, when a user identifier derived from the same secret key 101A has a different IPV value, that is, when there is access from a different environment, the access from the different environment is assumed to be unauthorized access, and the user UA is leaked and the combination of user identifier A and token number TIDA is notified that there is a suspicion of unauthorized access to user identifier A or token number TIDA and corresponding contact information in the database recorded in terminal 3C. However, the terminal 3C can have a function of prohibiting access according to the user's permission. It is assumed that unauthorized access is prohibited when accessing and manipulating important information for users such as Internet banking.

Depending on the service application, the server terminal 3C may also have a terminal 3C that constructs a database as shown in FIG. 6X and does not provide a function of notifying the user of unauthorized access. For example, when it is a simple membership site or a simple online game site, the server terminal 3C, which has a processing unit and a storage unit for providing services, creates a database for monitoring access from users as shown in FIG. 6X. It is assumed that this may increase the computational resources of the terminal 3C and the capacity of the storage device. And there is a possibility that the cost of using the server terminal 3C will increase.
In addition, the cost for protecting and managing personal information at the server terminal 3C is high. There may also be a desire to provide a login service using an authentication system. In order to meet those demands, there is also a terminal 3C that constructs a database as shown in FIG. 6X and does not provide a function of notifying the user of unauthorized access as an embodiment.

In 3C, the recording of access information in the form of FIG. 6X and the monitoring of unauthorized access are not essential functions for the OTP authentication system. It is a function that can be used after agreeing whether or not it will be done. The present invention can be implemented without recording access information and monitoring unauthorized access in the format of FIG. 6X. However, when the secret key 101A is recorded and used in a plurality of terminals in the OTP authentication system, it is desirable for security to have a function of detecting access from a plurality of different environments as shown in FIG. 6X.

Internet banking is an example of the use of FIG. 8A. At that time, both the terminal 3C that manages the website and customer data and the contract data on the block chain of the terminal 3A can be operated.
In the OTP generation contract (3008AG in FIG. 3AB), the customer generates an OTP, and uses the OTP (mainly BnTOTP, and OWP if it can be renewed periodically), the user identifier, and the token number TIDA as an argument to the authentication function 3018A. can be used to store the number of authentications performed as a variable inside the contract. Furthermore, after execution of 3018A, a mapping variable 3023A with identifier A or token number TIDA as a key is provided, and assets, points, etc., evaluation values, and voting result values corresponding to user identifier A and token number TIDA in 3023A are converted into contracts. It may have a write-save function 3022A. 3023A and 3022A may be included in the authentication contract 3008AA and 3008A, and may be programmed and provided in 3008AA and 3008A so that they can be operated when the authentication function 3018A is successfully authenticated.
Specifically, in Internet banking, membership sites, etc., there is a function 3022A that writes and saves the value 3023A of the asset balance, points, etc. for the token number TIDA of the OTP token held by the user identifier A and the identifier A, and the contract 3023A. may be

<Processing to record the number of times the authentication function is executed when logging in to the website>
When the OTP (BnTOTP and OWP) of the present invention is generated or authenticated, the contract can record the number of times the OTP generation function and the authentication function are executed in the internal variable 3017A or 3017AG or 3017AA. Here, the internal variable 3017A, 3017AG or 3017AA is a variable having a value corresponding to the token number. As an example, the variable 3017A is a mapping type variable with a token number as a key. Any variable that is associated with a token number in a data type such as a structure or a class can be used in the present invention in addition to the mapping type. can.
(The mapping type is one of the types available in the Ethereum smart contract programming language Solidity used in the examples.)

By recording the OTP authentication count or generation count in the internal variable 3017A or 3017AG or 3017AA of the blockchain contract, the private key 101A of the terminal 1A of the user UA is leaked, and the attacker blocks without the user UA knowing. When the private key 101A is used to access the chain and the OTP generation function is executed to generate the OTP, the fact that the OTP generation function was illegally executed and acquired is recorded in 3017A and 3017AG.
The number of executions of the OTP generation function that the user UA should not have executed to obtain the OTP increased (if the 3017A is a point such as the fee required to generate the OTP, the balance will decrease. ) The user UA can detect whether the private key 101A is being used illegally. Alternatively, the transaction at the time of unauthorized use is added to the transaction history of the transaction with the user identifier corresponding to the secret key of 101A.
For detection of the above-mentioned unauthorized use, there are servers 3C and 3D that provide OTP token services, 3F that has a search function such as blockchain transaction, 3E that sells OTP tokens as tickets, etc., advertisement distribution server 5A, and encryption data. The distribution server 5B or the like monitors changes in the block chain part of the terminals 3A and 3B, which are nodes of the block chain, and detects changes in transactions attributed to the user identifier A calculated from the secret key 101 and the contract identifier of the OTP token. and a function to notify the contact information of the user UA.
Not only when the OTP generation function is executed, but also when the OTP authentication function is executed and executed, the user UA's e-mail address, telephone number, SMS (SMS , Short Message Service), a transaction on the blockchain that sends a contact to user identifier A, etc.

In the first embodiment, a method of recording the number of executions of the OTP authentication function while not recording the number of executions of the OTP generation function was examined. When considering sending a transaction that changes the number of generations and authentications to the blockchain, it is better to be able to generate passwords any number of times without counting them. This is because we thought that it would be possible to reduce the load on blockchain resources, storage devices of servers that store and control them, and communication devices. However, for security reasons, it is preferable to record the number of times the one-time password generation function is executed.
As shown in FIGS. 6A and 6F, the OTP generation function and OTP authentication function that perform operations of low importance do not record the number of times the OTP generation function and OTP authentication function are executed. It is better for the authentication function to record the number of times of execution as shown in FIGS. 6B and 6D, and these may be used separately.
F115 in FIGS. 6C, 6D, and 6G is a process performed when the OTP authentication function is executed and the authentication result is correct, and F108 in FIG. 6B is a function for recording the number of times the OTP generation function is executed.
Although not shown in the figure, in correspondence with FIG. 6B, a process of recording only the number of times the OTP authentication function similar to F108 in FIG. 6B is executed separately from F115 in FIGS. It may be included in the authentication function, and when the OTP authentication function is executed and the argument is passed in F110 instead of changing the execution count in F115 at the time of authentication, the process of F115 is executed between F110 and F111. may be installed.
It would be good if the number of times the OTP generation function and the OTP authentication function were executed could be recorded on the blockchain in a tamper-resistant and immutable manner.

Preferably, in the present invention, both the OTP generation function and the authentication function can record the number of times the function has been executed. Unauthorized access can be detected in advance by recording the number of executions of the generated function. Run the OTP generation function to generate a password such as BnTOTP or OWP and use it to run the authentication function. If the user UA's private key 101A is leaked and an attacker tries to gain unauthorized access when following the above procedure, it is assumed that the generation function is first operated.
A server terminal 3F, etc. that can access the blockchain and monitor transactions on the blockchain (for example, a terminal 3C, a terminal 3D, a terminal 3E, a terminal 3F, a terminal 5A that can connect to the network 20 and access the blockchain part of the server terminal 3A) and terminal 5B), changes in the number of executions of the generation function on the blockchain with user identifier A, changes in transactions with user identifier A, or changes in internal tokens used in Ethereum, etc. are sent to the user's phone number, email address, etc. to inform the unauthorized access before the authorization function can be run. When there is unauthorized access, the user UA notifies the service provider of the terminal 3C or terminal 3D and stops using the service.

Terminal 3D may not be able to access network 20 . In that case, 3017A and 3017AG, which are executed when the attacker's terminal accesses the terminal 3A and generates the OWP using the OTP generation function, change. It can be seen that there is a possibility that the information is acquired by a person and recorded on paper or an NFC tag. In this case also, the service provider can be consulted.
The number of authentication records stored in the terminal 3D is also immutable because it is possible to detect tampering by assigning a hash value to each transaction and concatenating and saving the history of user access and authentication to the terminal 3D like a blockchain. A recording part may be preferred. Even if it is not a block chain type, it may be preferable as a means to counter tampering etc. that a MAC value can be assigned and recorded by HMAC periodically or for each specified number of times of authentication as a message of a certain key and authentication data of the terminal 3D.
By providing a variable that records the number of executions in either or both of the OTP authentication function and OTP generation function in this way, it becomes difficult for an attacker to manipulate the user's token without the knowledge of the user UA. Prevent access.

<When the function including the authentication function manipulates the variables inside the contract at the time of authentication>
In relation to the process of recording the number of times the authentication function is executed, the present invention can include the process of manipulating variables inside the contract when the function containing the authentication function is authenticated.
Specifically, the process 3022A that includes the authentication function inside or follows the authentication function is set in the contract, and the internal variable 3023A of the contract can be rewritten when the authentication function is executed in 3022A and the one-time password is authenticated. can. Here, the internal variable 3023A is a variable 3023A having a value corresponding to the user identifier or token number. An example of the variable 3023A is a mapping type variable with a user identifier or token number as a key. In addition to the mapping type, if it is a variable associated with a user identifier or token number in a data type such as a structure or class, It can be used for the present invention.

<Example of Internet banking processing>
As an example of a case where a function including an authentication function manipulates variables inside a contract at the time of authentication, it can be used for a simple Internet banking or a system for using points within the contract. The authentication contract 3008AA can in this case provide OTP authentication functionality and record bank account balance information after authentication. The following example is provided for reference.

In the following 1 to 4, set the customer variables to be used within the contract of the point use system in the Internet banking or authentication contract.
1. A bank account number GKBA (or a point account number GKBA, which may be a token number or a user identifier), which is an identifier for a bank account (point account).
2. A value MIGA obtained by anonymizing the name of the account GKBA (it is not preferable to describe it on a non-confidential blockchain platform without anonymizing the name).
3. Balance ASTA of GKBA's assets. GKBA is a variable described in 3023A and is a mapping variable ASTA [token number] with a token number (or user identifier) as a key.
4. A database GKDB in which a token number TIDA corresponding to GKBA or a user identifier A is associated.
GKBA, MIGA, and ASTA are represented by mapping variables using user identifiers and token numbers as keys. The variables of items 1 to 4 above are set in the contract 3008AA (or 3008A) with the OTP authentication function, and the process of transferring assets to another bank account number GKBA, including the OTP authentication function or authentication process, can be performed. may
(In addition, the account type, transfer limit, account opening date or its block number, and anonymized values of identity verification information may also be required.)

There is a balance ASTA [TIDA] (3023A with TIDA as a key) deposited in the OTP token with the token number TIDA held by the user identifier A,
When user identifier B also has TIDA's OTP token and likewise has a balance ASTA[TIDB], when A wants to transfer the number trs from A's ASTA to B's TIDB token,
The user UA designates part of the balance ASTA [TIDA] (3023A with TIDA as the key) deposited in the OTP token with the token number TIDA possessed by the user identifier A,
There is a function or process 3022A that transfers the balance ASTA [TIDB] (3023A with TIDB as a key) deposited in the OTP token of the token number TIDB possessed by the user identifier B,
The user with the user identifier A performs OTP authentication using the OTP token with the token number TIDA, executes the process 3022A and the process of the authentication function 3018A (the process of incorporating 3018 into 3022A or continuing the process of 3022A after 3018A), and OTP When the authentication result of the function is correct, the process 3022A subtracts trs from the TIDA-keyed mapping variable 3023A to obtain ASTA[TIDA]-trs, and then adds the user identifier of the TIDA owner to the TIDB-keyed mapping variable 3023A. The numerical value can be changed by adding the designated numerical value trs to ASTA[TIDB]+trs, and the numerical value trs can be transferred.
As described above, the OTP authentication system of the present invention can be used to implement a contract for performing financial operations including an OTP authentication function and a contract for exchanging points at member sites.

It is also assumed that the function 3022A and the asset balance 3023A can be browsed or executed by the customer directly accessing the contract.

It is also conceivable that after the bank allows the customer to access the server 3C, the bank side manipulates the customer's asset balance of the contract. In that case, the bank, not the user, receives transaction instructions according to the instructions after authentication on the web application website, etc. when the customer logs in, and performs transfer procedures using a function to rewrite the balance.

Asset balances in internet banking can be recorded in either or both of the server 3C and the authentication contract. As for the above, not only Internet banking but also membership sites, voting sites by members, online game sites, etc. can operate numerical quantity data in the same way.

<Method for judging whether the OTP token for logging in to the member site is valid or invalid>
Uses for logging into websites include membership sites, financial transactions such as Internet banking, web mail, online storage, e-commerce sites (EC sites), social networking service SNS, audio and video distribution sites, online games, and online conference sites. mentioned. A customer can be made to access the server terminal 3C as in the case of a bank. Here, it is conceivable that the right to log in is limited by period or number of times. The following three are shown as embodiments of the present invention.

1. Method of setting time limit for display of one-time password using block number OTP generation of the OTP token can be disabled when the block number specified by the customer after the token is issued is exceeded. This is set as it may be necessary to set an expiration date in the OTP generation part if you want the token to expire within a certain period of time.
A specific example is shown below. Record the block number BnMint at the time of token issuance for a certain token number as a mapping type variable with the token number as a key in the contract that generates the OTP, and display the latest block number Bn at the time of execution in the function that generates the OTP. OTP can be generated within the block number BnValid+BnMint corresponding to the desired period.
For example, when executing a function to generate an OTP, determine whether the current block number Bn satisfies the formula Bn<BnMint+BnValid. By programming the part, the OTP generation of the OTP token is disabled when the specified block number is exceeded.

2. When the contract administrator can rewrite the variable that can be used to determine whether the contract is valid or invalid corresponding to the user's token number.
For a token number TIDA of a certain customer UA, the contract manager assigns a mapping type variable VALID [TIDA] that indicates whether the token associated with TIDA is invalid or valid when the expiration date or service provision is terminated according to the terms and conditions. It can be changed and invalidated as token data with the token switched from being valid to being invalid. This processing corresponds to the operation of cutting a paper ticket at a ticket gate. Alternatively, it corresponds to the action of stamping an admission ticket or cutting a ticket into stubs. Validity or invalidity of the OTP token may be indicated by a true/false value, or may be an electronic money-like numerical value charged in the token. In electronic money-like usage, numerical values can be added or subtracted from the balance.
Here, the token on the blockchain of the present invention is a substitute for books and contents in the real world, paper securities and metal keys, and legal disputes will occur unless the user and the service provider agree. Possibilities remain. In order to avoid concentration of authority, the contract manager and the service provider are separate organizations, and the contract manager who manages terminal 1C rewrites VALID [TIDA] according to the request of the service provider who manages terminals 3C and 3D. You can also disable or enable OTP tokens with If VALID[TIDA] is an integer, the size of the numerical value can be changed, and if VALID[TIDA] is a character string, the character can be changed.

3. When the user can indicate the intention to use the token When the customer UA who owns the token wishes to relinquish the right to use the token or indicates to temporarily stop using the token, the user's secret key 101A is used to indicate the user identifier A. can be displayed by setting the intention field corresponding to the token number TIDA of the OTP token of the contract identifier belonging to the mapping type variable NOTE [TIDA].
Regarding the variable NOTE[TIDA], NOTE[TIDA] is changed by a setter function that can be accessed and changed only by the user with the user identifier A who records the private key 101A and is assigned an OTP token with the token number TIDA to 101A.
It is assumed that the expression of intention is performed with a boolean type variable, a numerical value, or a string variable. If NOTE [TIDA] is of character string type, a free character string can be recorded. In distributed ledgers such as blockchains and DAGs, the transaction data inside the block data of a block that has been linked once cannot be rewritten or falsified, so rather than arbitrary character strings, it is possible to express your intentions using a choice method using boolean variables or numbers. may be preferred.

<Use as voting rights for membership sites, etc.>
For example, in voting, the token of the present invention is used to log in to a website or web application using the token of the present invention and the one-time password authentication system, and vote for the identifier of the candidate to vote on the computer screen, Votes can be recorded in variables of token contracts that generate and authenticate one-time passwords on the blockchain. However, in order to implement the voting function, there is a setter function that confirms that the user identifier A has a token with the token number TIDA in the contract that contains the authentication function, and inputs a value to the variable that will be the voting destination only if it has it. is necessary.
The private key 101A and the declaration of intention field corresponding to the token number TIDA of the OTP token of the contract identifier belonging to the user identifier A are set as a mapping type variable VOTE [TIDA], and the variable VOTE [TIDA] has 101A and is used as the user identifier A. Accessible only by users who have access, and users can cast the value of their votes.
If you want to take a majority vote while keeping the contents of the vote secret, make VOTE [TIDA] a private variable and vote on the blockchain base that can be made anonymous, and use VOTE [TIDA] within the contract of the OTP token. The results should be aggregated. For example, if there are only options 0 to 3, program the setter function of VOTE[TIDA] to accept integers between those digits 0 to 3, and select OTP tokens for options whose digits correspond to 0, 1, 2, 3. By summing up the number of votes (that is, the number of votes of the OTP token), it is possible to check which of the integer options from 0 to 3 is indicated. A program that aggregates VOTE [TIDA] data by reading the blockchain part of nodes 3A and 3B using ECMAScript using terminals 3C and 3F without aggregating VOTE [TIDA] in the OTP token contract. may be used.

<Seed value VU [TIDA] by voting that can be set by the user>
As a method of using the BnTOTP generated by the OTP token to generate a pseudo-random number in the login destination service, it is also possible to use the seed value VU[TIDA] based on voting that can be set by the user.
For example, in the terminal 1A, an OTP token with a token number TIDA is issued to the user identifier A, and the seed value VU[TIDA] based on voting that can be set by the user is added to the seed value of BnTOTP as an argument, for example, BnTOTP=fh(A , TIDA, KC, Bn, BC, V, Bh, VU [TIDA]) can be used as an OTP token for OTP generation, authentication, and website login. BnTOTP=fh(A, TIDA, KC, Bn, BC, V, Bh, VU[TIDA]) can be used as a simple pseudo-random number generator. Here, V is a value V determined by voting (in Ethereum, the BlockGasLimit value is used as V), and Bh is a block hash Bh.

The authentication system and pseudo-random number generator using an OTP token using a seed value VU[TIDA] that can be set by the user can be used for online games (online computer games) that require login to websites, web applications, etc. may be available for By applying the OTP randomness of the OTP token using VU[TIDA], the OTP generated by the OTP token can be further hashed or processed and used as a variable to determine the randomness in the game. It can also be used for purposes other than games.

For example, the seed value KC value (and BC value) can be overwritten if the game manager of terminal 3C is the manager of the contract and can operate terminal 1C, but the OTP of the OTP token that gives randomness to the user in the game is used as a pseudo-random number, a contract administrator may attempt to rewrite the KC or BC in an attempt to maliciously control the future appearance of OTP data generated by a user's OTP token.
Therefore, by providing the contract with a setter function that allows the user with the token number TIDA to rewrite the variable VU [TIDA] that the contract administrator cannot control, the user can set the variable VU [TIDA] that can be rewritten at will. .
By setting a seed value VU [TIDA] that can be set by an external user here, it becomes an OTP calculation method such as BnTOTP = fh (A, TIDA, KC, Bn, BC, V, Bh, VU [TIDA]), Not only the KC value of the contract administrator but also VU[TIDA] exists, and variables that can only be controlled by the user and cannot be controlled by the contract administrator are included in the OTP (BnTOTP), so the VU[TIDA] specified by the user ] value (respecting the user's intention based on the voting value of the transaction sent by the user) or pseudo-random numbers can be generated, and can be used for OTP authentication systems and services using pseudo-random numbers.
To use VU[TIDA], it is necessary to have a setter function that allows only users who have a token with the token number TIDA to change VU[TIDA].
(Vote variables VOTE[TIDA] and VU[TIDA] used in the membership site are treated the same as variables that can be set by the user.)

In a specific implementation, as an example, a hash value of BnTOTPrnv is expressed using SHA256 of SHA-2 as a hash function in the following formula.
BnTOTPrnv = SHA256(EncodePacked(A, TIDA, KC, Bn, V, VU[TIDA])).
Here, the user identifier A, the token number TIDA, the secret variable KC, the latest block number Bn at the time of password generation and authentication,
A value V determined by voting among blockchain nodes, a seed value VU[TIDA] that can be voted for a token with number TIDA owned and used by a user.
BnTOTPrnv can be used as a one-time password for logging in to an online game, or as a numerical value that determines pseudo-randomness within the online game after login.

The one-time password BnTOTP having VU[TIDA] as an argument is a variable that is beyond the control of the administrator of the online game. can't.

As a side note, if the administrator tricks the player into setting a function at the time of deploying the contract so that the administrator can also change VU[TIDA], this premise will be broken. It is preferable to separate the administrator of the game from the one who manages tokens for login and pseudo-random number generation. In addition, the contract is preferably anonymized, and more preferably, the processing contents of the contract can be disclosed except for the anonymized variables and transactions that change the variables. It is preferable that the transactions related to VU [TIDA] set by the user are not allowed to be viewed by anyone other than the set user (secrecy of voted values is maintained, secret voting is possible).
When the present invention is used for the login right of the computer game server of the terminal 3C and a pseudorandom number generator, or when it is used for the ownership of the computer game that can be executed by decrypting the encrypted data on the terminal 4A and the pseudorandom number generator, or the online game The random number control unit of the terminal 3C that distributes may be made partly open source.

As a supplement, in Ethereum used in the embodiment of the present invention, all contract internal variables, functions, processing contents, and transactions can be viewed by external users regardless of whether they are mainnet or testnet, so the contract administrator can view the contract processing. It is difficult to hide the contents.
One of the reasons for setting variables V and VU [TIDA] determined by voting is that, like Ethereum, all transaction and contract variables and processing details are open to the public, and the seed value of a user's one-time password is calculated. Even if it seems possible, by adopting the BlockGasLimit value as V as a value determined by voting between nodes and allowing the user to change VU [TIDA] to any value at any time, the attacker will be able to The purpose is to make it difficult to guess the password of
In order to preferably implement the present invention, a block chain in which contracts and transactions are anonymized is preferable.
In the financial field such as banking, it is highly desirable to construct the authentication system and authentication device of the present invention in a distributed ledger system such as a block chain that is concealed.

As a supplement, when the DAG type is used instead of the blockchain type for the data connection structure of the distributed ledger recording unit 300A, if Bn is not available, the BC that can be changed by the contract manager instead of Bn is used as the OTP calculation seed value. , the variable of the seed value inside the smart contract can be changed by periodically incrementing the value of BC according to the passage of time.
Also, VU[TIDA] can be used as a seed value for OTP calculation, like BC. Not limited to online games, if the service after login requires randomness, a pseudo-random value can be used based on the one-time password generated in the smart contract of the present invention.

<4B. Use as paper or IC admission tickets, use tickets, and unlocking keys for entrances and building facilities>
If the information is printed on paper or the like in a fixed form to generate a password used for entry, etc., there is a possibility that it will be difficult to perform authentication with a one-time password synchronized with the block number Bn. Therefore, a semi-fixed password OWP that is not synchronized with the time corresponding to each token number or each user identifier but can be changed at any time is used. FIG. 8B shows a connection example of terminals and devices. 8B, 3AA, 3AB, 3AC, 3D, and 3DA are mainly used for explanation here.

Specifically, of the variable TB that can be changed at a certain time in the blockchain, instead of the block number Bn, only the user with the user identifier C calculated from the secret key 101C of the terminal 1C that has the authority to manage the contract is Equipped with a function fscb 3012A that can be accessed as a setter, and provided with a variable BC value 3013A that can be rewritten at any time on the blockchain only by the user who manages the contract with the user identifier C, and uses BC instead of the block number Bn. The password OWP is used as a paper or IC admission ticket, a use ticket, and an unlocking key for entrances and building facilities.
Here, OWP is an administrator-changed one-time password, which is a fixed password when the administrator does not change it. OWP can be a dynamic password that approaches TOTP if the administrator updates it periodically (eg, every 10 minutes every 60 seconds). BC may be rewritten by an administrator, a specified user, or all users when OWP is handled in a TOTP-like manner (BnTOTP-like manner).
However, when OWP is used for paper ticket 18A and safe or car key 19A instead of TOTP, if BC is rewritten like TOTP (BnTOTP) in a short period of time, authentication by OWP cannot be performed, so the contract administrator decides whether to change BC and changes it at some time.
When reproducing the OWP using BnTOTP, the remainder r obtained by dividing the block number Bn by the unsigned integer variable M is used, and r is subtracted from Bn to obtain Bnr (Bn−m=Bnr). In calculating the Bnr as BnTOTP=fh(A, TIDA, KC, Bnr) instead of Bn, the variable M is significantly increased and M is manipulated to produce the same It is also possible to generate, display and authenticate the BnTOTP of the value.
In the above BnTOTP, when a certain number of months or years passes and the set block number is exceeded, Bnr changes and BnTOTP automatically changes. However, even in this case, a function similar to the OWP system is required to allow the contract manager to set the KC in case the KC that sets the BnTOTP is leaked. Also, if the terminal 3D cannot connect to the blockchain and cannot measure the correct block number and time, it is difficult to use the BnTOTP method, and it may be preferable to use the OWP method using the OTP authentication function 3018DA set in the terminal 3D. do not have.

To calculate the password OWP, at least the following four variables are used as arguments of the hash function fh to generate the password OWP.
Token number TIDA for one-time password generation,
Secret key information KC recorded in the contract,
Always use three variables, the variable BC that the contract manager can change at any given time.
Then, the user identifier A calculated from the private key 101A of the terminal 1A is added to the fourth variable to make the password unique to the OTP token of the token number TIDA of the user UA.
Using TIDA, KC, BC, and A as arguments of the hash function fh, password OWP=fh (TIDA, KC, BC, A) to generate the hash value OWP, and the OTP generation function uses it as a return value to send the terminal 1A. tell the OWP to Here, OWP can be type-converted as an unsigned integer and, for example, the remainder obtained by dividing a 7-digit password by 10 to the power of 7 can be transmitted as a 7-digit password OWP-n7. Here, the case of n digits instead of 7 digits is expressed as OWP-n. The hash function is SHA256 or SHA-3 in the embodiment.
In the embodiment, the variables are encoded in the order of the arguments, combined, and the hash value of the data is obtained by the SHA256 function or the like. Since the message information changes depending on the encoding order, the hash value also changes depending on the order in which the arguments are encoded.
In the present invention, it is sufficient that the variables for generating the hash value that becomes the password OWP are derived from TIDA, KC, BC, and A. That is, TIDA, KC, BC, and A may be calculated, part of the variable data may be omitted, or data anonymized by hashing with a hash function may be used as an argument.

Importantly, if the user identifier A is added to the variable, a different password OWP is generated because the user identifier part of the seed value for calculating the hash value (argument of the hash function for calculating the OTP) changes when the token is transferred. be.
For example, since user identifiers A, B, and C have different identifiers, when an OTP token that generates an OWP that uses the user identifier as an argument can be transferred from A to B, the OTP generated by user identifier B using the OTP generation function and A The OTPs generated by the OTP generation function have different values.
On the other hand, if the user identifier is not used as an argument for the hash function fh, the contents of the semi-fixed password OWP will not change if the token is transferred to a user with a different user identifier, and the same password value will be shared.
For example, it is the same as transferring a paper with a fixed PIN number that should be kept secret or a metal key that can be easily duplicated. A duplicate key is created based on this, and if the token is in circulation, an unlockable duplicate key can be duplicated countless times during the distribution. In order to prevent duplication of the key information, the user identifier A is included in the argument of the hash function fh that calculates the OTP, or even if the user identifier is not included, the contract administrator manually uses the function fscb 3012A every time It is required to rewrite the BC value 3013A.
If the variable BC is accessed and changed at some approximate time and at approximate time intervals, either manually or by an automated program by the administrator of contract C, then the password OWP is close to TOTP. As an example, the administrator of contract C can use an automated program using pseudo-random numbers to perform periodic renewal approximately once a day, once a week, once a month, or once every several years. It is also assumed that the decision is made using pseudo-random numbers and the seed value is changed (the time to change the seed value is roughly determined, but the detailed change time is determined by random values or human will). This makes it possible to provide a pseudo TOTP-based authentication system with randomness.

<Password OWP authentication and authentication result call>
The password OWP can also be authenticated in the same way as the BnTOTP used for the login process on the website. The user terminal 1A accesses the contract including the OTP generation function of the OWP type OTP token of the terminal 3A and causes the OWP type OTP to be generated by the generation function. Then, access the 3D (access control terminal 3D) that provides the service with the OWP generated by the generation function, the user identifier A, and the token number TIDA, and input it to the argument of the OTP authentication function 3018DA.
Next, TIDA, KC, BC, and A are hashed inside the OTP authentication function 3018A from A, TIDA input as arguments of the OTP authentication function, and ArgOWP (or n-digit integer password ArgOWP-n) input as arguments. VeriOWP (or n-digit integer password VeriOWP-n) is obtained using function fh, and a conditional expression such as an IF statement determines whether ArgOWP (or ArgOWP-n) matches VeriOWP (or VeriOWP-n). , and if they match, it is also possible to carry out processing when authentication is successful. If they do not match, perform the processing for when the authentication failed.
This processing is similar to when logging in to the website distributed by the terminal 3C using BnTOTP, but when logging in to the website distributed by the terminal 3C connected to the network using BnTOTP, the node terminal 3A Although the OTP authentication functions 3018A and 3018AA are used, there is a difference that the OTP authentication function 3018DA is used when presenting the OWP to the terminal 3D that can be disconnected from the network 20. FIG.
(3018A and 3018AA can also be used when terminal 3D is connected to network 20 and can be connected to node 3A.)

<Production and use of valuable paper sheets 18A such as paper tickets using OWP, authentication by digital devices such as IC tags 19A>
Using the terminal 1A and the server 3A through the network 20, the password OWP is generated from the OTP generation function 3009A from the OTP generation contract on the block chain. Then, the generated password OWP, user identifier A, and token number TIDA are printed as a character string or bar code or both on paper or the like using a printer or the like to produce a paper ticket or valuable paper leaf 18A. At this time, the printed 18A contains the OTP generation contract identifier, the OTP generation token and the corresponding service name, the date and time of printing, the expiration date of the valuable paper, the name and contact information of the service provider, the error correction code, the MAC value, etc. may be printed with information necessary to provide the services of
The information contained in the bar code of the valuable paper sheet 18A and the data of the character string information contained in the IC tag 19A may contain delimiters for delimiting the variables OWP, A, and TIDA. Also, part or all of the barcode data may be encrypted in such a way that only the service provider who authenticates knows the encryption key.

When the variables OWP, A, and TIDA included in the valuable paper sheet 18A are displayed and printed as barcodes, they are preferably two-dimensional barcodes, and may be one or more one-dimensional barcodes. It suffices if the element 430D can read the bar code printed or printed on the 18A used for authentication and the numerical value and character string information included in the bar code.

Each variable of OWP, A, and TIDA included in the valuable paper sheet 18A may be displayed as a bar code and displayed on the screen 1500A of the display 150A of 1A. The display contents of 1500A may be printed and used as 18A.
The display screen of 1500A and 18A that printed the display screen of 1500A may transmit the user identifier A, the token number TIDA and the password OWP to the terminal 3D by having the barcode (or character string) read by the terminal 340D.

The information of the user identifier A, the token number TIDA, and the password OWP recorded on the valuable paper sheet 18A may be recorded in the recording device of the NFC tag 19A (IC tag/IC card 19A). Then, 19A may communicate with the terminal 3D via the communication device 32D or 341D of the terminal 3D that provides the service, and transmit the user identifier A, the token number TIDA, and the password OWP to the terminal 3D.

For the user UA who presented the valuable paper sheet 18A to the camera/scanner device 340D of the terminal 3D, or presented the NFC tag 19A to 341D and 32D,
Terminal 3D reads the information of user identifier A, token number TIDA, and password OWP described in 18A via 340D Arguments TIDA and user identifier A of authentication function 3018DA (3018DA in FIG. 3DA) of storage device 30D of terminal 3D , passing a variable as the password ArgOWP,
Inside the OTP authentication function 3018DA, VeriOWP is performed using the seed value of the secret variable such as KC recorded in the terminal 3D for ArgOWP and the user identifier A and the token number TIDA which are arguments of 3018DA according to the processing of the flowchart FIG. 6F or FIG. 6D. and determine whether ArgOWP and VeriOWP input to 3018DA match,
If they match, the return value 3021DA when the OTP authentication succeeds is returned as the return value CTAU of the function, and if 3022DA is to be executed before returning 3021DA, it is executed.
Also, it is determined whether the ArgOWP and VeriOWP input to 3018DA match, and if they do not match, the return value 3021DA when the OTP authentication fails is returned as the return value of the function.

When the terminal 3D obtains 3021DA when the OTP authentication is successful according to the return values 3021DA and 3022DA of the function of 3018DA, the terminal 3D presents the valuable paper sheet 18A to the camera 340D or presents the NFC tag 19A to 341D and 32D. On the other hand, an access control device, a starting device, an opening/closing device, or a locking/unlocking device 350D for locking and unlocking is operated.
When 3021DA is the value when the OTP authentication is successful, the terminal 3D controls the part 350D that performs access control such as opening/closing and locking, and controls the gate device at ticket gates and entrances so that the user UA can enter/exit. Open and close. If the part 350D that performs access control such as locking is a door of a building, a door of an automobile, a prime mover of an automobile, or a starter of a computer, the lock is unlocked to enable use of the device, facility, or equipment. When the locked portion 350D is a container such as a safe, the safe is unlocked.

When 3021DA is the value when the OTP authentication is successful, the terminal 3D can unlock the locked portion 350D and can unlock the surroundings of the user UA and the terminal 3D by light and sound using 351D and 352D. can let you know.
If 3021DA is a value when OTP authentication fails and entry is not possible, 351D or 352D can be used to inform the surroundings of the presence of a user who has failed authentication by emitting light, sound, or a radio signal when OTP authentication fails. can.
Furthermore, the terminal 3D that can use the security camera 342D can also photograph the appearance of the user UA who presents 18A or 19A to the terminal 3D. Applications using 342D include equipment and facilities such as large safes, vaults, computer terminals, industrial processing equipment, locking devices such as building doors, automobile locking devices, ticket gates and entrances (entrance/exit, entrance/exit gates) ).
Examples where it is difficult to use the 342D, and where it may not be used, are locks and entrances of buildings and automobiles where power supply restrictions and privacy are taken into account, and where battery power supply restrictions limit the size of the 342D. Locking devices for containers such as safes (some household safes, handbag safes) that are difficult to install from the inside, and lock-type locking devices (small locks such as padlocks and wire locks).
Surveillance by a camera using 342D is not essential in the present invention, but it is preferably used for security purposes such as ticket gates and entrances.

If there is no device 350D for unlocking the terminal 3D and, for example, when the entrance/exit gate and the ticket gate are guarded by human hands to manage entry and exit, 3021DA is the value when the OTP authentication is successful, 351D and 352D can be used to notify the user UA, users around the terminal 3D, and security personnel that the lock has been unlocked by means of light or sound.
Also, in the case where 3021DA is the value when OTP authentication fails and entrance is not possible, when OTP authentication fails using 351D or 352D, a special light or sound is emitted to indicate a user who has failed authentication. You can make your presence known.
Furthermore, a terminal 3D that can use a security camera 342D can also photograph the appearance of the user UA.

The security camera 342D (342D in FIG. 8B) that records the appearance of the user UA is a necessary function for entrance processing at station ticket gates and entrances. It may not be necessary. Likewise, when the terminal 3D is used for locking a car or a locking device for a building, it may not be installed in consideration of privacy.

Terminal 3D shows the status of service provision by user identifier A, token number TIDA, service provision time T, number of times service was performed 3017DA (or number of times service was performed and price value of the service, user's number when security camera 342D is used). It is preferable that the terminal 3D is provided with a database or a ledger section 3116D for recording in association with appearance information).
In order to record the service provision time correctly, it is necessary to receive JJY, GNSS, NITZ, etc., or manually correct the time of the terminal 3D. When the terminal 3D operates on a battery, it is conceivable that the service provision time T is not recorded because the time information cannot be used due to power restrictions. A terminal 3D built in a safe or the like may not be able to use time information.

However, when the database or ledger unit 3116D is used for a household safe, a hand-held safe, or a lock, the 3116D may not be installed in consideration of the capacity and price of the controller/storage device of the terminal 3D.
Also, from the information of 3116D of the terminal 3D provided in the electronic computer, the locking device of the car or building, or the container such as the safe, how many times the unlocking process and the starting process were performed, or how many times the unlocking process was performed at what time. may be known by the user of the terminal 1A by accessing the terminal 3D using the wired communication device (wireless communication device is also possible) of the terminal 1A. In addition to wired communication, encrypted wireless communication can be performed between the terminal 1A and the terminal 3D to check the status of the 3D and the history of the unlocking process. From the unlocking history of the terminal 3D such as 3116D, it can be known whether or not a user other than the user of 1A has illegally unlocked the terminal 3D using the NFC tag 19A using OWP.
If the terminal 3D is equipped with a camera for reading the unlocking key 18A made of paper or the like, it can be determined whether or not the door is unlocked using the unlocking key 18A made of paper or the like.

When the terminal 3D is used as a terminal at a ticket gate or an entrance, when the terminal 3D is connected to the network 20 and can be connected to the terminal 3A, it monitors unauthorized access and entry in the same manner as the website login monitoring section of the terminal 3C. 301C or 311C can also be provided with a function to do so.
In addition, 3C and 3D can become nodes of the blockchain like 3A and 3B when equipped with a device as a terminal that becomes a node when connected to the network 20. It is also possible to have a unit and a control unit (300D or 300C and 310D or 310C).

When the terminal 3D is used as a ticket gate or entrance, when the 3D is connected to the local area network in the facility where the ticket gate or entrance is located,
Having block chain parts 300D and 310D different from the block data described in 3A and 3B using the same block chain base as the recording part and control part related to the block chain of terminal 3A,
Inside the 300D, an authentication contract similar to 3008AA having an authentication function 3018DA having a hash function fh and seed values KC and BC used for the terminal 1A to access the terminal 3A on the network 20 and generate an OWP is provided. may be provided.
Deploy an OTP generation token contract 3008AG on the terminal 3A, deploy an authentication contract with an OTP authentication function 3018DA that calculates and authenticates the OTP in the same manner as 3008AG on the terminal 3D, and synchronize the seed values of the two contracts. 1500A, 18A, or 19A may be authenticated and processing such as admission may be performed.

<Authentication by digital devices such as IC tags>
The NFC tag 19A is a contact type IC card, a non-contact type IC tag (RFID tag), a non-contact type IC card (RFID card) in which a user identifier, a token number, and a password OWP can be written as a near field communication device (NFC device). ) are available.

The NFC tag 19A can be used in automobiles and the like. The OWP authentication information is transmitted to the terminal 3D mounted on the vehicle by remote control using 19A to the vehicle by encrypted wireless communication, and the OWP is authenticated in 3D to unlock the locking device 350 of the vehicle or the prime mover. 19A is equipped with a battery and an input device such as a push button that can input unlocking or locking or both, and communicates wirelessly when the button is pressed (and the battery A light-emitting element such as a light-emitting diode is provided as an output device indicating whether the battery is exhausted. Here, car keys are one example of 19A and can be used for building doors, safes, or equipment.
For example, if the terminal 3D is a terminal that manages the locking and starting of the automobile, the terminal 3D may be a terminal that unlocks the door of the electric automobile and controls a motor drive circuit that operates the motor of the electric automobile. , a control terminal for a device that unlocks the doors of an engine car (a car that uses a heat engine) and starts the engine electrically, such as a starter motor, or a computer terminal that can control the deceleration or gradual stop of the engine. A terminal 3D that controls a motor or an engine according to cruising distance or speed may be able to eliminate restrictions such as cruising distance and upper speed limits when authentication is possible using the authentication system of the present invention.

A configuration in which the NFC tag 19A does not include a battery or an input/output device is also conceivable. As an example, 19A may be an ISO 14443 type B compliant card-type device or tag-type device.
As a known technology, in the non-contact IC card technology called ISO14443 Type B, an antenna coil for communication and power reception is formed in a card-type or tag-type device. Power is supplied to the NFC tag 19A through the antenna coil of the NFC tag 19A from the NFC tag reader/writer (3D communication device 32D or NFC tag signal receiver 341D in terminal 3D) by electromagnetic induction. do not use

The NFC 19A may have additional necessary information in addition to the OTP authentication of the present invention. Specifically, the NFC tag 19A has a secret key 101A2, OWP type OTP authentication is performed, communication is performed by NFC when the motor is started after the door of the vehicle is unlocked, and the terminal 3D connects to the internetwork 20 using 101A2, At block chain node 3A, perform TOTP authentication using the BnTOTP type OTP token assigned to 101A2, and log in to the operating system of the car in the same way as logging in to the website to start and start the car. You may let In the above case, the condition is that the network 20 can always be connected. It can be used in automobiles connected to the internetwork 20 .
When the automobile performs BnTOTP type authentication to start the prime mover, it is necessary for the user UA to be able to move the automobile using the NFC tag 19A even when the network 20 cannot be used (in the event of a communication failure, disaster, etc.). be. Therefore, OWP type OTP authentication is performed using the user identifier A, token number TIDA, and password OWP stored in the NFC tag 19A. may start the prime mover.

The NFC 19A may include a device and a processing unit that are separately required in addition to the OTP authentication of the present invention. For example, a device that operates as ISO 14443 type B, a wireless communication device for realizing a keyless entry system for automobiles, and processing such as encryption of wireless signals are separately added and used depending on the application.

The radio frequency used by the short-range wireless communication device in the present invention is not particularly limited in the present invention. According to known wireless communication technology, the short-range wireless communication device can use the 130 kHz band, 13.56 MHz band, 433 MHz band, 900 MHz band, 2.4 GHz band, and the like. As for the radio frequency, specifically, the 13.56 MHz band is used for contactless IC tags and NFC tags, but radio frequencies other than 13.56 MHz may be used. For example, the 2.4 GHz band may be used.
Specific examples of standards related to NFC include ISO/IEC18092, ISO14443 type A, ISO14443 type B, etc. as standards for the 13.56 MHz band. In the 2.4 GHz band, there are known wireless communication standards such as IEEE (Institute of Electrical and Electronics Engineers) 802.11 series and 802.15.1 series, which can be used in the present invention.

The NFC tag 19A of the present invention can use the 13.56 MHZ band and the 2.4 GHz band in the embodiment. The NFC tag 19A can communicate with the 3D communication devices 32D and 341D at a distance of about 10 cm according to ISO14443 type B. However, when the NFC tag 19A uses a wireless personal area network (wireless PAN, Wireless Personal Area Network), the communication distance may exceed 10 cm.

An NFC tag 19A may be included in a Wearable Computer terminal. Alternatively, it may be a wearable computer terminal having the function of 19A.
As an example, when there are computer terminal 1A, wearable computer terminal 1B, and NFC tag 19A,
NFC tag 19A is connected as an external storage device of 16B of wearable computer terminal 1B, 19A is connected to 12B instead of 16B,
The terminal 1A accesses the storage device of the NFC tag 19A via the communication device 1B,
It may be possible to write a user identifier, token number, and password OWP necessary for authentication using OWP.
Alternatively, after the wearable computer terminal 1B accesses the server terminal 3A via the internetwork 20 and generates an OWP,
It may be possible to write the previous password OWP, user identifier, and token number.

Although there are no restrictions on the type (purpose of use and shape) of the wearable computer terminal used in the present invention, the smart watch, which is mainly a bracelet type and a wristwatch type (bracelet or type terminal), has the function of the NFC tag 19A. type), ring type (a ring or a ring type terminal provided with an NFC tag 19A), belt type (a belt provided with an NFC tag 19A), clothing type (a NFC tag 19A is attached to or woven into clothing). shoe lasts (equipped with the NFC tag 19A on the surface of the footwear or the insole portion of the shoe with the NFC tag 19A), and the like.

For example, wearable computers related to the human head include hat-type/helmet-type, eyeglass-type/head-mounted-display-type, hearing-aid/earphone-type, mask-type, and accessory-type (pendant, necklace, pocket-watch, etc.) types. As an example of accessories, there is an identification card type neck strap that combines a card case containing an NFC tag 19A as an identification card such as an employee card and a strap for wearing the card case like a pendant.
As wearable computers related to human hands, there are bracelet-type, wrist-watch-type, and glove/glove-type 19A.
As wearable computers related to human feet, there are an anklet type, a sock type, a footwear insole type, and a footwear type 19A having an NFC tag 19A on the surface of the footwear.
There is a belt type 19A that can be worn by wrapping it around a part of the body and a clothing type used for human clothing. The NFC tag 19A may be a seal or tape type NFC tag 19A that is attached to the bare skin of the body or clothes.

From the viewpoint of a device that can be worn but not wearable, a smartphone-type or tablet-type portable computer terminal 4A equipped with an NFC tag 19A may be used, or the NFC tag 19A, which is also an employee ID card, or a wallet-type NFC. A tag 19A or a bag-type NFC tag 19A may be used. 19A can be used for authentication by mounting it inside a certain device or object. Alternatively, the NFC tag 19A provided with adhesive tape or adhesive can be used as the NFC tag 19A attached to the surface of a certain device or object.
(For example, by attaching a sticker type/film type 19A in which the same information as 18A is recorded to a paper ticket 18A with an adhesive double-sided tape or an adhesive, visual inspection by a human eye, reading by a camera, NFC Paper tickets can be produced that can be read by

The wearable computer terminal does not have to use a battery for its power supply, may use a primary battery, or may use a rechargeable secondary battery. As for the charging, it may be charged by wire from the charging source, or may be charged by wireless power transmission. It may be possible to charge using an energy harvesting function provided in the terminal.

The NFC tag 19A may not use a battery as a power supply device, may use a primary battery, or may use a rechargeable secondary battery. As for the charging, it may be charged by wire from the charging source, or may be charged by wireless power transmission. 19A may be charged using the energy harvesting function attached to it.

The NFC tag 19A can erase the password OWP, user identifier, and token number recorded in the storage device. Then, the latest password OWP, user identifier, and token number may be recorded.
However, if the NFC tag 19A is distributed to the service provider, rewriting of the contents of the recording device may be prohibited.

<Production of Valuable Paper Leaf 18A>
Regarding the manufacture of 18A, when the user identifier A, the token number TIDA, and the password OWP are used for authentication, the identifier A, the token number TIDA, and the password OWP are connected with delimiters and the like to form a two-dimensional barcode or a plurality of one-dimensional barcodes. Convert to code and print on paper. At this time, in addition to the barcode, the character string data before conversion into the barcode may be printed on the paper in a readable state together with the barcode.
Also, the contents of the bar code may be encrypted in such a way that only the service provider knows the decryption key. In the examples, a two-dimensional bar code described in Japanese Patent No. 2938338 and the like was used to form a bar code portion of a paper ticket, which was printed with a laser printer or an inkjet printer to produce a paper ticket.

Regardless of the printing method of the printer 152A used for printing 18A or the type of paper used as media, it is necessary that the barcode can be read as the user identifier A, the token number TIDA, and the password OWP using a camera or scanner. If 152A is a thermal printer, the paper may be thermal paper or the like, and the paper ticket of the present invention may be printed and manufactured even in a device using thermal paper such as an automated teller machine ATM connected to a network. can also Also, even in a copying machine connected to a network installed in a store or a facsimile machine connected to a telephone network, printing is possible if an external recording device in which ticket print data is recorded is connected and the ticket data can be read.
Ticket data is issued via the Internet through an encrypted network using a copier or facsimile machine that functions as a computer installed at a store, etc., or data is collected from an external recording device brought into the store by the user. You can read and print.

<Response to environments where digital devices are not available or cannot be used>
In the example of use using OWP (mainly the example of use in FIG. 8B), for users who do not have a digital device, a corporation that issues a token or a corporation that issues a ticket sends the valuable paper 18A or the NFC tag 19A. Manufacture can be performed on behalf of the user, and 18A can be sent to the user by facsimile or mail. 19A can also be mailed. A customer sent 18A or 19A can use a service providing window or device provided with terminal 3D by presenting 18A or 19A.

For example, if the customer does not have the internetwork 20, the computer terminal 1A, or a printer that can be connected to the terminal 1A, but has only a telephone line and a facsimile machine, the service provider promises confidentiality and the customer's password OWP, etc. It is also possible to inquire from the customer about the data necessary for preparing the paper ticket of the present invention, send the ticket data based on the customer's facsimile number, and output the paper ticket by facsimile.

<Request for production of 18A and 19A when there is no digital device>
In the case where the user does not have a digital device and does not have the device 1A or printer, a service provider who can manage the customer's token makes a contract by mail or telephone. Here, the service provider (or a token storage company independent of the service provider) may send the character string of the user's private key, the user identifier, etc. by letter. The service provider sells tickets and issues private keys for issuing tokens. Ticket data can be created, sent to the user's facsimile number, and paper tickets produced at the user's facsimile. If there is no facsimile and only a telephone number, a paper ticket (or an IC card or IC tag type ticket) will be handed over in the form of a letter by mail or by hand.
(If the token is a ticket, the paper on which the token and the password OWP generated from it are printed is valuable and may require a license to manage it. In addition, the private key is shared between the service provider and the user. , may also require qualification.)

A specific description will be given. When the user UA wants to obtain 18A or 19A to be presented on the terminal 3D of the service provider, the user UA may not have the terminals 1A or 4A, nor the telephone line, and may not be able to connect to the network 20. In the above case, the user UA has the private key 101A issued to a reliable third party UB, entrusts the private key 101A to the third party UB, requests storage and operation of the private key 101A, and a token number corresponding to the service. The OTP token of TIDA is issued by applying it to the user identifier A of 101A.
Then, the third party UB uses the OTP token issued to the user identifier A to access the blockchain of the server 3A, acquire the OWP from the OTP generation function, manufacture 18A and 19A, and specify the address specified by the user UA. Can be mailed to location. You may attach the letter which recorded 101A with 19A and 18A at the time of mail delivery. A third party UB may provide 18A and 19A directly to the user UA at the store. (There is no technical problem with this mode of operation, but the third party UB who can entrust the private key 101A may be regulated by law and may be required to be qualified.)

Also, if the third party 101B issues an OTP token with the token number TIDA under the name of the user identifier B, issues 18A or 19A from the OWP of the token, and mails it to the address or place specified by the user UA. good. A third party UB may provide 18A and 19A directly to the user UA at the store. (There is no technical problem with this operation mode, but the third party UB who keeps the OTP token of the token number TIDA of the user UA may be regulated by law and may require qualification.)

1A capable of displaying 1500A can be mailed and distributed instead of mailing valuable paper sheets 18A and NFC tags 19A. A customer who does not have a device such as the terminal 1A asks a third party UB (here, including a telecommunications company, a computer, or a smartphone manufacturing and sales company) based on a telephone conversation or a conversation at a store to purchase the terminal 1A and something. At the same time, the third party UB sells the terminal 1A capable of displaying 1500A to the user UA, and the terminal 1A capable of displaying 1500A can be purchased at the address of the user UA, a designated address, or directly at a store counter. You can pass it.

<Ticket issuing device in store>
Purchase and issuance of OTP tokens for users who do not have digital devices at stores (e.g., convenience stores, etc.) where network-connected ATM terminals and terminals equipped with printing devices are installed. and valuable paper leaf 18A such as a ticket may be manufactured.
Specifically, after paying for a ticket or other fee at a store, etc., the customer information (user identifier A, which is the issuer of the OTP token) is entered, and the secret key 101A to the blockchain and the character string information of the user identifier A are entered. , password OWP and other character strings and bar code information necessary for the paper ticket are printed on the paper ticket and output to the user.
If you want to make a ticket using that terminal again next time, you can use the camera or scanner of the terminal to read the information of the user identifier A or the display part of the terminal 1A in the form of a bar code, or manually enter the token. Token is issued for a new ticket by specifying the user identifier of the issuer.
(If the ATM terminal can identify the user UA and the user identifier A for issuing the OTP token is determined, the OTP token and 18A can be issued using biometric authentication means such as face authentication provided in the ATM terminal. However, in that case, biometric authentication is used, so it may be necessary to anonymize personal information so that it is not possible to know who is using the OTP token for which service.)

Here, from the viewpoint of automating and speeding up the processing of the service providing terminal and increasing the number of tickets that can be handled at the entrance/exit gate and the ticket gate, information such as the secret key 101A and the user identifier A can be captured by a camera/scanner 430D. It may be preferable to record the image on an IC card and perform wireless communication using the NFC tag 19A or the like rather than the method of photographing. The IC card 19A may be a credit card, a debit card, a prepaid card, or the like, which may have functions related to payment, or may be an IC credit card using NFC that enables contactless payment. 19A may be an identification card using NFC such as a personal number card.

19A may record private key 101A. However, when recording the private key 101A in 19A, it is necessary that the private key 101A is not leaked to the store, other customers in the store, or via NFC. By encrypting 19A with a PIN, it is necessary to encrypt and record private key 101A so that 101A cannot be read by others.

Therefore, it is conceivable that the IC card 19A or the NFC tag 19A does not include the private key 101A, but only the user identifier A generated from the private key through the public key. In this case, the secret key 101A and the user identifier A generated according to the block chain-based format are recorded on paper or the like, and only the user identifier A is read in the form of a barcode by an IC card issuing device or issuing company, and the user An IC card or the like 19A having a credit card/prepaid card function recorded with an identifier A is issued, and an OTP token is issued to generate an OWP at an ATM or similar terminal at a store, etc., and a password OWP based on the OTP token is included. The printing and issuing of valuable paper sheets 18A such as paper tickets can be performed from the input screen after the non-contact IC card is held over the terminal and accessed from the terminal.
The present invention can be applied not only to tickets, but also to paper coupons and other valuable paper sheets 18A, as long as services can be provided using the authentication of the present invention.

<Usage and application of valuable paper sheet 18A and NFC tag 19A>
The two-dimensional barcode recorded on the valuable paper sheet 18A is scanned using a camera or the like, and the service provider uses the camera to detect three variables of the user identifier A, the token number TIDA, and the password OWP from the barcode. The above three variables are input to the terminal 3D and authenticated using the authentication function 3018DA built in the terminal 3D.
Alternatively, when the terminal 3D can connect to the node terminal 3A via the network 20, the above three variables are input to a web application or the like, the web application queries the blockchain contract, and the three arguments are input to the authentication function 3018A. .
Here, the reason for using a two-dimensional barcode in the process of performing authentication processing by the authentication function of the 3018DA or 3018A on the terminal 3D is that the two-dimensional barcode is recognized by a camera or the like, and three authentication variables are input to the terminal 3D. It is for automating (and speeding up) so that the authentication result can be obtained by having it performed.

Scan 18A with only a character string using an A4 paper size image scanner, image-recognize the character string from the scanned information, and if the user identifier A, token number TIDA, and password OWP can be identified, a two-dimensional barcode can be input to terminal 3D without

If the total number of users that must be provided with the service is small, even if a ticket with no barcode and only a character string is presented, if the corresponding service provider has sufficient labor, human Authentication can be performed by manually substituting the user identifier A, token number TIDA, and password OWP into the arguments of the authentication function of the terminal 3A or terminal 3D. (Also, if a character string is also written on a paper ticket on which the printed part of the two-dimensional bar code cannot be read, the authentication work can be done by the service provider's hand.)

Information such as the user identifier A, the token number TIDA, and the password OWP can be recorded in the form of printing on the valuable paper sheet 18A. The password OWP may be saved. Similarly, the card-type NFC tag 19A or NFC card 19A may also be provided with a magnetic stripe, and may record information such as the user identifier A, token number TIDA, and password OWP.

OTP corresponding to the user identifier A of the user UA who is the user of the terminal 3D, which is a locking device for a door of a building, a locking device for a vehicle, or a locking device for a container such as a safe, and the manufacturing number, serial number, etc. of the locking device terminal 3D. The token number TIDA of the token may be recorded in the terminal 3D.

Record the user identifier A and the token number TIDA of the user UA in the storage device 30D of the terminal 3D, and use them to check whether they match the user identifier information and the token number that were input before performing the authentication process using the 3018DA. Thus, it is possible to accept only the OWP of the user identifier or token number of the user UA recorded in 30D that should be used originally.

The user UA records the user identifier A and the token number TIDA of the user UA in the storage device 30D of the terminal 3D in the terminal 3D, and uses it to store the user identifier information and the token input before performing the authentication process using the 3018DA. By checking whether the OTP token matches the number, even if the OTP token is transferred from the user UB to the UA, the user identifier B known by the user UB before the transfer, the token number TIDA, and the NFC tag 19A created from the OWP cannot be unlocked. You can also make it disappear.

There is a wired communication terminal of a communication device 32D that can access the terminal 3D when a container such as a door of a building or a safe is unlocked. is stored in the recording unit 30D of the terminal 3D, the NFC tag 19A in which the user identifier A, the token number TIDA, and the password OWP are recorded is held over the terminal 3D, and the user identifier A, the token number TIDA, and the password recorded in 19A are recorded. OWP is collated with the user identifier A and the token number TIDA recorded in 30D, and if the user identifier A or the token number TIDA matches the value recorded in 30D, the authentication function 3018DA is operated, and the user identifier A and the token The number TIDA and the password OWP are verified using the 3018DA to see if the OWP is correct, and if correct, the lock is unlocked.
A user identifier and a token number can be freely set from the 32D wired communication terminal. The token is transferred to terminal 1B of UB, and UB uses the wired communication terminal part of the unlocked safe to set user identifier B and token number TIDA. The generated OWP can be used to unlock the terminal 3D. Here, the terminal 3D no longer accepts the user identifier A of the user UA, the original owner, and cannot use the OWP held (stored) in the terminal 1A of the user UA.

The token number recorded in 30D of terminal 3D may correspond to the manufacturing number of the locking device for security reasons in the locking device for operating the authentication function 3018DA.
For example, in the case of a car, the serial number of the car and the token number are associated with each other, and the token number corresponding to the serial number of the car is recorded in the ROM that can be written only once in the storage device 32D of the terminal 3D. The number may be read out and programmed to always be used as the token number of the argument of the authentication function of the 3018DA.
Here, the ROM is integrated as a storage device 32D of the terminal 3D as a terminal that controls the prime mover and the automobile, and is sealed with resin or the like so that the ROM information and the ROM itself cannot be replaced by malicious attackers. is preferred. If the token number of the OTP token and the manufacturing number of the car always match, it may be useful for car distribution management and crime prevention.

When the terminal 3D is incorporated in a locked device, a communication device 32D or an input device or an output device is provided in a portion that can be accessed by unlocking the device. A user identifier, token number, and secret variables KC and BC are recorded in the 3D storage device, and the user identifier, token number, and secret variables KC and BC are stored in a part that can be accessed by unlocking from a communication device or an input device. can be rewritten.

When the terminal 3D is incorporated in a locked device, a communication device with the NFC tag 19A is installed in a portion that cannot be accessed by unlocking (in the case of a safe, the surface on which key input buttons such as numeric keypad and push-type safes are installed). (or camera reader) and an output device.

The locking device based on the NFC tag 19A and terminal 3D of the present invention may be combined with known locking schemes. As a specific example, when the present invention is used for a safe, locking by the NFC tag 19A and terminal 3D of the present invention, a locking method using a dial lock or a key and a cylinder lock, or locking using a password result by a ten-key type push button method, or a locking method using biometric authentication using a biometric sensor in the terminal 3D. Not only safes but also other embodiments may be combined with known locking systems.
For example, it may be combined with a metal key in an automobile. In that case, the cruising distance after starting the prime mover is set with the metal key of the automobile, and when using the NFC tag 19A, the cruising distance is longer than with the metal key, or the cruising distance is limited. You can take measures such as eliminating
If it is possible to connect to the network 20, when authentication such as login to the website by BnTOTP is completed, the cruising distance limit is removed, and when the lock is unlocked at 19A, 100 km is permitted as an example. It is also conceivable to set such that when the door is unlocked with the key of , the vehicle is permitted to travel 50 km.

Examples of applications include not only automobiles and safes, but also airplanes, ships, agricultural machinery, forestry machinery, and heavy machinery. It may be used as a locking device for doors of buildings, locks for storehouses and warehouses, and locking and starting devices for processing equipment, industrial equipment, and computer terminals. It can be used for machines, devices or facilities, installations and vessels that can incorporate terminal 3D for access control.

<IC-type tag-type unlocking key and buildings and facilities unlocked using it>
The authentication system using digital devices such as IC tags of the present invention is used for buildings, vaults, automobiles, and other objects equipped with a power source, and the terminal 3D makes extensive use of input/output devices and storage devices such as security cameras to encourage users to unlock. The user can be made to perform the unlocking operation while monitoring. When a battery with a limited capacity is used as a power source for the terminal 3D, for example, when a battery is provided in a home safe, a hand-held safe, or a lock, the battery capacity may limit operation.
For example, when the terminal 3D is a container such as a safe, when the power supply device 37D of the terminal 3D is driven by a battery, a power storage device such as a primary battery or a secondary battery can be used. When a secondary battery is used, a charging terminal capable of charging a portion accessible to the terminal 3D by unlocking the locked portion, or a portion capable of being charged by wireless power transmission may be provided. Alternatively, even if the inside of the safe with the locked terminal 3D cannot be accessed, the terminal 3D inside may be charged from the locked surface by wireless power transmission. Then, it may be possible to charge using a power generation function such as a handle-type hand-cranked power generation connected to the terminal or an energy harvesting function.
Furthermore, the terminal 3D may be provided with a terminal having a function of only charging on a locked surface (an access-uncontrolled surface). If the Terminal 3D has a terminal that only performs charging on a locked surface, a protection circuit that does not affect the operation of the Terminal 3D even if AC power or high voltage is applied to the charging terminal is added to the charging function. You may have the power supply device 37D carried with it.

Here, it is preferable that the terminal 3D that controls the locks of facilities such as buildings and automobiles is connected to the network 20 . This is because KC and BC that perform OWP calculation of the authentication function 3018DA of the terminal 3D can be changed via the network 20 . KC and BC may be changed during periodic inspections of buildings and the like, vehicle inspections, and the like. Operation is performed so that the seed value of the computer terminal 3D that controls the lock and the seed value of the one-time password generation token that generates the OWP used for the key 19A match.

<Means for Performing OTP Authentication at Terminal 3D Disconnected from Internetwork 20>
Even if it is not possible to connect to the network 20, there is a ground station or a satellite station (for example, the broadcasting station terminal 5C, which is a satellite type terminal) that can broadcast the block number Bn of the block chain, and the block number Bn from the broadcasting station terminal 5C (or block time stamp) or broadcast data such as BC value or encrypted KC value may be received by terminal 3D and terminal 1A, and BnTOTP type and OWP type authentication may be performed between terminal 1A and terminal 3D. In this case, the terminal 1A has software capable of using a function corresponding to the OTP generation function 3009A, and the terminal 3D has an OTP authentication function 3018DA. When the block number Bn is broadcast, the computer controlling the lock in the area where the broadcast can be received authenticates with the block number-based one-time password BnTOTP, unlocks the lock, and can drive the device. Become.

Terminal 1A and terminal 3D use block number Bn or BC to decrypt the KC value using the key information recorded in terminal 3D or terminal 1A, so that BnTOTP=fh (A, TIDA, KC, Bn) or OWP=fh (A, TIDA, KC, BC) is generated at the terminal 1A, A or TIDA and OWP or BnTOTP are input to the terminal 3D via the communication device of the terminal 1A and the terminal 3D, and as an argument of the 3D authentication function 3018DA There is room for verification and authentication of the OWP by inputting it.

It is also envisioned to obtain block numbers and time information and encrypted KC values from radio stations such as NITZ, JJY, GNSS, radio stations, time signals from television stations. Although the user owns the smartphone terminal 1A, it is assumed that the vehicle may not necessarily be equipped with communication functions equivalent to those of a smartphone. You may transmit it to terminal 3D using a communication apparatus. When using time information such as GNSS, it is also possible to use it for a one-time password based on the time information data Tm of GNSS. In that case, it is necessary to change BnTOTP=fh(A, TIDA, KC, Bn) to TOTP=fh(A, TIDA, KC, Tm) at the time of one-time password generation and authentication.
However, the user identifier A and the token number TIDA are necessary even when using the time Tm obtained from a broadcasting station such as GNSS, JJY, or NITZ or a wireless communication station.
In principle, the OTP token is originally operated by connecting to a block chain node such as the terminal 3A to issue or transfer the OTP token and perform the OTP generation function.

<One-time password lock facility with time information receiver>
Also, when the one-time password authentication function of the present invention is used in equipment, it is necessary to suppress consumption of batteries attached to locking devices in the equipment. It is difficult to connect to the network all the time due to the capacity of the battery. For example, the above-mentioned block number Bn is transmitted to a plurality of terminals including the terminal 1A by data broadcasting, and the terminal 1A receives the block number Bn and transmits it to the terminal 3D to authenticate the BnTOTP type one-time password. (however, the KC value must be updated manually or via broadcast data).

<When adding the block number Bnp at the time of obtaining the one-time password to the argument of the authentication function>
There is a method of using the one-time password BnTOTP even when there is no time data transmission station or communication device such as GNSS.
A one-time password authentication function based on block number Bn requires at least two of token number TIDA and one-time password BnTOTP. It is conceivable that the block number Bn and the time information from the internetwork 20, GNSS, etc. cannot be received by the locking device of the building equipment including the processing unit that has the authentication function 3018DA and performs the authentication process and the entrance window.

In order to cope with the case where block number and time information cannot be received from Internet communication or GNSS, etc., when generating a one-time password BnTOTP = fh (TIDA, KC, Bnp) with the one-time password generation function, the password The block number Bnp at the time of acquisition, the token number TIDA, and the one-time password BnTOTP are recorded on the valuable paper sheet 18A or the NFC tag 19A as bar code or character string information.
In the case of 18A barcode, it is read by 340D such as a 3D camera, in the case of NFC tag 19A, it is read by 32D and 341D of 19A 3D communication device, and in the case of character strings, it is necessary to enter a computer into a locked facility with a keyboard or the like. Equipped as an output device, the display of the output device or the like prompts for the input of arguments used in the authentication function.
When Bnp, TIDA, and BnTOTP are input to the authentication function 3018DA, and those arguments are verified by the authentication function and match the BnTOTP input to the argument and the one-time password calculated by the authentication function, the authentication result is correct. The value is passed to the authentication function 3018DA of the program (unlocking program) used for unlocking inside the computer terminal 3D, and as a result of authentication by 3018DA, if BnTOTP, TIDA, and Bnp are correct, an unlocking signal is sent to the locking device to lock. release.

Here, the case where BnTOTP is generated as fh (TIDA, KC, Bnp) has been described, but by adding the user identifier A to the argument of the hash function fh (TIDA, KC, Bnp), BnTOTP = fh (A, TIDA, KC , Bnp), output and recorded as user identifier A, block number Bnp, token number TIDA, and one-time password BnTOTP on paper 18A or NFC tag 19A, and use these 18A and 19A for authentication to terminal 3D good too. Authentication may be performed by inputting Bnp, A, TIDA, and BnTOTP to the authentication function 3018DA. 1500A that also records and displays Bnp may be used instead of 18A.

When calculating as BnTOTP=fh (TIDA, KC, Bnp) or BnTOTP=fh (A, TIDA, KC, Bnp), the OTP token is OTP generated by TIDA of user identifier A at the block number with the value of Bnp. However, if the Bnp number is a block number value significantly smaller than the latest block number Bn and is an old block number value, and before the user transfers the OTP token to someone, BnTOTP = fh ( TIDA , KC, Bnp) and BnTOTP = fh (A, TIDA, KC, Bnp), output user identifier A, block number Bnp, token number TIDA, and one-time password BnTOTP. Suppose that the OTP token that has been released from the
In this case, the user UA after the transfer may be able to unlock the car even though he or she does not have the OTP token (the access right called the OTP token or the car key or ownership information on the blockchain). Therefore, when using the above method, the time information Tm such as GNSS and the broadcast block numbers Bn and Bnp are compared with the estimated time Tp at which BnTOTP was generated based on a certain threshold L, and the difference between Tm and Tp is L, or when the broadcast Bn and Bnp values are greater than the threshold L, it can be stored as a program in the authentication function 3018DA or the recording unit of the terminal 3D so as not to accept authentication based on the Bnp and BnTOTP values.
In addition, nonvolatile memory (nonvolatile memory such as flash memory, ferroelectric memory, magnetoresistive memory, phase change memory, and resistance change memory) that records the time information received by GNSS inside the terminal 3D and has a large number of rewrites can be installed in the terminal. A memory part in which a malicious attacker records the time information of the terminal 3D by using the non-volatile memory such as the resistance change memory and the ferroelectric memory, which has a large number of times of reading and writing, as the time information recording device of the GNSS. It is required to seal the information so that it cannot be accessed and tampered with.

<When setting a different mapping type secret variable KCA for each user identifier or token>
When updating the secret key variable KC of the terminal 3D built in equipment not connected to the network 20, the user or service provider accesses the wireless and wired communication devices of the terminal 3D and individually updates the KC value. There is a need to. In the case of a terminal 3D that cannot receive broadcast time information and KC values or connect to the network 20, it is difficult for the owner of the contract to change the time to an arbitrary time.
If a single KC value is used for the OTP token included in the contract and all locking terminals 3D corresponding to the OTP token, if the KC information is leaked, the KC of all offline locking devices will be individually It may need to be rewritten.
In order to prevent this, it is conceivable to set multiple values for the KC according to the token number and user identifier. As an example, it is possible to set a secret key variable KCA unique to the token number TIDA. As a specific example, there is a mapping type variable KCA[TIDA] whose key is the token number TIDA. Any type other than the mapping type may be used as long as the KCA can be set using TIDA as a key.
In the OTP generation and authentication, the argument KC of the hash function fh (TIDA, KC, Bn) may be replaced with KCA, and BnTOTP=fh (TIDA, KCA[TIDA], Bn) may be used for OTP generation and authentication. =fh(A, TIDA, KCA[TIDA], Bn). OWP=fh(A, TIDA, KCA[TIDA], BC).
When setting a different KCA for each token, the secret variable KCA must be recorded according to the number of tokens issued to the blockchain contract. This could generate a lot of transactions on the blockchain and increase the total amount of data on the blockchain.
A user identifier may be added as BnTOTP=fh(A, TIDA, KCA[TIDA], Bn). The form of OWP=fh(A, TIDA, KCA[TIDA], BC) can be used not only in terminal 3D but also in other embodiments of the present invention. For example, it can be used to access the terminal 3C, and it can also be used to decrypt the encrypted data in the terminal 4A using the software 403A. As with KC, a mapping variable KCA with a token number as a key is also used by the contract administrator to change or update the KCA value of a certain token number used in the calculation of the OTP generation function and OTP authentication function using a setter function. good too.

<Offline type locking device capable of updating secret variable KC>
In updating the KC, the terminal 3D equipped with the authentication system of the present invention used for locking buildings and facilities is equipped with a contact or non-contact communication device, and information for updating the KC inside the terminal 3D that operates the locking device. can be entered. It is assumed here that the user who has purchased the locking device performs the update work. A method of accessing the locking device and its computer terminal 3D from the user's terminal 1A or the like and updating the KC value distributed by the manufacturer of the 3D (for example, by installing the encrypted distributed KC value) can be considered.

<OWP token without user identifier A>
For BnTOTP type tokens, if the user identifier A is not in the argument of the hash function that performs OTP calculation, BnTOTP=fh (TIDA, KC, Bn), and BnTOTP=fh (TIDA, KC, Bn) is 15 seconds. It is updated at regular intervals such as, so it can be used. On the other hand, when the user identifier A is not an argument of the hash function with an OWP type token, the OTP token will not be distributed unless BC in OWP = fh (TIDA, KC, BC) is changed periodically by the contract administrator. It is assumed that OWP values are known to many people at times.
When generating an OWP according to the present invention, there may be a case where the identifier A is not used at all after recognizing the risk of not using the user identifier (that is, the one-time password is generated with only the token number without including the user identifier). Embodiment of the present invention for authentication). According to the wishes of the service provider, the present invention may be provided in a form in which the user identifier A is not used and only the token number TIDA is used to protect personal information, and the OWP is leaked while being transferred and distributed. do not have.
In this case, the holder of the paper ticket of the present invention cannot enter unless he/she can confirm possession on the blockchain with the help of the staff at the ticket gate or the entrance counter, but the service provider permits it by agreement etc. and distributes the token. If you have a contract to provide services to those who know OWP during A service is assumed in which a plurality of users look around the coupon code OWPcp, and the users present the OWPcp to the service provider's store, etc., to receive a privilege. ).
Since the present invention is intended to be useful in providing services by authenticating and agreeing between service providers and users, even under conditions where OWP is likely to be leaked, it is possible to meet the wishes of service providers. provided. It can also be customized.
On the other hand, service providers need to disclose and display what variables are used among the variables provided to users when using contracts on the blockchain, such as token numbers and user identifiers, which belong to users. There is

It should be noted that the present invention relates to the terminal 3D as an authentication device. There is still room for a user who has lost the key 101A or OTP data for unlocking to request a contract manager or vendor to unlock facilities, safes, buildings, and the like.

<Ticket issuing server terminal>
The ticket issuing server terminal 3E is connected via a network 20 to terminals such as ATMs in stores, terminals 1A, 1B, administrator terminal 1C, terminal 4A, blockchain node terminals 3A and 3B, and blockchain search server 3F. Although the terminal 3D may also be connected to the network 20 here, it is not assumed that the terminal 3D is always connected.

The ticket issuing server 3E allows the user UA to operate a terminal such as an ATM in the store or the terminal 1A, search for an OTP token corresponding to the service, purchase the OTP token using the electronic commerce function, and obtain the user identifier A specified by the user UA. to issue an OTP token.
Then, the ticket issuing server 3E sends the OTP token corresponding to the service purchased by the UA to the contract administrator UC and the contract administrator terminal 1C for the user identifier A. It instructs to issue an OTP token with token number TIDA. (The token number TIDA may be determined by the contract administrator.)
The contract manager terminal 1C accesses the block chain part of the node terminal 3A according to the instructions of the ticket issuing server 3E using the contract manager's private key 101C, and enters the user identifier A and the token number TIDA into the token issuance function of the OTP token contract. Enter other OTP token information (OTP token URI information, serial number, valid/invalid true/false value, remarks, etc.) as arguments, send the execution transaction of the OTP token issuing function to 3A's blockchain section after signing, The OTP token with the token number TIDA is issued to the user identifier A by collecting the transactions into block data and linking them to the block chain.
The user who has issued the OTP token is notified by e-mail, telephone number SMS, or mail delivery that the OTP token of token number TIDA has been issued through the contract manager terminal 1C or the ticket issuing server 3E.

<4C. Decryption and Use of Encrypted Data and Files>
As shown in FIG. 1B, in the present invention, the OTP authentication system of the present invention shown in FIGS. 8A and 8B is applied, and terminal 4A having encrypted data 4034A distributed from terminal 5B or the like is transmitted via network 20 to terminal 3A. and acquire the authentication return value 4031A using the OTP authentication system using the blockchain of the present invention, and the software 403A (403A described in FIG. 4B, 403A is software CRHN) uses at least 4031A, preferably 4032A and 40302A, a common key (symmetric key) 4033A for decrypting encrypted data and encrypting plaintext data according to the processing of the software 403A program is calculated based on multiple key information such as 40302A, decrypts the encrypted data, and uses the plaintext data. enable

The OTP authentication system of the present invention is an access control technology, and the embodiments shown in FIGS. 1B, 8C and 8D are different embodiments from FIGS. 8A and 8B.
In FIGS. 1A, 8A, and 8B, the terminal 3C and the terminal 3D are objects to be accessed by OTP authentication. However, in FIG. 1B, FIG. 8C, and FIG. 8D, the object to be accessed by OTP authentication is not the terminal but the encrypted data, and the terminal 3C and 3D do not exist, and the terminal 4A and the server terminal that is the node of the block chain are not present. 3A and network 20, encrypted data 4034A, software 403A, return values after OTP authentication 4031A, 4032A, and 40302A are stored in the recording device of terminal 4A. It is possible to calculate key information 4033A for decrypting data and encrypting plaintext data, and decrypting encrypted data into plaintext data. 4034A can be decrypted using 4033A as a common key (symmetric key) for common key encryption (symmetric key encryption) to obtain 4035A. The encryption scheme used in 403A preferably uses common key encryption.

Encrypted data 4034A is created by using a version of 403A that can encrypt plaintext data 4035A. can.).
In response to access from the user terminal 4A using the network 20 such as the terminal 5B in FIG. It has a function of distributing the encrypted data 4034A to the terminal 4A via the network 20. FIG. Also, 4034A can be distributed/distributed using a known cloud storage or data sharing service without using the terminal 5B.
Furthermore, without using the network 20, optical discs (optical discs, optical discs), semiconductor memories, magnetic discs, magnetic tapes, and external recording devices capable of reading them are distributed through physical distribution or the like, and users A recorded external recording device of 4034A can be delivered to UP and terminal 4A. Alternatively, an external recording device with 4034A recorded may be distributed on the street or in a store. The encrypted data 4034A may be distributed/broadcast to a plurality of terminals including the terminal 4A in the form of broadcasting from a terminal 5C shown in FIG. 8D which will be described later.

The encrypted data in the form shown in FIGS. 8C and 8D cannot be decrypted and may be lost if the key information 4033A that can be unlocked is lost. As in the locking device of a safe as an example shown in FIG. 8B, if the hardware of the terminal 3D itself or the mechanical mechanism for locking does not operate normally and unlocking cannot be performed, the locking device itself is destroyed and unlocked. By doing so, the items in the safe can be recovered, but the encrypted data cannot be unlocked, and the plaintext data contained in the encrypted data, which is difficult to decrypt, may be lost.

In the embodiment, the right to view and browse electronic books and music video information is expressed as an OTP generation token, and the contract of FIG. 3AC includes an OTP generation function 3009A, an OTP authentication function 3018A, an OTP token possession information 3014A, an OTP token issuance function 3043A, etc. Called when 3008A is used in the OTP authentication system.
The OTP token contract utilizing software 403A includes an OTP generation function such as contract 3008AG including OTP generation function and contract 3008AA including OTP authentication function as shown in FIG. 3AB or OTP authentication function 3018DA recorded in terminal 3D. Even if the contract is separated from the contract containing the OTP authentication function, it does not mean that authentication cannot be performed.
When software 403A is used, it is preferable to describe OTP generation function 3009A, OTP authentication function 3018A, KC value 3011A, BC value 3013A and their setter function 3012A in the same contract as shown in FIG. 3AC.
403A has network 20 and distributed ledger system node terminal 3A, and it is desirable that OTP generation and authentication can be completed with contract 3008A of terminal 3A. Only one contract 3008A can be managed by changing contract variables and functions such as 3041A and 3042A.
By managing changes, etc., for only one contract 3008A, it is possible to eliminate labor for setting setting variables such as the KC value to match between contracts that perform different OTP generation and authentication and between the OTP authentication functions 3018DA of the terminal 3D.
For the synchronization of the seed value 3011A, the BC value 3013A, the block number remainder variable 3030A related to the OTP calculation method, and the OTP digit number adjustment integer 3031A between the contracts separated into 3008AG and 3008AA that may be used in the service of terminal 3C Management work such as change of the terminal 3D and management work such as change between the recording units of the terminal 3D having 3008A or 3008AG and 3018DA used for the service of the terminal 3D may not be necessary when the software 403A is used.
If the OTP generation contract used by the user terminal and the OTP authentication function or contract used by the terminal 3C or 3D are separated, when changing the seed value, change the KC value etc. of each contract or function to the same value must be synchronized and synchronized, requiring effort from contract and service administrators. On the other hand, by describing the KC value 3011A and BC value 3013A and their setter function 3012A in the same contract as shown in FIG. In the case, the setter function 3012A of the contract only needs to be manipulated once, which has the advantage of less effort in updating and synchronizing the seed value. Therefore, the embodiment using software 403A utilizes a contract that uses OTP generation and authentication functions as shown in FIG. 3AC.

In the embodiment, when the authentication function 3018A is executed during OTP authentication and the authentication result is received as a return value CTAU (3021A in FIG. 3AC and 4031A in FIG. 4B), there are multiple return values 4031A, and the first return value is Authentication when the second return value of the boolean variable CTAUtf (boolean variable CTAUtf, boolean variable CTAUtf, boolean variable CTAUtf) is the key information CTAUkey recorded in the variable built into the authentication contract The true/false value CTAUtf of the results is used to determine the execution of the next process inside the application software 403A. When defining that the authentication result is correct if the first return value CTAUtf contained in 4031A is true, software 403A determines if the result of CTAUtf is true and aborts processing if the value is false.
When CTAUtf is a true value, the second return value CTAUkey included in 4031A is received, and the information for generating the CTAUkey, the key 40302A built in the software 403A, and the externally set 4032A as needed. A common key 4033A (TTY 4033A, title key 4033A) is calculated according to the program of the software 403A, and data and files encrypted by common key encryption such as AES (Advanced Encryption Standard) are calculated using 4033A as the common key. It can be decrypted, browsed and used.
Here, in the examples and embodiments of the present invention, files that can be browsed and viewed can be text files, audio files, moving image files, and the like. A file with a file extension that can be displayed in a web browser that mainly supports HTML5 and ECMAScript was used.

When carrying out the present invention, 128-bit and 192-bit key lengths of the AES scheme used for common key encryption in the software 403A were used. The AES scheme used in the embodiment of the present invention was specifically AES-CBC cipher, which used Cipher Block Chaining (CBC) mode with explicit Initialization Vector (IV). The software 403A sets the key data length, CBC mode, and initial vector IV.

As an example of the software 403A, it corresponds to file formats that can be used with a web browser, such as the PDF format of Adobe Inc. for text format, the MP3 format for audio, and the MP4 format for moving images. In addition to files containing copyrighted content, for example, personal information such as corporate customers who want to prevent leakage to the outside and not be decrypted by encryption even if leaked (example: customer list of a company, school Corporate student lists, etc.), confidential texts that should be viewed internally by individuals, corporations, and organizations, audio image video information during production, product design drawings, product CAD data (including 3D CAD data that can be used for 3D printers) ), electronic circuit data (including design data that can be used in program logic devices), semiconductor photomask data, etc. is available.

In the embodiment of the present invention, software 403A uses at least key information CTAU 4031A when generating key 4033A for creating or decrypting a file encrypted by common key encryption of the AES system using software 403A. Then, using the key 40302A (CRKY 40302A, CRHN software private key 40302A) built into the software 403A, and using the block chain (distributed ledger system) and the key 4032A (AKTB 4032A, password 4032A, external password 4032A) not included in the software 403A use. 4032A does not use a blockchain, but that is a recommendation, and in practice it may be notified by a transaction from a blockchain platform different from the one that uses 403A, and the notification method of 4032A is encrypted. subject to user policy.

1. Return value 4031A of the authentication function recorded in the blockchain contract
The variable 4031A having key information is included in the variables used in the authentication function of the OTP authentication contract, but may be included in the OTP generation contract together with the authentication function. 4031A is set as a return value CATU when the authentication result is correct when executing the authentication function 3018A. Here, it is preferable that contents of functions and variables of the contract 3008A, which performs processing as a non-fungible token of the ERC721 standard such as OTP token issuance and OTP generation/authentication, be kept confidential.
It may also have a setter function that allows the creator/manager of the contract to change the key information 4031A. It is assumed that the creator/manager of the contract is an individual legal person who has rights such as the copyright of the encrypted file.
When the services targeted by 403A, the OTP token, and 4031A are subscription-type magazines and newspapers, and subscription-type broadcast data, it is preferable that the key 4033A used for encryption be updated every few months or years. 4033A is also updated by the contract manager periodically changing 4031A. The plaintext data is encrypted with the changed 4033A and distributed.
In that case, a user who does not know 4031A cannot calculate 4033A, making it difficult or impossible to decrypt the encrypted data. In this case, in order for 403A to record events, it would be helpful to record culture and current affairs if 403A were able to cut out and save a portion of the newspaper article for personal use, and photocopying etc. should also be permitted. As with certificate 4036A, which will be described later, using means such as electronic signatures and HMAC, time information, block numbers of block chains, and MAC values of those messages are added to data cut out for personal use from public information such as newspapers. It may be stored as a record of a book such as a newspaper that can be attached and tampered with can be detected (if the right holder of the book such as a newspaper does not permit clipping, etc., the function of clipping and saving is stopped in 403A).
As another method, 4031A is set as a fixed data value, and 4032A is notified in advance by a transaction to the user identifier or by e-mail at the time of making a contract for a newspaper or magazine, and 4032A is updated every several months or years to obtain 4033A. Encrypted data is generated while being updated, and while the encrypted data is distributed to the user, the updated 4032A is notified to the user. Encrypted data obtained by calculating 4033A using the updated 4032A and the 4032A and using it as a key may be distributed to the user by e-mail or the like. As a method of transmitting 4032A, instead of e-mail, AKTB 4032A may be obtained automatically by connecting to a website or web application with 403A.
Optionally, 4032A may be changed for each customer/user, and 4033A may also be changed for each customer to create and distribute encrypted data. However, when the data is distributed, the encrypted data has unique data and hash values for the target readers, so there is a risk of tracking who subscribes to which publisher's magazines and newspapers. It is preferable to exchange user-dedicated encrypted data between the publisher and the user by means of communication such as e-mail or cloud storage. A recording medium such as an optical disc on which 4033A produced using 4032A and 4032A is recorded can be distributed in the form of mail or delivery instead of communication.
When newspapers, magazines, etc. are encrypted with a single 4033A and can be acquired in the form of wireless broadcast data, it may be difficult to track who subscribes to what data.

3041A is set in the contract 3008A to restrict transfer according to the request of the right holder who provides the OTP token and corresponding data and contents, and the execution of the token transmission function 3040A is interrupted according to the data value of 3041A. may

For example, when confidential information is handled by an organization, there is no need to transfer the OTP token, which is the data access right, and when the transfer restriction function is desired, a variable value prohibiting transfer is set in 3041A.
On the other hand, if the content corresponding to the OTP token is, for example, book data, and the content right holder permits the book data to be distributed according to laws and regulations as an old article like a paper book, the contract 3008A has a transfer restriction. 3041A is set, but the data value of 3041A can be transferred by the right holder of the content by rewriting the key information 4031A at an arbitrary time using a setter function that can be changed by the creator/administrator of the contract. Considering the OTP token as a substitute for paper books and transferring it between users with different private keys (for example, user with user identifier A with 101A and user with user identifier B with 101B) using transmission function 3040A becomes possible. Furthermore, if the content right holder permits, the tokens can be distributed according to the ERC721 standard without setting 3041A that restricts transfer.

2. A key 4032A that uses a secret word or password.
This information is information that is not included in the OTP generation and authentication contract on the blockchain or software 403A, and communicates the key 4032A to the user using a communication path unrelated to them. The method of communication here is arbitrary, and means such as e-mail, telephone, SMS, the website of the contract creator, or mailing a sealed letter to the user can be used. (Here, it is not recommended to use public blockchain transactions or software 403A to transmit key 4032A to users holding OTP-generated tokens. Anonymized private blockchains record 4032A in transactions. It could be sent to the user's identifier, but could also be sent in the form of an email, phone call, or postal mail delivery without relying on the blockchain.)

It is also possible to fill in blanks in 4032A. In other words, there are cases where the data value of the encryption key is only 4031A, but since it is necessary for the attacker to guess the key transmitted from a route other than the source code of 403A and the blockchain, it is difficult to identify the key. The aim is to discourage people from working on codebreaking, which makes it difficult to decrypt the encryption if it becomes necessary. 4032A is a variable set by a user who wants to encrypt data according to how much he wants to protect the data by encryption. Preferably, the value 4032A is not blank, but a certain number of numbers or a string of characters. Value 4032A can also take a string data value as long as software 403A allows. A 4-digit PIN may be used. Alternatively, it may be a one-letter alphanumeric symbol.

Here, 4032A is transmitted to the e-mail address of the user UA, etc., but is set to a different value 4032A for each e-mail address (for each destination) (for example, various calculations, hashing, information cutting, etc. based on the user identifier A). , and based on one return value 4031A built in the contract and a different value 4032A for each user identifier, a file encryption key TTKY 4033A that differs for each user identifier is generated to encrypt the content file. The encrypted file can also be transmitted to the user separately by e-mail or web service.At this time, in the server 5B for distributing the file, a processing unit and a storage for encrypting and transmitting the content with an AES encryption key different for each user's mail address. part is required.

On the other hand, in the case of encrypting the file of materials to be distributed within the company as a simple security system without distinguishing between users, 4032A is a character string decided in the company, and only a single 4032A is used. It is also conceivable to notify the user through a paper circulation board, in-house mail, etc., and distribute the encrypted file 4034A having the same digest value (hash value) to the terminals of users connected to the company.
In this case, the server 5B connected to the network 20 is unnecessary, and not using a server outside the company leads to cost reduction. It can be used not only within a company, but also when it is desired to distribute contents such as texts and software between individuals or a certain organization. Encrypt internal company data and prevent it from being viewed in the form of plaintext data in the unlikely event that the encrypted data is leaked.

When distributing encrypted files containing the same plaintext data content with different hash values to users with different user identifiers, the greater the number of users at the distribution destination, the greater the number of 4034A to be individually encrypted and created. May consume computational resources and storage space. Furthermore, if there is no transfer restriction on the OTP token, users can transfer the OTP token to each other, but the key 4032A corresponding to the OTP token and the data 4034A encrypted using 4032A must be handed over from the transfer source user at the time of transfer. . Alternatively, terminal 5B may be notified of the transfer of the OTP token, and data 4034A encrypted using 4032A and 4032A newly generated for the user of 5B transferee may be distributed/distributed.

When distributing encrypted files 4034A containing the same plaintext data content with different hash values to users with respective user identifiers, tracking the distribution of custom-made encrypted data 4034A on the network 20 prevents unauthorized access. It may be possible to monitor data circulation, but by tracking the circulation of encrypted data 4034A on network 20, it becomes easier to supplement what kind of newspapers and books are being read by what kind of users. There is also fear.
It is desirable to generate and distribute encrypted data 4034A using 4032A so that both privacy protection and content manager protection can be achieved. In addition, it is preferable to consider computational resources, storage areas, and preservation of encrypted data. As the inventor, 4032A preferably distributes an encrypted file 4034A having the same digest value (hash value) as a single character string (external password as password) determined within an individual, group, or company. I think.

In addition, the following third and fourth key information can be added.

3. As an example of the software 403A, key information 40302A (CRKY, 40302A in FIG. 4B) set in the software 403A described in the source code such as ECMAScript of 403A. Here, the source code of software 403A is preferably obfuscated. Source code can also be encrypted. If 40302A is leaked, it is used when distributing a new version of software 403A in which the value of 40302A is changed.
The calculation of 4033A requires 403A including 4031A, 4032A and 40302A. The user of the new edition 403A preferably records and stores the edition 403A corresponding to the past book's encrypted data 4034A in the same location.

4. Key information 40303A read from a key management contract different from the OTP generation and authentication contract recorded in nodes such as the terminal 3A on the blockchain may be used.
40303A is an example introduced for the purpose of making it difficult for an attacker to decipher the calculation method of key 4033A of software 403A.
The contract identifier 40301A of the key management contract is described in the software 403A, and according to the processing specified by the ECMAScript of the software 403A, the getter function for obtaining the key 40303A from the key management contract is operated, and the return value of the function is 40303A. get 40301A, 40302A, 40303A are determined for each software CRHN. If 40303A is leaked, the value of 40303A is used when distributing software CRHN with changed value. Here, it is preferable that the contents of contract functions and variables are kept confidential.

To summarize, four pieces of key information are used in the embodiment of the present invention. In terminal 4A, the key information obtained from block chain nodes such as terminal 3A is 4031A and 40303A, the key information obtained from software 403A is 40302A, and the key information transmitted through a route that does not belong to either of them is 4032A. is. Using the four keys 4031A, 40303A, 40302A, and 4032A, and using the key calculation function (key calculation processing unit) of the software 403A with the four key information variables, a common key TTKY4033A for encrypting and decrypting files is generated. do.

If no information is set for the key 4032A, it is assumed that a blank has been entered. That is, the program of 403A attempts to decode the file by interpreting that the 4032A is empty. If there is a plaintext file and the user selects the process of encrypting it, if 4032A is blank, it is treated as blank and encrypted.

In the examples and embodiments of the present invention, the reason for adopting the method using such four keys, especially the reason for using AKTB4032A, is that when an attacker unlocks and decrypts a file, 4031A and 40303A on the block chain are temporarily used. In Ethereum, the key information is decipherable, and even if the source code of the software 403A is obfuscated and encrypted, there is a risk that an attacker will find out the key.
Therefore, a variable 4032A called AKTB, which does not exist in the block chain and software 403A, is set to encrypt and decrypt files. By setting 4032A, you can deal with the attacker. The number of variables in 4032A is not limited to one, and a plurality of variables can be set.

Here, instead of Ethereum, we will use a permission type (permission type) blockchain with added functions such as transaction concealment and network access control, such as Quorum provided by the Enterprise Ethereum Alliance (EEA). If used, 4031A and 40303A recorded in the contract can be anonymized, so it is preferable to use a blockchain platform that can anonymize the transaction.
Permission-type (permission-type) blockchains with added functions such as transaction concealment and network access control, such as Quorum, are shown in FIGS. 8C, preferably also utilized in the embodiment of FIG. 8D. Use of terminal 3C for logging in to Internet banking websites of banks and use for logging in to web services that handle financial and valuable information, and locking and unlocking safes, vaults, automobiles, buildings, etc., in terminal 3D. It is preferably used for decryption of encrypted data using software 403A.

<Distributed storage of encrypted data>
4031A, 40303A, 40302A, 4032A, content is encrypted with a single encryption key TTKY4033A calculated based on these four variables, and the encrypted file has only one hash value. It is envisioned that the content will be encrypted and distributed. On the other hand, as described above, it is also possible to change 4031A and 4032A for each user and distribute encrypted files with different TTKY 4033A.
Here, it is also considered to distribute a single TTKY4033A-encrypted file for information storage. The idea that even if the unlocking means is lost as shown in the example of equipment such as a locked safe, breaking the lock is not applicable to encrypted data including contents. If the encrypted data distributed by the content right holder wants to be stored in a plurality of computers and continuously viewed, it may be preferable to distribute a single TTKY4033A-encrypted file.
In the present invention, if the method for calculating TTKY4033A is lost, it becomes impossible to restore the encrypted data. By setting the value of 4031A and 4032A to a single value, users with OTP tokens can decrypt them with software 403A, and users with OTP tokens can decrypt encrypted files with a single 4031A or 4032A all over the world. Encrypted data used around the world may be easier to store for future generations.
The above is the idea of the inventor, and the final encryption method is determined by the data right holder. 4031A, 4032A, 40302A, and other key values are set according to the request of the right holder of the data, they are input to 403A and processed, and the plaintext data is encrypted and the encrypted data is encrypted using the key 4033A used for encryption and decryption. can be decrypted.
Based on the idea of restricting access to information and storing it like a paper book for future generations, text data, etc., from the system of the present invention using 403A can be stored on paper or in an external storage device, etc., if the right holder permits it. You can have the means.
In addition, it is assumed that there are encrypted data that have not been distributed around the world due to problems such as demand, and it is assumed that the plaintext data cannot be viewed due to problems after distribution. It is necessary to store and manage the plaintext or encrypted data of the content data and the key information for decrypting it.

<Systems that can display advertisements or monitor unauthorized access>
A URI for displaying advertisements is recorded in software 403A and plaintext data 4035A obtained by decrypting encrypted data, and software 403A executes a program for displaying advertisements distributed by server terminal 5A according to the URI information. may be provided. In addition to the advertisement, the terminal 5A notifies the instruction manual information of the software 403A and the version information (version information) of the software 403A.
The advertisement is distributed from terminal 5A to terminal 4A via network 20 according to storage unit 505A or 506A and control unit 515A or 516A of terminal 5A to terminal 4A accessing terminal 5A.
The advertisement display method by software 403A and terminal 5A is similar to printing advertisements on paper when reading paper newspapers and magazines. This is to distribute the reward for displaying the advertisement according to the number of times the user browsed the software 403A or the content.
In addition, unlike advertisements on paper media, the advertisement information by the website delivered via the network 20 from the terminal 5A of the link destination URI described in the software 403A or the encrypted content to the terminal 4A dynamically changes the advertisement contents. can be changed.

It is preferable that the part related to the advertisement using the terminal 5A and the software 403A is used for the reproduction of electronic books and audio/video, and not used for the encryption/decryption of confidential information. When confidential data is secretly exchanged between companies, organizations, and individuals, it is preferable to separately prepare a commercial version of the software 403A (commercial version software 403A) from which the advertisement display function is omitted.

There is a possibility that it may not be preferable to automatically connect and cooperate with the advertisement website by the advertisement display function in terms of confidentiality between companies, etc. In some cases, the data obtained from the terminal 5A may contain a program that behaves unintendedly in a harmful way to the user's computer, and there is a risk of lowering security. It is preferable to be able to There may be an OTP token for operating software 403A depending on the application. There may be an OTP token that logs into the application software at 403A.

Considering that the terminal 5A can be operated by a corporation or the like, and that it contains confidential information between government offices and companies, it is possible that an attacker is among all parties involved in creating and selling software 403A and advertisements in order to steal the user's information. I cannot guarantee that there will not be. Therefore, it may be preferable that the software 403A is used in a virtual machine environment or a sandbox environment under the operating system environment of the terminal 4A. It is preferable to examine the behavior when the encrypted data 4034A is decrypted with the OTP authentication system and the key information and the plaintext information 4035A is executed 4035A or when 403A is executed.
If the executable file formats (file extensions) of the software 403A are limited to music files, video files, and book files, the virtual machine environment may be omitted if the files are to be trusted.

Information such as advertisements must be based on the rating information of the software 403A and the OTP token. The contract of the one-time password token of the present invention can be provided with a variable KNBN 3024A that serves as a billboard that records the rating, etc., and the software 403A can read the rating information written in 3024A and change the operation for advertisements. is. (For example, when an advertisement distributed by the terminal 5A contains information about an adult's luxury goods such as alcoholic beverages, the advertisement is not displayed for tokens rated for minors, It is also possible to make it so that only pages and the instruction manual site for the software 403A can be displayed.)

Here, when using the software 403A using the one-time password authentication system of the present invention,
1. software 403A;
2. A smartphone terminal 4A or a computer terminal 4A in which the software 403A is recorded in a recording device, and access information to the blockchain and the contract and the secret key 401A are recorded (inputted);
3. Encryptable communication path network 20 (for example, communication is encrypted by encryption such as TLS),
4. A server 3A that constitutes a blockchain and generates and authenticates a one-time password (a contract including a one-time password generation function and an authentication function is recorded in the blockchain);
5. A server 5A that receives user access and displays advertisements (a server that develops a website that can perform multiple roles of notifying users of information and monitoring user access in addition to advertisements);
6. 7. URI information to server 5A for displaying advertisements contained in the program of software 403A; Encrypted data or file 4034A
8. URI information to server 5A to display the advertisement contained in encrypted data 4034A9. Server 5B delivering encrypted data 4034A to user terminal 4A through communication path network 20
is required. The terminal 4A may be a terminal capable of viewing and using plaintext data, and may be a computer terminal connected to a tablet terminal or a head-mounted display.

The URI of the server terminal 5A that displays the advertisement is set in the software 403A or 4035A obtained by decrypting the encrypted data, and the software 403A accesses the server 5A according to the URI of the server terminal 5A that displays the advertisement. At this time, the server 5A can record access information for a plurality of terminals, such as the terminal 4A of the user UP, the terminal 1A of the user UA, and the terminal 1B of the user UB, as shown in FIG. 6X.

Although the contract identifier and blockchain identifier of the OTP token that provides the service are omitted in FIG. 6X, the contract identifier CPGT and blockchain identifier (distributed ledger system identifier) are shown in FIG. They may be recorded in association with each other.

Terminal 5A is accessed by software 403A of terminal 4A, records access information of terminal 4A in 501A, and distributes advertisements according to storage section 505A or 506A and control section 515A or 516A.
After recording the identifier of the access information block chain of the terminal 4A and the contract identifier CPGT of the OTP token that generates the OTP, the user's identifier A, the token number TIDA, and the IP address or location information of the terminal 4A shown in FIG. 6X. Alternatively, the value IPV calculated from the ID information unique to the computer device or the sensor value of the input device 42A of the terminal 4A, and the login state data such as the browsing time T and browsing history information Cnt (Cnt is the number of accesses) are sent to the server terminal 5A. can be recorded in the database 501A of the recording device.

In the recording device 50A and the processing device 51A of the terminal 5A, the correspondence relationship of the login state data such as the contract identifier CPGT, the user identifier A, the token number TIDA, the value IPV, the browsing time T and the browsing history information Cnt (Cnt is the number of accesses) Save and save for display in a tabular format similar to FIG. 6X.
Here, the format of the table and the system of the database do not necessarily have to be the format of FIG. 6X. Figure 6X uses a table to show that multiple IPV values (a case where a 3-axis geomagnetic sensor and a 3-axis magnetic compass sensor have different Z values) exist for a given user identifier/token number and are illegal. FIG. 10 is an explanatory diagram when detecting a case where access is suspected; It suffices if it is possible to detect whether or not there is access with different IPV values for the same private key or token number of the OTP token. FIG. 6X is an explanatory diagram. Instead of using the format of FIG. 6X as it is, data may be recorded and used to monitor the accessor by modifying a portion of FIG. 6X without departing from the scope of the present invention.

In the recording device 50A and the processing device 51A of the terminal 5A, the server terminal 5A is provided with a processing unit capable of detecting whether the terminal 5A is accessed with a different IPV value for the token number TIDA,
It is confirmed that the token number TIDA assigned to the private key 401A of the same user identifier A has been viewed from a device having multiple IP addresses, location information, location information, and data IPV combining the sensor value of the terminal. It has an unauthorized access monitoring function (511A, 512A, 513A in FIG. 5A) that can detect and contact the user UA corresponding to the user identifier A.
By recording the URI for connecting to the terminal 5A in the program 403A, it is possible to provide the unauthorized access monitoring function as shown in FIG. 6X together with the advertisement display function. The terminal 5A can also be equipped with the unauthorized access monitoring function to notify the customer whether the secret key is being used illegally.
Plaintext data 4035A can also be provided with an advertisement distribution function and an unauthorized access monitoring function as shown in FIG.
However, the unauthorized access monitoring function and the advertisement distribution function using the terminal 5A in the software 403A are not essential elements, and there may be 403A that does not use the unauthorized access monitoring function and the advertisement distribution function.
From the viewpoint of privacy protection, there may be 403A that does not use the unauthorized access prevention function or the advertisement distribution function. On the other hand, the unauthorized access monitoring function and the advertisement distribution function prevent unauthorized use of the private key, and lead to protection of the owner of the OTP token, the content of the encrypted data corresponding to the OTP token, and its right holder.
The unauthorized access monitoring function and the advertisement distribution function using the terminal 5A in the plaintext data 4035A are the functions that the right holder of the plaintext data decides to use. be done. Since the URI to the advertisement is a URI (link tag) described and embedded in plaintext data 4035A in HTML language or the like, the URI of 4035A (and the advertising content linked to the URI) may also be part of the content. do not have.
The unauthorized access monitoring function and the advertisement distribution function using the terminal 5A in the plaintext data 4035A are used by content right holders, and some content right holders do not use the above functions.

<Registration of user contact information in a system that can monitor unauthorized access>
In the terminal 5A, user registration is performed when using the software 403A, and customer information is recorded with a customer information database management unit 514A for registering a notification address and a contact address when unauthorized access is detected in the unauthorized access monitoring function at that time. 504A is provided. When unauthorized access is detected by the unauthorized access monitoring function (511A, 512A, 513A in FIG. 5A), the unauthorized access notification unit 513A uses the contact information recorded in 504A to detect the time when the unauthorized access occurred, the user Identifier, token number, OTP token contract identifier, and other information necessary for service provision are notified.

<When encrypted data is viewable data>
The user can decrypt the encrypted data 4034A using the software 403A and the OTP authentication system to view and listen.

<When encrypting again after decrypting and editing the encrypted data>
The user decrypts the encrypted data 4034A using the software 403A and the OTP authentication system, browses and edits the plaintext data, records the block number, the BnTOTP of the OTP token used for browsing, the time stamp, etc., and uses it to detect falsification. Data attached with an electronic signature or HMAC can be re-encrypted and saved.
For example, after an employee UP of a certain organization makes corrections to text files, audio and video files, spreadsheet files, blueprint files, etc., the block number, BnTOTP, time stamp, etc. are recorded, and an electronic signature is used to detect falsification of text and video data. Alternatively, encrypt and save the data with the MAC value of HMAC attached again, distribute it to another employee UA in the organization, and then give the employee UA the key information such as 4032A for decryption and the software used for encryption By distributing 403A and OTP tokens, the UA receives the data that has been re-encrypted by the employee UP, decrypts it, browses the content added and changed by the UP, and makes changes to the additions and changes by the UA, including block numbers and BnTOTP. It is possible to record a time stamp or the like, attach an electronic signature for detecting falsification of text or video data, or attach a MAC value of HMAC, and then encrypt and save the data.
In this way, a plurality of users such as UP, UA, UB, and UC of a certain organization can add text to a confidential document and attach a time stamp, HMAC MAC value, or electronic signature to the data to exchange text.

<When the encrypted data is 3D blueprint information>
The three-dimensional CAD data (three-dimensional design drawing information) obtained by decrypting the encrypted data is modeled with a 3D printer, and the base material is processed with a multi-axis processing machine etc. Create a three-dimensional object. However, it cannot be output depending on the rating of the plaintext data or the output settings. The software 403A should prohibit the output of a three-dimensional object that violates laws such as the Firearms and Swords Act, and the software 403A determines whether or not to output the three-dimensional object based on the information described in the rating information of the plaintext data. Three-dimensional CAD data information may also be viewed on head-mounted display 453A. Even two-dimensional CAD data can be browsed, output, and used in the same way. For example, design drawing data used for processing machines such as industrial printers and plotters may be used.
Design drawing data related to the manufacture of a one-dimensional, two-dimensional or three-dimensional object or device is saved as encrypted data by the method of the present invention, and decrypted using the OTP authentication system to be used as information used for manufacturing. may

<When the encrypted data is a design drawing of a circuit, etc.>
The encrypted data may be a schematic of the circuit. For example, it may be design drawing data of a programmable logic device. A Field Programmable Gate Array (FPGA) is a type of programmable logic device, a semiconductor IC with a field configurable circuit array that can change electronic control functions within the device. In the embodiment of the present invention, it is possible to receive the data of the circuit for configuring or reconfiguring the FPGA as encrypted data, decrypt it, and use it. The programmable logic device can be used for industrial equipment and broadcast communication equipment, and is also expected to be used for the user terminal 1A and the server terminal 3A.
Circuit information that enables reconfigurable computing may be distributed as encrypted data and decrypted with an OTP token. Encrypted circuit information that enables reconfigurable computing may be stored in version management and code repositories such as GitHub by GitHub, Inc., downloaded from user terminals, and distributed/distributed. The purpose is to perform version management to check whether the circuit information of the programmable logic device has been tampered with, obtain the usage right with the OTP token, decrypt it, and dynamically construct the circuit according to the design drawing in the programmable logic device.
When deploying the design drawing information on an FPGA or the like, it is preferable to investigate the behavior of decrypted data and malicious programs in a virtual machine environment (sandbox environment). Alternatively, when the encrypted data is decrypted by the OTP authentication system only for the first time, the data is examined in the virtual machine environment, and after determining that it is not malicious, a certificate is issued, and if there is the certificate, it is transferred to the FPGA without using the virtual machine environment. The design drawing data may be developed on an FPGA or the like.
Although a specific example was explained using the example of FPGA, data decoded by the method of the present invention is stored in the memory portion of a circuit that controls a computer such as a CPU, SoC, or MPU, and the behavior of the control operation device is changed. good too. Alternatively, it may be used when encrypting, distributing, and installing a program with a certificate similar to hardware such as computer terminal firmware or BIOS.
For the purpose of distribution within a certain organization, there is a device, circuit and semiconductor parts manufacturing line that manufactures the final CPU, SoC, MPU from the circuit board information and semiconductor of electric equipment / electronic equipment from the semiconductor substrate. may be stored as encrypted data by the method of the present invention and decrypted using the OTP authentication system to be used as information for use in manufacturing semiconductor products. It may be applied not only to electronic devices but also to manufacturing data and confidential information of certain products.

<4T. Use in broadcasting (distribution of non-bidirectional encrypted data, live distribution)>
The server terminal 5B, which delivers encrypted data and files 4034A to the user terminal 4A via the network 20, is a device capable of two-way communication. 5C of 5C, SVCRHNbroadcaster) are available. The broadcasting station 5C uses the communication path NTB (communication network 21, radio wave band in wireless broadcasting, broadcasting cable in cable broadcasting) by one-to-many broadcasting to user terminal 4A having receiver 423A that can receive broadcasting. On the other hand, encrypted data 4034A subjected to common key encryption such as AES encryption with a single encryption key TTKY4033A is broadcast. The broadcasting station 5C may be installed on the ground, may be a mobile station, or may be installed on a satellite. It may be installed on the ground, or may be installed in outer space.

<When terminal 5C is a node of the same block chain as terminal 3A and can broadcast BnTOTP>
Broadcaster 5C may have the same functionality as 3A. The broadcasting station 5C is connected to a terminal 5CC controlling the broadcasting station 5C via a communication path 2 (communication network 2). The terminal 5C has a storage device capable of having a block chain part like the terminal 3A, and is connected to the network 20 via a control terminal 5CC that controls the terminal 5C. terminal 5C can have the same block chain part as terminal 3A. The terminal 5C can broadcast the block number Bn, block data, block hash value, time stamp/time information, and time information based on the clock of the terminal 5C in the block chain section of the terminal 3A. The terminal 5C may be a ground station or a satellite broadcasting station.

<When the terminal 5C is a satellite terminal for the global positioning satellite system and can broadcast BnTOTP together with the positioning information for authentication of the signal for the global positioning satellite system>
Terminal 5C may be an artificial satellite in outer space, equipped with an atomic clock, etc., and may be a positioning artificial satellite for Global Navigation Satellite System (GNSS). A terminal 5C has a block chain unit and is connected to a block chain node terminal 3A via a wireless network 2.
Then, BnTOTP, which is an OTP based on the block number Bn, is calculated using the OTP token generation contract of the block chain unit recorded in the terminal 3A and the terminal 5C, and the time information by an atomic clock or the like, Bn and BnTOTP are added to the broadcast signal of the terminal 5C. , token number, and user identifier, the broadcast signal of the GNSS satellite can be authenticated at the terminal 4A that receives the signal.
Here, the transmission message and the MAC value by HMAC of the message may be concatenated and broadcast. Tampering with the broadcast message can also be detected by attaching the HMAC MAC value of the message data including one piece of positioning data, Bn and BnTOTP to the message data including one piece of positioning data, Bn and BnTOTP.

The terminal 5C concatenates the information of the block chain part including the contract of the OTP token held by 5C, the block number Bn and time information, the BnTOTP of the OTP token set exclusively for the broadcasting station 5C, and the MAC value of the HMAC of those messages. can be broadcast. Terminal 5C broadcasts a signal containing time information Bn, BnTOTP, a token number and a user identifier, and terminal 4A and the like receive the broadcast. A terminal 4A that has received broadcasts from four or more GNSS satellite terminals 5C performs positioning by the global positioning satellite system GNSS. In addition, the terminal 4A receives the BnTOTP value, the token number, the user identifier, and the block number Bn (adding the contract identifier of the OTP token and the block chain ID as necessary) and the MAC value to determine the time information and the authenticity of the signal. Verifies falsity/authenticity and authenticates broadcast data.
Broadcast the positioning signal from the GNSS satellite 5C to the terminal 1A and the terminal 4A by radio for positioning, and in addition to the time information etc. necessary for positioning the known position information, the block number Bn and the time of the block number Bn A positioning system that performs positioning by a plurality of broadcasting station satellites 5C, equipped with means capable of confirming the authenticity of GNSS positioning broadcast data by attaching an authentication password BnTOTP that dynamically changes with changes to the signal. It can be used for positioning devices and positioning methods.

The intention and purpose of attaching the OTP by BnTOTP of the present invention to the GNSS satellite is to determine whether the signal of the GNSS satellite is false signal information of spoofing or true GNSS signal information by combining time information and Bn. BnTOTP, a token number, and a user identifier are attached for determination. The OTP authentication system of the present invention can be used to combat GNSS signal spoofing/hacking. Such a mode of use of the present invention may be used to improve security in navigation of airplanes, ships, automobiles, unmanned aircraft, unmanned aircraft, and the like.

The satellite 5C used for GNSS application has a secret key 501C, BnTOTP, a block number, an OTP token number dedicated to 5C, and a secret value KC3011A recorded in the recording device of 5C, among which BnTOTP, block number Bn, and user identifier Terminal 5C broadcasts the token number.

The user identifier is calculated from the private key 500 of 5C. The token number is also set by the GNSS administrator. A satellite identification number, machine number, manufacturing number, etc. of the terminal 5C can be assigned to the token number, and a user identifier calculated from a secret key managed by the operator who provides the GNSS service can be used as the user identifier. Each satellite may have a different private key and user identifier, or a single private key owned by an operator may be recorded in storage devices of a plurality of satellites and used. It is necessary to assign OTP tokens with different token numbers to four or more artificial satellites used for positioning in GNSS, generate different BnTOTPs among the satellites, and attach them to broadcast data.
As an example, when the secret key of one positioning satellite terminal 5C is the same as that of 101A and is an OTP token with token number TIDA, BnTOTP=fh (user identifier A, machine number/token number TIDA, KC value , block number Bn). As for the KC value, the administrator of the GNSS satellite terminal 5C transmits a transaction instructing the block chain unit of the terminal 3A to change the KC value, and the KC value of the block chain contract of the terminal 5C connected to the terminal 3A also changes.
A one-time password code BnTOTP using BnTOTP=fh (A, TIDA, KC, Bn) is executed by the OTP generation function 3009A in the block chain section (5000C and 5100C) of the broadcasting station terminal 5C to generate BnTOTP as an OTP, or Obtained from the network 2 or network 20 by executing the OTP generation function 3009A of the OTP token contract of the blockchain node 3A, and distributed by attaching the main data, time information, block number, and BnTOTP to the data to be broadcast/distributed Alternatively, it is possible to confirm the authenticity and authenticity of broadcasted information/data.

Here, an embodiment using BnTOTP for GNSS broadcasting has been shown, but OWP=fh(A, TIDA, KC, BC) may be attached to data to be broadcast/distributed instead of BnTOTP (in this case, BC may be broadcast). However, in the case of BnTOTP, a new data block is connected to the blockchain in, for example, 15 seconds or 180 seconds, and Bn is automatically updated. need to be changed.
The update time of the block number used for BnTOTP is not limited to 15 seconds, but may be 30 seconds, 60 seconds, or 600 seconds (10 minutes). (You can change the concatenation time of block data including ) by any number of seconds. Even when using OWP, the contract administrator may change the KC value and BC value periodically. It may be preferable to build a blockchain with a block number that changes every 10 minutes specifically for GNSS.

There are a plurality of GNSS broadcasting stations 5C, specifically four positioning satellite terminals 5C, and different user identifiers/token numbers or the same user identifiers/token numbers are set for them, and the four terminals 5C are known. In addition to the positioning information of the GNSS positioning method, BnTOTP (the user identifier/token number used when calculating BnTOTP may be attached, or may be recorded in advance in the information using GNSS of the terminal 4A. ), the block number Bn, and, if necessary, the MAC value by HMAC of the broadcast message are attached and broadcast. Broadcasting may be performed once or more while the block number changes. For example, when the block number Bn changes in 180 seconds, the GNSS satellite 5C may send once or several times within 180 seconds.
If the length of the GNSS message data is insufficient, the time for changing the block number Bn of the block chain unit corresponding to GNSS is increased. For example, when the block number Bn changes in 600 seconds instead of 180 seconds, After transmitting the navigation message data, broadcast the OTP authentication data of the present invention (user identifier, token number, block number, BnTOTP, MAC value of HMAC) for 30 seconds, broadcast the navigation message data again, and alternately broadcast By doing so, the authentication information may be attached during the broadcast.

Assuming that the present invention is applied to the US GPS (Global Positioning System) as a known example of GNSS, four or more GPS satellite terminals 5C (space segments) for measuring position information are placed in outer space. Located in the orbit of each satellite, there are ground control station 5CC (control segment) and GPS receiver terminal 4A (user segment), and terminal 5C, terminal 5CC and terminal 4A are connected via network 20 to block chain node terminal 3A or terminal 3B, etc. to synchronize the block chain part of terminal 5C.
Or, relying on the atomic clock of the terminal 5C, which is accurate, it is assumed that Bn matches with all the GNSS satellite terminals 5C, and the block number Bn is set to increase every 300 seconds, and the ground control station 5CC and the satellite terminal are set several times a year. Synchronize with 5C, check if the time and Bn have increased correctly, and when changing and updating the KC value etc., share the data with all GNSS satellite stations 5C and synchronize the block chain part.
At this time, the terminal 4A authenticates the BnTOTP contained in the broadcast received from the terminal 5C using the authentication function 3018A of the node terminal 3A of the block chain, and uses the broadcast data of the four GPS satellites in which the correct BnTOTP is recorded. position can be determined.

In GPS, for example, navigation message data of 1500 bits is 30 seconds, authentication data is 1280 bits if one variable is 256 bits and there are 5 variables, so within 30 seconds. broadcast over. When a block chain in which the block number Bn changes in 600 seconds is constructed for the GNSS satellite, the same BnTOTP data can be sent 10 times, and the user terminal 4A detects one of these 10 times, and BnTOTP is By verifying with the authentication function and obtaining the authentication result, it is possible to know whether the received data of the satellite 5C is correct data or suspected of impersonation or the like.
Alternatively, it is conceivable not to attach the authentication data to each navigation message data. When using a blockchain where Bn increases by one every 600 seconds, the navigation data that is broadcast for 30 seconds in 600 seconds is broadcast 20 times. It may be possible to broadcast as a broadcast frame for the authentication data. If the navigation message data with authentication data broadcasted four times in 600 seconds can be received and OTP authenticated, the authenticated position and time can be measured.

When the satellite terminal 5C and the terminal 4A are disconnected from the network 20, the block number Bn and BnTOTP are calculated based on a clock such as an atomic clock mounted on the terminal 5C and the OTP generation function 3009A stored in the storage unit. , BnTOTP, message data, and their MAC values are attached and broadcast to user segment terminals such as terminal 4A.
Next, in the terminal 4A, an authentication function 3018A capable of calculating BnTOTP=fh (A, TIDA, KC, Bn) and software in which the KC value is recorded in advance, or BnTOTP=fh (A, TIDA, KC, Bn) is calculated. The authentication function 3018A, 3018A and the function of the terminal 3C in which the KC value is recorded may be provided at 423A of the communication device 42A receiving the GNSS signal.
When OWP is used instead of BnTOTP, an authentication function 3018A capable of calculating OWP=fh(A, TIDA, KC, BC) and software in which the KC value is recorded, or OWP=fh(A, TIDA, KC, BC) An authentication function 3018DA capable of calculating and a terminal 3D function in which the KC value is recorded may be provided in 423A of the communication device 42A receiving the GNSS signal.
Software in which authentication functions 3018A and 3018DA and KC values are recorded may be provided in software 403A.

The user terminal 4A receives positioning signals broadcast by a plurality of (four or more) satellite terminals 5C using 423A or 422A of 42A of the terminal 4A, processes the received signals, and measures the distance between the satellites and the receiver. and calculate the position from this. Then, the current position is temporarily assumed according to the position calculated based on the positioning information of the known GNSS positioning method (up to this stage, it is the same as the existing GNSS, and if the OTP authentication system of the present invention cannot be used, location information at this stage is used). After that, the process shifts to OTP authentication processing of BnTOTP broadcast by the terminal 5C.

In the OTP authentication process for BnTOTP broadcast by the terminal 5C, the block number Bn and BnTOTP attached to the positioning information sent by the satellite terminal 5C received by the terminal 4A (or the user identifier used when calculating BnTOTP・If the token number is also attached, use the user identifier/token number) to authenticate using the OTP authentication function 3018A, and judge the authenticity of the data broadcast by the terminal 5C from the return value of the authentication function. do.

A user identifier/token used when calculating BnTOTP in the authentication function 3018A set by the administrator of the terminal 5C of the terminal 3A via the network 20 in order to determine whether the positioning information received from the terminal 5C in the terminal 4A is correct. 3018A is executed by passing the number and block number Bn and BnTOTP as arguments, and when the return value is the return value when the OTP is correct (when BnTOTP is a true value), broadcasting station 5C broadcasts. The terminal 4A records what is expected to be correct and notifies/displays it to the user.
When the return value of 3018A is an incorrect return value (when BnTOTP is a false value), the user is notified/displayed that the positioning information related to the broadcasting station 5C is false information that cannot be OTP authenticated. Let
When the data information broadcast by the terminal 5C cannot be OTP authenticated and is erroneous, the subsequent processing is entrusted to the service or software using the GNSS with authentication function of the present invention. Inform that the received position information cannot be used, wait to receive the signal of a new GNSS broadcasting satellite 5C different from the terminal 5C that performs the wrong broadcast, authenticate the signal received from the new terminal 5C, and authenticate It is conceivable to perform positioning after increasing the number of terminals 5C that have been set.
Even if the authentication result of the received signal is incorrect (if it is a spoofed signal), it is dangerous to suddenly stop a car running on a public road and switch to another route. It may be necessary to entrust the operation to the user, to display and inform the user that there is a positioning signal that cannot be authenticated, and then to have the user such as the operator perform the operation.

<In the case of attaching the position and time of creation of the authenticated position information and time information data for the broadcasting data of the broadcasting station 5C>
The user terminal 4A records position information and time information authenticated by the OTP authentication of the present invention from four or more terminals 5C to 4A, block numbers Bn and BnTOTP broadcasted by the four 5C as plaintext data, secret key 401A, etc. can be used to apply an electronic signature or HMAC for falsification detection to plaintext data, create an electronic signature or MAC value, attach it to the plaintext data, and save the plaintext data in a state where the time and location of creation of the plaintext data have been authenticated.

The user terminal 4A receives location information and time information authenticated by the OTP authentication of the present invention from four or more terminals 5C to 4A, and block numbers Bn and BnTOTP to be broadcasted by the four 5C as plaintext data (plaintext content data or manuscript data). ), apply an electronic signature or HMAC for falsification detection to plaintext data using a private key 401A or the like, create an electronic signature or MAC value, attach it to plaintext content data, and create plaintext data 4035A. It may also be created as tamper-detectable plaintext data 4035A with an electronic signature or MAC value that is stored with location authentication, and said 4035A is encrypted using software 403A with an OTP token assigned to private key 401A. It may be possible to convert
The plaintext data 4035A may be recording/audio data or recording/moving image data relating to news gathering. The OTP authentication system of the present invention can easily certify the creation place/creation position information and the creation time of the document text/document data of the plain text data 4035A (images such as photographs and blueprints, recorded moving images, and recorded audio).
The block number Bn to be entered in the above 4035A is Bnp, and Bnp is Bn when BnTOTP is obtained. It can be published by distribution using the network 20 or the like and output to the outside of the terminal.
The OTP authentication function 3018A of the OTP authentication contract and the authentication function 3018DA of the terminal 3D for verifying authentication are provided with an authentication function for authentication in the form of BnTOTP=fh (A, TIDA, KC, Bnp), and 4035A has a user identifier A and the token number TIDA may be entered.
The encrypted data 4034A of the published 4035A is circulated, and if there is a customer user UB who has the OTP token of the token number TIDB, AKTB, and the software 403A to decrypt it, the plaintext data 4035A is viewed. Then, the customer user uses the Bnp, BnTOTP and token number TIDA recorded in the plaintext data 4035A, and if the user identifier A is entered, it is used. Obtain A, pass A, TIDA, and Bnp to the argument of the authentication function so that the OTP authentication function can perform calculation in the form of BnTOTP=fh (A, TIDA, KC, Bnp), execute the authentication function, and obtain the authentication result. You can get the time and location information created by The created location information may be accurate latitude and longitude using GNSS, etc., or for privacy protection, prefectures and municipalities (states, provinces and municipalities overseas) based on map information from latitude and longitude information It is also possible to describe the approximate position instead of the detailed position so that it can be understood.

<Broadcast of data file from broadcasting station 5C>
Broadcasting station 5C is a terrestrial station or a satellite station, an amateur station and a commercial broadcasting station, a data broadcasting station that broadcasts text and software data such as newspapers and magazines, a radio station that broadcasts audio, and , or a television station that broadcasts audio and video. It may be a broadcasting station 5C that can broadcast data that can be broadcast as mass media.

Here, the aim of using broadcasting station 5C for distributing text, audio, and video files is to encrypt video data (audio and video data, which tends to be larger than book data) to users with OTP token viewing rights. To avoid imposing a communication capacity load on the public two-way network 20 when distributing the data 4034A live (on a live broadcast).
However, in an emergency such as a disaster, the broadcasting station 5C, which has a public nature, sends a signal to the effect that the encryption will be canceled to the audio radio broadcast viewing software such as the software 403A and the audio video television viewing software, and the broadcast data of the plaintext data 4035A. It is necessary to be able to broadcast.
In addition, rather than transmitting redundant content information (information on popular music pieces, video works, etc.) to users via the two-way network 20, transmitting data in a one-to-many manner by broadcasting reduces the load on the network 20. Communication capacity can be allocated to services such as communication between blockchain nodes that require connection and two-way communication, e-mail, Internet banking services (financial services), membership services using websites.

Specifically, a case will be described in which the present invention is assumed to be used for broadcasting audio and video files such as radio broadcasting and television broadcasting. The radio equipment and radio station 5C used for broadcasting may be for business use or for amateur use. In the case of broadcasting over a wide area in many areas, the range that the electromagnetic waves of a certain broadcasting station radio can reach is limited, and different broadcasting stations 5C, transmitting stations 5C, etc. are installed for each area. The user terminal 4A obtains an OTP generated token for browsing the encrypted data broadcast of the nearest radio station 5C.

Broadcasting station 5C encrypts radio or television program data 4034A with common key TTKY4033A unique to broadcasting station 5C, and transmits encrypted data 4034A to user terminal 4A nearest to which radio waves reach. Then, the server terminal 3A and the terminal 4A are connected via the network 20 by the software 403A that decrypts and browses the broadcast encrypted data 4034A, and BnTOTP is generated and authenticated to obtain the return value CTAU4031A of the authentication function.
Here, instead of BnTOTP, an OTP token that can acquire an OWP may be used to generate and authenticate an OWP in the software 403A to obtain a return value CTAU4031A. TTKY 4033A is generated using 4031A and, if necessary, key information 40302A inside 4032A and 403A, and broadcast data encrypted by TTKY 4033A can be decrypted and viewed.

When OWP is used, the contract manager follows the instructions of the broadcasting station and informs the broadcast receiver that the KC value and BC value that produce OWP will be updated at a certain time such as every year, and the reception contract will be renewed. It is possible to have the user who can send the OWP after updating the KC value and the BC value by mail without using the network 20 . The OWP notified by mail is inputted to the software 403A of the terminal 4A such as a television type, and if the authentication result is correct, the broadcast data can be decrypted. The KC and BC values updated at this time are included in the broadcast data and may be automatically updated when 4A receives the broadcast data. When OWP is used, it targets users who cannot connect the terminal 4A to the network.
The user terminal 4A connected to the network 20 can use the software 403A to connect to the blockchain terminal 3A to generate and authenticate the OWP, so there is no need to notify the OWP by mail. Also, when the network 20 is always connected, both OWP and BnTOTP can be used.
TTKY 4033A that encrypts or decrypts content can be changed by rewriting CTAU 4031A of the OTP token contract, which is the broadcast viewing right, by the contract administrator terminal 1C according to the instruction of the broadcaster. For example, by updating the BC value of OWP and CTAU4031A every year, it is possible to allow users who have the right to view the broadcast to continue viewing, and to prevent users who do not have the viewing right from viewing.

In order to prevent viewing by users who do not have viewing rights, the OTP generation function of the OTP token has a token number as a key, such as a mapping variable that determines whether the OTP token is valid or invalid. is displayed, and if the OWP is invalid, it is preferable that the contract manager can rewrite through the terminal 1C so that the OWP is not displayed.
Alternatively, a method of building a blockchain part dedicated to broadcasting and deploying a new OTP token contract every year is also conceivable. TTKY 4033A, which performs encryption using software 403A, is changed by changing the KC value when deploying a new OTP token contract every year. OTP tokens are distributed and viewable to subscribing user identifiers (for their corresponding private keys 401A).

The reason for using the password OWP is that the user terminal 4A may not be able to connect to the server 3A temporarily when the network 20 is disconnected due to a communication failure or disaster. In such a case, the contract is renewed every year. If it is a method, even if a disaster occurs, the password will not change according to the block number Bn like BnTOTP, and OWP can be notified by mail, etc., and can be obtained by people who cannot use the network. (Things that can be handled in about a week to a month).

When there is a terminal 5CC and a satellite broadcasting station 5C such as GNSS that can be synchronized with the block chain node 3A via the network 20, the broadcast data of the terminal 5C includes the block number Bn, and the software 403A contains the KC value and CTAU4031A. If the part that generates and authenticates the OTP is obfuscated/encrypted/anonymized and recorded/installed, it may be possible to receive encrypted data broadcasting by calculating TTKY 4033A from block number Bn and CTAU 4031A by software 403A. do not have.

Here is a specific example. An amateur station applies for the opening of a station, and a membership-type token that allows viewing of encrypted data broadcasting broadcast by the amateur station is issued on the block chain of the server 3A as an OTP token and its generation authentication contract in the system of the present invention, OTP tokens can be circulated among users. Data can be decoded and viewed if there is an OWP that can be viewed by a person who has a token and software CRHN403A for authentication and data decoding and viewing using it.
It is also possible to broadcast audio and video data, and data in the form of publication such as newspapers, magazines, books on laws and regulations, textbooks, computer software (educational software, operating software, office software, game software) can also be sent. A user receives encrypted data and records or records books or software data, decrypts the data with the authentication system of the present invention, and can browse, view, install software, and so on. Encrypted content data can be downloaded and used in the form of receiving broadcasts.

As a matter of concern in this form of use, it is conceivable that a communication failure may occur due to bad weather or the like, and the wireless signal from the broadcasting station 5C may not reach the terminal 4A. In addition, there is a risk that noise, etc., may be mixed in the broadcast data due to defects in the broadcasting equipment. In the case of video and audio data, even if it contains noise, it may be established as a broadcast program (sometimes it is unavoidable). However, in the case of magazines, newspapers, or computer program data, there is a risk that noise will make browsing impossible or that software, etc. will not operate. As a countermeasure, broadcast the same content multiple times at different dates and times (rebroadcast), and in the case of satellite broadcasting, use high-throughput satellites, etc. to increase the communication speed (communication capacity, capacity) of satellite broadcasting. It is preferable to take countermeasures such as using error correction technology.

In the previous example, the case where there is one TTKY 4033A for one amateur station's encrypted broadcast data 4034A has been described. Even if it is the same plaintext data or content data 4035A, tokens and OWPs are assigned according to the number of different amateur stations, and the data is encrypted by TTKY 4033A and transmitted.
In one country or on a global scale, for example, when sending encrypted data for satellite broadcasting using radio, it is encrypted using common OTP tokens, OWP, and TTKY4033A and sent to users only if the rights holder of the content allows it. You can also (However, if the same TTKY4033A is used for encryption on a global scale, there is a risk that encrypted data stored all over the world will be viewable if TTKY4033A is leaked. Therefore, each station, each broadcasting network, each region, It may be preferable to use different OTP tokens, software 403 versions, OWP/BnTOTP, and TTKY4033A for each country.)

<Distribution and live distribution of two-way communication encrypted data>
It is possible to encrypt contents with live distribution elements (live broadcast distribution elements) such as web meeting software and online games. It should be noted that the software 403A may be used to record and encrypt distribution data for live distribution such as a meeting, distribute the data via the network 20, transmit the encrypted data to the distribution destination, decrypt the data, and allow the terminal to view the distribution site. 3C (server terminal SVLogin) may be used to log in to the website/web application.

When the encrypted data is distributed using the software 403A or the terminal 3C, the block encryption method and the stream encryption method may be used as the encryption method of the encrypted data. In both the block cipher system and the stream cipher system, encrypted data is generated by performing encryption by common key encryption on plaintext data. A known block cipher scheme used for television broadcasting is Patent No. 2,760,799. An AES scheme can also be used. The block cipher system and the stream cipher system may be similarly used for the live distribution by broadcasting from the terminal 5C.

<Encryption of data exchanged over the Internet communication network, in unencrypted communication paths>
A case will be described where the OTP authentication code of the present invention is used as a data encryption key for website communication instead of encrypted communication by TLS (encrypted communication by TLS/SSL). The software 403A shows that the encrypted data is distributed, for example, from the user UC to the user UA. Connect.
Here, TLS stands for Transport Layer Security of Transport Layer Security Protocol and is RFC8446 standard. SSL stands for Secure Socket Layer.

As a specific example, in browsing a web page, there is a smart contract of the present invention, which functions so that the user UA and the contract administrator UC can generate and authenticate a one-time password BnTOTP for the token number TIDA of the OTP token. is set and the UC can get the BnTOTP for the UA's token number TIDA (the UC can call the UA's OTP generation function to see and share the BnTOTP).

Normally, the OTP generation function is designed to be called from the user identifier of the owner of the OTP token and its secret key as described in the flow charts of FIGS. The provider may also call the OTP generation function using the private key 101C of the administrator terminal 1C. However, if the contract administrator can call the OTP generation function of the customer's OTP token, it is necessary to specify it in the terms of service when signing the contract for issuing the OTP token, and the KNBN variable of the OTP token 3024A must also be explicitly stated.
The OTP token of the present invention is the login right to the website of the terminal 3C, the admission ticket 18A and the unlocking key 19A to be presented to the terminal 3D, and the viewing, usage, and ownership that can decrypt the encrypted data using the software 403A. It is intended to be owned by a user and is primarily based on and principle that only one user with a private key assigned an OTP token can call the OTP generation function.
It is not a typical implementation that the OTP generation function can be called from more than one private key, but it can be implemented.

Next, on the website operated by UC, BnTOTP is used for the UA as a key of common key encryption such as the AES method to encrypt the web page to generate encrypted data CRYPTWEBPAGE. Then, the encrypted data CRYPTWEBPAGE is sent to the computer terminal 1A of the user UA through the network 22 having an unencrypted route. Here, the UC can view the BnTOTP value (OWP value) generated by the OTP generation function 3009A with the token number TIDA of the OTP token for communication encryption of the UA.
The user UA can also decrypt the encrypted data CRYPTWEBPAGE using the BnTOTP (OWP value) of the token number TIDA and browse plaintext web pages. Similarly, when sending a message to UC, the user UA obtains BnTOTP of the token number TIDA from the OTP generation function and uses it for encryption to send encrypted data CRYPTWEBPAGE through the network 22 to the server terminal of the UC website.
The UC calls the BnTOTP value (OWP value) generated by the OTP generation function 3009A from the token number TIDA of the OTP token for communication encryption of the UA, and uses the sent encrypted data CRYPTWEBPAGE as a key for decrypting the BnTOTP. By decrypting the CRYPTWEBPAGE and obtaining the UA's plaintext message, the UA and UC perform encrypted communication on the network 22 . In this way, the present invention can also be applied to the encrypted communication field.
(However, even in this case, the communication between UA and UC in the process of obtaining BnTOTP from the blockchain must be separately encrypted and concealed. This communication may require encryption based on public key cryptography using the private key held by UA and UC.Anonymized blockchain infrastructure is also required.)

<Unauthorized access information monitoring function>
In the authentication system of the present invention, when checking whether the private key 101A of the terminal 1A (private key 401A of the terminal 4A) is leaked and the server terminal 3C, the terminal 5A, etc. are illegally accessed, the terminal 3C or the terminal that provides the service is checked. In the function of storing and monitoring the IP address and location information of the terminal 1A accessing 5A, and the ID information unique to the terminal 1A in the server 3C, 5A, etc.,
The ID information unique to the terminal 1A is provided with an accelerometer, a gyro sensor, a magnetic sensor, an atmospheric pressure sensor, a temperature sensor, an illuminance sensor that can be included in the sensor 144A in the input device 14A provided in the terminal 1A,
A method of storing in a server based on measured values derived from physical quantities measured by one or more sensors in the sensor group is conceivable.

Sound sensors such as microphones, and input devices such as cameras, pointing devices, and keyboards can also be sensors that may be included in 144A. Not recommended by the inventors. Reading and collecting keyboard or pointing device information is not recommended as it can lead to reading input data.

IP addresses and location information may lead to the identification of individuals, but atmospheric pressure sensor, temperature sensor information, magnetic sensor (magnetic compass) information, etc. are physical information derived from the location and environment of each user and terminal. There is, and this is used for fraud detection of the private key. (IP address, terminal device ID, operating system and terminal software information such as web browser are collected when recording data such as Figure 6X to protect customer assets when conducting important transactions such as financial applications. may need to be used.)

An attacker who tries to use the leaked secret key 101A illegally uses the above-mentioned processing unit such as server 3C (SVLogin) and server 5A (SVCRHNcm) to check whether the secret key has been leaked and illegally accessed. Unauthorized access by spoofing by imitating the sensor numerical value and physical quantity detected by the sensor unless you check what kind of sensor numerical value the user is accessing to the server with the access information database described. I can't.
As described above, by using the measured value derived from the sensor of the input device of the device 1A as a variable for unauthorized access detection of the authentication system of the present invention, unauthorized access can be prevented while personal information such as IP address and location information is used. Detect fraud in a way that is not based on

In this usage method, the server that provides the service records the sensor values of the user's computer terminal such as a smartphone, and detects whether or not the sensor values that do not match are accessed at the same time. Hash values and anonymized values can be used for monitoring. When using sensor values, some personal information is collected, but the server administrator can easily monitor the user's status. It is useful to protect personal information when using numerical values processed by hashing or various calculations based on sensor values.

If there is only one user, a list of combined values IPV of the user identifier of the server (3C, 5A, etc.) that provides the service, the token number of the user's OTP token, IP address, location information, terminal ID, and terminal sensor value For a certain time T, it is considered normal access that the user identifier with one sensor value or IPV value and the access information of the user's OTP token are recorded. When the user and the unauthorized accessor access at the same time, different sensor values and IPV value access information are recorded for the user identifier and the user's OTP token information, as shown in *2 in FIG. 6X.
The server that provides the service detects the access information, notifies the user who is the owner of the token of the abnormality, and may have a control unit that blocks access if accesses with different sensor values continue at the same time. good. It may also have a recording unit for storing access data.

As an example, at the same time, a terminal 1A having a valid access right with a secret key 101A indicating a temperature and atmospheric pressure of 25° C., a value of 987 hPa, and a geomagnetic sensor facing north, and a terminal 1A having a valid access right, When there is access from the terminal 1B that illegally obtained the secret key 101A, the server can determine that the access has been made from a different environment. In addition to changes in the numerical values of the temperature sensor and the atmospheric pressure sensor, changes in the direction of the terminal of the smartphone that browses data or services from the accelerometer and gyro sensor after login, changes in gravitational acceleration, changes in motion, illumination, temperature, atmospheric pressure, humidity, etc. Can track changes in the environment.
As sensors, information from imaging devices such as cameras, and input data and measured values from sound sensors (mics, microphones) can also be used, but this is not recommended due to privacy concerns for users. However, technically, the information of an imaging device such as a camera and a sound sensor can also be used as a sensor for the IPV value of the present invention. If there is no choice but to use it, we will also use the information of the imaging device, sound sensor, and microphone with the consent of the user. It is particularly preferable to perform hashing or the like when using camera or microphone measurement values for unauthorized access detection.
In the present invention, among the input devices of the device 1A, the camera, microphone, keyboard, and pointing information can be used. However, based on this patent, the input information of the camera, microphone, keyboard, and pointing device of the user's terminal 1A is personal information and information such as the PIN number output by the user for monitoring unauthorized access to the server by the user in actual business. It is preferable not to use it because it may be used for unauthorized acquisition of private key information.

The following sensors can be used in the method of storing in the server 3C or the terminal 5A based on the measured value derived from the physical quantity measured by one or more sensors in the input device provided in the terminal 1A. Sensors include motion sensors, position sensors, and environment sensors, and motion sensors that can be used include acceleration sensors (accelerometers) and gyro sensors (angular velocity sensors). A geomagnetic sensor or an accelerometer can be used as the position sensor. A humidity sensor, an optical sensor, an illuminance sensor, an air pressure sensor, a pressure sensor, and a temperature sensor can be used as the environment sensor.
At the time of authentication, a server having a processing unit that monitors unauthorized use of the private key, such as the server terminal 3C (SVLogin) and the terminal 5A (SVCRHNcm), has a user identifier A, a token number TIDA, a viewing time T, and a viewing time T. In this system, the history information Cnt and the value IPV calculated from the values detected by the sensors installed in the computer are recorded in the recording device of the server, and the server monitors accesses from different IPVs. In the case of the financial terminal 3C, the browsing history information Cnt is preferably kept even after the user terminal logs out in order to record whether or not the access was made from a different environment. is logged in under similar conditions to the browsing history information Cnt recorded in the past, and if the user logs in from a significantly different environment, notify the user's contact information and perform OTP authentication or a preset second secret key (e.g. Alternatively, OTP authentication may be performed using an OTP token derived from the first secret key 101A and the second secret key 101A2) for multisig technology.
(It is a known technology for web services to display and notify that there is access from different IP addresses, operating software, and web browser software environments.)

<Management of contracts on the blockchain>
The contract manager UC of the OTP token issues tokens to users who are entitled to access and provide services to the blockchain node 3A by means of the private key 101C of the terminal 1C, to the identifiers of the users.
Also, the KC value 3011A and BC value 3013A of the secret key information K value used for the OTP calculation of the OTP generation function 3009A and the OTP authentication function 3018A and 3018DA of the contract 3008A, 3008AG, 3008AA and 3008DA are rewritten using means such as the function 3012A and 3012DA. can also be updated by In addition, the variable 3024A that becomes the signboard (KNBN) can be changed.
It should be noted that authentication cannot be performed unless the same key values K and T are used in the one-time password generation function and the authentication function of the present invention.
In services in which the terminal 1A accesses the server terminal 3C or decryption of encrypted data using the software 403A, the terminal 1A accesses the node terminal 3A of the block chain via the network 20 according to the program of 403A and performs OTP (OWP, BnTOTP). can be obtained.
Terminal 3A accepts access from administrator terminal 1C, terminal 3A receives a transaction for changing the KC value 3011A, and connects it to the blockchain to change the KC value. Authentication by OTP reflecting the rewritten KC value can be performed. On the other hand, in the service using the terminal 3D, the contract manager UC provides means for rewriting and updating the KC value 3011DA and the BC value 3013DA for the K value.

As an example, regarding the OTP generation function and the OTP authentication function that the user UA accesses using the private key 101A, the seed values TIDA, KC, Bn, and A of the one-time passwords used by the OTP generation function and the OTP authentication function are KC The value 3011A must be set and synchronized so that both the OTP generation function and the OTP authentication function have the same value or the same data. If it is not synchronized, the generated password and the password calculated inside the authentication function will not match, and one-time password authentication will not be possible.

The KC value 3011A is written when the contract records a block in the blockchain, and the contract can also be programmed to never rewrite. Also, the KC value 3011A can be changed only by the contract manager. The handling of the KC value 3011A is up to the contract manager. If the KC value 3011A is changed at any time by the contract administrator, it can be regarded as a variable that has the same role as the BC value 3013A used for calculating the password OWP.

The KC value 3011A is, for example, the identifier of the OTP generation contract, the service name, or in the case of content such as a book, the content name ISBN, etc., in order to prevent collisions with other smart contracts using the present invention and the OTP value of the OTP token. It is preferred to use the KC value 3011A calculated based on
It is troublesome to set a large value for a KC value with a similar KC value, for example, a KC value with a capacity of 256 bits (an unsigned integer value can express an unsigned integer value including 0 of 2 to the 256th power). For such reasons, if the KC value is recorded in a small integer range such as 0 to 255 (up to the 8th power of 2), or even 0 to 10, if multiple OTP token contracts are used, the OTP value are likely to collide.
A specific example will be described. When the OTP token with the token number 9876 of the user identifier A of the login service of a certain member site is the login OTP token number 9876 of a different Internet banking, the KC value of the contract of the OTP tokens of both services is set to 123, etc. When the hash function was also deployed on the blockchain with the same blockchain identifier using SHA-1, the OTP was calculated as BnTOTP = fh (common A, TIDA = 9876, KC = 123, common Bn) and the result , a matching OTP is calculated between OTP tokens for two different services.
This can occur not only in BnTOTP for website login but also in OWP for locking. Therefore, in order to avoid matching or colliding OTP values of different OTP tokens for different services, it is necessary to make the KC value a unique value. should be used as part of the KC value.
Multiple KC values may be configured to complicate the KC value so that the OTP values of the OTP tokens do not match. There may be more than one KC value. For example, the first KC value is an arbitrary value (a value generated by a pseudo-random number generator or a processed value, or an ), the second KC value is set by the contract administrator to the contract identifier of the OTP token (or its processed and anonymized value), and the third KC value is used to update the key value. It may be a value of the same variable type as the BC value.

KC and BC values do not restrict data types. It may be an unsigned integer type or a character string type, and a plurality of variables corresponding to the KC value and the BC value may be included in the contract and used for OTP calculation.

In the present invention, a hash function called SHA256 of SHA-2 is used as the hash function fh. The SHA256 hash function obtains a 32-byte hash value BnTOTP or OWP for a message created based on the user identifier A, the token number TIDA, the secret variable KC, the block number Bn, and the BC changed by the contract administrator. is used for OTP. The hash value BnTOTP or OWP may be used as it is for the OTP, or the hash value may be further calculated and processed by an arbitrary method to be the OTP.

The use of hash functions such as SHA-1 with known (or suspected) hash function collisions in the OTP calculation is discouraged. And if a vulnerability in the known hash function fh is discovered at some point in the future, it may be necessary to apply countermeasures against that hash function vulnerability to the OTP token contract and blockchain infrastructure.
If there is a problem with the hash function used to calculate the block hash Bh on the blockchain platform (for example, Ethereum uses Keccak-256 as the hash function), it may be necessary to switch the blockchain platform. I can't say no.
When the above problem occurs, the method of generating and authenticating OTP using the OTP token contract and the owner information of the OTP token are stored in a block chain or directed acyclic graph using a hash function without vulnerability. It may be necessary to post the OTP token contract and the OTP token holder information to the new distributed ledger system used.

The hash function fh that generates and authenticates the OTP token may be changed to any type by the administrator of the contract. For example, the hash function fh may be changed from SHA2-256 of SHA-2 to SHA3-256 of SHA-3 after the contract is deployed. At this time, as in the case of the KC value, etc., OTP authentication cannot be performed unless the types of the OTP generation function and the hash function fh used for the OTP authentication function are matched.

<Comparison of processing contents regarding one-time password calculation between the RFC6238 standard and the present invention>
In the RFC6238 standard, a key value K and a T value that changes with time are used as arguments of a hash function to calculate a one-time password. According to the RFC6238 standard, the counter C is replaced with a counter based on time T in the HOTP one-time password standard based on HMAC. Next, the formula for calculating TOTP is shown.
TOTP = HOTP(K,T)
= Truncate(HMAC-SHA-1(K.T))
where Truncate is rounding. The present invention is not limited to a hash function combined with HMAC in RFC6238. Either a hash function or a hash function combined with HMAC can be used in the present invention.
Specifically, in addition to the hash function (Keccak-256 used in Ethereum) used in the foundation of the blockchain, SHA-3, HMAC-SHA3, SHA-2 (SHA256, SHA384, SHA512), RIPEMD-128/168, MD5, SHA-1 etc., HMAC-SHA-3, HMAC-SHA-2 (HMAC-SHA256, HMAC-SHA-384, HMAC-SHA-512), HMAC-RIPEMD-128/168, HMAC-MD5, HMAC-SHA -1, and so on. The specific function group described above is based on a hash function even when using HMAC, and utilizes the property of a hash function as a one-way function, and differs for each argument message data (or key information). There is no change in the function of being able to calculate a digest value that can be regarded as that of a password and using it as a password.

In the present invention, the RFC6238 standard is used as a reference, and for the K value and T value used in that standard, the variable TB that changes at the time on the blockchain (preferably block number Bn or BC that can be changed by the contract manager at a certain time) and Access the blockchain contract using the K value (secret key KC value, token number TIDA, user identifier A, etc.) and hash function fh, and use the OTP token with the token number TIDA owned by the user identifier associated with the contract It is characterized by being used in a blockchain-based time-varying OTP authentication system that generates and authenticates OTPs.
The formula for calculating the one-time password BnTOTP of the present invention is as follows. An n-digit integer password BnTOTP-N is also shown below.
BnTOTP = fh(K,T)
= fh (KC, TIDA, A, Bn) *Specific example.
BnTOTP-N = Truncate(fh(KT))
= Uint ( fh (KC, TIDA, A, Bn) ) mod 10 ⁿ *Specific example, when converting BnTOTP into an unsigned integer, dividing by 10 to the power of n, and using the remainder as the password.
Here, Uint(X) is a function that converts the type of argument X to an unsigned integer.

<Comparison of processing contents regarding calculation of BnTOTP and password OWP>
An example of the formula for calculating the one-time password BnTOTP using the T value that changes with time as the Tm value and the block number Bn of the present invention as Tm is as follows. Tm is the same as TB.
BnTOTP = fh(K, Tm)
= fh (KC, TIDA, A, Bn) * Example On the other hand, the Tm value is a BC value that can be changed by the contract manager at a certain time (or a BC value that can be rewritten by a user who has the authority to change BC) An example of the formula for calculating the password OWP of the present invention is as follows.
OWP = fh(K, Tm)
= fh (KC, TIDA, A, BC) *Example

The n-digit integer passwords OWP-N and BnTOTP-N are shown below.
BnTOTP-N = Uint( fh(KC, TIDA, A, Bn) ) mod 10 ⁿ
OWP−N=Uint(fh(KC, TIDA, A, BC)) mod 10 ⁿ
Since OWP-N and BnTOTP-N use remainder r, they can be rephrased as OWPr, BnTOTPr, or OTPr as a generic term for them.
Here, an example of dividing by 10 to the nth power is shown, but let us consider the case of dividing by Y to the Nth power instead of 10 to the nth power to obtain the remainder. A value m obtained by type-converting an OTP such as OWP or BnTOTP to an unsigned integer is used as the dividend m, and an integer obtained by multiplying 10 or an unsigned integer Y of 2 or more such as 2, 3, or 11 by an unsigned integer N of 1 or more to the Nth power is a divisor n, the contract may be provided with a processing unit and a storage unit that calculate the remainder r when the dividend m is divided by the divisor n and use the r as an integer value OTPr. When the integer value r obtained by converting OTP to an unsigned integer and finding the remainder is OTPr, the following equation is obtained.
OTPr = m-qn
where n=YN, preferably Y is an unsigned integer of 2 or more, ^N is an unsigned integer of 1 or more, q is the quotient, n is the divisor, m is the dividend, and r is the remainder.
For practical use as an OTP, Y is preferably 10 or more and N is preferably 6 to 7 or more. However, Y may be 10 and N may be 2 or 4 depending on the application.
As a clear note, if Y is 2 and N is 1, OTPr will pseudo-randomly output a value of 0 or 1 indicating whether it is odd or even, and can be used as a pseudo-random number generator of 0 and 1. It may be, but it is not practical for the use of the one-time password OTP, such as for website login, because if either 0 or 1 is entered, login will be possible.
Therefore, assuming the case of representing a four-digit integer PIN number in OTPr as an example, it is necessary to set Y to 2 or more and N to 14 or more, and the divisor n=2 ¹⁴ =16384.
If Y is 10 and N is 7 or 6, then a 7-digit or 6-digit OTP can be generated. was used as the N-digit OTP (OTPr).

<About blockchain platform>
During the operation of the present invention, it is conceivable that the blockchain part will be updated or newly created every certain number of years due to technical or storage capacity limitations. It may be necessary to update the block chain part due to the need to change the hash function that calculates the block hash of the block chain part.
Therefore, in the OTP authentication system using the blockchain of the present invention, the administrator periodically records the contract of the OTP generation token recorded in the contract, the program information of the OTP authentication contract, and the information of the seed value KC and BC in the terminal. is particularly preferred.
OTP token status information such as a user identifier A who is the owner of the OTP token, the token number of the OTP token, and the URI attached to the OTP token is recorded, and the OTP token owner list in which the OTP token status information is also stored. It is particularly preferable to create information and store it in the storage device of terminal 3C, terminal 3E, terminal 3F, terminal 5A, terminal 5B, terminal 1C, and user terminal 1A. It is preferable that the user terminal also holds list information owned by the owned OTP tokens.

In the present invention, a smart contract is used as a form of implementing a program having functions and variables that are difficult to falsify using a block chain, a password is generated using a value Tm that changes at a certain time on the block chain, and the password is sent to the terminal 3C or terminal 3D for authentication.
However, if the blockchain is maintained for a long time, for example, over 100 years, the contract data recorded in the blockchain 50 or 100 years ago for the latest block number will be stored for 100 years. It may be necessary to execute contract functions, including

It is not only a problem of the present invention, but also a problem of distributed ledger technology. For a contract with a certain transaction, the response when transactions are accumulated over a period of time exceeding a person's lifetime is unknown. Computational resources, terminal material resources, network resources, and power sources that drive the system must also be sustainable.
Ethereum used in the examples has a track record of operation as a blockchain platform for about 5 years at the time of writing this document, and it is a medium that can be used for over 100 years like paper and can record information for 100 years. There is an unknown point. Ethereum has no track record of operating while accumulating transactions in a contract for over 100 years.
However, unlike paper and existing server terminals, it is difficult to falsify, and it is characterized by the fact that it is possible to construct a contract-embedded database system in which time stamps related to time and block numbers corresponding to time stamps are recorded moment by moment.
As shown in the example of attaching authentication information to broadcast data in the GNSS satellite terminal 5C, tags are attached to objects and data by the authentication system of the present invention to determine the authenticity of the objects and data. Display the OWP type password that can be used, and use it for admission tickets, valuable specifications used for locking and unlocking keys, OTP tokens that can be used for tags, login to websites, and decryption of encrypted data. A BnTOTP type OTP token capable of

As a point of concern for the inventor, when a blockchain (or a system that can execute smart contracts while maintaining tamper resistance using a directed acyclic graph, etc.) is operated for more than 100 years, Merkle Patricia There is a data structure represented by a tree, and key-value pairs are searched and inserted/deleted with a computational complexity of O(log(n)). or 3B of node storage. There is a risk that more data search time and data search time for the Merkle-Patricia tree database will be required. Older contracts deployed with smaller block numbers (and OTP generation functions and OTP authentication functions included in them) are more difficult to read from the blockchain part, or it takes longer than expected to read and execute the function. It is a concern that
Computer terminals with high computational power and computer terminals for data search based on quantum mechanics may be produced, and if there are storage devices such as high-speed and large-capacity RAM and ROM, it may be possible to solve the problem, but it is not. When updating the blockchain platform, archive the distributed ledger of the past distributed ledger system, post the contract in demand in the past distributed ledger to the new distributed ledger platform, and update the blockchain platform. may be required.

It is unclear what the computational complexity O(log(n)) will be when the state tree is 100 years or more, instead of 5 years, in blockchains containing contracts that store transactions. (Ethereum uses a Merkle-Patricia tree-type state tree.)
As the number of transactions contained in the database that makes up the blockchain increases, the state tree or block length of the blockchain increases, increasing the amount of computation required to search for the OTP generation function and OTP authentication function. , the amount of computation required for data search time may increase. In addition, in the present invention, there is a risk that the time required to execute the OTP generation function and OTP authentication function of the contract that generates the OTP will increase.

Therefore, if the block chain unit detects a contract with many users and places it in a storage device that can perform the fastest reading and rewriting in a computer terminal, such as the RAM of the main storage device in the storage unit of the server 3A, the contract users accessing .NET can speed up the OTP generation and authentication process.

In addition, in the present invention, even if the time required to execute the OTP generation function and the OTP authentication function unintentionally increases, the contract administrator can use 3030A to display the BnTOTP and the authentication time (OTP authentication possible time). Standby time) can be increased, and when using OWP, if the contract manager changes the OWP seed value KC, changing the update time interval will block BnTOTP and OWP even if processing delays occur. It can be obtained from the chain and authenticated.

<Renewal of blockchain platform and OTP contract>
It may be necessary to change the specifications such as the data length of the private key 101A for public key encryption and extend the data length due to technical problems or new computers over the years. There may also be concerns about the security of encryption formats and hash functions, such as public-key cryptography used for blockchain infrastructure. As a result, it may be necessary to update the blockchain infrastructure every few decades due to problems with the blockchain infrastructure or problems with the amount of data.

When updating the block chain part including the block chain part and the block chain base, the data of the block chain part held by the terminal 3A is saved, and the reading and writing speed is slower than the semiconductor memory type RAM such as magnetic tape and magnetic disk. It is also preferable to be able to record and save in an inexpensive, non-volatile, large-capacity external storage device.
By recording the full node data of the block chain before update recorded by the node 3A, the transaction can be duplicated and recorded in the external recording device. The pre-update blockchain data recorded in the external recording device is useful when an individual, corporation, or investigative agency conducts an investigation when it turns out that there was a problem with the transaction at some point in the future.

Even for services that have been in operation for over 100 years, due to issues in distributed ledger technology and unforeseen issues, the size of the block number of the blockchain and the length of the block of the blockchain are 25 years instead of 100 years. It is also assumed that it will be necessary to store the data while dividing it into periods such as the following. Assuming that situation, terminal 3A to terminal 3E and terminal 3F collect information about OTP token contracts for each contract identifier and user identifier, and transplant the latest information corresponding to the contract identifier and user identifier to a new blockchain. Alternatively, it may be necessary to enable updating.

In connection with updating the blockchain and updating the blockchain contract, 3C, 3E, 3F, 5A, and 5B access 3A and send OTP token information such as OTP token asset balance and OTP token URI of users UA to each Balance passbook or balance statement or balance recorded in the customer database of the terminal and collected by 3C, 3E, 3F, 5A and 5B from the database information to 3A, 3C, 3E, 3F, 5A, and 5B, and performing electronic signature and HMAC It is preferable to be able to publish data to terminals of users UAs.

Even if the blockchain is not updated, 3C, 3E, 3F, 5A, and 5B can access 3A depending on the requests of service providers and OTP token users, and OTP such as user UA's OTP token asset balance, OTP token URI, etc. It is preferable that token information is recorded in a database, and balance passbooks or balance statements with electronic signatures and HMACs or OTP token balance/remaining number data can be issued to users UA's terminals.

When the OTP token contract is recreated according to the service provider's will, the OTP token contract is newly created with a contract identifier different from the original OTP token using the customer's user identifier, token number, and data included in the token. Deploy and update the contract by reissuing the OTP token according to the customer's user identifier, token number, and data contained in the token contained in the contract of the original OTP token.

<Embodiment for implementing the OTP authentication system of the present invention>
In the present invention, a server terminal 3A, which is a node of a distributed ledger system DLS such as a block chain connected to a network 20, deploys a contract for generating an OTP token and an OTP by a transaction using a secret key 101C of an administrator terminal 1C. The user terminals 1A and 4A call the function 3009A for generating the OTP of the OTP token using the private key 101A or 401A to the server terminal 3A, which is equipped with the contract for generating the OTP token, and generate the OTP. OTP is input according to 3C, 3D, or software 403A program, and if the authentication destination is 3C or 403A, the OTP is authenticated using the OTP authentication function 3018A of the server terminal 3A, and if the authentication destination is 3D, it is built into 3D. The OTP is authenticated using the authentication function 3018DA, and when the return value 3021A of the authentication result is a correct value of the authentication result, it is judged that the OTP authentication has been completed, and the system is provided with the service.
By using a tamper-resistant program called a smart contract that operates on a distributed ledger system DLS such as a blockchain, the execution results of the OTP token generation function 3009A and the authentication functions 3018A and 3018DA can be stored in a tamper-resistant state. In addition, the internal variables of the contract such as the OTP authentication function, the OTP generation function, the owner information of the OTP token, the KC value 3011A that is the seed value for calculating the OTP, etc. are also recorded as a distributed ledger that is difficult to tamper with. We have realized a blockchain-based OTP token that can be recorded by using it, an authentication system using it, and devices and terminals used in the system. An authentication system that can change the key values K and KC used when calculating the OTP by a transaction using the secret key 101C of the administrator terminal of the contract manager and change and update the key values of the OTP tokens of all users belonging to the contract. and devices and terminals used in the authentication system.
In addition to updating the key value K and KC, the number of OTP digits used for OTP authentication and the time interval for OTP authentication can be changed by a transaction using the secret key 101C of the administrator terminal of the contract administrator.
In order to detect unauthorized use of the private key, the information obtained by anonymizing the environment value of the user terminal or the environment value is associated with the user identifier or token number value or the anonymized value, and the leaked private key or the secret that is reused Means may also be provided to detect access to the same time by a key.

FIG. 8A is a basic authentication system diagram for logging into a website in the one-time password authentication system (OTP authentication system) of the present invention.
8A, a user terminal 1A (1A in FIG. 2A), a server terminal 3A (3A in FIG. 3A), a contract administrator terminal 1C (1C in FIG. 2C), and a server terminal 3C (FIG. 3C) that manages a website to be a login destination. ) are connected through (via) network 20 . Although omitted from FIG. 8A, there can be a server terminal 3B having the same block chain part as the server terminal 3A shown in FIG. 1A and a user terminal 3B different from the terminal 1A.
FIG. 7D is an explanatory diagram of the sequence when logging into a website using the OTP authentication system. FIG. 7D is similar to FIG. 7A.
6A, 6B, 6C, 6D, 6E, and 6F are block chains using a block chain type data structure as a distributed ledger recording unit 300A recorded in the storage unit 30A of the server terminal 3A of FIG. 8A. OTP generation processing and OTP authentication processing in one-time password generation and authentication smart contracts (contracts) 3008A, 3008AG and 3008AA used in the present invention recorded and deployed in the entire block chain 3006A of section 300A will be described. FIG. 4 is an explanatory diagram of a flow chart;
As a reference, FIG. 9A illustrates an outline of an authentication system using an OTP token when using a distributed ledger recording unit 300A using a blockchain type data structure in the distributed ledger system DLS, and FIG. 9B illustrates the distributed ledger system FIG. 10 is a diagram illustrating an overview of an authentication system using an OTP token when using a distributed ledger recording unit 300A using a directed acyclic graph type (DAG type) data structure for DLS;
In FIG. 7A, the terminal 1C deploys the contract to the DLS of the terminal 3A and sets the contract to the service from S110 to S113. In S114 and S115, services (mainly terminal 3C, which is assumed to be always connected to the network, decryption of encrypted data by software 403A, etc., and terminal 3D, which may be disconnected from the network 20, can also be connected to the network 20). 7A) issues an OTP token to the user identifier A as the token number TIDA, and 1C or the service sends the token number or token to the user terminal 1A. It is possible to inform the result of issuance.
In S116, the user terminal 1A accesses the service, and the service side may or may not record the access information as shown in FIG. 6X. Next, the service requests OTP authentication from 1A, and the terminal 1A accesses the terminal 3A and acquires the OTP from the OTP generation function 3009A in the sequence of S117 to S119. When SHA256 is used for the hash function, the OTP is calculated and output as 32-byte data (2 to the power of 256 -1 as an unsigned integer).
(The data using SHA256 for 3009A and 3018A may be type-converted to an unsigned integer value, and the remainder when divided by a certain integer n may be used as an integer OTP with a certain number of digits. As an example, 32-byte data may be encoded. It is also possible to convert the type to an unsigned integer and use the remainder OTPr of the Nth power of 10 as the OTP of the N-digit unsigned integer. When constructing the authentication system of the present invention, the OTP generation function 3009A and the OTP authentication function 3018A and 3018DA installed in the terminal 3D are also paired with the number of digits and characters converted from the output data to an unsigned integer or the like. Authentication cannot be performed unless the OTP is calculated in the same way as the OTP generation function and the password OTPr can be calculated from the remainder.)
In S120, the service can collect and record the access status and behavior of 1A during connection, or can not collect or record them. In S120, OTP authentication is requested to the terminal 1A. From S121 to S123, the terminal 1A inputs the value acquired from S117 to S119, the user identifier, and the token number of the OTP token to the OTP authentication function 3018A, executes the authentication function 3018A, and sends the return value CTAU such as the authentication result 3018A to the terminal at S123. Obtain from 3A and input/output the return value CTAU of the authentication function to/from the service. If the return value CTAU of the authentication function output from the terminal 1A is a value when the OTP authentication result is correct, login to the website, operation of the website, and operation of the web service are performed.
In S125, the service side collects the access information of the terminal 1A even after login, and checks whether there is unauthorized access or not. It is possible to monitor whether the ID value and the sensor value of the terminal are recorded as shown in FIG. 6X, and notify the user of unauthorized access when they are recorded. However, in practice, recording as shown in FIG. 6X may infringe on privacy or unnecessarily use computational resources of the terminal, and may not be economically cost-effective, so it is not necessary to do so.
In the present invention, for example, the distributed ledger system to which OTP tokens are assigned to handle monetary value and important items such as content browsing usage by decrypting encrypted data, login for Internet banking, and operation of bank account balance. We would like to collect and monitor the data shown in FIG. 6X as a means of detecting the leakage or reuse of the secret key for access. Data collection and monitoring in FIG. 6X are not performed when a terminal with low computing power is used as a server. The monitoring of unauthorized access to the service shown in FIG. 6X is used according to the mode of use of the present invention.

In Example 1 (Embodiment 1), the OTP calculation for OTP generation and OTP authentication described in FIGS. to the
a user identifier A to the blockchain unit;
A token number TIDA associated with A,
Using four secret variables KC and block number Bn inside the contract,
Furthermore, a secret variable BC that can be changed by the contract administrator,
Let V be the GasLimit value determined by the voting values of the nodes that make up the blockchain system,
By calculating fh (A, TIDA, KC, Bn, BC, V) and calculating OTP,
generate a dedicated OTP that differs by user identifier and token number;
A pseudo-randomness is provided by the V value, and an OTP authentication system capable of updating the BC value among the secret variables KC and BC was constructed.

In the first embodiment, the contracts 3008A, 3008AG, and 3008AA on the blockchain of the server terminal 3A in FIG. It has a setter function fscb (3012A in FIG. 3AC) that can rewrite and update both.
The setter function fscb (3012A in FIG. 3AC) is set to variable KC (3011A in FIG. 3AC) or BC (3011A in FIG. 3AC) or BC (3011A in FIG. 3AC) only when the blockchain is accessed by the private key PRVC (101C in FIG. 3AC 3013A) and the internal variables KC and/or BC are programmed to rewrite and update the function fscb (3012A).
Contract internal variable values are preferably confidential.
In 3008A, the internal variable KC value and BC value are recorded in the same contract, but when using two contracts 3008AG and 3008AA, the variable KC (3011A) and the variable BC (3013A) used for OTP calculation are functioned. The KC and BC values of 3008AG and 3008AA must be rewritten and updated by fscb (3012A) to match and synchronize and maintain the synchronized state. The numbers and data types of KC and BC variables are not limited, but the numbers to be matched increase according to the number and amount of data corresponding to the set KC and BC. In addition to the above KC and BC, the function and variable 3030A for changing the OTP authentication standby time and the OTPr digit number changing function and variable 3031A for obtaining the OTPr must also be synchronized and matched between 3008AG and 3008AA. In addition to the variables, the type of hash function fh required for calculating the OTP must match.
Here, the terminal 3C uses 3008AG and 3008AA, but the terminal 3D uses 3008A or 3008AG and the authentication function 3018DA of the terminal 3D. The variable/function storage unit and the terminal 3D variable/function storage unit must be matched and synchronized.

In addition, the contract manager sends from the terminal 1C to the contract a billboard variable indicating information necessary for providing the service, such as the name of the OTP token, the name of the service, the address and contact information of the service provider, and rating information, and the variables. A changeable rewritable function KNBN (3024A) can be recorded in the contract and set. The number of variables to be recorded as signboards, arrays, structures, mapping types, and other types are irrelevant. Variable 3024A can only be read by all users accessing the blockchain (KNBN rewriting is done using terminal 1C's private key PRVC (101C)).

As a problem that can occur not only in Embodiment 1 but also in Embodiments 2 and 3, the private key PRVC (private key 101C) of the administrator terminal 1C leaks from the hand of the user to be managed, and another user obtains the private key 101C information. obtain, copy the information, illegally access the contract 3008A etc. from the terminal, and issue the OTP token of the present invention, which is the authority to receive the service, to the user identifier desired by the illegal accesser without restriction. . There is also the possibility of accessing signboard information 3024A and internal variables 3011A and 3013A.
In order to prevent such a situation from occurring, when executing the setter function included in the token issuing function (Fig. 3043A), function fscb (3012A), 3024A, etc. inside the contract, a secret key different from the secret key 101C is used. A contract administrator private key compromise protection portion 3042A may be provided to prevent function execution without consent of the user identifier.

<Example of countermeasures against leakage of private key of contract administrator>
The contract administrator private key leakage prevention section 3042A will be described.
When executing the internal variables of the contract that manages OTP and token issuance as a function, one or more user identifiers other than the contract administrator of the user identifier C of the private key PRVC are individually set to execute the function There is a mapping variable, array, structure, or equivalent multiple variables that can be used to record whether the user identifier and the corresponding boolean variable value are true or false.
It can be executed when the boolean value corresponding to the user identifier is true, and cannot be executed when it is false. Here, when the truth value corresponding to the user identifier is true for all user identifiers, issue OTP tokens and manipulate contract internal variables, and even one of all user identifiers becomes false. It is conceivable that execution of the function is stopped when As an application of this, count the number of true or false values corresponding to user identifiers for all user identifiers, and execute a function when the number of all user identifiers exceeds the majority (or a set percentage) can.
3042A has a mapping variable having a true/false value corresponding to the user identifier and a processing unit that determines whether to execute or stop processing based on the true/false value of the variable. It can be described (set) in the processing part of the function that reads or rewrites for the accessor whose state is limited.

<Simple measures to prepare for the leakage of the private key of the contract administrator>
For example, it may be accessed as a contract administrator using two different private keys. Prepare the private key PRVC of the contract manager and the private key PRVB to stop the issuance of OTP tokens when PRVC is leaked. The OTP token issuing function and contract internal variables (3043A, 3024A, 3030A, 3031A, 3011A, 3011A, 3013A) can be set.
In addition to the method described in the present invention, what is generally called multi-sig technology may be used to set a plurality of private keys to deal with leakage of private keys.

The fact that the service provider has leaked the private key, the fact that it is being attacked, and the time of the attack along with the contract identifier 3019A are posted on the company's web page, etc. You can also deploy a contract with a private key and reissue OTP tokens. If a technical problem arises in a distributed ledger system that includes a blockchain, it is possible that the token will be reissued in order to transfer the token to a new blockchain or the like.
The present invention circulates OTP on a block chain that is difficult to tamper with, and uses OTP tokens to automate and record the provision of services. It depends on the content of the contract, legal restrictions, and the agreement between the service provider and the user.
If it is difficult to provide the service and the user wishes to contact the user, or if the user wishes to contact the service provider, it is necessary to post the contact information on the signboard information KNBN (3024A). The rating of the service (restriction information such as whether the service is age-restricted or whether a driver's license is required if the service is a car key) is also entered in 3024 .
The present invention intends to issue tokens for purchase using electronic commerce. In electronic commerce, information such as credit cards is used, but in that case, adults are the target. If this service is used for logging in to computer game sites and web applications for minors and for decrypting encrypted book data, purchase a terminal that records the private key for family use, and purchase the terminal for minors. you may need to think.
When a user UA who does not have a terminal 1A wants to obtain an OWP type 18A or 19A, a service provider, a ticket issuer, a convenience store, etc. can obtain an OTP token and an OWP type 18A or 19A for a service by phone. It can also be issued.
The UA may possess the NFC tag 19A or 16A on which the private key 101A is recorded, and the UA may be able to log in by having the terminal 1A without the private key installed in a store such as a convenience store read the private key information of 19A or 16A. . It can also be used at shops such as Internet cafes, hotels, guesthouses, etc. that provide terminal 1A and Internet lines.

<Token issuance>
In FIG. 8A, contract 3008A or 3008AG issues an OTP token with token number TIDA to user identifier A calculated from private key PRVA (101A in FIG. 2AA) and private key 101A according to the sequence diagram shown in FIG. 7D.
In all embodiments of the present invention, a secret variable (seed value) KC, BC and an OTP generation function (FIGS. 6A and 6B) and an authentication function for calculating an OTP in an Ethereum ERC721 standard token in the blockchain part By adding (Fig. 6C, Fig. 6D, Fig. 6E, Fig. 6F), a contract for one-time password generation and authentication was constructed on the blockchain. The ownership relationship of the token (correspondence relationship between the token number and the user identifier) is recorded inside the contract on the blockchain for the private key PRVA (101A) of the user identifier A. The ERC721 standard has functions such as token issuance, token transmission (transfer), and token removal, but the description thereof will be omitted. In the present invention, a transfer restriction function that restricts token transmission in accordance with the ERC721 standard can be installed.
This is because the present invention intends to use OTP tokens for login use for tickets, membership rights, online games, and net banking that are not transferable.
Execution of the send token function 3040A can be controlled by the administrator of the contract using variables and setter functions 3041A that limit the sending of tokens. 3040A can be programmed to continue executing the send token function 3040A when the variable in 3041A is true and stop executing the send token function 3040A when the variable in 3041A is false.
If you want to prohibit the transfer instead of restricting the transfer, on the premise that the token will be issued after notifying the token contractor that the transfer is prohibited, a setter that can fix the 3041A variable to false and change the 3041 variable. It may be the OTP token contracts 3008A and 3008AG that are programmed such that the send token function 3040A cannot always be executed, except for functions. Alternatively, it may be the OTP token contracts 3008A and 3008AG without the token transmission function 3040A itself.
Next, using the sequence diagram of FIG. 7D, the contract deployment, OTP token issuance, and service provision using the token will be described.

In FIG. 7D, a user terminal 1A, a server 3A (actually an Ethereum testnet) having a blockchain system DLS, a website login service server 3C, deploying and managing OTP tokens and contracts related to the OTP authentication system, and issuing tokens. There is an administrator terminal 1C having a private key 101C capable of

In sequence S210, a block for changing the OTP token secret variable KC (3011A in FIG. 3AC) or BC (3013A in FIG. 3AC), the signboard information 3024A, and the OTP change time (number of blocks) to be deployed on the blockchain at the terminal 1C A number remainder variable 3030A, an OTP digit number adjustment unit 3031A, and the like are set. Then, a contract 3008A for generating and authenticating OTP, a contract 3008AG for generating OTP, and a contract 3008AA for authenticating OTP are set.
In the third embodiment, a contract 3008A capable of OTP generation and authentication is used.
In the second embodiment, a contract 3008A or 3008AG capable of generating an OTP, an OTP authentication function 3018DA of the terminal 3D capable of authenticating the OTP, and variables of the function and a recording part of the function are used. When 3D can connect and communicate with node 3A through network 20, authentication function 3018A of 3008AA and 3008A can be used.
In Example 1, the contract 3008A or 3008AG capable of generating OTP and the contract 3008AA capable of authenticating OTP are used in combination.

Deploy the contract to the blockchain in sequence S211. Send the contract code (bytecode for execution of the Ethereum virtual machine, bytecode) to the blockchain as a transaction and record it in the block data. For login purposes, authentication is performed, and after login, the user enters the value linked to the token in the authentication contract 3008AA (bank account balance mapping variable corresponding to the token and user identifier, remittance processing from the balance, points and voting on the member site value).
Therefore, here, 3008A in FIG. 3AC (which can also be implemented in 3008AG in FIG. 3AB) is an OTP generation contract in which an OTP generation token is recorded, and 3008AA in FIG. 3AB is deployed separately on the blockchain as an OTP authentication contract. (As shown in FIG. 9A, it is deployed to Bd1, Bd3, and Bd4 out of block data Bd0 to Bd7 of the blockchain. Terminal 1A accesses the deployed data to generate and authenticate OTP.)

In the sequence S212, the contract identifier (contract address) determined when the contract was incorporated into the blockchain is acquired from the blockchain unit to the recording device (10C) of the terminal 1C, and logged into the website ECMAScript, etc. of the website of the server 3C is recorded in a program that runs the web page and set. At the same time, set up the program that operates the web page (including front end, server side, database, and blockchain part if necessary).

In sequence S213, an OTP token for generating OTP is issued. The administrator terminal 1C accesses the deployed OTP generation token and issues an OTP token with the token number TIDA for the user identifier A who made a contract or purchased the service. The issued OTP token is a contract shown in 3008A or 3008AG, and in Example 1 has the functions of the ERC721 standard. OTP tokens are purchased as login rights using payment methods in e-commerce, etc., or are used for services in the financial sector such as banks such as Internet banking, login services for member sites, login services for social networking services SNS, online games, etc. issued with the login service of

When providing the OTP authentication system of the present invention, it is assumed that settlement will be performed outside the blockchain. However, in Ethereum, OTP tokens are given using payment according to the payment of the crypto asset Ether on the mainnet (that is, the user inserts Ether into the contract like a coin like a vending machine, and OTP is given to the user sending a token) is also possible. However, depending on the service, it may be necessary for personnel outside the blockchain to confirm the existence of the contract and payment, confirm the existence of the user who grants the OTP token, confirm the identity, and perform KYC (Know Your Customer). Payment in currency is not mandatory. Especially in the financial field such as banks and securities, it is considered that personal identification is necessary, so the contract and issuance of OTP tokens of the present invention require personnel and devices to confirm users outside the blockchain.

In sequence S214, login to the web page is performed. A user who has been granted an OTP token accesses the server 3C and the blockchain system DLS using the terminal 1A having the private key 101A (private key PRVA) recorded in the storage device 10A or the external recording device 16A. The server terminal 3C that has received the access from the terminal 1A distributes the website or web application data to the terminal 1A in response to the access from the terminal 1A.
In sequence S214, 3C distributes web page data requesting the input of a user name and password at the time of login to terminal 1A, and requests the first step of authentication.
Here, the wallet software may be included in the extended function of the web browser, and the web page data may include a program for determining whether the private key is installed in the wallet software. OTP authentication may be performed by performing OTP generation using a private key stored in the wallet software. Further, software for entering and recording a secret key, accessing a block chain, and displaying an OTP may be installed in 102A of the storage device 10A of the terminal 1A. Continue to the next sequence if the username and password match. (User name and password are used as one factor of authentication. Combining OTP authentication and existing user name/password authentication together constitutes two-factor or two-step authentication. In addition to user name/password authentication, PIN or biometric authentication is acceptable).

In sequence S215, the server terminal 3C receives access from the user terminal 1A for OTP authentication, distributes a web page for generating an OTP from the terminal 3C to the terminal 1A, and illegally accesses the user terminal 1A. Monitor access or not. In order to generate an OTP on a web page, it is required to enter a user identifier and token number, and input values such as the user identifier and token number of the user, the IP address and location information of the user terminal, and the sensor value of the input device of the terminal etc., and the login time, number of logins, and login status are recorded as shown in FIG. 6X. In normal use of the terminal 3C, if one individual accesses one private key from one terminal to the server terminal 3C at the same time, multiple different IPV values described in FIG. 6X should not be recorded. .
If the terminal 3C can collect information specific to the terminal such as the version of the web browser and values such as the IP address, the information should be stored in the storage device of the terminal 3C until the next login of the terminal 1A by the user UA. can also A change in the access environment may be detected by comparing the stored access information at the next login.

In sequences S216 and S217, according to a program such as ECMAScript of the web page distributed in S215, one of the nodes of the block chain using the user identifier A, the token number TIDA, and the private key 101A recorded in the user terminal 1A. Access the terminal 3A and execute the OTP generation function (3009A in FIG. 3AC) of the OTP generation contract 3008A or 3008AG deployed on the terminal 3A.
If the token number TIDA is associated with the user identifier A calculated from the secret key 101A and the owner of TIDA is the executor of the OTP generation function 3009A, the OTP is calculated and generated, and the OTP is sent to the terminal 1A as a return value. return. In S218, the user terminal 1A acquires the OTP generated according to the OTP generation contract 3008A or 3008AG of the terminal 3A as the return value of the OTP function 3009A.
6A or 6B, the variable OTPCT (3017A in FIG. 3AC) or OTPCTG (3017A in FIG. 3AC) or OTPCTG (Fig. 3AB 3017 AG) can change a variable on the blockchain contract, and the number of times the computation to generate the OTP is performed on the blockchain is recorded without tampering. In addition, the variable 3114C of the server terminal 3C detects the variable change of the variable 3017A or 3017AG, and sends a non-fungible token (unauthorized notification token) to the user identifier, which is different from the OTP token that notifies that there has been unauthorized use. It is also possible to notify unauthorized access to contacts such as e-mail addresses and cell phone numbers corresponding to user identifiers listed in the customer information database 3016C.
Whether the user terminal is the true user terminal of the OTP token or the user terminal illegally obtained the secret key, changes such as increase or decrease in the numerical values of 3017A and 3017AG occur when generating the OTP, and the server terminal 3C detects it. can be detected and notified to the user, and if 3017A and 3017AG are public variables, anyone who accesses the blockchain can examine their numerical changes. For users who make unauthorized access, the number of OTP generations is recorded on a block chain that is difficult to falsify at the stage of generating OTP for OTP authentication, so the authentication system of the present invention can be used without leaving evidence of unauthorized access. Difficult to get through.

Here, in S216 and S217, if the user terminal records the secret key in the extension function of the web browser, etc., or cooperates with another website that manages the secret key, the secret key information is The user terminal 1A is caused to execute the OTP generation function 3009A and the authentication function 3018A. At this time, the terminal 1A requires information such as a web browser extension function loaded with a private key and the token number TIDA issued to the terminal 1A.
The token number used to access the server terminal 3C from the terminal 1A, the user identifier, IPV information such as the IP address of the terminal 1A, location information, and sensor information, and the login time, the number of logins, and the login status are stored in the terminal 3C. Data as shown in FIG. 6X is recorded in the access detection and monitoring database 3011C of the storage unit 30C.
Also, if the software that writes and records the secret key, accesses the blockchain and displays the OTP is installed in 102A of the storage device 10A of the terminal 1A, it is necessary to enter the secret key information with the login token number TIDA. (It is also necessary to fill in the contract identifier and blockchain identifier.)

In sequence S219, the server 3C requests the terminal 1A to input the token number of the OTP token, the user identifier, and the OTP. In addition to recording IPV information such as login time, login count, and login status, the terminal 3C distributes a web page for OTP authentication to the terminal 1A, and determines whether the access of the user terminal 1A is unauthorized access. to monitor. When authenticating the OTP on the web page, input values such as the user identifier and token number of the user, IPV values including the IP address and location information of the user terminal, sensor values of the terminal, etc., login time, number of logins, and login Record the status as shown in FIG. 6X.
In this case as well, in normal use, if one individual accesses one private key from one terminal to the server terminal 3C at the same time, the different IPV values shown in FIG. 6X should not be recorded.

In sequences S220 and S221, according to the program such as ECMAScript of the web page delivered in S219, one of the nodes of the block chain using the user identifier A, the token number TIDA, and the private key 101A recorded in the user terminal 1A Access 3A and execute the OTP authentication function (3018A in FIG. 3AC) of the OTP generation contract 3008A or 3008AA deployed at 3A.
The OTP authentication function 3018A uses the user identifier A, token number TIDA, and OTP as arguments, uses the argument OTP as ArgOTP, and passes the KC value and BC value recorded in the authentication contract in the authentication function, the latest block number, and the argument. Data is created based on the user identifier A and the token number TIDA, which are the obtained values, and the data is hashed with a hash function fh to calculate VeriOTP. It is verified whether VeriOTP and ArgOTP match, and if they match, it is determined that the authentication was successful, and the process when the authentication was successful is performed, and the authentication result is returned to the terminal 1A as a return value CTAU (3021A in FIG. 3AB), and they match. If not, the processing for the case where the authentication failed is performed (the authentication function 3018A operates according to the flowchart explanatory diagram of FIG. 6C, FIG. 6D, FIG. 6E, FIG. 6F, FIG. 6G, or FIG. 6H).
When the OTP authentication function 3018A is executed as shown in FIG. 6C or 6D, increase or decrease the variable OTPCT (3017A in FIG. 3AC) or OTPCTA (3017AA in FIG. 3AB) that records the number of executions inside the processing of 3018A. and record the number of calculations to generate an OTP on the blockchain without falsification. In addition, the change in the variable 3017A or 3017AA is detected by 3114C of the server terminal 3C, and a non-fungible token (unauthorized notification token) different from the OTP token that notifies of unauthorized use is used as the user identifier. or to notify of unauthorized access to contacts such as e-mail addresses and cell phone numbers corresponding to the user identifiers listed in the customer information database 3016C.
As in the case of the OTP generation function, in the case of the OTP authentication function as well, regardless of the distinction between the genuine user terminal of the OTP token and the user terminal that illegally obtained the private key, the numerical value of 3017A or 3017AG is used when generating the OTP. When a change such as an increase or decrease occurs, the server terminal 3C can detect it and notify the user, and if 3017A and 3017AG are public variables, everyone who accesses the blockchain can check the numerical change. be able to. For unauthorized access users, the number of OTP generations is recorded on a block chain that is difficult to falsify when performing OTP authentication, so it is difficult to pass through the authentication system of the present invention without leaving evidence of unauthorized access. . (Also, if the OTP authentication count changes and the authentication function is executed even though the BnTOTP generation count does not change and BnTOTP is not generated and acquired, the service provider should take countermeasures because it is considered to be illegal use. and the user can also claim that the OTP generation function has not been used and that it has been illegally used.)

In sequence S222, one or more post-authentication return values CTAU are defined as 3021A, 3022A, 3023A, and a database corresponding to the post-authentication processing content and the token number operated by the processing content (for example, bank account balance, , transferring the account balance to another function, etc.). 3022A and 3023A can be set to record valuable variables such as customer account balances, points, and voting results on membership sites on the blockchain so that they cannot be tampered with. Even if 3022A and 3023A are not set, it is possible to manage the customer's bank account information inside the server terminal 3C of the bank (internal network of the service provider) in the same way as the Internet banking of the existing bank, so the service is provided. 3022A and 3023A may not be used depending on individual cases.

In sequence S223, the terminal 1A acquires the authentication result CTAU (3021A) of the authentication function 3018A.

In sequence S224, it is verified whether or not the CTAU acquired by the terminal 1A is the value when the authentication result is correct, and if correct, the website information after login is distributed and the service is provided.
The processing from sequence S215 to S224 can be performed by simply entering the token number (OTP generation and authentication using ECMAScript, etc.) in a web browser environment that has a token number and a secret key and is designed not to leak the user's secret key. The program can do it automatically, saving you from manually entering an OTP) to log you in. However, even if it is possible to log in automatically on the program, the OTP obtained by the terminal 1A is displayed on the display 150A of the terminal 1A in the sequence 218, and the OTP is manually input to determine whether a person actually exists as a user. A confirmation sequence may also be used.

In the sequence S225, as in S215 and S219, access information including IPV such as the user identifier of the user terminal 1A accessing the service after the login of the terminal 3C, the token number, IP address, location information, and terminal sensor value is detected by the unauthorized access detection control unit. 3112C monitors, and if there is unauthorized access as shown in Figure 6X, an unauthorized access notification token is sent to the user identifier on the blockchain, or a pre-registered contact is sent an e-mail, etc., to suspect unauthorized use. inform you that there is
In sequence S226, the service is provided according to the user's access. For example, in net banking, processing such as confirmation of account balance and account transaction history (display of web passbook) is performed. In a process such as a transfer that requires password authentication or OTP authentication, a password is entered in S214 and OTP authentication is performed from S215 to S224 to provide the service. Sequence S227 is the same processing as sequence S225.
When the user executes logout or there is no access from the terminal 1A to the terminal 3C for a certain period of time, the user is automatically logged out.

The server 3C can record values such as the IP address when the terminal 1A accesses. In the present invention, in services that need to handle important transactions in the financial field such as banking transactions, while protecting personal information, information on the terminal that the user normally accesses, IP address, and location information are obtained with the consent of the user. A database that collects (or obtains and collects hash values such as IP addresses and anonymized values) and adds contact information such as bank account numbers, names, telephone numbers, and e-mail addresses to the data table in FIG. 6X may be recorded in the 3C recording section. Then, when the access history of terminal 1A is once accessed from a different environment such as an IP address using the private key 101A of terminal 1A, the customer receives the private key 101 from an environment different from usual by telephone or e-mail. It may be notified that there was an access with the originating user identifier A.

FIG. 8B shows a display screen 1500A of a valuable paper sheet, a valuable paper sheet 18A such as a paper ticket, and an NFC tag 19A in the one-time password authentication system (OTP authentication system) of the present invention.・It is a diagram of a basic authentication system for unlocking equipment/containers. FIG. 8B is a material for explaining Example 2 (Embodiment 2).
The basic operations of Example 1 and Example 2 (Embodiment 2) are similar. When performing admission processing with a ticket, a terminal 3D that has the same functions as 3C may be used (the terminal used when logging in to the website and entering is 3C, and the terminal used when entering the actual entrance) 3D is intended for entrance processing at entrances and ticket gates, but in addition to using 3D terminals for ticket gates at entrances, it is also possible to unlock locked buildings, vehicles, equipment, and containers. It can also be applied to applications where
In Example 2, the contract manager does not use block chain time information such as block number Bn, and has room to change the value of the variable KC (3011A in FIG. 3AC) or BC (3013A in FIG. 3AC) at any time. Use the password OWP. The OWP used in the embodiment is OWP=fh (A, TIDA, KC, BC), and the argument of the function fh does not have a variable such as the block number Bn that changes with time. However, OWP may change when the contract manager changes BC or KC using the setter function fscb at a certain time.

In FIG. 8B, a user terminal 1A (1A in FIG. 2A), a server terminal 3A (3A in FIG. 3A), a contract manager terminal 1C (1C in FIG. 2C), an entrance/ticket gate or a locked building/vehicle/equipment/container A terminal 3D (terminal 3D in FIG. 3D) capable of controlling locking and authentication by the OTP authentication system of the present invention and a server terminal 3E issuing valuable paper sheets such as tickets as OTP tokens through the network 20. It is connected.

Terminal 3D may or may not be connected to a network. Here, authentication functions 3018A and 3018DA capable of authenticating the OWP type OTP generated by the OTP generation contract of the terminal 3A may be recorded in the block chain recording unit 300D or 3010A of the storage device 30D of the terminal 3D. Variable information required for OTP calculation, such as KC values 3011A and BC values 3013A, 3030A, and 3031A used for the authentication functions 3018A and 3018DA, may be recorded in the terminal 3D.
Although the terminal 3D is not connected to the network 20, the authentication function capable of authenticating the OTP (OWP type OTP, OWP) generated by the contract 3008A or 3008AG regarding the OTP generation token of the server terminal 3A is stored in the 3D storage unit 300D. In preparation for 3010D, authentication is performed using a valuable paper sheet such as a paper ticket or an NFC tag that records authentication information such as OWP even in an offline state that is not connected to 3A having a blockchain part through the network 20, It may be possible to unlock entrances, ticket gates, and locked buildings, vehicles, facilities, and containers.
In particular, vehicles, buildings, and containers such as safes are not always online and can be connected to the internetwork. It may be required to be able to authenticate even in a disconnected state.
Therefore, in the present invention, OTP token issuance/distribution/generation of OWP type OTP is performed online by terminal 1A, terminal 3A, terminal 3E, and terminal 1C via network 20 and issuing tokens at the block chain unit. The OWP type is generated between 3A, and the generated OWP and the token number and user identifier used for OWP generation are printed on paper by the printer 152A of the terminal 1A to produce a printed matter 18A (18A in FIG. 2A or FIG. 8B). is manufactured, and the camera 340D of the terminal 3D is made to read the image information of 18A and 1500A for authentication.
In addition, the communication device 12A and the NFC tag 19A (19A in FIG. 2A or FIG. 8B) are made to communicate with each other, and the NFC tag 19A records the OWP and the token number and user identifier used for generating the OWP, and the NFC tag 19A is electronically entered. A ticket or a key for unlocking is communicated with the terminal 3D for authentication and entry or unlocking.
Here, the tag 19A is mainly assumed to be a contactless NFC tag, but it may be a contact IC tag or IC card, an external recording terminal 19A equipped with a communication terminal, or a magnetic stripe 19A. Contact-based or contact-based communication can be made with the terminal 3D.
Note that when the terminal 3D is connected to a network, not only the authentication function 3018DA recorded in the 3D, but also the authentication function 3018A of the block chain part existing in the terminal 3A is accessed and recorded in a paper ticket or NFC tag. Authentication is performed using authentication information including OWP, and entrance processing at entrance gates and ticket gates, and locking/unlocking of containers such as buildings, vehicles, equipment, computer terminals, safes, and safes are also possible.

<Manufacturing and Use of Valuable Paper Leaf 18A such as Paper Ticket or NFC Tag 19A>
The camera 340D of the terminal 3D in the offline state reads the OWP on the printed surface of the valuable paper sheet 18A and the token number and user identifier information used for OWP generation, or the 3D NFC communication device 341D reads the inside of the NFC tag 19A. Read the OWP recorded in , and the token number and user identifier information used to generate the OWP, and perform the same processing as the authentication function 3018DA or 3018A recorded in 300D or 3010D of the 3D recording unit 30D (see also the flowchart in FIG. 6F) VeriOTP is equal to ArgOTP according to the OWP OTP of the paper or NFC tag, and if they match, the opening/closing/gate/locking/starting device 350A is operated to enter and lock if it is an entrance or a ticket gate. If it is a device, it is unlocked, and if it is a starting device, it is started. At the same time, operations corresponding to the case where 351D and 352D can be authenticated and the case where they cannot be authenticated may be performed.
Authentication may be performed by presenting and reading an authentication information display screen 1500A such as OWP on the display 150A of the terminal 1A to the camera 340D of the terminal 3D instead of the paper information 18A.

<Production of 18A by printer>
A printer that manufactures valuable paper sheets 18A such as paper tickets should be able to print character information and bar code information on paper, plastic films, board materials, and the like. Inkjet printers, laser printers (electrophotography), and thermal printers (thermal paper) can be used. In addition, when the ticket is not paper but board or three-dimensional, there are plotters, two-dimensional processing machines that can cut and engrave information on the base material by attaching a cutting device to the plotter, three-dimensional processing machines, and 3D printers. may be available. Here, the printer is a device that processes a base material so that a character string or one-dimensional and two-dimensional bar code information can be read by the camera or scanner 340D of the terminal 3D to be authenticated. A pattern for etching or patterning is created using an inkjet printer, laser printer, or plotter, and processing (sandblasting, etching, sublimation transfer, etc.) of processing the base material based on the pattern can also be used.
Valuable paper sheets 18A can be manufactured by printing, patterning, textile printing, and transferring authentication information such as OWP not only on paper and film materials, but also on textile products such as metal plates, ceramics, and cloth.
Inkjet printers can use water-based pigment inks and dye inks that are visually readable, as well as invisible security inks, solvent inks, film materials for solvent inks, UV curable inks, and films compatible with these inks as needed. material is available. In the field of cash vouchers and tickets, when a ticket seller prints on behalf of a user and sends it to the user's address, it is assumed that special ink will be used to add value to the ticket. Also, if the user has an ink jet printer and can print by connecting to the terminal 1A, it becomes easy to express the pattern of the ticket in the case of color printing. When printing tickets, it is thought that it will be easier to distinguish what kind of ticket it is by printing patterns in multiple colors. (For example, banknotes and cash vouchers are colored and have different colors and patterns depending on the type of bill, making it easy for the human eye to distinguish the type of bill.)
In Example 2, a home inkjet printer using water-based dye ink or a laser printer using toner was used to produce 18A. The reasons why toner and laser printers are used are that the printed material has high weather resistance, that the printing speed is high, and that laser printers, which are widely distributed in offices and CVS, can express white and black colors.
Thermal printers and thermal paper are widely distributed as they are incorporated in commercial equipment such as automated teller machines (ATMs), convenience stores (CVS), and cash registers in stores. In the present invention, even in these thermal printers, information necessary for authentication including OWP can be printed on thermal paper as a character string or one-dimensional and two-dimensional bar code information to make a valuable paper such as a ticket. However, the printing surface tends to be less durable than that of toner, so it can be used for short-term tickets and gift certificates.

<Manufacture of NFC tag 19A>
When using the NFC tag 19A, it is sufficient if the communication devices 12A and 19A of the terminal 1A can communicate with each other. An NFC tag or an NFC card may be used. 19A may be a device having a shape or form having functions equivalent to those of the NFC tag. Products equipped with the NFC tag 19A function, such as eyeglasses, head-mounted displays or hearing aids, earphones, headphones, clothes or bracelets, wristwatches, wristwatch-type terminals or rings or belts, belt-type terminals, shoes, shoe parts, or shoe-shaped terminals It may be the NFC tag 19A incorporated in the device or a wearable computer terminal with the function of the NFC tag 19A.
Further, the NFC tag may be incorporated in known products such as mobile phone type terminals such as smart phones, wallets, key holders, etc., which have been used for payment of money and management of metal keys. The NFC tag 19A may be embedded in the product or attached to the product.
Also, the terminal 1A may have the NFC function and the terminal 1A itself may be a portable NFC tag 19A. In that case, the communication device 12A (including the electronic circuit of the terminal) of the terminal 1A connects the NFC tag portion 19A with the control device 11A and the storage device 10A in a wired manner.
The tag 19A may be equipped with contacts and terminals for wired communication. A contact or terminal provided in 19A may be used to read the authentication information into the terminal 3D to operate a locking device or an opening/closing device for entry controlled by the 3D.
IC-based terminals 19A and 16A are similar to the terminal 1A in that they are card or tag type compact electronic computer terminals equipped with a control operation unit, a storage unit, an input unit and an output unit as the five major computer units, and are also equipped with a power supply unit and a communication unit. The power supply device can include a wireless power supply system, a primary battery, a secondary battery, a circuit using the battery, and a system for charging the battery.

The flow chart of the OTP generation function in the second embodiment is shown in FIGS. 6A and 6B, and the OTP authentication flow chart is shown in FIGS. 6D and 6F. In FIGS. 6D and 6F, when the user identifier A and the token numbers TIDA and OWP as arguments are input as information printed on paper or information transmitted from the storage device of the NFC tag, the authentication function 3018A (or 3018DA) According to the input argument information, the verification OTP is obtained from the internal secret variables KC and BC of the contract 3008AA to which the authentication function 3018A belongs, and the user identifier A, token number TIDA, and OWP (as OWP=ArgOTP) input as arguments. Calculate VeriOTP = fh (A, TIDA, KC, BC), determine whether VeriOTP matches ArgOTP (that is, whether VeriOTP = ArgOTP or VeriOTP = OWP), and authenticate if they match performs correct processing, and if they do not match, performs processing for when authentication cannot be performed. The authentication function can also use the authentication function 3018DA recorded in the terminal 3D.

FIG. 7E is an explanatory diagram of the sequence when authenticating the terminal 3D using the device and the OTP authentication system shown in FIG. 8B. FIG. 7E assumes the use of tickets and memberships, automobile keys, or container keys as examples. It is assumed that tickets and membership rights have expiration dates and expiration dates, and in the field of automobile keys, it is assumed that objects that are locked periodically during vehicle inspections are connected to an internetwork or the like and can be maintained.
FIG. 7E is similar to FIG. 7B.
FIG. 7B is a sequence diagram of a general issuance of an OTP token using a password OWP. Transmit and deploy a transaction including the bytecode of the OTP token contract (generation contract, OTP generation contract) containing the OTP generation function with the KC value of k1 and the BC value of c1 to the terminal 3A so that OWP authentication can be performed. After preparation, a token with a token number TIDA is issued to the user identifier A of the private key 101A of the user terminal 1A. At the same time, the OTP authentication functions 3018DA, 3019AA, and 3018A must be set to the terminals 3D and 3C that provide the service, with the KC value set to k1 and the BC value set to c1. At this point, the user of the terminal 1A can generate and obtain a password OWP of OWP=fh(A, TIDA, k1, c1) and use it for authentication.
After a certain period of time has passed in S144, the OTP generated by the user's OTP token is changed by rewriting the KC value of the contract including the OTP generation function of the OTP token and the authentication function 3018DA to k2 and the BC value of c2 in S145. can be done.
The user of the terminal 1A uses the OWP generation software or a dedicated website using the software that accesses the blockchain, and in a series of steps from S137 to S139, the OWP type OTP token contract of the blockchain part of the terminal 3A OTP Call the create function to get the OWP type OTP. The OWP at that time is calculated by OWP=fh(A, TIDA, k2, c2).
When terminal 3C or terminal 3D is connected to terminal 3A via network 20, call OTP authentication function 3018A in steps S141 to S143, or call 3D OTP authentication function 3018DA instead of 3A in steps similar to steps S141 to S143. to obtain the return value CTAU of the authentication result, and when the return value CTAU of the authentication is the value (data) when the authentication is successful, in S144, according to the internal program for providing the service of the terminal 3D, the switch or lock device or start The device 350D is operated to open a gate device or a ticket examination device in the case of an opening/closing device, to unlock a lock in the case of a locking device, and to start a prime mover or a computer in the case of a starting device.
In the OWP generation software or dedicated website, in order to monitor unauthorized use of the user's private key, the process of S136 and S140 detects the presence or absence of unauthorized access as shown in the data structure shown in FIG. 6X and notifies the user. Good, when it is necessary to protect personal information in devices such as doors, vehicles, containers, etc. that are locked using the NFC tag 19A using OWP, or a server 3C that collects personal information (and a 3D that can be connected to the network) ), 3E, 3F, or 5A, if there is a risk of endangering the equipment of the terminal 3D purchased by the customer or its owner, use the function of collecting access information from the user such as S136 or S140. No need.
In S146, similar to S145, after an arbitrary period of time elapses as in S144, the terminal 1C updates the OTP generation side 3A and OTP authentication, and the service side 3D and 3C to update and match the KC value and the BC value, and the OTP calculation is completed. can be set to allow The KC value can be rewritten to k3 and the BC value to c3, and after that, the KC value and BC value can be rewritten at arbitrary time intervals. In the case where the NFC tag 19A is used as a vehicle key as a form of use, even if there is a forged NFC tag 19 that rewrites the OWP that is the key of the vehicle for each vehicle inspection, it can be regarded as a thing of the past (invalid). . In addition, it is possible to forcibly prevent a use ticket or ticket 18A having an expiration date from being authenticated after the expiration date.

The OWP in Example 2 was calculated as OWP=fh(A, TIDA, KC, BC), and the NFC tag 19A on which three of A, TIDA, and OWP were recorded (and three of A, TIDA, and OWP were printed. Valuable paper sheets 18A) can be authenticated as long as the KC value and BC value are not changed. It is also possible to operate a service that does not change the KC and BC values after setting the same KC and BC values for the generation functions of the contracts 3008A and 3008AG and the 3D authentication function.

However, if the KC value and BC value are not changed for a long time (in this case, several years, several decades), the three pieces of information A, TIDA, and OWP in the NFC tag will be leaked and the OWP information will be duplicated to unlock the vehicle illegally. There is a risk of locking and starting the vehicle. Therefore, there may be times when it is desired to periodically update the OWP as a car key every few months or every few years. In that case, the administrator of the OTP token contract that generates the OWP rewrites the OTP token secret variable by rewriting the KC value and BC value with the setter function fscb every few months and years, and OWP is generated at arbitrary time intervals. can be changed. The updated acquired OWP is different from the OWP that may have been duplicated before the update.
Although the NFC tag is described here, the OWP is updated even for a paper ticket, and the paper ticket printed before the OWP is updated becomes invalid. By updating the KC value BC value, it is possible to invalidate the data value of paper tickets and NFC manufactured in the past. It is up to the service provider to decide how to deal with invalid paper tickets and the like. A service provider who knows the history of changes in the KC and BC values may be able to verify whether a paper ticket ever existed and act against those with that paper ticket 18A. In 18A, in addition to A, TIDA, and OWP, it is preferable to record the block number Bn at the time of printing, the time of printing, the name and contact information of the service provider, and the contract identifier of the OTP token in the form of a readable character string. .

Since automobiles are regularly maintained during automobile inspections (vehicle inspections), the terminal 3D built into the automobile that controls the locking and starting of the automobile should be connected to the Internet to synchronize the seed value of the authentication function. Also, it is necessary to record OWP, TIDA, and A corresponding to the authentication function 3018DA provided in the terminal 3D in the NFC tag 19A again. The administrator of the OTP token for automobiles aims at holidays such as the end of the year when automobile inspections are not conducted, and by sending a transaction that changes KC and BC to the blockchain system including terminal 3A, the NFC tags of all automobiles belonging to the contract The OWP information can be changed, and after the end of the year-end holiday, the car is inspected based on the KC and BC values of the new year, and the latest OWP is used for the terminal 3D inside the car and the customer's NFC tag key. Can update.

In the case of a terminal 3D installed in a building or container instead of a car key, it is not equipped with a communication terminal or wireless communication device, so there is a possibility that KC and BC cannot be updated, so when 3D does not have communication means The contract manager does not change the KC value BC value. However, if the terminal 3D installed in the building or container has a communication device and can update the KC value and the BC value, the contract manager can change the KC value and the BC value.
In order to update the KC value and BC value of the terminal 3D, the owner of the 3D performs the update work, or the manufacturer of the 3D performs the update work, which requires human intervention. A wire is attached to the part that can be seen when the lock is unlocked (the lever or switch that unlocks the lock located on the back side of the locked door, the surface where the locking terminal 3D or the locking device is installed in the case of a safe, or the surface inside the cabinet) It is preferable that the KC value and the BC value can be updated through an update program by providing a communication terminal of the formula.
3D can be accessed wirelessly, but in that case access rights to the terminal 3D are required. It is conceivable to access using some kind of password or secret key installed in the terminal 1A with the user identifier A holding the OTP token.
As for the shape and form of the locking device including the terminal 3A, a padlock type terminal 3D, a wire lock type or a belt type terminal 3D can be considered in addition to the locking device of a safe. For locking a bicycle, a wire lock type or a terminal 3D that serves as a key exclusively for a bicycle can be considered.

Terminals 3D installed at service facilities such as entrance gates and ticket gates can easily be connected to an internetwork or a local area network LAN. The KC value BC value used in the authentication function 3018DA of the terminal 3D used for ticket authentication at the entrance or ticket gate can be updated from the remote terminal 1C using a wired or wireless connection. Alternatively, 3D may be connected to terminal 3A, which is a block chain node, through network 20 and authenticated using authentication function 3018A recorded in the block chain section of 3A.

FIG. 7E explains an explanatory diagram of the sequence when authenticating the terminal 3D using the device and the OTP authentication system shown in FIG. 8B. FIG. 7E explaining the second embodiment and FIG. 7D explaining the first embodiment have similarities. Sequences S230 and S231 are the same as in the first embodiment. In S230, instead of using block number Bn such as fh (A, TIDA, KC, BC) when calculating OTP, variable KC and variable BC that can be changed by the contract manager can be rewritten. In the second embodiment, the password OWP adopting secret variables BC and KC that can be changed by the contract manager is calculated as OWP=fh(A, TIDA, KC, BC). where A is the user identifier A and TIDA is the token number TIDA.

In S232, the contract identifier is registered or set in the server terminal 3E and the server terminal 3D used for issuing value sheets such as tickets. When 3D is used without being connected to the network 20, an authentication contract 3008AA including authentication functions 3018A and 3018A is stored in the block chain portion 300D and the basic program portion 3010D of the recording portion 30D of the 3D, and the authentication function is executed by the control portion 31D. 3018A can be executed.

After confirming that the terminals 1A and 3E have contracted to issue a token corresponding to a certain service, the terminal 3E requests the administrator terminal 1C to issue a token. In sequence S233, 1C issues a token with token number TIDA to user identifier A of 1A.

<Production of valuable paper sheets>
In a series of sequences from S234 to S240, the ticket issuing software recorded in the ticket issuing site 3E or the storage device of the terminal 1A is used based on the token number TIDA issued to the terminal 1A and the private key 101A recorded in the terminal 1A. 1A accesses the OTP generation contract 3008A of the blockchain system, and in S230 the process of generating OWP=fh (A, TIDA, KC, BC) set in 3008A as an OTP is started.
Then, OWP is OWP and other authentication information for printing along with necessary information according to the service, such as ticket pattern information recorded in 3E or ticketing software, contact information and address of service provider, expiration date of valuable paper such as ticket 1A is displayed on the display screen 1500A, and if necessary, the screen information of 1500A is printed using the printer 152A of the terminal 1A to produce a valuable sheet 18A in which OWP, A and TIDA are entered.
Also, an NFC tag 19A with OWP, A and TIDA written is manufactured. For the NFC tag 19A, similarly to the valuable paper sheet 18A, necessary information according to the service such as OWP, A, TIDA, service provider's contact information and address, expiration date of valuable paper sheet such as ticket, etc. is stored in the recording device 19A. can be recorded.

In the sequence S235, when accessing the ticket issuing server 3E and issuing a ticket to 1500A or 18A, accessor information such as that shown in FIG. 6X can be acquired and unauthorized access can be monitored. However, it is not a required function.
Regarding monitoring of unauthorized access, it is preferable to have a system for monitoring visitors, such as a security camera at 342D in FIG. (It is preferable to have a 342D, but for physical or economic reasons, there is little advantage in having a security camera, such as a small safe or a padlock type locking device, so it is not necessary to install a surveillance camera. Although it is possible to install a security camera for purposes such as locking the passenger, the present invention conceives a case where the 342D is not installed in consideration of the passenger's privacy.)

In sequences S236, S237, and S238, the terminal 1A obtains an OTP by calling the OTP generation contract of the terminal 3A to execute a function for generating the OTP. When the ticket is issued on the website of the server terminal 3E, the information 1500A of the valuable paper is displayed in S239, the printing of 1500A is permitted, and the valuable paper is printed on the NFC tag 19A. Have the information recorded. If the ticket is issued from the ticket issuing software recorded and executed in 1A, the information 1500A of the valuable paper sheet is displayed through the software in S240, the printing of 1500A is permitted, and the NFC tag 19A is caused to print the valuable paper sheet 18A. to record information on valuable paper sheets.

<Use of Valuable Paper>
In the sequence S241, the terminal 1A capable of displaying 1500A or the paper ticket 18A or the NFC tag 19 manufactured at S240 is brought to the place where the service is provided and presented to the terminal 3D of the ticket gate, the entrance, or the locked building/vehicle/container. Attempt to enter or unlock. At this time, 1500A or paper ticket 18A is read by camera 340D of terminal 3D. Further, the information required for OWP authentication of the NFC tag 19A is read through the communication device 32D of the terminal 3D at the entrance or locking facility.

In sequence S242, the presented paper or the printed surface of the display is read, or the data of the NFC tag ticket is read,
If the terminal 3D is not connected to the network 20 (offline), the authentication function 3018DA recorded in 300D or 3010D inside the terminal device 3D of the service section performs OWP verification and authentication processing in S242. to obtain the return value CTAU of the authentication result.
If the terminal 3D is connected to the network 20 (online), the OWP is authenticated by accessing the authentication function 3018A on the DLS in S243, and the authentication result return value CTAU is obtained from the authentication function. In S243, it is possible to set processing to increase/decrease the number of times of authentication and to mark the ticket as used at the time of authentication.
Here, examples of when the terminal 3D is offline are small safes, padlock-type locking devices, and locking parts of vehicles and buildings such as automobiles, agricultural machinery, forestry machinery, ships, and heavy machinery that are assumed to be in environments where wireless communication is difficult. is assumed. The terminal 3D, which is assumed to be used offline, is equipped with a communication terminal, a wireless communication device, and an NFC device that can change the variables KC and BC used in the authentication function 3018DA recorded in the 3D 300D and 3010D for maintenance and inspection. preferably.
Examples of when the terminal 3D is on-line include ticket gates at stations and entrances to commercial facilities such as movie theaters. However, since there is a risk that the network will be cut off in the event of a disaster, it is preferable to enable authentication even when online or offline. While replicating and synchronizing the block chain part of 3A, it is preferable that the block chain part 300D can be built in the terminal 3D even if it is cut off from the internetwork.

In sequence S244, the terminal 3D determines whether or not the return value CTAU of the authentication result is correct from the authentication function. If the return value CTAU of the authentication result is not correct, it waits until authentication is performed again. At S244, when the 350D is operated, at the same time, an operation corresponding to the case where the 351D and 352D can be authenticated and the case where the authentication cannot be performed may be performed.
In addition, in S244, when there is no opening/closing device 350D in the case of the terminal 3D at the entrance or the ticket gate of the station, and the entrance is restricted by personnel, the 350D may not be provided, and the personnel may use sound or light instead of the 350D. In order to help distinguish users who are allowed to enter, an operation corresponding to the case where 351D and 352D have been authenticated and the case where they have not been authenticated may be performed.

In sequence S245, the contract manager terminal 1C accesses the node terminal 3A of the blockchain, changes the secret variable KC value and BC value of the OTP generation contract, and furthermore authenticates the authentication functions recorded in the storage device 300D and 3010D of the terminal 3D. By changing the KC value BC value of , the seed value of OWP=fh(A, TIDA, KC, BC) is changed and the password OWP is changed. A terminal 3D that is not connected to a network requires a terminal, a wireless communication device, or an NFC device that enables communication between the terminal 3D and a user terminal. If the terminal 3D is a safe or an automobile, the owner or a person who maintains or maintains the terminal 3D needs to change the secret variable KC value and BC value.

If the KC and BC of the terminals 3A and 3D are changed in the sequence S245, valuable paper sheets such as NFC tags and printed tickets manufactured by the user cannot be authenticated and can be invalidated. For example, if a gift certificate has an expiration date (valid from November 30th to December 30th, etc.), changing the KC value or BC value after the expiration date will result in Display information, NFC tag) can also be made unauthenticated and unusable.

A token number that can be unlocked using the terminal 3D may be determined in advance in relation to the sequences S232 and S233, and the token number may be recorded in a storage device serving as a ROM of the terminal 3D. The authentication function of Terminal 3D performs authentication by reading A, TIDA, and OWP from the NFC tag. A token number corresponding to (the individual identification number of the product) can be incorporated into the terminal 3D when the product is manufactured.

<Car key>
As an example, if an OTP token and an OWP type password generated by the token are recorded in an NFC tag for a car key, the contract identifier of the OTP token corresponding to a certain vehicle type is set, and the serial number of the vehicle type is set. A terminal 3D that records the corresponding token number can be installed in the terminal 3D of the locking device of the automobile, the starting control device terminal 3D or the main computer terminal 3D of the automobile corresponding to the serial number.
Owning a car is recorded on DLS, and if the car is transferred to another person (another user identifier B), the argument for generating OWP is changed from A to B, and it has user identifier B. The user can generate an OWP different from that of the user with the user identifier A, load it on the NFC tag, and use it. Here, user A has an NFC tag with pre-update A, TIDA, and OWP, and there are two users, A and B, who can unlock the car. Therefore, in sequence S245, the KC and BC of the block chain system including 3A and the terminal 3D of the car are periodically changed and updated.
Also, the terminal 3D may record the user identifiers A and B. FIG. When transferred from User Identifier A to the user with User Identifier B, the user with User Identifier B may write User Identifier B to terminal 3D via a communication terminal accessible from inside the door of an unlocked vehicle. In the above example, if the user identifier B is internally written to the terminal 3D and fixed as an argument of the OTP authentication function 3018DA, the terminal 3D can authenticate only the OWP derived from the user identifier B when unlocking. (This operation is similar to a name change.)
When the terminal 3D of the automobile can be connected to the internetwork, updating and synchronization of KC and BC between the terminal 3D and the server terminal 3A are easy. Renewal of KC and BC can be handled under the secondhand dealer who handles the transfer and sale of the secondhand goods. It is also possible to update the authentication function of the car terminal 3D and the NFC tag 19A that drives it at the stage of regular car inspections. In addition, terminal 3D installed in agricultural machinery, heavy machinery, ships, etc. can update the status of NFC tag and terminal 3D by rewriting KC and BC at the time of maintenance inspection or transfer according to user's request. Industrial equipment and devices such as machine tools can also be locked.
Record the token number in the form of a ROM that can be written only once (in the form of a ROM that cannot be rewritten by an attacker once the token number is written by the product manufacturer such as a car) and record it in the recording device of the terminal 3D and correspond to the product serial number. It may be useful to record owner history information, distribution information, and maintenance history of products such as automobiles. It can be used to investigate the distribution status of not only automobiles but also vehicles, equipment, and products.

<Keys to doors of buildings, keys to containers such as safes>
For building keys and keys for containers such as safes, a token number is assigned to each safe and door product with a locking function at the time of manufacturing, just like when manufacturing a car, and a unique token number is assigned to the terminal 3D built into the product. It is possible to record in the ROM of the 3D storage device 30D and distribute products including the terminal 3D to users. On the other hand, assigning a token number corresponding to the manufacturing number of the product to the 30D ROM may require time and labor costs in the manufacturing process of the product. (As an example, individually assigning a token number to a small lock terminal 3D that is mass-produced may lead to an increase in the manufacturing cost of the small lock.)
Therefore, when the token number is recorded in the 30D, non-volatile RAM is used instead of ROM, and when the customer purchases a container such as a door with a locking function or a safe, the user manually enters the token number used for NFC tag authentication. A recording method is conceivable. As an example, a user purchases a safe equipped with a terminal 3D, requests issuance of a token, and is issued a token with the token number TIDA. The purchased safe is not locked, and the storage device 30D is accessed from the user terminal 1A or the like using a terminal for connection to the terminal 3D installed behind the door of the safe or a communication unit such as NFC, and the token of the safe is obtained. A number is set to the token number TIDA held by the user identifier A. Then, OWP is generated from server 3A using private key 101A possessed by terminal 1A, OWP and user identifier A (and token number TIDA) are recorded in NFC tag 19, and NFC tag 19 with the authentication information is recorded. Then, the terminal 3D performs OTP authentication by OWP, and unlocks (locks or unlocks) the safe when the authentication results match.
The user identifier may be recorded in the terminal 3D installed in a safe or the like as in the case of a car. (The device may be labeled with the user's name in the form of a user identifier.)

<NFC tag power supply and input/output device>
The NFC tag 19A may include a primary battery or a secondary battery in its power supply. 19A may include one or more push-button switches (or touch sensors) as input devices. In the application of automobile keys, two 19A push buttons for unlocking the doors of the automobile from a remote location by wireless communication such as NFC, and a lock button for relocking the unlocked doors. In addition, a primary battery or a secondary battery is required as a power source for operating a computer including a storage device, a control operation device, an input/output device, and wireless communication in which the OWP of 19A is recorded.
Here, when the input device of 19A is an IC card or tag with an NFC function, the input device may be only a wireless communication device as an NFC tag.
Also, although the input device has been described as a push-button type or a touch sensor as a specific example, the type is not specified in particular. (This is because various forms of input can be considered according to the type of sensor, such as voice input by a sound sensor, for example). 19A is equipped with a wireless input device including an NFC function and other sensor-based input devices.
Furthermore, if possible, the NFC tag 19A may be provided with an output device for notifying by light or sound that the input device has been operated when the input device is operated (when the input device is in operation). . 19A may comprise a light emitting device such as a light emitting diode or a buzzer.

<Usage for decrypting encrypted data>
8C and 8D are connection diagrams of devices when decrypting and viewing encrypted data in the one-time password authentication system (OTP authentication system) of the present invention. In FIG. 8C, terminal 4A, terminal 1C, terminal 3A, terminal 5A, and terminal 5B are connected via network 20 so as to enable two-way communication. FIG. 8D is a connection diagram of devices when terminal 4A (and a plurality of terminals equivalent to 4A) receives encrypted data broadcast from broadcasting station terminal 5C and decrypts the received encrypted data.
The information 403A of the software CRHN is recorded in the recording unit of the terminal 4A, and the encrypted data EncData (4034A in FIG. 4B) obtained by executing the program of 403A and operating the software CRHN is the key obtained from the authentication system of the present invention. Create key information TTKY4033A used for decryption using information CTAU4031A and external key information AKTB4032A, decrypt 4034A using 4033A, obtain decrypted data DecData (4035A in FIG. 4B), and view or listen to 4035A, If 4035A is a program, execute it. 8C and 8D are materials for explaining Example 3 (Embodiment 3).

The operation of Example 3 (Embodiment 3) is similar to Example 1. FIG. In the first embodiment, it is used for logging in to the website and accessing the service, but in the third embodiment, the login target decrypts the encrypted data and accesses it. In the third embodiment, BnTOTP using block chain time information such as block number Bn is used. BnTOTP used in the examples is BnTOTP=fh(A, TIDA, KC, Bn) or BnTOTP=fh(A, TIDA, KC, Bn, V) or BnTOTP=fh(A, TIDA, KC, BC, Bn, V ) and the variables KC and BC may be changed and updated by the contract manager through the function fscb.

FIG. 7CA shows a sequence for decrypting encrypted data obtained by distribution, distribution of a recording medium, or reception of broadcasting. FIG. 7CB shows a sequence for distributing, distributing, or broadcasting encrypted data created by encrypting plaintext data. FIG. 7CC shows an example of decrypting and browsing an encrypted file using a browsed certificate OFBKMK in an offline state where communication of the user terminal is disconnected from the network.

<Create Encrypted Data>
First, the procedure for creating an encrypted file using software CRHN403A will be described.
Plaintext data (content data, content file) is prepared in sequence S180 in FIG. 7CB. In S181, an electronic certificate DecCert or the like attached to the plaintext data (including information obtained by electronically signing the electronic certificate and content data with a certain private key) is acquired. Although this is not essential, when the encrypted data is decrypted, the creator of the plaintext file is known, and the issuer of the electronic certificate is registered on the server that posts advertisements etc. on the software CRHN. If it is known, it can be determined that it is not a malicious program and the data can be executed.
Usually, when the software CRHN is used only as a playback software for e-books and music videos, if it is a music, video, or book file, the file name has an extension, and the file is processed according to the extension and the document file is displayed. and music video files can be played, so the possibility of executing a malicious file may be low. However, when programming the software CRHN so that all data can be executed without an extension in the file name, countermeasures against malicious program data are required. It is desirable to add an electronic certificate and electronic signature registered in the file.

In S181, it is also assumed that the plaintext data is a magazine, a newspaper, a weekly magazine, or the like. Advertisement distribution for linking and connecting to the advertisement distribution server terminal 5A (CRHNcm) having a site for distributing advertisement data and advertisements in a plain text file, just like paper newspapers and magazines have advertisements printed on paper. You can embed the URI of the site.
Whether or not to use the function of embedding the URI to the advertisement distribution site of the terminal 5A in the plaintext data depends on the judgment of the right holder of the plaintext data. It may be desirable to install it because it is possible to expect the display of advertisements and the return of advertising income to the right holders of plaintext data due to the display of advertisements derived from plaintext data. The above function is a monetization function in which the right holder of the content decrypts the encrypted data of the right holder by using the software 403A on the user terminal and obtains advertising revenue every time the content is viewed.
It is also possible to set a different URI of an advertisement distribution site for each token number (such as setting a value derived from a user identifier or token number to a basic URI and setting advertisement data corresponding to that URI).
Advertisements to be distributed from the URI set here must be distributed according to the plaintext data and the rating information described in the corresponding OTP token. The URI described in the plaintext data included in the encrypted file that has been once encrypted and distributed worldwide through the network 20 cannot be changed.

The URI for connecting to the advertisement distribution site distributed by the terminal 5A can also be set in the software CRHN 403A, and the advertisement can be displayed when the software CRHN 403A is executed on the terminal 4A. 403A can check whether or not there is unauthorized access at the same time as the advertisement is displayed. In addition to the advertisement, it is possible to guide the update of the software information of the software CRHN403A. However, a 403A designed for personal or corporate business use rather than content viewing only may not have a URI to connect to the advertisement.

In S182, the OTP token contract is programmed to encrypt and decrypt the plaintext data created in S181 and embedded with the URI for registration and advertisement. The steps are similar to those of the first and second embodiments. Information such as the name of the content, the name of the right holder, the contact information of the right holder, the rating, etc. is recorded in the variable 3024A serving as a signboard. In addition, variables such as the return value of the OTP authentication function, data CTAU (3021A in FIGS. 3AA, AB, and AC), or database 3023A of information operated by processing contents 3022A and 3022A during OTP processing are set as necessary.
Here, the variable required when implementing Example 3 is the return value CTAU of the authentication function, and CTAU returns the information CTAU recorded on the blockchain when authenticated to the accessor whose authentication result is correct. In that case, information other than CTAU (information when authentication cannot be performed) is returned. In the third embodiment, since the common key TTKY of common key encryption for decrypting encrypted data is calculated based on CTAU, the creator and manager of the contract need to set CTAU.
3021A's CTAU information may have a setter function that is accessed by a user identifier authorized to change the CTAU to change the CTAU. It is also possible to set a different CTAU (CTAU[TIDA] when expressed as a mapping variable) to the token number. However, even in that case, CTAU[TIDA] must be set for each user. Additionally, content needs to be encrypted and distributed per user's CTAU[TIDA] (and more transactions on the blockchain).
CTAU of 3021A is a value in terminal 3A, and is recorded as 4031A in terminal 4A after OTP authentication. 3021A and 4031A are the same value.

In Example 3, a single CTAU is recorded in the contract as a key that can be easily obtained from the blockchain and used as the return value of the authentication function. In the present invention, it is preferable to use a blockchain platform (or a distributed ledger system DLS platform) that can conceal the information of the CTAU data 3021A. It is preferable that the CTAU data 3021A along with the transaction at the time of deploying the contract, the secret variables such as the KC value BC value, and the seed value be made anonymous or viewable only by authorized access or limited access.

In carrying out the third embodiment of the present invention, since Ethereum, whose contract and transaction details are open to the world, was used, CTAU (3021A) cannot but be open to the public on the blockchain. Therefore, it became necessary to encrypt using a key other than 3021A. Then, encryption was performed by using a key AKTB (4032A in FIG. 4B) obtained by a route different from the blockchain and a common key TTKY for encrypting data using CTAU (3021A) of the contract.

In addition, obfuscated or encrypted source code inside software CRHN (403A) - add private key CRKY (40302A in FIG. 4B) inside, CTAU (3021A or 4031A), AKTB (4032A) and CRKY (40302) A key TTKY (4033A) for encrypting and decrypting a plaintext file, which is used for common key encryption, is generated.
In addition, in fact, in addition to this, multiple 4032A are used to prevent TTKY from being deciphered, and a dedicated smart contract (contract identifier APKY, 40301 in FIG. 4B) to acquire the key information CAPKY (40303A in FIG. 4B), and generate TTKY (4033A) using four variables of CAPKY including CTAU, AKTB, and CRKY. In Example 3, three variables, CTAU, AKTB, and CRKY, were used to calculate TTKY (4033A) used for common key encryption. It should be noted that 4033A is calculated by hashing or cutting a part of the variable values, instead of combining the three variables as they are to form a common key. A program including calculation methods and processing methods for calculating 4033A is recorded in software 403A.

In Example 3, TTKY (4033A) is calculated using CRKY (40302A) and CAPKY (40303A) based on CTAU (3021A) and AKTB (4032A). When used for distributing the content, at least the shared key 4033A of the shared key encryption derived from the CTAU (3021) including the OTP authentication result when executing the authentication function in the contract on the blockchain is used.

AKTB (4032A) is available in addition to CTAU (3021A or 4031A). Specifically, 4032A sends a password value corresponding to the token number as AKTB to a person who has purchased a certain book or audiovisual data as an OTP token by means of e-mail, postal mail, or the like, and sends the AKTB by e-mail. Common key encryption (or symmetric key encryption) of plaintext with TTKY (4033A) calculated from common CTAU in the contract, and the encrypted data is cloud storage, e-mail, magnetic tape, magnetic disk, optical disk・For encrypted data distributed by semiconductor memory, etc., and distributed by users who purchased OTP tokens using 4033A,
The user uses software CRHN 403A stored in the storage device 40A of the terminal 4A,
OTP token assigned user private key 401A;
the contract identifier of the OTP token and the OTP token number TIDA;
CTAU (3021A or 4031A) obtained by OTP authentication using 401A and token number TIDA at 403A and key AKTB (4032A) notified by e-mail or the like
can be used to decrypt encrypted data.

The administrator terminal 1C sets a certain value of CTAU (3021A) that can be used to decrypt the encrypted data so that it can be used as the return value of the contract authentication function, sets the KC value and BC value used for OTP calculation, and sends the OTP. Programmed to calculate BnTOTP=fh(A,TIDA,KC,Bn) or BnTOTP=fh(A,TIDA,KC,Bn,V) or BnTOTP=fh(A,TIDA,KC,BC,Bn,V) A contract including an OTP generation function and an authentication function is created, and at S183, the contract created at S182 is accessed to the server terminal 3A, which is a node of the blockchain system DLS, and deployed to DLS.

At S184, the terminal 1C acquires the contract identifier 3019A deployed to the DLS at S183.
In S185, the contract identifier, the name of the contract, the name of the creator, the date of creation, the rating, etc. of the service are set in the storage units of the servers 5A and 5B, and the databases and control units of the storage units. Encrypted data can also be registered.
The server terminal 5B receives access from the terminal 4A, and when the server 5B also serves as a server for sales of contents such as electronic books and audio/video computer software, and for electronic commerce, the right holder name rating information of the product purchased by 4A, etc. and the product name, the contract identifier of the OTP token for decrypting the corresponding encrypted data, and the software CRHN can be associated with each other. If the server 5B is used to encrypt confidential data of a certain organization and share it within the organization, the name of the data, or the name of the data, the name of the data creator, the name of the data right holder, and the contract identifier of the OTP token should be associated. can be done.

In addition, the terminal 5B has a user identifier A used for accessing the blockchain, such as the customer's name, date of birth, etc., e-mail address, login password, address information, telephone number, etc. necessary for electronic commerce (or It has the customer's personal data such as the contract identifier of the OTP token (with purchase history) and the corresponding token number of the owned token. Based on the customer's personal data, the terminal 5B can perform purchase and settlement of merchandise in cooperation with an external settlement business operator such as a credit card and its server terminal with the support of the customer.
The terminal 5B can transmit the key AKTB (4032A) notified to the customer's e-mail address, telephone number, and address by e-mail, telephone, mailing, or the like. In addition, it is also possible to send AKTB (4032A) using a transaction that can conceal the contents of 4032A with user identifier A, which should not be transmitted on the blockchain. Alternatively, another block chain infrastructure is constructed based on the private key 401A of the terminal 4A capable of calculating the user identifier A, and when the user identifier AA is calculated from the private key 401AA instead of the user identifier A, 4032A is sent toward the user identifier AA. You can also consider sending.
Specifically, a user identifier A is used on a block chain platform called Ethereum, and a private key 401A indicating a user identifier AA is used on a block chain platform called Hyperledger. ) has a Hyperledger transaction that allows operations involving decryption of data encrypted by the present invention on different blockchains while using the same private key.

In S185, the contract identifier and content information can also be registered in the server 5A (SVCRHNcm) having the advertising function.

In S186, the contract manager terminal 1C issues an OTP token for testing and encryption to the user identifier C corresponding to the secret key 101C of the terminal 1C before distributing the token and the encrypted data to the customer. S186 is a sequence for issuing an OTP token to the terminal 1C, creating encrypted data obtained by encrypting the plaintext content, recording the encrypted data in the terminal 1C, and distributing the recorded encrypted data.
As will be described later, in S155, the OTP token is issued to the user identifier A of the user who has obtained the OTP token purchase, the right to view the encrypted data, and the ownership of the data that can be viewed by making a payment using the electronic commerce function of the terminal 5B. . Here, the OTP token does not necessarily have to be purchased at the terminal 5B, and can be issued if the terminal 1C receives an order or request. For example, the terminal 1C has a contract with an EC site, an EC type bookstore site, or the like, and a mode is conceivable in which a token number is assigned to a user identifier specified by the EC site and issued.
It is important here that the present invention cannot send the OTP token to the correct party unless the user identifier to which the token is sent is correctly notified. Token issuance requires the correct destination user identifier.

At S187, the software CRHN (403A) is acquired mainly from the terminal 5B. It can be obtained from the reliable storage destination of 403A even at terminals other than terminal 5B. The distributor of the encrypted data must specify the version of 403A that can decrypt the data and inform the user. For practical operation, the version of the software CRHN (403A) used to create the encrypted data should be distributed together with the encrypted data.

At S188, settings are read and input. The secret key is directly input to 403A, or secret key information is input to 403A in cooperation with software other than 403A that manages the secret key.

In S199, the user identifier is calculated and generated when 403A is activated or when the information of the secret key (secret key 101C of terminal 1C in FIG. At this time, the contract administrator 1C can also be monitored for unauthorized access as shown in FIG. 6X.

AKTB (4032A) is set in S189. Alternatively, a predetermined AKTB (4032A) is stored in the recording device of the terminal 1C. S189 may be performed simultaneously with S188. AKTB (4032A) is set corresponding to the user to whom tokens are to be distributed.
Specifically, an organization sets different AKTB (4032A) for each year, month, week and day, and users belonging to the organization know AKTB (4032A) and encrypt only to users who can own OTP tokens You may enable it to decode the data which carried out.
Alternatively, the right holder uses the e-book publication as plaintext data, sets a unique AKTB (4032A) corresponding to a certain user identifier, notifies the AKTB (4032A) with an e-mail address, etc., and then sends the plaintext data to A may be encrypted using AKTB (4032A) corresponding to .

Regarding encryption, AKTB (4032A) arbitrarily set as CTAU (3021A or 4031A) and notified to the distribution destination, and AKTB known only to user identifier A using software CRHN (403A) and secret key CRKY (40302A) of 403A Create encrypted data that can be decrypted using (4032A), attach it to A's mail address as an attached file and distribute it, or distribute it by cloud storage service etc. Server used in the present invention such as terminal 5B It can be distributed using a terminal. Also, even if the network 20 is not used at the time of distribution, external storage devices such as magnetic tapes, magnetic disks, optical disks, and semiconductor memories can be distributed by mail or delivery to the user's address.
When setting and distributing different AKTB (4032A) for each customer for magazines and books, it is useful to protect the plaintext data of the content right holder, while the plaintext data is encrypted according to the number of users and the AKTB (4032A) must be distributed to users with corresponding encrypted data.
In the case of books that distribute content in a one-to-many mass media format similar to broadcasting, such as newspapers and magazines, plaintext is encrypted according to the total number of users for a certain period of time (daily/weekly) for each percentage of users in Japan. computer and network resources.
In that case, AKTB (4032A), which changes depending on the period (weekly, monthly, yearly, etc.) or region (Nagano, Osaka, Tokyo, etc.) By distributing the encrypted data of the newspaper according to the If you can get the data, you can also make it possible to read newspapers.

The distributed encrypted data is recorded in the user's terminal, and the encrypted data (4034A) is transferred to the user terminal as an OTP token (CTAU (3021A) obtained when the OTP token is authenticated), AKTB (4032A), and software CRHN (403A). , CRKY (40302A) and private key 401A, it can be decrypted and viewed as decrypted data/plaintext data (4035A).
A key TTKY (4033A) that can decrypt the encrypted data at the time of browsing is calculated and encrypted with the private key 401A to make CTTKY (40361A), and CTTKY (40361A) is encrypted with CRKY (40302A) recorded in the software CRHN (403A). Obtain the Transform ACTTKY (40360A) and record within the OTP Authenticated Certificate 4036A or Viewed Certificate OFBKMK (4036A) data. OFBKMK records a common key TTKY (4033A) for decrypting content encrypted with the secret key of software CRHN and the user's secret key. (OFBKMK is an offline bookmark)
OFBKMK 4036A allows offline access to users in a manner that controls viewing time and the like.
If the transfer restriction function of the OTP token is canceled and the token is sent to others, OFBKMK4036A may be able to read the book even though it does not have the right to read or own the book. .
Therefore, the content right holder of the OFBKMK function 4036A has the maximum time value of the browsing time limit every time OTP authentication is performed, and the time stamp at that time is recorded in OFBKMK in the form of HMAC, electronic signature, etc. Software 403A can be programmed so that the later the time stamp at the time of authentication described in 403A is, the less time is available for browsing when disconnected from the network 20 and going offline. In Example 3, the viewing time was set in units of 10 minutes, 30 minutes, and several hours.
As an example, if the viewing time limit is 300 minutes immediately after OTP authentication, the present invention allows viewing by the time divided by the number of years every time y years have elapsed since the OFBKMK timestamp time. For example, when y = 10 years, 10 years have passed since the timestamp, 300 minutes is divided by 10 in 10 years, and software CRHN (403A) can be viewed by Here, if the user has an OTP token, they can be authenticated by accessing the blockchain when online, create a new OFBKMK, and reset the viewing time to 300 minutes.
In the process of comparing the time stamp and the current time, the current time is based on the time of the user terminal 4A. It is preferable that there is a time data transmission station such as GNSS, JJY, or NITZ, that the terminal can receive correct time data, and that the terminal's time data is set correctly. If the right holder of the plaintext data permits, it is also possible not to set the reading time by OFBKMK.
The function of OFBKMAK4036A is to decipher encrypted data that can be viewed with a time limit and to access the plain text. It is a concept that exists. Alternatively, it is based on the fact that a person remembers an image of a book once read, and forgets the image of the read book over time, making it difficult to remember. 403A may perform processing such as displaying the plaintext data on the display of terminal 4A in a blurred manner during decoding using 4036A over time.

Even paper books are sometimes copied as materials, and the risk of being copied remains unless the content is protected from being photographed on the display. On the other hand, if the content is useful and can be used even in the event of a disaster that can go offline, it is preferable that the user can read the content.
If you want to distribute the content without leaving it on the user terminal, it is preferable to use the login method to the website of the first embodiment. However, in that case, if the login destination server ends the service and loses the data, the user will not be able to view the books and music video works that the user has subscribed to.
Paper books, ancient documents, and ukiyo-e prints have passed down hundreds of years and passed on to future generations. In the present invention, even if it is digital data, the ownership, viewing rights, and usage rights of data that should be left to future generations after a long period of time are recorded in the form of OTP tokens, and the data that can be viewed with the tokens is encrypted data. , and the encrypted data can be viewed even offline when the network is disconnected, such as in the event of a disaster, using the data at hand of the user. Although the OTP token, which is the right to view and own, is managed by the blockchain, it is not always possible to access the blockchain, and in the present invention, consideration has been given to allowing users to view books they have purchased offline.

If the content is a newspaper or the like, it may be necessary to periodically update the CTAU (3021A) value for the OTP token contract since it is a subscription service. Alternatively, it may be necessary to periodically update AKTB (4032A) instead of CTAU.
A valid/invalid variable corresponding to the user's OTP token number (a mapping variable representing the validity/invalidity of a boolean type token with the token number as a key) is prepared, and when the authentication function (3018A) authenticates, the variable becomes true. It is also possible to add a process of determining whether or not it is true, returning the authentication return value CTAU (3021A) if true, and not returning CTAU (3021A) if false.
Valid/invalid variable corresponding to user's OTP token number (mapping variable representing validity/invalidity of boolean type token with token number as key) You need to set a setter function that can be set to false or not.
(Even in Embodiments 1 and 2, after the expiration date, the mapping variable representing the validity of the boolean type token with the token number as the key is rewritten from true to false for the viewing rights and tickets for admission and login from the terminal 1C after the expiration date. It may be possible to stop OTP generation and authentication by doing so.
Also, if a certain OTP token is an OTP token that decrypts encrypted data related to a book, book, music record, or video, has an indefinite expiration date, and is valid as long as the OTP token is in possession, the token is valid or invalid. There is no need for a mapping function representing , or a function for stopping OTP generation authentication. )
For newspapers and magazines, if the Internet can be connected, OTP tokens are used as login rights to the rights holder sites of newspapers and magazines, as in Example 1, and content is appropriately encrypted while restricting access to users who have access. Delivery may be preferable. However, as with paper newspapers, the method of Embodiment 3 can be used in the present invention if encrypted data is stored at the user's terminal 4A and can be viewed offline when not connected to a network. . Newspapers report on past events, and a method that remains in the user's hands may be a better way to record events.

In a series of sequences from S190 to S192, the terminal 4A accesses the blockchain system DLS (terminal 3A) and acquires OTP from the OTP generation function provided in the DLS OTP token contract to the storage device of the terminal 4A. Here, the OTP may be a BnTOTP type OTP or an OWP type OTP. In Example 3, BnTOTP=fh (A, TIDA, KC, Bn, V) or BnTOTP=fh (A, TIDA, KC, BC, Bn, V) was used. The OTP generation sequence is the same as in Examples 1 and 2.

A series of sequences from S193 to S195 is performed by inputting the acquired OTP, the token number of the OTP token, and the user identifier as arguments to the OTP authentication function (S193 and S194 parts) as in the first and second embodiments, and return value CTAU (3021A or 4031A) is obtained (S195 part).

At S196, a key TTKY (4033A) for encrypting plaintext data is generated from CTAU (3021A or 4031A), AKTB (4032A), and CRKY (40302A) by processing according to the program of software CRHN (403A). Here, the process of generating and calculating 4033A in the program 403A may include processing such as hashing and cut processing of numerical character strings, and the program 403A is also a key element for decrypting encryption.

In S197, the TTKY (4033A) calculated in S196 is used as the common key to encrypt the common key data (4035A, however, 4035A can also exist in the storage device of the terminal 1C and the storage device of the terminal 4A). ) to obtain encrypted data EncData (4034A, where 4034A can also exist in the storage device of terminal 1C and can also exist in the storage device of terminal 4A). AES (Advanced Encryption Standard) was used for common key encryption. In practice, AES key data lengths of 128 Bit, 192 Bit, and 256 Bit are used.

In S198, the encrypted data 4034A is stored in the server terminal 5B (SVCRHNdrive), a cloud storage other than the terminal 5B, or a file storage/file sharing server different from the terminal 5B, and the user who distributed the OTP token delivers the encrypted data 4034A. do. In this process, the encrypted data 4034A may be recorded in the server terminal 5C serving as a broadcasting station and broadcasted by cable or wirelessly. The encrypted data 4034A may be recorded on an optical medium such as an optical disk, a magnetic medium such as a magnetic tape or a magnetic disk, a semiconductor memory, or the like, and distributed.
In addition, a recording medium that does not use magnetism or semiconductors may be used. The encrypted data may be converted into a character string on a microfilm, recorded and stored, and delivered and distributed by mail or the like. Encrypted data can be distributed and circulated in a variety of ways. It is also possible to print on paper a character string of encrypted data in the same way as microfilm. There are no restrictions on how the data is distributed.

When storing data in the broadcasting station server terminal 5C instead of the server terminal 5B in the sequence S198, if the terminal 5C is an artificial satellite station in space, the server terminal 5CC for mutual communication with the terminal 5C is required. The terminal 5CC is also necessary when the terminal 5C is connected to the terminal 5CC by a dedicated line. The encrypted data 4034A is processed into a form suitable for data broadcasting (processed for digital broadcasting from the broadcasting station) and transmitted to the user. Processing for digital broadcasting includes addition of error correction codes and packetization.
In the case of live broadcasting of wireless data, when 4035A to 4034A are created using 4033A as a key, there is a risk that the radio wave will not reach the user's receiver due to the weather and the data will be interrupted. In order to deal with this problem, the video and audio being shot and recorded are distributed as small data packets with 4033A as a key at any time using block encryption, an error correction code is attached, or stream encryption is used for distribution. Sometimes.
In existing examples, block encryption is used for terrestrial digital broadcasting, but in the present invention, software CRHN (403A) can perform stream encryption in addition to block encryption on plaintext data. Encrypted data stream-encrypted can be broadcast successively. In addition to broadcasting, bi-directional exchange of stream-encrypted data via the network 20 may be used for web conferences and audio/video distribution.

<Decryption of Encrypted Data>
Next, the sequence in which the user terminal 4A receives the encrypted data, decrypts the encrypted data, and browses the data will be described. FIG. 7CA shows a sequence for decrypting the encrypted data distributed to the user terminal 4A. A series of sequences from S150 to S153 is the same as a series of sequences from S182 to S185 in FIG. 7CB.

In S154, terminal 1C receives an instruction to issue an OTP token. At this time, the user of the terminal 4A presents the user identifier A for the OTP token to the server terminal 5B from which the encrypted data to be purchased can be purchased, or the electronic transaction site from which the purchase can be made in addition to the terminal 5B, and performs the settlement process. terminal 1C presents a contract identifier corresponding to an OTP token capable of decrypting encrypted data from server terminal 5B or an e-commerce site to user identifier A, and OTP of the contract identifier in the designated user identifier Terminal 1C receives an instruction to issue a token.
Here, there is an expression "purchasing OTP tokens", but this means that the encrypted data is content such as magazines, books, audio and video software broadcasts, there is a content right holder, and there is a right to read, own and use the encrypted data. It is assumed that the sales of For organizations such as companies or for personal use, for example, when encrypting information that you want to keep secret and sharing the encrypted data among people in a limited group, OTP tokens are not purchased but OTP tokens. Permission is required to be granted to the user identifier that you want to use.

In S155, the terminal 1C accesses the OTP token contract of the blockchain system DLS (terminal 3A, etc.) using the private key 101C of the terminal 1C and issues a token with the token number TIDA to the user identifier A. The terminal 4A can calculate the user identifier A from the private key 401A. The terminal 4A does not possess the data of the OTP token, but has the ownership to access and manipulate the OTP token on the DLS by having the private key 401A.

In S156, the terminal 4A obtains the password AKTB (4032A) from outside the blockchain in the form of a transaction, e-mail, telephone, facsimile, mail delivery, etc. from a DLS different from the DLS where the OTP token is deployed, is recorded in the recording device 40A. (AKTB is an abbreviation for password.)
By using this password AKTB, it is possible to arbitrarily set and send a password for a certain user identifier A, avoiding setting passwords individually for smart contracts on the blockchain, or user identifier A, user identifier B, etc. The password value AKTB specified like a password in an organization such as a company to which the employee belongs can be notified to the email address of each employee in the company.
The reason why AKTB was set up is that the Ethereum blockchain platform used in Examples 1, 2, and 3 has open contract variables and an attacker can analyze the CTAU value, so it was unavoidable. AKTB was used as a solution. By using 2 of AKTB and CTAU, and CRKY of software CRHN whose source code is obfuscated and encrypted, by using 3 of them, block chain, browsing software and other external passwords are encrypted if you do not know encrypted data cannot be decrypted.
The contract's CTAU value (3021A) is preferably anonymized.

In S157, the encrypted data EncData (4034A) and software CRHN (403A) capable of viewing the encrypted data 4034A are obtained from the data distributed from the server terminal 5B where the OTP token was purchased or from the electronic commerce site. Note that 4034A and 403A stored in an external recording device such as a magnetic disk, magnetic tape, optical disk, or semiconductor memory may be copied to the storage device of terminal 4A.

In S158, the software CRHN (403A) is executed and activated, and the information on the private key 401A of the OTP token required to decrypt the encrypted data, the contract identifier of the OTP token, and the token number TIDA of the OTP token are entered. In the third embodiment, a URI specifying the server terminal 3A, which is a node to be connected for OTP generation and authentication, is set. (The wallet software may be used to save and input the private key and set the URI of the connection destination node.) By inputting the private key 401A and then executing the program, the user identifier A is calculated, and the private key 401A and the user identifier are calculated. A and the token number TIDA are recorded in software 403A. The software 403A includes the block chain identifier to be used and the program to access the block chain.

In S159, the user identifier and token number from the information input in S158 are used to access the advertisement distribution service server terminal 5A according to the URI to the advertisement distribution site set in the program of the software CRHN (403A). At this time, the user identifier A, the token number TIDA, the IP address and location information of the user terminal 4A, the terminal ID and the sensor value of the terminal are recorded in the server 5A for the information consented by the user, and the access is monitored as shown in FIG. 6X. and can be used to prevent unauthorized access.
It is presumed that in practice, the user identifier or information obtained by anonymizing the user identifier is often used in S159.

From S160 to S165 is a series of OTP generation and authentication sequences, which are the same as the sequence from S190 to S195. The sequence from S160 to S165, such as OTP generation, OTP acquisition, and authentication by the acquired OTP, may be automatically performed inside the software CRHN (403A). The sequence of S162 to S163 can be automated by setting the program 403A so that the OTP acquired from the generation function can be automatically input to the authentication function and executed. In the embodiment, authentication is automatically performed within the program in order to reduce the time required to perform OTP authentication for viewing content and to reduce the time required for viewing content.
If the user wishes to manually enter the OTP in the sequence of S162-S163 and does not want to automate it, the program of 403A can be configured to manually enter and execute the OTP obtained from the generation function into the authentication function.

S166 generates key information TTKY (4033A) for decoding EncData (4034A) from CTAU (4031A), AKTB (4032A) and CRKY (4030A) at 403A.

S167 decrypts the encrypted data EncData (4034A) using the key information TTKY (4033A) generated in S166 to obtain plaintext data DecData (4035A).

In S168, the plaintext data 4035A obtained in the storage device of the terminal 4A by decoding the data 4034A in S167 is viewed using the output device 45A and the input device 44A of the terminal 4A. Runs and manipulates programs and makes content available to users. In the third embodiment, the plaintext data 4035A obtained by decrypting the encrypted data is temporary data, and is deleted from the storage device when the use of the contents such as browsing or viewing of the plaintext data ends.
In Example 3, a PDF format file (extension is .pdf) that manages text data from Adobe Inc., which can be processed by HTML5 and ECMAScript that web browser software supports, and an MP3 file that handles voice data invented by Fraunhofer IIS et al. The third embodiment of the present invention is an MP4 file (extension is .mp4) that handles multimedia data such as video audio according to ISO MPEG-4 Part 14 (ISO/IEC 14496-14:2003). Using the method, encryption and decryption were performed using OTP tokens and software CRHN, and file data was viewed and viewed. Here, access-controlled files can also be set for PDF format files.
It is also possible to create an access-controlled PDF-format plaintext file, and set access control and printing prohibition or printing permission to the plaintext file decrypted by the encryption of the present invention. In addition, as shown in the example of the PDF file, plaintext data containing an access control program of any file format and file extension is encrypted by the method of the present invention and distributed. The data may be programmed to perform access control when the plaintext file is used when the plaintext file is decrypted and viewed or executed. A plaintext file may contain a program that performs access control using a file-specific method (a method corresponding to each content file). )
Access control includes whether or not to print content or copy plaintext files to an external recording terminal, whether or not to change the contents of plaintext files, and restrict devices that can play back music and video. In the case of confidential information of an organization with plain text data, it is possible to print using a printer if it is easier to operate if it is easier to operate by printing it on paper and storing it in a safe depending on the judgment of the manager of the document. For an audio/video file with a right holder, it is possible to specify that the plaintext file should not be duplicated according to the instruction of the right holder.

The software CRHN (403A) reads the contents of the plaintext data 4035A according to the file format, etc., and prints the browsing information on paper using the printer 452A on the user's terminal 4A according to the program set by the right holder 4035A. and output to the display 450A, speaker 451A, head-mounted display 453A, etc. are determined according to the output settings written in the plaintext data, and the plaintext data is output from the output device 45A. Moreover, it is browsed according to the contents inputted from the input device 44A. For example, text files, voice and video data, and if it is software, plaintext data is manipulated, viewed, viewed, and executed using input/output devices such as keys, input buttons, pointing devices, voice input, various sensors, and controllers that operate software. .
It may be output to a display 450A used in a smart phone terminal or a mobile phone terminal, or may be a display 450A having a size such as 22 inches used in a desktop personal computer terminal. The display 450A of a portable laptop or notebook personal computer terminal or tablet terminal may also be used.
In the practice of the present invention, the head-mounted display 453A may not be used, and only the normal display 450A may be used to decrypt the encrypted data by an OTP authentication system using the software 403A and the distributed ledger system DLS for viewing.
The main invention of the present invention is OTP authentication and login by DLS, entrance/exit, unlocking/unlocking, and decryption of encrypted data (login to encrypted data). Biometric authentication and content copy prevention using head-mounted displays are used from the viewpoint of content protection.
When using the head-mounted display 453A, it may be a spectacles type, binocular type, monocular type, non-transmissive type, or transmissive type spectacles or goggle type device. It may be used for an OTP authentication system when realizing virtual reality VR and augmented reality AR.
Also, when the content wants to use pseudorandom numbers when allowing the user to use the content, the OTP calculated from the OTP token of the present invention may be used as a value for realizing the pseudorandom numbers. For example, if you want to use pseudorandom numbers when some event occurs in an online game or offline game (only the blockchain is online, but the game is offline), use the BnTOTP type OTP authentication code of the present invention. may When using the OTP for pseudo-random purposes, a value with fewer digits than that used for OTP authentication, for example, if the OTP is originally 10 digits, use the last 5 digits to generate a pseudo-random value. and preferred.

In addition, in S168, there may be a case where users of a certain organization want to share encrypted confidential texts instead of content such as books or magazines owned by rights holders. Encrypted data indicating a certain document may be rewritten between users and may be changed by adding an electronic signature.
Therefore, the input device 44A is used to rewrite the plaintext data, the hash value of the plaintext data before and after the change is obtained with the private key 401A of the terminal 4A, and the data is changed, added, or falsified at a certain time or a certain block number Bn.・Record the correction with a time stamp, MAC such as HMAC, or an electronic signature using an electronic certificate (The private key for the electronic signature may be 401A, or it may be the one recorded on the employee ID card or personal number card. ), the OTP token of the user terminal 4A is used as the modified electronic signature added plaintext data, and the modified electronic signature added plaintext data is obtained from CTAU (4031A), AKTB (4032A), and CRKY (4030A) as key information. It can also be sent as encrypted data encrypted by TTKY (4033A) to a user who wants to send a confidential text (that user has an OTP token capable of encryption and decryption like the sender). Then, every time a document file is added or changed between two or more users, the HMAC MAC value and electronic signature of the user who added or changed is added and encrypted repeatedly between users. A signature and time stamp can be entered when the data is changed while storing it as encrypted data.
The sequence of procedures described above is a combination of FIGS. 7CB and 7CC. A user UA and a user UC belong to a certain organization, and can create and view data while repeating encryption, data change, decryption, and encryption of a confidential document mutually using the MAC value of HMAC, an electronic signature, and the like. It may be preferable that the commercial software CRHN (403A) that performs this processing is of a version different from the version that can only read and decrypt works such as books and music videos that have rights holders.

In the case of ordinary paper magazines, newspapers, books, and textbooks, users sometimes write notes on purchased items using writing utensils. When the present invention is used in the field of education, it may be preferable to be able to write on a textbook or the like with a touch sensor or an electronic touch pen or marker. Voice music is sold in the form of records, optical discs, and movies in the form of movie films, magnetic tapes, and optical discs, and users rarely write on them with writing utensils. There are cases where it is used for learning.
Therefore, in the present invention, in S168, a pen-type pointing device such as a touch pen or a pen tablet and a touch-type pointing device that is traced with a finger are supported for book data. Plaintext data may be processed with a pen, and an electronic signature may be added to the difference data processed with the private key 401A and stored. Alternatively, if the textbook itself is entirely composed of image data, the image data of the corresponding page is given arbitrary color information and image effect information with a pointing device, and new plaintext data formed as a result can be encrypted and stored. This procedure can also be implemented by combining FIGS. 7CB and 7CC.
Compared to paper textbooks, OTP tokenized textbook data requires less space for storage (only terminal 4A and a private key need not be forgotten). Realize with If the encrypted data of the textbook in which the user has written memos is lost or cannot be viewed due to excessive writing, the original encrypted data of the textbook can be obtained and used again. It may be preferable that the software CRHN (403) that can be written in a book is different from the version (version or software name) that can only be used to decrypt and view or view works such as music and moving images that have rights holders.
Paper textbooks are sometimes disposed of because they take up space, but electronic textbooks can be stored in a digital device and can be easily read again after becoming an adult.

In S169, it can be connected to the advertisement server 5A (SVCRHNcm) corresponding to the URI embedded in the content. This is because the program built in the software CRHN (403A) has a control statement capable of displaying an advertisement in the plaintext data 4035A obtained in S168 and S167 by decrypting 4034A in the storage device of the terminal 4A, According to the control statement, 403A receives advertisement distribution from the connection destination of the URI when the URI that can be connected to the server 5A is described. Here, the URI must be suitable for content rating.
It does not have to be provided with an advertising function, and textbooks and the like may not record such advertising URIs or programs leading to advertisements.
In S169, it is also possible to monitor access as shown in FIG. 6X based on the user identifier of the terminal 4A, the token number held, the IP address and location information, the terminal ID, the sensor value, etc., and check for unauthorized access. It is also possible to access the advertisement display server without displaying the advertisement and to record only the access information in the server 5A. For privacy protection, it is also possible not to access the advertisement distribution server terminal conforming to 5A or 5A.
In S169, advertisements can be distributed by connecting to the server 5A, and the advertiser performs only access management on the server 5A, and the original advertisements are stored in the plaintext data in the form of words, pictures, animations, and voices. It is also possible to record with Further, for privacy protection, the server 5A may not perform advertisement distribution and access management, and the advertisement may be recorded in plain text data as sentences or image data. (In this case, it can be expected that fixed advertisement information will remain for future generations, just like paper magazines.)

At S170, the browsed certificate data OFBKMK (4036A) is created. This is done in software 403A when the user decrypts the encrypted data. In S170A, the certificate data (4036A) encrypts or obfuscates the TTKY (4033A), performs OTP authentication, records the date and time when the browsing is started as time stamp information, and obfuscates or encrypts 4033A and the time stamp. The concatenated data is electronically signed to detect the presence or absence of tampering.
4033A is obfuscated/encrypted in some way and made into key information 40360A that cannot be decrypted (difficult to decrypt) by the user of terminal 4A. The time data and user identifier information (40362A) at the time of OTP authentication and the data of 40360A are concatenated into one message, and HMAC (Hash -based Message Authentication Code, code message authentication using a hash function, message code authentication) is used to calculate an HMAC value and set it as authentication information (40363A). Then, 40360A, 40362A and 40363A are concatenated to form browsed certificate data OFBKMK (4036A).

In S170, the browsed certificate data OFBKMK (4036A) is a function that enables authentication when the terminal 4A is disconnected from the network and the block chain cannot be used while offline, that is, when the CTAU value (4031A) cannot be obtained. The browsed certificate data OFBKMK (4036A) includes information of TTKY (4033A) for decrypting encrypted data.
It is possible to write 4033A in 4036A, but in that case, if 4033A is leaked, the encryption of the distributed encrypted data will become meaningless, so it is necessary to apply some form of encryption/obfuscation. be. It is also possible to encrypt 4033A using only the secret key CRKY (40302A) built into the program of software CRHN (403A), but in that case, between users who use the same 403A If the certificate data is distributed and a different user captures it into the terminal and loads it into 403A together with the encrypted data, it may be possible to view it. (However, in this case, if the private key (101B in this case) produces a different user identifier from the user identifier described in 4036A output by 403A, 403A can detect it and prevent browsing.)
Therefore, 4033A is encrypted using terminal 4A's private key 401A (various valuable OTP tokens of terminal 4A are assigned to 401A) to obtain CTTKY (40361A). Subsequently, CTTKY (40361A) was encrypted using the private key (40302A) of software CRHN (403A) to obtain ACTTKY (40360A).
Leakage of the private key 401A or unauthorized use of the private key is detected by an unauthorized access detection mechanism as shown in FIG. 6X when a user terminal such as the terminal 4A accesses the advertising server 5A.

Note that this is an embodiment, and in the present invention, 4036A is data containing the information of 4033A, the user identifier that browsed, the time that the user browsed, and the MAC value calculated by using HMAC for the message. 4036A has a MAC value calculated from HMAC that can detect falsification of internal information. The information (40363A) for falsification detection may be an electronic signature (digital signature) using public key cryptography instead of HMAC based on a common key or hash function. However, in the embodiment of the present invention, HMAC is used because it is sufficient to detect tampering with 4036A.

In Example 3, as a method of obfuscating or encrypting TTKY (4033A) to make key information 40360A, 4033A is encrypted with the private key 401A of terminal 4A and then encrypted with the private key CRKY (40302A) of software CRHN (403A). TTKY (4033A) is obtained and encrypted data cannot be decrypted unless the secret key 401A of the terminal 4A and the secret key 40302A of the software CRHN (403A) are available.
As a processing method, TTKY (4033A) is encrypted with a common key using the secret key 401A as a key to obtain CTTKY (40361A). (Here, public key encryption can be used in addition to common key encryption, but the certificate data OFBKMK (4036A) is data for browsing when offline and can be sent, notified, shared, or transferred to others. Common key encryption is used because it is not a thing.The means of encryption is not limited to common key encryption or public key encryption, but the key TTKY (4033A) that can be encrypted/decrypted is encrypted or obfuscated and decrypted. However, it does not matter if it can be obtained as TTKY (4033A) again.)
Then, CTTKY (40361A) is encrypted using the secret key CRKY (40302A) built into the program of the software CRHN (403A) as a key, and ACTTKY (40360A) is obtained. The number, the token, the contract identifier, the encryption data and the name of the OTP token are combined as data, and the private key 401A and HMAC are used to apply an electronic signature to the data to create certificate data OFBKMK (4036A). For example, SHA256 of SHA-2 can be used as the HMAC hash function.

<Response to unauthorized use>
Common to Embodiments 1, 2, and 3 of the present invention is that when the private key 401A is duplicated and leaked by an attacker, it is distributed to other malicious user terminals. There is fear. If the maliciously distributed 401A is used on another terminal, if an advertisement is placed in the contents of the plaintext data and connected to the internetwork, the server SVCRHNcm will receive the IP address and terminal device information. If the serial number and the information of the input sensor 444A of the input device 44A of the terminal are agreed to by the terms, they are notified to the server 5A, and the user identifier, the token number of the OTP token, and the IPV shown in FIG. 6X are collected and stored in the server 5A. Monitors and notifies whether there is unauthorized access. The user identifier, the token number of the OTP token, and the IPV shown in FIG.
If time information such as GNSS, JJY, or NITZ can be received in the case of offline, the time that can be browsed is set and displayed in comparison with the time information described in 4036A.
Also, if 401A is maliciously shared with other users on the network without being decrypted by 4036A, and many people are reading books that have unauthorized access to the same private key, software CRHN (403A) Many unauthorized accesses to the terminal 5A as shown in Fig. 6X via the URI to the advertising site embedded in the data of the book (10 people instead of 2 people at the same time, but 10 people, 100 people, etc.) are recorded. can be
Although it depends on the judgment of the service provider, the OTP token is specified in the protocol so that the IP address is not hashed, the IP address is recorded, and the access is monitored by the terminal 5A as shown in FIG. 6X. It may help prevent these unauthorized accesses. (The inventor determines that access at the same time on different terminals using the same secret key when using 403A or its decrypted data constitutes unauthorized access.)
Depending on whether the service provider permits such unauthorized access by sharing 401A, if the content is to be sold, the terms of use should prohibit the sharing and trading of the secret key. Also, when the private key is viewed as a service account, it can be used as a name loan, so the use of the private key is usually not permitted. It is conceivable that the secret key of the present invention is also used for OTP tokens for Internet banking of banks. When using for such purposes, sharing, selling, and lending of the secret key of the OTP token violates the terms of use and causes money laundering. Unauthorized use of the private key may be restricted by law.
From the viewpoint of private key management, the private key such as a personal number card is recorded in an IC card 46A (NFC tag 46A) that cannot be extracted. It may be preferable to have access to contracts on the blockchain. In that case, an organization is required to manage the secret key in the IC card. It is necessary to record the private key information inside the IC card in a database of the IC card manufacturing and issuing organization, and then change the setting of the device so that the private key of the IC card cannot be accessed.

<Removal of tokens and custody transfer of tokens>
The present invention uses the OTP token contract with the OTP generation authentication function shown in the first to third embodiments in accordance with the ERC721 standard. According to the ERC721 standard, a contract can be provided with a remove function for a contract manager's terminal 1C to access the contract and remove the token number. By combining the token removal function, issuance function, and transfer restriction function, the OTP token storage transfer operation can be performed by the contract administrator 1C. In this case also, the user can use the OTP token using the private key 401A of the user terminal 4A.
If the user loses the private key or illegally shares the private key with others by the transfer restriction function and the removal function, and illegal access occurs, the OTP token is transferred to the private key 401A of the terminal 4A (and its private key ) and is issued to the user identifier of another secret key separately designated by the terminal 4A.
If the unauthorized access still does not stop, the token may be removed. For this, it is necessary to specify the existence of a token removal function and the possibility of safe deposit transfer in the terms of use of the OTP token.
If the custodial transfer operation is enabled, the contract administrator can transfer the OTP token to a different private key when the private key is lost or leaked by the user. And when the user transfers or inherits the OTP token, it can be done by requesting the transfer to the contract manager. If there is no transfer function, the OTP token cannot be transmitted if the private key is not known, and inheritance between family members and relatives will not be possible.
On the other hand, the contract manager of the OTP token will be able to issue, remove, and transfer the tokens of all token numbers belonging to the contract. In response to a request from the user's family, the contract manager can carry out the custody transfer at the terminal 1C for inheritance. If the customer's token removal function is performed, it may be necessary to state in the terms of use, etc., to propose token purchases, and to comply with laws and regulations and to be externally audited so that the customer's OTP token can be custody. In addition, it may be preferable for the management to be managed by a company that has acquired qualifications related to the warehousing, trust, banking, finance, and information and communications industries.

Here, I touched on inheritance when the OTP token is expensive or irreplaceable for relatives, such as text, books, or music video data, and there is a problem that you want to inherit it to your family or someone in your family wants to inherit it. In addition, it may be suitable for an organization such as a corporation to operate the terminal 1C and transfer the tokens to the tokens. Paper documents can exist for more than 100 years, but the distributed ledger system such as the OTP token and blockchain of the present invention, the software CRHN that decrypts the encrypted data, the private key and the encrypted data, and the digital that operates them This is because it was necessary to touch on the inheritance of OTP tokens when considering OTP tokens as digital assets held by individuals and corporations in consideration of human lifespans when operating over 100 years using device terminals.

In S171, the contract manager can update the secret value (seed value) for calculating the OTP, such as the KC value and BC value of the contract, using the terminal 1C. In Embodiment 3, the terminal 4A is connected to the internetwork at the time of OTP authentication of the present invention, and BnTOTP or OWP can always be authenticated using the latest seed value. Signboard information KNBN (3024A) describing the name of the OTP token and contact information can also be rewritten. As an example of its use, the OTP token is a token for a book, and when the publisher that publishes the book merges, the contact information of the surviving company can be described in the token contract.
In Example 3, OWP may be used in addition to BnTOTP.

<Decryption of encrypted data when disconnected from the network>
A paper book can be read without relying on the existence of the network 20. - 特許庁Book data stored in electronic computer terminals such as computers and servers can be output to an input/output device according to the data recorded in the storage device of the built-in device as long as there is a power supply to operate the device, even if it is book information. can read. Assuming the presence of the network 20, when viewing book data via the network 20, the data cannot be read unless the data is stored in the terminal and read.
In the present invention, the certificate data OFBKMK (4036A) created when the terminal 4A disconnected from the network 20 due to a disaster or the like performs OTP authentication and browses the encrypted data recorded in the terminal 4A (at the time of sequence S170) ) is used, and books, videos, audio, and software can be browsed and used by using a method that can be browsed within the time limit that can be browsed. FIG. 7CC shows a sequence diagram for viewing encrypted content when the terminal 4A is disconnected from the network 20 and is offline.
In the third embodiment of the present invention, as shown in FIG. 7CC, the encrypted data can be decrypted at the terminal 4A that is not connected to the network 20 and viewed, viewed, and used. TTKY (4033A) used for decryption is included in plaintext or in an obfuscated/encrypted state, and information such as the viewing time and viewing user identifier that records the block number, time information, and user identifier at the time of OTP authentication When message data including 40362A and concatenating 4036A and 40362A is used, the MAC value (40363A) of the message data is calculated by HMAC, and 4036A, 40362A and 40363A are concatenated to obtain 4036A.
The information necessary for 4036A is information linked to calculation of TTKY (4033A) used for decrypting encrypted data, and calculation of TTKY (4033A) by performing OTP authentication from S156 to S170 in FIG. 7CA when connected to network 20. Then, time stamp information 40362A such as the time when encrypted data can be browsed is combined, and based on secret key 401A of terminal 4A, secret key (40302A) built in software CRHN (403A), or software internal variables other than 40302A If there is a MAC value (40363A) calculated by HMAC, the certificate data of the present invention can be constructed.

<Case in which obfuscated/encrypted plaintext data is contained in software 403A instead of using encrypted data 4034A>
As another embodiment of 4036A of Embodiment 3, an embodiment in which plaintext data 4035A is embedded in 4030A inside software 403A in which the source code of terminal 4A described in FIG. 4C is obfuscated and encrypted can be implemented. (This is the case where the encrypted or obfuscated program source code 4030A of 403A incorporates the plaintext data 4035A together with the software private key 40302A).
In this case, when there is a private key 40302A for software 403A and a private key for user 401A, the information of user identifier A that can be calculated from 401A using secret variable K403 (40303KA) in 4030A of software 403A and the time at the time of OTP authentication A hash value HT403 is obtained by concatenating the information T403 and K403, and the hash value HTK403 is concatenated with information constituting the certificate including the readable user identifier A and authentication time stamp information T403, and the body of the certificate is obtained. The data CHT 403 (40362KA) may be 40362KA as a message, use the user secret key 401A as a key, obtain the MAC value 40363KA by HMAC, and concatenate 40362KA and the MAC value 40363A as certificate data OFBKMK (4036A).

When the MAC value 40363KA is obtained by HMAC using the above 40362KA as a message and the user secret key 401A as a key, and the certificate data OFBKMK (4036A) is obtained by concatenating 40362KA and the MAC value 40363A, the return value CTAU of the OTP authentication function is simply A return value of only one true/false value may be used, or two or more return values may be included, including variables used in the conditional statement of the judgment expression that 403A permits the user to view. The reason why CTAU can be a single true/false value is that the internal data of the software 403 is encrypted or obfuscated including plaintext data, and it is true whether OTP authentication was performed in the contract on the blockchain when the program was executed. This is because the 403A confirms the true/false value of whether or not, and if the true value is returned and authentication is successful, the certificate data 4036A in S170 can be calculated using the 40303KA and the user's secret key 401A.

403A reads the user secret key 401A and certificate data 4036A offline, checks whether 4036A has been tampered with from MAC value 40363A described in 4036A using 401A, and if 4036A has not been tampered with The software 403 reads the value of HTK 403 of CHT 403, and calculates whether it matches the hash value HT 403 of the information of user identifier A that can be calculated from 401A calculated inside the software, the time information at the time of OTP authentication, and K 403. If the information in 4036A matches the information calculated in 403A, the plaintext data stored in the program is viewed and viewed through the input/output device of the user terminal 4A. If they do not match, the plaintext data will not be used.

Here, the method using HMAC with the secret key 401A as the common key has been described, but a method using 401A as the key of public key cryptography to create a certificate with an electronic signature (digital signature) is also conceivable. However, since 4036A is data that is not intended to be sent to others, HMAC is preferably used. When online, the secret key 401A to which the OTP token is assigned is used as a key, and the HMAC, the secret variable (K403) inside the software, and the authentication time are used to create the authentication proof data. .

The software 403A calculates the time during which the user can continuously browse from the authentication time data of the certificate that can detect falsification by HMAC and the current time of the terminal 4A, and browses the data for the user of the terminal 4A through the input/output device during that time.・Let them watch and use. The authentication time is in the past, and the older the certificate data (4036A), the shorter the continuous viewing time. Since the browsing time is shortened, the user has to re-start 403A, detect that 403A has exceeded the time limit, terminate it, and re-execute the software 403 frequently. In order to solve this problem, access 3A that constitutes the blockchain system when online, perform OTP authentication again using the secret key 401A to which the OTP token corresponding to the plaintext data to be viewed according to the present invention is assigned, and read the plaintext data. It is only necessary to be able to browse and issue new certificate data (4036A).

The right holder of the data has the right to set the time at which the plaintext data can be viewed continuously on the software. Data right holders can set viewing hours by considering the rating of the content and how the data will be used in an emergency such as a disaster.
Also, if the right holder of the data permits, it is possible not to set the time limit when using the content offline using the 4036A.

In the application of the third embodiment, the time is calculated based on the time information of the terminal 4A when off-line. According to the function of the real-time clock (RTC) included in the control processing device 41A of the terminal 4A, continue to hold the time information even in the offline 4A using the power supply device 47A (including the battery capable of operating the RTC section) of the terminal 4A. However, there is a risk that it will be overwritten by the BIOS. (Here, the RTC is a part that can provide a clock function composed of ICs such as crystal oscillators and oscillator circuits.)
In the present invention, it is preferable to prevent the time of the terminal from being rewritten by software such as the BIOS that controls the terminal 4A, and that the terminal 4A has a device for receiving time information, which is assumed to be correct from an information source such as GNSS, JJY, or NITZ. It is preferable to obtain time information from the terminal 4A and set the time of the terminal 4A to a value close to the International Atomic Time (TAI) or Coordinated Universal Time (UTC). When it is possible to falsify the time information of the hardware of the terminal 4A, the software 403A has no choice but to follow an incorrect time or a maliciously set time. cease to exist.

Requirements of the certificate data OFBKMK (4036A) are the time information 40362A when the data is authenticated by the OTP authentication system of the present invention and the data is browsed, and the MAC value 40363A for verifying whether or not the information has been tampered with. If the encrypted data 4034A is outside the software 403A, information 40360A, 40361A, etc. for calculating the key TTKY (4033A) for decrypting the encrypted data is required. OFBKMK (4036A) is issued in response to user private key 401A. Different 4036A is issued when the secret key is different even for the same content. Further, even when the token number is different, a different 4036A is issued.
When the encrypted data 4034A is inside the software 403A and encrypted, that is, when obfuscated or encrypted like the secret key CRKY (40302A) of the software inside 4030A, the plaintext data is the program. Since it is encrypted together with the source code and TTKY (4033A) is not required, information 40360A, 40361A, etc. for calculating the key TTKY (4033A) for decrypting the encrypted data is not required. By executing the software 403A, the user reads the private key 401A and the certificate data OFBKMK (4036A) into the 403A, and if the user wishes to browse, the plaintext data inside the software can be browsed by the software 403A even when offline.
In the present invention, both the version of the software 403A that reads the encrypted data 4034A and the software 403A that contains the plaintext data can create 4036A, and the corresponding OTP tokens can be used for authentication to decrypt the encrypted data.

FIG. 7CC shows a case where terminal 4A configured in FIG. 4B decrypts encrypted data using private key 401A, encrypted data 4034A, software CRHN 403A, and certificate data 4036A when not connected to a network. In sequence S200, terminal 4A configured as shown in FIG. 4B prepares private key 401A, encrypted data 4034A, software CRHN 403A, and certificate data 4036A.

In S201, the software 403A is executed and activated, at least the secret key 401A and the encrypted data 4034A are read (or the directory and file name of the file containing 401A and 4034A are specified, or the URI indicating the file is specified), and other Enter settings if required.

At S202, the certificate data 4036A is read. At this time, in order to check whether 4036A has been tampered with, the MAC value of 4036A is verified using the secret key.

In S203, ACTTKY40360A of 4036A is decoded by CRKY40302A or the like to obtain CTTKY40361A.
CTTKY40361A is decrypted using the private key of terminal 4A to generate TTKY4033A.

In S204, the TTKY 4033A decrypts the encrypted data 4034A to obtain the plaintext data 4035A.

In S205, according to the program of the software CRHN403A, it is confirmed that the certificate has not been tampered with from 40363A included in the certificate data 4036A, and the time information of OTP authentication time and plain text viewing time information 40362A included in 4036A is confirmed. Then, from the time information of terminal 4A and the time information of 40362A, the available time is calculated.

In S206, the user is allowed to view or use the data until the time obtained by adding the viewable time to the current time. preferably). Here, the method of calculating and controlling the time that can be browsed depends on the request of the right holder of the plaintext data. There are no restrictions on the method of calculating time or variable values. S206 includes a process of calculating and setting the time that the user can browse based on the time information of 40362A and the current time, and stopping the execution of 403A when the time has elapsed. If there is no time limit for browsing, operate accordingly.

S207 indicates that a time longer than the value calculated based on the time information of 40362A and the current time in S206 has passed on the user terminal 4A. In S208, when the time indicated in S207 has come, the software 403A stops viewing and listening to the plaintext data, issues a warning, etc., and then forcibly terminates regardless of the user's will.

In the case where the terminal 4A is not connected to the network shown in FIG. 7CC, and the terminal 4A has the configuration shown in FIG. It becomes a sequence diagram without.

The software CRHN (403A) of Example 3 includes:
1. A CRHNReader that can only convert from EncData to DecData,
2. CRHNWriter, which converts from DecData to EncData;
3. CRHNReaderWriter that can convert between DecData and EncData
Three types are considered.
CRHNReaderWriter encrypts and decrypts the text of a certain organization every time the document data is changed (here, it is stored as EncData, and when the user decrypts and changes EncData (The DecData is stored in the storage device). Documents can be time-stamped and electronically signed when the decrypted data is changed, encrypted, and saved. The blockchain block number and BnTOTP are entered as a unique secret, and the book data is hashed and the book is blocked. It can also be stored in a form that is difficult to tamper with, such as a chain. (This is software for managing confidential documents.)
As another form of CRHNReaderWriter, only when the right holder of the primary creation permits, after decrypting the encrypted data of the content to be the primary creation, changes are made according to part of the content. It can also be used for distribution to the next OTP token holder as content that will be the next creation. In this case, content usage rights may be issued/distributed under a contract different from the OTP token for the content that is the primary creation. By programming 403A, which is CRHNReaderWriter, so that the part of the URI connected to the advertisement server 5A cannot be changed even after the encrypted data is rewritten, the primary creator can access the secondary or n-time creation. It is also possible to increase profits by advertising the server 5A connected/linked to the embedded URI information.
The CRHNReader browses, reproduces, and activates the plaintext data DecData obtained by decoding the encrypted data EncData such as books, audio/video, and software. It may have a function of recording annotations and the like separately from the plaintext data of the original, such as a sticky note in a book.
CRHNWriter is for creating encrypted data EncData to be decrypted by CRHNReader from plaintext data DecData, and encrypts plaintext data DecData such as books, audio/video, and software.
Depending on the type and version of the software 403A, a contract identifier APKY40301A that manages a key dedicated to the software application, a private key 40302A for the software 403A, a return value CAPKY40303A for the key management contract obtained from the blockchain, and the like are set. By setting APKY, CRKY, and CAPKY as unique values for each software 403A of different versions and types, it can be used as information for switching whether the CRHN is operated as a CRHNWriter or as a CRHNReaderWriter. Also, for example, the software version of 403A can be changed every few years to change APKY, CRKY, and CAPKY.

<Additions to the original and nth creation by a special version of CRHNReader Writer>
As a form of CRHNReaderWriter, after decrypting the encrypted data of the content that will be the primary creation, it will be changed according to part of the content and will be distributed to the holder of the next OTP token as the content that will be the secondary creation. This has a lot to do with copyright, which is one of the intellectual property rights.
If the copyright holder permits the n-th use of the content, it may be possible to sell the original copy of the content with the permitted advertisement, the encrypted data, the OTP token that decrypts it, and the CRHNReaderWriter for its use. The content is assumed to include text books, images and videos, audio, game software and program source code.
For example, even if the source code of a free software program is distributed as open source code under a near-free license with collaboration permitted, secondary creators who have collaborated and improved the distributed program A free OTP token corresponding to the primary creator's data and the attached advertisement URI are attached to the secondary creation program, and when the end user uses the attached program, the primary creator and 2 If advertising expenses are paid to both the primary creator and the secondary creator by calling the advertisement to the advertisement distribution site of the terminal 5A according to the tag of the advertisement incorporated by the secondary creator, it may contribute to the programmer's profit improvement. do not have.
<Issues when rights tokens are protected by rights in the laws of countries around the world>
In relation to intellectual property rights such as the copyright of the above n-next creation, the OTP token of the present invention can be used as stock, real estate ownership, intellectual property rights, patent rights, trademark rights, and copyright ownership rights. It is conceivable, but the present invention is a means to make it difficult to falsify information and to facilitate the exercise of rights by performing OTP authentication (a method for automating authentication). It should be noted that public property rights are managed by the laws and regulations of the country, auditing the government of each country, OTP token issuers and issuers, experts such as certified public accountants in the case of companies, and real estate in the case of real estate. Outside of the distributed ledger system, an intermediary of statutory qualified professionals/professional associations such as transaction law experts, patent attorneys, and lawyers will be required.
In the present invention, regarding the use of OTP tokens corresponding to rights, OTP tokens related to legal rights may cause disputes or do not exist ( There is also a risk of becoming a record without legal support), so detailed explanation was not given in the application example of the present invention. However, for securities such as stocks, it can be an OTP token for logging in to the general meeting of shareholders, logging in to the website where shareholders vote, etc., and expressing their intentions, and the shareholder can be the right to use the service of the company corresponding to the stock. Therefore, a usage example is described.
Also, since the distributed ledger system can issue OTP tokens across national borders, it is preferable to issue and transfer OTP tokens to KYC users when converting legally protected rights into OTP tokens. When an intellectual property right such as a patent right or a copyright is obtained, it is not always the case that the right is owned only by the general public. There is a risk that an unexpected party (such as a terrorist) will take control of the majority of the rights and force them to share the proceeds from the token rights. Therefore, in this case, it is preferable to provide the OTP token with a transfer restriction function and a storage transfer function using a token removal function.
In addition, we will record the exchange of money or crypto assets between users through the purchase and sale of OTP tokens, suppress the provision of funds to unexpected organizations, and process tax related to transactions on distributed ledger systems such as OTP tokens. It is preferable to have a server terminal (an extension of terminals 3E and 3F) that automatically performs
Circulation of OTP tokens is preferably traded between KYC users.
In addition, if the user identifier is entered incorrectly, the token cannot be sent to the intended user. Therefore, in order to reduce input errors and facilitate identifier searches, a domain name system that associates user identifiers with domain names and IP addresses is used. Similarly, it may be preferable to associate addresses such as user identifiers and contract identifiers in a distributed ledger system with URLs such as domain names and record them in servers 3F, 3E, 5A, 5B, and the like.
<Remarks on copying>
Although the head-mounted display 453A prevents copying of 450A by a film camera, a digital camera, etc., it is possible to record if it is possible to see it with the human eye and write it down by hand. If it is information that remains in human memory, it can be secondary creation based on it. It is difficult to completely restrict copying and imitation. It is also possible that n-th creation and n-th use will occur in the form of spreading what was recorded by secondary creators.
However, it is not assumed that children and students will be prohibited from copying what they have memorized within the scope of personal use in the form of learning from the content for fun or study.
Usage examples of OTP tokens are subject to content rights holders and laws.

Only a version of the CRHN software that can reproduce the encrypted data can reproduce the encrypted data. This is because continuing encryption inside fixed software could lead to the decryption of data encrypted by that software if the key inside the software is decrypted by an attacker, so periodically the software CRHN and This is to avoid using the same APKY, CRKY, and CAPKY by changing the keys APKY, CRKY, and CAPKY included in .
Another possible embodiment of software CRHN (403A) is software in which plaintext data EncData is included in 4030A and plaintext data EncData and 4030A are encrypted or obfuscated.

<Precautions when decrypting encrypted files>
It is assumed that the plaintext file DecData contains a malicious program when the encrypted file is decrypted.
When creating a plaintext file, an electronic certificate DecCert issued by a third party other than the file creator is attached or signed electronically to the plaintext file so that a viewer can confirm the issuer through the electronic certificate. In addition, books, audio and video computer software, etc. are audited by an external third party and given an audit certificate AuditRat, which indicates that there is no program such as a malicious computer virus, and that the content of the plaintext file has been rated. is preferred.
AuditRat does not need to be assigned for business purposes in which confidential texts of individuals or groups are encrypted. Also, if the customer allows the malicious program to be run and uses it, DecCert will not be used either.
It is also possible to add an EncCert that guarantees the hash value and content of the data to EncData in the encrypted file.

<Environment when decrypting encrypted files>
There is a virtual computer (virtual machine) technology method for virtually constructing a plurality of computer environments on a real terminal. There is also an environment called a sandbox that builds a virtual environment on the operating system and monitors the execution of software whose behavior is unknown. It may be preferable that the software CRHN403A of the present invention is constructed in such a virtual environment system.
This is one of the means of minimizing damage when a computer virus or the like is embedded in the plaintext data of an encrypted file. There is a possibility that the capacity and amount of processing of a third-party organization that audits plaintext is limited, and in the present invention, if various data are issued by a countless number of private corporations with the software CRHN403A, the audit will not be thorough, An audit certificate may be issued even though malicious software is embedded. Also, unknown virus programs may not be audited, so it is preferable to be able to execute them in a virtual environment. It is desirable not to store more personal information or private files than necessary in the virtual environment in which 403A operates. It may also be preferable to divide private keys into hobby 403 keys, business 403 keys, and important financial keys.
In order to realize a virtual environment, the software CRHN403A may be web browser software capable of constructing a virtual environment or operating software including a web browser, or the CRHN has a basic software portion corresponding to the BIOS of a computer. good too.

In carrying out the present invention, in Example 1, Example 2, and Example 3, the block size was variable in the form of voting for the block gas limit value, and was performed on the Ethereum test net. In addition, the smart contract was written in the programming language Solidity, recorded on the blockchain, and deployed.
In Example 1, the computer terminal 1C (terminal 1C in FIG. 8A or FIG. 1) and the server P (terminal 3A in FIG. 8A or FIG. 1), which is the creator and administrator of the smart contract, are connected to the network 20 (FIG. 8A or FIG. 1-20) is used to access the blockchain control processing unit 310A and the blockchain recording unit 300A of the terminal 3A to set the secret value KC and the BC value that only the contract administrator can change for the contract that generates and authenticates the one-time password. , compiled, converted to bytecode, recorded in the block data of the block number, and expanded.
In the Ethereum test network of the embodiment, a new block is concatenated every 15 seconds and the block number Bn is incremented by one. The block number Bn is a variable that varies every 15 seconds and is proportional to time, which is a physical quantity.
In Example 1 of the present invention, a block number was used as a variable representing time on the blockchain. Bn×15 [sec] is used to find how many seconds have elapsed since a block chain with a block number of 0 was created in a certain block number Bn. In Ethereum, the time interval t [sec] does not need to be 15 seconds, and any time interval t [sec] can be set, but this time, the present invention was implemented using 15 seconds determined by the testnet.

The private key PRVA (101A) is recorded in the recording devices 10A, 101A of the user UA. However, depending on the situation, it may be recorded in the recording device DWALT 1603A of the external storage device 16A connected wirelessly or by wire to the terminal 1A. The DWALT 1603A may be a contact IC card type, a non-contact IC card type, a contact storage device type (hardware wallet), or a non-contact tag type (NFC tag type). Alternatively, the private key PRVA1608A recorded on paper or a board may be used.

The contract can look up the user identifier associated with the generated token's token number. Using the function to search and display the user identifier holding the token of that number from the token number, in addition to all the transaction data of the contract on the blockchain, the user UA and UC such as the so-called shareholder list are the owners of the token. A list of user identifiers can be created and stored, and printed on paper or the like in a form including block numbers, BnTOTPs of users, etc., or stored in a recording device. If the token is a service that allows you to view book data, the identifier of the book holder and the book token number (book serial number) (this is the token holding even if the blockchain is not available worldwide) It becomes a list of papers, etc. used to check the person).
The holding percentage of all issued tokens can also be calculated from the roster data. Transaction data is collected from the server P or the like by the server terminal 3F, aggregated, and used on a daily basis. With the server terminal 3F as a representative, the terminals 3E, 5B, etc. will be terminals that have the role of calculating and recording the holding ratio of all issued tokens from the list data and notifying the user as a passbook or an asset balance ledger of the tokens. can also

<Blockchain search function, database construction function for search results>
In 301F of the storage unit 30F of the server terminal 3F, the search history for the blockchain and the correspondence relationship of the data on the block chain corresponding to the search history are recorded on the 3F, and the key information of the search to be searched on the blockchain and the search A database may be constructed by recording part of the resulting blockchain information in 3F.
As an example, by recording the OTP token contract identifier and service name information that many users are interested in and their transactions, access for searches can be accepted at 3F without concentrating access on blockchain nodes such as 3A. Information can be distributed. Memory of 311F is written in 301F, and 301F is controlled by 311F.
The terminal 3F is one of the nodes of the blockchain like the server terminals 3A and 3B, and after recording all the information of the blockchain, for the contract identifier, user identifier and transaction recorded in the blockchain data, Analyze what kind of search access is performed from the user terminal, and save the search results so that information can be provided to the user more quickly. OTP token search results and data on the blockchain are recorded and arranged in a storage device with a high data capacity such as a hard disk drive or magnetic tape, but the access speed is slower than the main storage device or SSD. By storing a cache of searched data with a low value, it is possible to receive access information from users searching for blockchain from all over the world at high speed using a storage device and store search destination information.

<Example of searching data on the blockchain and using it for distribution of OTP tokens>
There is an OTP token of the present invention that corresponds to the right to read content related to books of publishers in demand on the blockchain, and people can use the name of the OTP token, the issuer of the OTP token (publisher name, etc.), and the OTP token Total number of issued (total number of books sold), total number of owned user identifiers (total number of purchased user accounts), presence or absence of multiple OTP tokens (how many were purchased for each user identifier), OTP token transfer Users can search for restrictions, rating information on the signboard information KNBN of OTP tokens, publisher contact information, OTP token purchasers, encrypted data distribution destinations, etc., and users can check the distribution status of OTP tokens Information on the purchaser of the OTP token can be checked, and the retrieved information can be used as a criterion for deciding whether or not to purchase the OTP token.

<Transaction monitoring function on blockchain>
In addition, the user made a contract to use the service provided by 3F, registered as a user, and registered contact information such as an e-mail address, which is personal information, in the notification destination database 3013F using the notification destination registration unit 3113F. 3010F and 3110F monitor the occurrence of a transaction with respect to the contract identifier or user identifier specified by the user, and the 3F updates the blockchain state change notification destination database 3013F when a new transaction occurs and the state changes. It is necessary to notify the time when the state change occurred and the content of the state change by sending the e-mail address or telephone number or user identifier of the user who is the notification destination registered in the .
When the OTP generation function and OTP authentication function are executed and the number of executions can be recorded in the contract internal variables 3017A, 3017AG and 3017AA, the user can monitor the changes of 3017A, 3017AG and 3017AA recorded in the contract on the server terminal 3F. The contract identifier for which monitoring is requested, the token number of the OTP token of the contract corresponding to the contract identifier, the user identifier, etc. are associated with each other and recorded in 3010F of 3F.
The state change detection unit 3111F operated by the state change detection program 3011F detects a change in the transaction of the contract identifier or user identifier specified by the user, and the OTP token transaction or user identifier transaction belonging to the contract specified by the user is newly generated. When the state of the blockchain changes, the state change detection unit 3111F detects the state change of the blockchain, and the notification unit 3112F uses an e-mail address or phone number or SMS (Short Message Service) to perform the transaction. Notifies the user through the user terminal that a new transaction has occurred, and notifies the user whether the transaction is familiar to the user.
If a transaction occurs even though the user does not operate it, inform the provider of the service corresponding to the contract identifier of the OTP token that there was unauthorized use, and the user and the service provider It is expected that the two parties will discuss and resolve the issue.
3017A, 3017AG, and 3017AA are information recorded in the blockchain and are difficult to falsify. A transaction that newly changes the information is sent to the blockchain, and once it is connected to the blockchain, it is difficult to change or tamper with it. If someone illegally obtains a person's private key 401A or 101A and operates an OTP generation function or an OTP authentication function in which a variable such as 3017A is set in the OTP token of the present invention, the record cannot be canceled. In the present invention, a server that constitutes a block chain system such as 3A has a function to detect and record access information such as IP address, location information, and device ID for crime prevention. Combining functions to detect and notify unintended unauthorized use may be able to discourage those who attempt unauthorized use.
For that purpose, the block chain part such as the server 3A records the information of the person accessing the server 3A, and the service providing server part such as the server 3C and the advertisement server 5A also has an access information monitoring function as shown in FIG. In addition, it may be possible to create a 3A block chain type access database and 3C block chain type access database and store them on each server so that the access data cannot be falsified.

<Function to distribute asset balances such as OTP tokens in the form of certificates that can detect tampering from the blockchain system DLS>
In addition, the user 3F collects transactions of user identifiers and contract identifiers on the blockchain, statements (passbooks) in which personal information such as user names and addresses are filled, and asset balance certificates on DLS such as OTP tokens, etc. Transaction reports are searched using user identifiers and contract identifiers as search keys, and the search results are summarized. Using time stamps, electronic signatures, HMAC, etc., the search results are used as balances and transaction statements at the time of a certain time stamp to detect falsification. It may be distributed to users in any form available.

<A function that promises to deposit tokens in the contract up to a certain future block number>
The term token deposit function (OTP token TimeDeposit function, term deposit in currency is formed into the OTP token of the present invention) that prevents the OTP token from being moved to a future block number (until a certain future period) in the OTP token. It may be incorporated into the token of the OTP token of the invention and used, and the function cancels the TimeDeposit function of the OTP token. may be used to create an asset balance certificate that is difficult to falsify.
For example, even if the OTP token transfer restriction has been lifted, the user does not intend to transfer it until a certain period of time (several years or decades). It is assumed that it will be used for Even if there is an unauthorized access due to leakage of the secret key, the TimeDeposit function can prevent the transfer by the token transmission function.

<Service to search for contracts on the blockchain and services corresponding to contracts>
Blockchain search monitoring that accesses information from the contract identifier and signboard information KNBN of the contract of the identifier according to the user's request from the block chain part data recorded by the server terminal 3A, and provides the information desired by the user. There is a server terminal 3F equipped with a storage unit 301F and a blockchain search monitoring unit 311F for the terminal 1A and the terminal 4A to access the 3F from the desired OTP token contract identifier, OTP token service name, OTP User identifiers that have issued tokens, information on OTP tokens with a large number of searches, information on OTP tokens with a large/small number of issued totals, etc. can be searched. Here, 3F already has an existing service example, so the explanation can be omitted.
The server terminal 3F and the search and monitoring services provided by it are Blockchain Explorer (a system for investigating, browsing, and searching information on the blockchain), and Etherscan, an information search site by an organization called Etherscan, is an existing example. (reference source, https://etherscan.io/ viewed December 8, 2020). In the present invention, the presence of the terminal 3F enables access from a terminal that does not have a secret key or a terminal 1A that has a secret key, and makes it possible to investigate, search, and view data on the blockchain according to the settings of the terminal 3F.
Without the terminal 3F, the terminal 1A would have to access the terminal 3A and find the desired information from the blockchain by itself. In addition, for users who do not have private keys to access the blockchain (101A of terminal 1A, 101B of terminal 1B, 101C of terminal 1C, 401A of terminal 4A, etc.) to see the data exchange occurring on the blockchain Also, such a blockchain search service site and a terminal 3F responsible for it are required.

Etherscan is an existing example of a service that searches for blockchains. In the present invention, it is not the content of the invention to search and collect information on the blockchain, so it is omitted, but in addition to the server 3F of the present invention, the server P (3A in FIG. 1), the terminal 1A, the terminal 1B, the terminal 1C, and the terminal 4A, server terminal 3C, terminal 3D, terminal 5A, etc. may access the blockchain to record transaction data of any contract, construct a database, and retrieve data related to the contract. When searching from EtherScan, transactions with user identifiers and contract identifiers specified by URI can be searched.
The following three URIs are transaction search result screens of URIs for contract creator and manager identifiers used in the embodiment of the present invention. （１．https://ropsten.etherscan.io/address/0x0f398803BE4319B98F164cae47589797aC5cF906、２．https://rinkeby.etherscan.io/address/0x0f398803be4319b98f164cae47589797ac5cf906、３．https://goerli.etherscan.io/address/0x0f398803be4319b98f164cae47589797ac5cf906、2020 Viewed December 8, 2020)

It is important to anonymize the transaction when deploying the contract in the authentication system of the present invention on the blockchain and the code inside the contract, and to anonymize the transaction when changing the secret variable KC value and BC value of the contract. There is a need for a system that either allows the anonymized data to be searched, or does not disclose it to users other than the user identifier who has authorized the viewing of the transaction data. In the authentication system of the present invention, it is preferable to use a block chain platform that can be made confidential.
Generate a contract for one-time password generation and authentication using an anonymized blockchain platform, issue a token with a certain token number as the authority to display the one-time password to the user, and provide the user with a means of one-time password authentication. At the same time, the contract administrator etc. encrypts and blocks the transaction that describes the command to rewrite the variable KC or BC, which is the secret key used to calculate the one-time password in the contract, and the value of the new variable, etc. It is preferable to send it to the chain and have it recorded.
It may be a blockchain platform in which multiple blockchains are used and coordinated to anonymize contracts. Also, a node of the blockchain may be equipped with a transaction manager or the like to anonymize transactions on the blockchain.
Since the present invention is not an invention relating to the construction of an anonymized blockchain infrastructure, anonymization will be omitted. The method of concealing contract program data, secret variables KC and BC, etc. is not limited.

<Application of TOTP to Directed Acyclic Graph Systems and Other Systems with Data Structures Equipped with Smart Contracts>
The present invention uses a block chain in which blocks are connected as a single chain for the data structure in the embodiment. Blockchains are resistant to tampering, and blocks are formed in a one-dimensional chain by linking from the past to the future blocks. The present invention is easy to implement in that the smart contract that tokenizes the password and generates and authenticates the password is difficult to be tampered with. In the present invention, the blockchain uses Ethereum, which can be equipped with a tamper-resistant program called a smart contract that operates based on transactions on the blockchain (Non-Patent Document 1).
On the other hand, there is also a system that uses a directed acyclic graph (DAG) in a data structure different from blockchain (Non-Patent Document 2). A DAG treats a transaction as one data block. When the present invention is used for DAG or the like, it may be difficult to express time using block numbers.

If the data blocks (chunks) are time-stamped in the DAG type, it may be possible to build a TOTP token contract that works in that system. Time data Tm described in the latest block (chunk) forming the DAG as a function representing a certain time T in a DAG-type distributed ledger system can be used for generation and authentication of a one-time password. Tm has data blocks that constitute a DAG, and a smart contract for one-time password authentication described in the present invention is recorded in a certain data block, and the latest data that can indicate the same time in the entire DAG system for that smart contract is the latest. If available from a DAG block or DAG system, a smart contract can be implemented as well as a blockchain and can be the authentication system of the present invention.

When DAG is used here, since there are multiple transaction data blocks (chunks) at the latest time, it may be necessary to record the latest time information in all the latest transaction data. In the present invention, it was possible to use the latest block number of the block chain, the time data or time stamp of the latest block, and the block hash of the latest block data as the seed value for calculating the TOTP. However, if it has a DAG type data structure instead of a blockchain, or if there are multiple current latest data blocks or transaction data like DAG, TOTP cannot be generated using block hash. Also, if the block of the latest transaction data does not contain time information or numerical information representing the time corresponding to the block number, it may be difficult to generate the TOTP. A TOTP, such as BnTOTP, may be used when numeric information representing time is included.
In a distributed ledger that uses a blockchain-type data structure, there is only one hash value for block data because there is only one latest block. In addition, past block hashes refer to each block data in the blockchain and can be listed from the present to the past corresponding to the block number. On the other hand, when there are block data of multiple latest transactions, such as DAG blockchain, different block hashes are calculated for each, so there is no unique block value depending on the time, so the block hash is used as the TOTP seed value. It is difficult.

To apply the present invention when using DAG, a distributed ledger controller is required that can use variables corresponding to the latest block number or timestamp in the blockchain type for smart contract execution. In the case of the block chain of the embodiment, the block chain part includes a processing part that obtains the block number and time stamp.
The present invention is a distributed ledger with tamper resistance such as blockchain and DAG, and a platform on which smart contracts operate. When data such as transactions are linked from the past to the future as a block A processing unit related to one-time password authentication is built into a tamper-resistant program called a smart contract inside the concatenated body to provide tamper resistance, and the latest block of the data block concatenated body or the time data Tm obtained in the system state is used. It is characterized by being used to generate a one-time password. Tm may be time information, or BC may be used instead of Tm, and the contract manager may rewrite BC at an arbitrary time.

<Application of OWP to Directed Acyclic Graph Systems with Smart Contracts>
In a directed acyclic graph (DAG) type system or a system in which a smart contract of a data structure not included in it operates, the user of the contract administrator accesses the contract for one-time password generation and authentication at any time, A transaction for rewriting the secret variables KC and BC is described in the distributed ledger, and it is possible to generate a password OWP by changing KC or BC and use it for authentication. In the case of password OWP, the contract manager can change the variables KC and BC at any time regardless of the block chain or DAG time information, so it can be applied to data structures such as DAG.
In the present invention, the password OWP, which can be changed by rewriting the seed value at any time T by the user of the contract administrator, is also effective and applicable to the platform that operates the smart contract with a data structure different from the blockchain. be done. In DAG, by rewriting the variables of KC and BC, which are the seed values of OWP, from the terminal of the contract manager at certain times, a dynamic password can be generated that changes at certain times, similar to TOTP. In this case, the storage device and processing device are provided with a program to change the KC and BC values of the contract for each specified date and time on the terminal of the contract manager, thereby automating the updating work of the KC and BC values. can also (With a DAG equipped with a smart contract, even if the implementation of the TOTP type is difficult, it is possible to construct a pseudo-TOTP authentication system by using an automated program that changes OWP and OWP seed values.)

In the present invention, Ethereum is used in the embodiment, and the present invention was made while verifying that it can operate with a block chain based on Ethereum and a smart contract execution system using it. It was invented in the year 2020 and uses the latest version of Ethereum at that time and the programming language Solidity.

In the present invention, a smart contract is used to use information that changes at a certain time on the blockchain as a seed value for a dynamic one-time password, and a system that decrypts encrypted data using the authentication system, A login system to a website, and an authentication system using a medium such as an NFC tag 19A using a digital device, a valuable paper sheet 18A such as paper, a display 1500A, or the like for a ticket or a key for unlocking has been explained.
The block number Bn of the latest block data in the blockchain at the time of authentication, the block hash value, the timestamp value, the token number of the token belonging to the contract, the blockchain user identifier, the IP address, the location information, the computer device information, and the computer Characterized by using a physical quantity measured using an environment sensor 4440, a position sensor 4441, a motion sensor 4442A, or a biometric authentication sensor 4443A of a sensor 444A of a built-in input device 44A, fraud of a user's secret key used in a blockchain An authentication system that can monitor and detect usage and notify the user. The above-described authentication system of the present invention has been described with reference to the embodiments, symbols, drawings, and the like.

However, since the present invention is not a blockchain-based invention, the details of Ethereum are omitted. As a premise of the embodiments, the present invention operates in an environment in which Ethereum and Ethereum smart contracts operate. In addition, web applications using smart contracts that operate on Ethereum and its blockchain, dApps (distributed application software), web browser software, ECMAscript, Solidity, computer operating software, blockchain nodes, networks, servers that become nodes, etc. For computers, use an environment in which Ethereum can operate. Regarding implementation, preferably a blockchain infrastructure that can use encrypted transactions and contracts.

<Network definition>
The encrypted network 20 (network NT) and the unencrypted network 22 (network NTP) included in the communication network 2 shown in the present invention use wired cables such as optical fibers and electric wires and wireless equipment. , or an internetwork, which is a global communication network.
The network may be a local area network LAN with limited connections.

<Cooperation between internetwork and contract on local area network>
Here, a network that cannot be physically connected to an internetwork refers to a network that is used only within an organization's building or a network that is formed by connecting a building far away with a dedicated line. , for example, a computer network constructed with dedicated lines used by companies, public institutions, universities, research institutions, financial institutions, and the like.
When the one-time password authentication is performed in the present invention, authentication can be performed if the content of processing such as a hash function for calculating a password and its argument match. For example, when generating a password OWP with a paper ticket, the OWP is generated by accessing the blockchain via the Internet and printed on paper, and the paper ticket is authenticated by reading the ticket at the entrance of the building that provides the service. The terminal 3D is connected to the local area network (LAN) in the building, and accesses and authenticates the building-specific blockchain contract that operates on the LAN.
What is important here is that the block chain contract between the Internet and the building LAN must match the processing content such as the hash function fh for calculating the OWP and the seed value KC. If the OWP can be authenticated on the LAN block chain, the user can enter the building.
A network that cannot be physically connected to an internetwork is not limited to the size of a LAN. It may be a computer network that covers from the campus of a university to an entire city, or a computer network that links LANs in remote locations with a dedicated line.

<Cooperation of contracts on the local area network>
If the function for generating and authenticating the one-time password matches the seed value, the one-time password can be generated and authenticated in a contract on a blockchain built in the same LAN or a different LAN. Specifically, in a research institution, when encrypting experimental data in the laboratory with an encryption system using the software 403A of the present invention, or when locking research facilities and equipment, LAN that is not connected to the internetwork A blockchain is formed in , and a one-time password with an access level according to the staff of the laboratory is given to the employee's IC card type employee ID card, etc., and the encrypted data is viewed and the plaintext data obtained in the experiment is encrypted. , used to unlock research facilities and equipment.

<Storage device>
In the present invention, storage devices such as the user terminal 1A and the server terminal 3A include a read only memory ROM (Read Only Memory) and a random access memory RAM (Random Access Memory). In addition, an SSD (Solid State Drive) composed of a flash memory which is one of semiconductor memories, an HDD (Hard Disk Drive) using a magnetic disk, and a magnetic tape can also be used as storage devices. Optical discs are also used.

<Management of personal information used in the authentication system of the present invention>
European Union EU General Data Protection Regulation GDPR (reference source, Japan External Trade Organization "Special Issue on EU General Data Protection Regulation (GDPR)" https://www.jetro.go.jp/world/europe/eu/gdpr/ View December 8, 2020), it is expected that personal information protection will become necessary.
Personal name and address, e-mail address, telephone number, IP address, location information, ID (device ID) unique to devices such as terminals 1A and 4A, values of sensor 444A of terminal input device 44A, user identifier and OTP In the present invention, when the token number of the token is collected as shown in FIG. 6X and held in a terminal such as server 3C or server 5A, the consent of the owner of the terminal is sought, what kind of information is collected, and unauthorized access is detected. The function of explaining and asking for consent to be used for is available in the services described in Examples 1, 2, and 3 having the data structure of FIG. 6X. In the present invention, when monitoring and detecting unauthorized use of the private key of a user terminal, user identifiers, token numbers, IP addresses, terminal sensor values, etc., which are personal information of users, are collected.
In the present invention, in order to detect unauthorized access while protecting personal information, user identifiers, token numbers, IP addresses, location information, IDs (device IDs) unique to devices such as terminals 1A and 4A, and Terminal sensor values are either anonymized (preventing identification irreversibly, processed by hashing, cutting off part of the hash value after hashing, etc.) or pseudonymized (reversibly pseudonymized data and (When personal information is encrypted and stored), the information can be recorded in the data format shown in FIG.

While several embodiments of the present invention have been described, these embodiments are presented by way of example and may be used for each service, encrypted data, device, vessel, vehicle or building in which the authentication system of the present invention is utilized. It can be used in compliance with laws and regulations, and can be used by adding computer terminals, networks, server terminals, recording devices, and input/output devices accordingly. A system to which the present invention is applied is operated on the premise of access control to data and services while protecting the personal information of users who use the authentication system of the present invention. In addition, in the form in which it is actually used, in addition to the contents of the processing described in the explanation of the present invention, variables, functions, and processing necessary to provide various industries and types of services to users are added to the smart contract. can be considered.
While several embodiments of the invention have been described, these embodiments have been presented by way of example and are not intended to limit the scope of the invention. These novel embodiments are not limited to Ethereum, for example, and can be implemented in various other forms, and various omissions, replacements, and modifications can be made without departing from the scope of the invention. .

<Symbols/terms>
Next, symbols and terms will be explained.
DLT (Distributed Ledger Technology) Distributed ledger technology.
DLS (Distributed Ledger System) Distributed ledger system. DLS is used as an abbreviation for the blockchain system and the DAG type system to which the present invention is applied.
URI (Uniform Resource Identifier) A general term for URLs, URNs, etc. that specify the location of information on the Internet.
Manage private keys used in wallet software DLS. For example, it is used as a web browser extension function with a password. You can access the web page/DLS with the recorded private key.
Hardware wallet An external storage device for a private key that records the private key on a digital device. Some devices can work with wallet software. From the point of view of a private key storage device, it is similar to a personal number card.
Private key PRVA, etc. Private key used on DLS. Without the private key and DLS, authentication and services using OTP tokens cannot be performed. Same as 101A of terminal 1A.
User Identifier A Calculated from the private key 101A according to DLS processing. In the embodiment, the private key, the public key, the hash value of the public key, and the partial data of the hash value are cut and used as the user identifier.
UA User of terminal 1A.
UB User of terminal 1B.
UC User of terminal 1C.
UP User of terminal 4A.
BnTOTP An abbreviation for a one-time password based on the time on the blockchain, which is calculated based on the block number Bn and the seed value KC inside the contract on the DLS such as the blockchain.
OWP Abbreviation for password used when the contract owner (Owner) rewrites the contract internal variables KC and BC of the distributed ledger system DLS to an arbitrary number of times at an arbitrary time to generate a pseudo OTP.
BIOS Abbreviation for Basic Input Output System. Performs basic control such as loading operating system software from the terminal's storage device or an external recording device, and recording time information.
EFI Abbreviation for Extensible Firmware Interface. The latest BIOS standard used at the time of patent application.
ROM Read Only Memory. A storage device that can only be read after data is written.
RAM Random Access Memory. A memory device that can erase and rewrite data.
CPU Central Processing Unit. A central processing unit of an electronic computer (computer), which integrates a control unit and an arithmetic unit.
SoC System on Chip. A chip that integrates multiple functions such as a CPU, graphics processing unit, GNSS and other wireless signal reception modem, and wireless communication modem. Constructs a communication device and a control arithmetic device.
Abbreviation for MCU Micro Control Unit. micro control unit.
NFC Abbreviation for Near Field Communication. Near field communication.
NITZ network id and timezone.
GNSS Global Navigation Satellite System / global positioning satellite system.
JJY The name of the broadcasting station that transmits Japan Standard Time.

In a distributed ledger system DLS such as a blockchain, among the information TB (or Tm) that changes at the latest time T on the DLS, using a variable that changes in the latest block on the blockchain depending on the time such as the block number Bn We realized a one-time password authentication system in which the password BnTOTP dynamically changes based on time.
In addition, the information TB that changes at the latest time T on the DLS can be pseudo- A contract administrator change type one-time password authentication system using the password OWP of the token number TIDA valid until the contract administrator changes the value.
Then, a time-based one-time password authentication system is realized in which the contract manager can change and update the seed values KC and BC of the password BnTOTP to arbitrary values at any time.
Furthermore, in a public blockchain, we believe that it is necessary for security to use a random seed value for BnTOTP calculation. We realized a one-time password authentication system that is used to calculate BnTOTP as the original value of . Using BnTOTP as an example, it is possible to log in to a website, decrypt encrypted data, and enter an online service providing venue in the real world by logging in to the website.

<Application by BnTOTP>
Website logins can be used for multi-factor authentication in banking, securities, insurance and payment businesses. It can also be applied to login to membership sites, electronic commerce, online data storage, e-mail, online commercial software, and online computer games. When decrypting the encrypted data, authentication is performed by the authentication system, and the encrypted data can be decrypted using the return value as one of the keys.
<Application by OWP>
It is used for valuable paper sheets 18A such as tickets and NFC tags 19A for unlocking.
The password OWP is displayed and printed by the user, and the user is made to print the user identifier A, the token number TIDA, and the password OWP as a character string or bar code on paper as 18A, or record it in a contactless digital device such as an NFC tag 19A. , paper and electronic tickets are manufactured, and an authentication system that provides services can be constructed by reading and authenticating the password OWP, the user identifier A, and the token number TIDA from the previous tickets in the real world where the services are provided. Any paper can be used as long as it can print information, and digital printing devices such as laser printers, inkjet printers, and thermal printers, and corresponding paper, thermal paper, ink, toner, and the like are used. As for the printing method, a method without a printing plate is used, and a character string or a barcode can be recorded on a medium such as paper, plastic, or metal plate according to instructions output from a computer.
If the authentication information can be read with a camera or the like, the information can be recorded not only on paper but also on metal plates, slates, and the like. Even if the camera is not used, it is possible to manually authenticate the character string. Even if there is no printer, the user can manually write down the character string required for authentication on paper or a metal plate in a readable state, bring it as a ticket to the place where the service is provided, and present or transmit the character string to the service provider. Alternatively, the service provider can manually enter the string into the authentication function for authentication. However, since this method cannot be labor-saving or automated, a character string or a bar code indicating it is printed on paper or the like, and the service provider reads the character string bar code with a camera or scanner for authentication.
When OWP, user identifier A, and token number TIDA are recorded in the NFC tag 19A, the terminal 3D that manages locking that can read the NFC tag 19A reads A, TIDA, and OWP and causes the terminal 3D to perform authentication processing. Locking can be unlocked when the authentication result is correct.

<NFC tag recording authentication information such as OWP>
Authentication by a digital device such as the NFC tag 19A is expected to be faster than paper authentication. The NFC tag 19A may be a portable terminal or a terminal that is easy to wear, and may be built in a mobile phone terminal such as a smartphone, a wallet type, an IC card type, a tag type such as a key ring, a glasses type, a hearing aid, headphones, or earphones. A mold, a garment mold with an NFC tag 19A, a watch mold, a bracelet mold, a belt mold, a shoe last, and the like. (Unauthorized access detection is also possible when a terminal such as a smart phone that can be connected to the network 20 and the NFC terminal 19A are communicating and cooperating with each other except for exceptions such as disasters). Even if it is not an NFC tag, it can be used in the form of a tag made of cloth, plastic film, paper, etc. on which OWP or the like is printed on accessories such as wallets, clothes, and shoes.

<Authentication of products by tag using OWP>
In the present invention, tickets using OWP are assumed to be membership cards, identification cards, gift certificates, and service tickets (valuable paper sheets). In addition, when authenticating and authenticating clothing items that have acquired trademark rights (including three-dimensional trademark rights), the model number of the clothing item, the contract identifier of the OTP token, the manufacturing number and the OTP token number, User identifiers of trademarked product manufacturers, OWP codes, can be used for authentication. In this case, NFC tags embedded in products protected by trademark rights, etc., or in the form of barcodes made of cloth or paper, etc. that are visible on the surface of the product, authenticate whether the product is a legitimate distribution product. can.
When an NFC tag is mounted on clothing, the user can determine the authenticity of the clothing product authenticated by what kind of NFC tag. However, at the same time, there is a risk that the data of the NFC tag embedded in the clothing can be read by wireless communication, which may infringe on the privacy of the user who has the tag.
On the other hand, compared to the NFC tag, the method in which the OWP or the like is printed, dyed, or woven on cloth or the like is not read wirelessly, and is therefore useful for protecting personal information. If the authentication information is written on paper or cloth, put the OWP authentication information tag as the serial number of the product next to the washing indication, size information, and manufacturer information in the tag part that usually writes the size of clothes that is not usually visible. can be attached.
Although clothing is shown as an example, labels for agricultural, forestry and fishery products that are protected by rights holders, labels for daily necessities such as food, labels for alcoholic beverages such as wine and sake, labels for clothing, labels for leather products, labels and engravings for jewelry. , electrical and electronic equipment labels, housing labels, parts labels for automobiles and mechanical equipment, models/toys, paper books, music/movie discs, etc. Labels (and tags) for products with copyright holders ), the present invention can be applied to product authentication and authentication.
Even for small products such as semiconductors and electronic components, patterning, engraving, and printing of fine character strings or barcodes on semiconductor packages and built-in silicon and elements, OWP that is indistinguishable with the naked eye but can be distinguished with a microscope. By recording such authentication information, reading the OWP information, and substituting the read information into the authentication function, it is possible to check whether the product is genuine or not. When OWP is used, even if the print content or engraving content is so minute that it cannot be visually distinguished, it can be authenticated if it can be read as character information or image information by enlarging it.
Wearable computers, wristwatches, rings, jewelry, semiconductor chips (IC silicon pieces before packaging), and other small precious metals, semiconductors, and stone materials. It is also conceivable to record it with a stamp or the like and use it for authentication. In the case of accessories such as rings, stamping is performed on the base material of the main body of the ring, which fastens jewels and the like. It may be possible to manage product distribution by recording a plurality of detailed information such as OWP on products such as precious metal jewelry and ingots. When distributing valuable paper sheets made of plastic film or paper, it may be possible to manufacture valuable paper sheets by printing minute information such as OWP so that they cannot be easily read.

<Logistics management by tags using OWP>
A DLS that generates and authenticates OWP for distribution is constructed, an OTP token is issued to the DLS for distribution, and the corresponding OWP generation function and the location information and sensor information of the terminal that performed authentication at the time of authentication are stored on the DLS. By using an authentication function for recording, it becomes possible to record the delivery status of the physical distribution container labeled with OWP. When the container is sealed with OWP, the authentication information such as OWP of the present invention is printed on the sealing label, and the distribution of the package sealed with the sealing label 18A is recorded and tracked on a block chain that is resistant to tampering. can.

For distribution of food, the information of 18A of the present invention is printed on food packaging, and product information such as expiration date/expiration date information and manufacturing factory information printed on food packaging is recorded and managed in the process of distribution. By reading the two-dimensional barcode at the store when purchasing and linking it with the consumer's payment information and terminal, it is possible to record information on the expiration date and expiration date of the food purchased at a certain store. And from the above information, it may be possible to reduce the food waste loss due to the expiration date of the purchased food. The distribution information of 18A and the expiration date/expiration date information of the product purchased at the time of purchase at the store are used for settlement such as the terminal 1A or recorded and displayed on a terminal that can view the settlement result, and when the expiration date is approaching, the terminal 1A is notified. By doing so, it prevents food waste due to unintended expiry of the expiration date. The information in 18A may be associated with a terminal controlling a food storage such as a refrigerator.

Not only food products, but also home appliances, housing equipment, automobile parts and automobiles, pharmaceutical products, etc., when the product manufacturer and seller collects products from consumers, the manufacturer and seller obtains the consent of the consumer sold by the store. It may be useful to investigate which products are purchased by which consumers.

<OWP certification>
Here, when authentication is performed at 1500A, 18A, or 19A using the password OWP, there is an authentication server (authentication terminal 3D) that determines whether paper and electronic tickets brought into the place where the service is provided are valid. Even if the network goes offline due to a disaster or the like, ticket authentication can be performed. From the point of view of ticket issuance and possession, token data can be recorded on servers around the world due to the tamper resistance and distribution characteristics of DLS such as blockchain, and it can be recorded that the user possessed it. It can also be used as a key for tickets.
In order to make it possible to prohibit or permit the transfer of the ticket 18A using OWP in order to enhance industrial applicability, and to enable entrance tickets with paper and NFC tags, etc., in the present invention In order to link DLS and paper tickets, we introduced the concept of an owner-type one-time password OWP that can be changed at will by the owner, who is the manager of the contract, using arbitrary variables.

<Relationship between BnTOTP and OWP>
In OWP, the contract manager rewrites the seed value for one-time password calculation in the contract, thereby changing the password generated by the token with the token number belonging to the contract. On the other hand, in BnTOTP, the block number is automatically increased and the seed value is changed. A pseudo BnTOTP can also be realized in the OWP method by sending a transaction to the DLS so that the contract manager changes the seed value BC every time the block number changes like the block number Bn and rewrites the seed value. Therefore, in the present invention, it is preferable that the contract administrator can change the seed value used for calculating BnTOTP, like OWP.
In the smart contract on DLS, the concept of the OWP method and the BnTOTP method can be imagined as the case where the second hand of the clock moves automatically (BnTOTP) and the case where it moves manually (OWP). If the second hand of the clock, which is a counter, can be moved, the password can be changed, and a dynamic password can be generated by the DLS smart contract (a variable that changes with time, such as a block number derived from DLS, is adopted as a counter variable. or send a transaction to rewrite the counter variable via smart contract).
Here, compared to BnTOTP, OWP also includes updating of the seed value, so it is a necessary element in the present invention.
In the present invention, by using OWP, it is possible to provide services in the real world using valuable paper sheets such as tickets, provide services in the digital world such as websites, software that decrypts encrypted data, and advertisement distribution services for that software. Unauthorized use monitoring service for private keys is possible.
In addition to OWP, focusing on data such as block numbers used for DLS such as blockchains that do not require manual updating of counters, BnTOTP is obtained by adding the block number Bn to the argument of the hash function that calculates the OWP password. By doing so, the seed value of the one-time password can be changed manually and the seed value can be automatically updated by the DLS.

<Usability of OTP tokens on smart contracts>
FIG. 9A shows a block chain type distributed ledger system, and FIG. 9B shows a form using a smart contract of the present invention and a secret key unauthorized use monitoring function in FIG. 6X using a directed acyclic DAG type distributed ledger system. . In addition to the form of FIG. 9A, the present invention can also provide an OTP authentication system in the form of FIG. 9B by using an OTP generation function and an OTP authentication function that are recorded as a smart contract program on a tamper-resistant distributed ledger system. .

<OTP token availability>
The OTP generation token that generates the BnTOTP or OWP of the present invention can be issued to users in a contract on the blockchain in the same way as a key in the real world, or can be transferred between users in a limited community or around the world. be possible.
The one-time password token of the present invention can be used for keys or login rights, ownership rights, viewing rights, usage rights, voting rights, etc. in the real and digital fields, and encrypted data can be It will also be possible to decrypt using a one-time password token. The present invention is applicable to paper tickets, electronic tickets, website login tickets, and to services deployed in both the real (physical) and digital (data) domains.

<Use of OTP tokens as security tokens>
It has been described that it can be used as a ticket for logging in to websites in the digital space, decrypting encrypted data, and using services in the real world with paper or NFC tags. Here, the OTP token is assumed to be used as a utility token, but it may be possible to give the OTP token the role of legally regulated securities. That is, the OTP token of the present invention is a security token (electronic record transfer right, source: Japan Securities Dealers Association https://www.jsda.or.jp/about/jishukisei/words/0326.html, December 12, 2020 Browsing, ) may be used as
As one of the specific usage forms of the security token, the OTP token used in the OTP authentication system of the present invention is tied to the stock of the corresponding company, and the contract manager of the OTP token performs transfer restrictions and custody transfer. , Dividends out of the profits of the company will be distributed by transferring them to the securities accounts of the owners of the OTP tokens in cooperation with securities companies and trust banks.
Then, it may be possible to use the OTP authentication system to log in to the website where the general meeting of shareholders is held, and to exercise voting rights by an electromagnetic method at the general meeting of shareholders through voting and the like using the OTP authentication system of the present invention. Voting rights are given to one OTP token and used for processing to log in and vote by exercising the voting rights on the website for the general meeting of shareholders. In addition, when the shareholder uses the rights (the right to use the company's own service, the shareholder's complimentary ticket, etc.) that can be received when the shareholder has a stock-type OTP token, the BnTOTP-type OTP is displayed on the display of the terminal 1A. It may be presented to the provider or the service providing terminal, and when the OTP authentication result is correct, the service may be received.
In this way, it may be used as a voucher or securities in the financial field such as banks and securities. It is also envisioned for use in relation to building locks and for ownership and use rights of building real estate.

<Use of the OTP of the OTP token as a pseudo-random number for a pseudo-random number generator>
There are times when something is decided based on probability, such as a lottery or a game using dice. For example, there is a lottery that can be drawn after the purchase of a product for the purpose of attracting customers, and the present invention may be used for that purpose. In amusement applications, OTPs may be used in computer games, including online games, for numbers that determine the processing of things that occur in the game. In the real world, it may be possible to display the OTP of the OTP token used as the dice in place of the actual dice, and play using playground equipment such as a card game according to the displayed number.
Alternatively, there is a case of visiting a religious facility such as a temple or a shrine, throwing coins, or making a donation to the religious facility and drawing a fortune. and its pseudo-random number generation function may be used.
The present invention has a function of generating an OTP, which can be used as a pseudo-random number and used as an OTP token for logging into a website with OTP authentication. can be generated and used as described above. Then, when a donation to a religious institution such as a temple or a shrine or an omikuji is made on the website and the payment is made in currency, etc., the OTP value of the OTP token is displayed on the terminal 3C that distributes the website of the temple/shrine. may be used as an argument for calculation, and the result of the omikuji may be calculated and displayed on the terminal 1A of the user. Then, pamphlet data introducing the auspiciousness and the like may be distributed in the form of encrypted data to users visiting temples and shrines so that they can be browsed by the users.

When using OTP for pseudo-random number generation, the mapping type variable KCU[TIDA] (or VU[TIDA]) corresponding to the user's token number TIDA in the OTP generation and authentication contract is the user identifier of the TIDA token owner. Equipped with a setter function that A can change, KCU [TIDA] can be rewritten only by user identifier A, and although contract administrator 1C cannot rewrite, only users can access and rewrite OTP tokens owned by users. It is also possible to build a pseudorandom number generator that can vary the seed value used to calculate the pseudorandom numbers.
In addition to the secret variable KC value set by the contract manager, a secret variable KCU [TIDA] that can be set by the holder of the OTP token according to the OTP token number is set, and the user sets it for each token. The OTP is generated by adding the obtained KCU[TIDA] to the argument of the hash function fh. A calculation example of the OTP is BnTOTP=fh(A, TIDA, KC, Bn, KCU[TIDA]) in the case of the BnTOTP type.
Mapping type variables such as KCU [TIDA], KCU [TIDB], KCU [token number] (or variables such as structure type and array type are also possible, it is possible if the KCU data array can be expressed using the token number as a key) By being able to set by the user, it is possible to obtain the lottery result with the KCU [token number] determined by the user instead of the KC value determined by the contract administrator. may help prevent it.
As an example of the fraudulent act of the contract manager, for example, if the side managing the game in an online game knows all the seed values including the KC value, the OTP of the specific token number of the specific user identifier will be sent at some time in the future. It is conceivable that the server 3C will know what kind of OTP value can be obtained, anticipate it, and incorporate malicious processing targeting the user identifier A or the like into the online game providing program of the server 3C.
Therefore, if the seed value KCU [token number] of the OTP token held by the user is set and can be changed (and the transaction sent when the user identifier A changes KCU [TIDA] can be made anonymous) ), it becomes difficult for the contract manager to guess the future OTP value of the user. If the user also does not know the KC value determined by the contract manager, the OTP value generated by the OTP token of the token number TIDA held by the user is not known, so it can be used as a pseudo-random number generator. Contract administrators may be discouraged from guessing because they do not know when users will change the OTP seed value KCU[TIDA].
Here, the industrial applicability of the present invention when it is used as a pseudo-random number generator for online games has been described. may be used in making decisions.

<Possibility of circulating data considering OTP tokens as content>
Enables the distribution of encrypted data using a distributed ledger system that is different from e-books and paper books. It is possible to transfer the OTP token, the encrypted data, and the decryption software CRHN403A to another user in a state where transfer restrictions are not applied. It will be possible to facilitate the distribution overseas of data derived from works created in Japan.
Data includes novels, comics, music, videos, computer game software, business software, 3D CAD data (and 3D objects such as models output from 3D printers using 3D CAD data), and a wide range of content. may be treated in the secondary distribution market as a viewing right/data decryption key called an OTP token. In addition, since it has a function to limit the transfer of tokens at any time during secondary distribution or cancel the limitation, distribution can be done according to the request of the right holder.
By providing an advertisement and access monitoring server when data is decrypted during circulation of OTP tokens and encrypted data, it is intended to distribute advertisement revenues to the rights holders of the content being viewed. The advertisement display function also serves as an unauthorized access prevention function, and can detect unauthorized use of the private key of the owner of the OTP token. The software CRHN403A also has an advertisement display function to prevent unauthorized access, display advertisements, and notify software updates.

<Possibility of distributing OTP tokens as content access rights, ownership rights, and content itself>
In the application of decrypting encrypted data in the present invention, for example, for books, distribution of encrypted data using a distributed ledger system that is different from e-books and paper books, and distribution of OTP tokens as ownership rights and access rights. to enable. In computer software, commercial software and game software are also distributed as OTP tokens representing ownership and access rights.
As long as the OTP token contract does not have a built-in removal function, the OTP token will continue to be recorded and stored in a tamper-resistant blockchain in association with the user's private key and the corresponding user identifier. If a user has a terminal with the same function as the node terminal 3A and can become a block chain node like Ethereum, as long as there is a user who wants to keep the block chain, the OTP token possession information can be saved. If the software distributed by the computer software vendor distributes encrypted data or unencrypted plaintext data embedded in the software CRHN, the software is recorded and retained in the user's terminal and the software is operated. can continue.

<When OTP token is used as the viewing right for broadcast encrypted data>
By writing the contract identifier information of the OTP token viewed by the viewer in the broadcast encrypted data or in the software 403A together with the data in FIG. It is possible to know which token number user of the user identifier is accessing and viewing. This function applies the advertisement server function and the unauthorized access prevention function of the terminal 5A. In consideration of the user's privacy, it may be particularly required to anonymize the user identifier and token number and record them in the terminal 5A as shown in FIG. 6X.
By totaling the access data shown in FIG. 6X and totaling the number of accounts with user identifiers corresponding to the number of viewers of the broadcast, the total number of viewers can be obtained, which can be applied to obtain the audience rating at the time of broadcasting. However, when the number of broadcast receivers is comparable to the number of receivers of terrestrial digital broadcasting, etc., the terminal 5A must be divided into a plurality of distributed server groups in order to manage access in the form of FIG. Since the communicable band may be consumed, the terminal 4A sends information on whether or not the terminal 5A is viewing at different times depending on the last digits of the token number in FIG. 6X. It may be preferable to be able to communicate to the flock.

<When determining the authenticity of GNSS signal data using an OTP token>
The BnTOTP signal of the present invention is attached to the GNSS positioning signal broadcast from the positioning satellite terminal 5C such as GNSS that can be connected to the node terminal 3A of the block chain, and the positioning signal received by the ground station terminal 1A and the terminal 4A. By authenticating the data via the network 20 with the authentication function 3018A of the node terminal 3A of the block chain, it is possible to determine whether the positioning signal of the broadcasting station 5C is correct and whether the GNSS positioning signal is a spoof.
GNSS signals are information used by automobiles, aircraft, ships, mobile phones/smartphone terminals, and unmanned aircraft to determine their own positions. The location information and the time information are linked with the data on the block chain by using the authentication by BnTOTP, and the location information and the time information of the terminal 1A that received the positioning information including the BnTOTP and the block chain information are used to confirm that the terminal 1A is It may be possible to authenticate whether you were in a certain place at a certain time.
Then, by using the location information, time information, and block chain information of the terminal 1A that received the positioning information including BnTOTP, BnTOTP and time are added to information such as text image information, video, and audio recorded by the terminal 1A through the input/output device. By recording information and location information, it is possible to add a reliable time stamp with location information to input/output information and printed matter. (A MAC value of HMAC may be assigned to the data.)
In addition, certified location information for navigation applications in automobiles, ships, aircraft, and unmanned aerial vehicles may allow these machines to move more safely.

The idea of attaching BnTOTP to this GNSS signal is different from the idea of managing distribution by attaching OWP to things in the form of 18A or 19A in logistics management using tags using OWP. BnTOTP is attached to broadcast data to manage the distribution of the broadcast data. BnTOTP or OWP may be attached not only to GNSS signals but also to broadcast data or distribution data to authenticate and determine authenticity.

<Relationship with download sales platform>
Electronic books, audio/video data, computer software, and computer game software are increasingly being sold by download sales platforms. However, the download sales platform requires different application software to be installed by each company that operates it, and there is a risk that the service will be terminated if the company that maintains the software becomes unable to survive.
For example, e-books and computer games may have purchased the right to read and play, and the ownership of semiconductor memory type ROM cassettes and optical discs that store game software to be loaded into paper books and computer game terminals It is different from the form of selling
In the present invention, the ownership is distributed as an OTP token only if the right holder permits it, and the content is in the form of encrypted data that can be decrypted by the blockchain system, the OTP token, the private key 401A to which the token is assigned, and the software CRHN 403A. There is an aim to make it possible to possess When the user goes offline due to a disaster or the like, OTP authentication is performed, and the certificate data proving that the user has been able to view the content can be viewed using the private key 401A, and the content can be used without always needing to be connected to the internetwork.
Even in the present invention, if all the nodes such as 3A and 3B that make up the blockchain disappear, the hardware of the blockchain that supports the OTP token disappears, and the service may end. However, when there is a server administrator who wants to configure a terminal like 3A or 3B, node terminal 3A can be maintained according to open source software released to the public.
In order to find value in data and services linked to OTP tokens and to maintain OTP tokens corresponding to the data and services, a user prepares a node terminal 3A and the prepared terminal can become one node of the blockchain. If possible, the blockchain might make it harder to terminate the service.
In the case of a blockchain, unlike an application of a certain company, it can be operated as long as terminals serving as nodes exist all over the world and are connected using the network 20 . If blockchain nodes are distributed all over the world, it can become a database system that is resistant to local disasters on the earth.

<Operation in a virtual machine environment>
It is also conceivable that the blockchain of the present invention is processed by a network of virtual servers. Electronic computer terminals such as personal computers and servers undergo drastic changes in hardware and software. However, there is a risk that the software itself that activates the operating software, such as BIOS and EFI, will be changed, making it impossible to operate existing operating software, web browsers, and blockchain client software. It is also conceivable that blockchain-based public-key cryptography, cryptographic hash functions, and common-key cryptography could be updated.
Therefore, not only the server 3A but also the node terminals and web service terminals of the distributed ledger system such as the server 3C may be operated in the virtual machine environment. In case the blockchain client software cannot run on the operating software of the server terminal due to compatibility issues, it is possible to run it on a virtual computer, on a server, or on multiple servers. may be preferable. (Examples of compatibility issues are changes in Internet protocols for browsing websites, changes in programming languages such as ECMAScript)

<Long-term operation>
Considering that it will be used in a real or virtual machine environment for a long time, it is preferable that the amount of power consumed by the blockchain system is small, and the power consumption is lower than that of proof of work such as proof of authority and proof of stake It is preferable to use the consensus building algorithm of the expected blockchain system. It is desirable to use sustainable energy for the power supply devices that operate terminals and networks.
It is preferable that the service provider has a list of owners of OTP tokens corresponding to the service using the server 3F or the like on the blockchain, and can store the owner information like a list without relying only on the blockchain. Usually, login to the website shown in Example 1 and Example 2, use of tickets for events, etc., keys for cars and buildings, etc. company's login method, etc.), and there are many uses where there is no legal basis for providing services before the end of human lifespan.
On the other hand, in the application of decrypting the encrypted data shown in the third embodiment, it is assumed that it will be left for future generations beyond the human life span. Ancient documents written with existing paper and ink and ukiyo-e woodblock prints convey past events beyond the human lifespan. If the present invention lasts for such a long period of time, it is expected that texts, music records, video information, and computer game software that are difficult to read without OTP tokens will be generated. Along with the data and decryption information, it may be sold as an antiquarian item, just like paper antiquities.

<When the user can change the seed value>
The contract has some seed variables, some of which are only accessible by the contract admin, others are totally unrelated to the contract and can be overwritten by the user, and others can be overwritten by the token owner. By preparing a variable and allowing the user to change it to any value at any time, it can become a pseudo-random value. It is also possible to set a one-time password generation seed value corresponding to the user's token number and use it as a pseudo-random number generation element in online games and the like. It can also be used for lotteries and the like as a service that uses randomness.

<Possibility of distributing OTP tokens as keys for decrypting encrypted confidential information>
It is possible for a certain organization to encrypt plaintext data that is to be viewed only by users who have been granted OTP tokens, distribute the data as encrypted data, and allow viewing. In the present invention, in addition to decryption using only the distributed ledger, an external password AKTB that is used within the organization is set. As an example, a company distributes prototype vehicle parts and models as 3D CAD data as encrypted data, and uses CRHN403A software that can decrypt it and an OTP token (and the return when authenticated with the OTP token). An employee who has the value CTAU) and the external password AKTB can decrypt and view the data, and can create parts and models based on the 3D CAD data.
The confidential information OTP token is linked to the private key of the user terminal 1A (terminal DA). Here, as the external recording device 16A of the terminal 1A (or 4A), an IC card in which a secret key assigned to a personal number card, an IC card-type employee ID card, or a student ID card is recorded is connected and communicated. It is also intended to encrypt sensitive information, personal information, personal records, and confidential information. (In this case, if the IC card that records the private key is damaged or lost, the private key may be lost. Therefore, the IC card issuer copies the private key to a storage device, and prevents the storage device from being accessed from the Internet.) It may be necessary to store and manage it in a data center or safe.)

<Sale as viewing rights to decrypt encrypted data broadcasting>
When performing broadcasting or communication by amateur radio, business radio, or the like, the token of the present invention may be used to exchange encrypted radio or television viewing rights as OTP tokens. It may be possible to provide an OTP authentication system that enables decryption and viewing of encrypted broadcasting in fields including terrestrial broadcasting, satellite broadcasting, cable broadcasting, and Internet broadcasting. For example, it may become possible to contract or buy/sell viewing rights for programs broadcast in one country A and another country B, and view them. Radio information can also be encrypted and broadcasted by private amateur radio stations and corporate stations. It can also be used for business communication in factories and company premises.

<Sales of rights to view scrambled broadcasts for decrypting encrypted data broadcasts in satellite broadcasting>
It may be necessary to secure a radio band for the use of wireless communication devices such as mobile phones and smartphones on the ground. Since satellite broadcasting broadcasts from outer space to the ground, if an artificial satellite can be deployed in outer space, data broadcasting can be performed from outer space without consuming radio wave resources on the ground, and it may be possible to use it as a viewing right for broadcasting during data broadcasting. .

<Relationship between OTP tokens as viewing rights for satellite broadcasting and radio wave resources>
When there is a communication and broadcasting network by many artificial satellites in outer space, and the terminal 4A on the ground can acquire encrypted data from the artificial satellite type broadcasting station 5C by radio broadcasting, encrypted data (data such as magazines, newspapers, etc.) , software data information, etc.) is broadcast, and if there is an OTP token capable of decrypting the data in the private key 401A of the terminal 4A that received the data, it may be decrypted and used. Note that the encryption key TTKY (4033A) at this time is set for each OTP token corresponding to each broadcast content.
Specifically, there is an OTP token that corresponds to a service that broadcasts encrypted data of a certain newspaper or television, and the person who possesses it has a receiver attached to the terminal 4A in a band (channel) that supports encrypted data broadcasting. The received encrypted data is decrypted with the OTP token and viewed and viewed. OTP tokens are contracted for regular subscription or regular viewing by a subscription service. The OTP token is set so that it cannot be used after the end of the fixed-term contract. While existing terrestrial broadcasting, including broadcasting in times of disaster, may be conducted, it may be possible to consider using satellite networks in outer space for broadcasting and communications with higher added value or larger capacity for new uses.
Effective use of radio wave resources necessary for the use of terminals such as mobile phones, smartphones, personal computers, and IoT devices on the ground and existing broadcasting, and effective use of radio wave resources in light of disasters and needs in daily life. When necessary, access control technology for encrypted data like the present invention and distribution of viewing rights by OTP tokens enforcing it may be used.

<In the case of distributing distribution rights for satellite broadcasting network program frames or content to be distributed as OTP tokens>
An individual sends data to a private satellite to a radio station for uplink, which the individual wants to distribute. (which may also OTP tokenize its rights). For example, video data with a large amount of data is distributed all over the world on video viewing sites, and the data traffic may not be negligible. The wireless network 20 consumes radio wave resources, while the wired network 20 requires additional optical fibers and the like to cope with increasing traffic. If the data necessary for watching a video is content that is consumed by many people, it would be better to receive and record the data as encrypted data of satellite broadcasting than to communicate it over the two-way communication network on the video site. 20 may be less loaded.
Alternatively, rather than transmitting the same data repeatedly to different people, even in video distribution data during two-way communication, it is distributed as encrypted data and connected to the advertisement distribution and unauthorized use monitoring server 5A on the software 403A. The load on the network 20 may be less if the user watches while watching. The OTP token may be distributed as a viewing right for live distribution of moving images, and may be used for live distribution of moving images that is resistant to communication failures by combining broadcasting from an artificial satellite and broadcasting from the network 20 .
There may be a scrambled broadcast that broadcasts encrypted data after selling and distributing OTP tokens to users living in a region (including multiple countries) within the reception range of satellite broadcasting by a private sector. do not have.

In the present invention, the head-mounted display 453A is provided with a biometric authentication function 4530A, and when the encrypted data is decrypted and viewed, the biometric data of the person viewing the encrypted data is directly or hashed. It can be obtained indirectly by performing authentication and can be browsed by simple authentication.
Here, the head-mounted display 453A has a smaller screen than a mobile terminal, a tablet computer, or a television viewing display. make it difficult. The software CRHN 403A can be programmed to operate only when the terminal 4A is connected to the CRHN 453A, and an authentication system and an encrypted data decryption viewing system can also be provided to prevent shooting of content obtained by decrypting encrypted data. .
Biometric authentication device 4530A may measure body temperature using a temperature sensor. Point-like, one-dimensional, and two-dimensional thermography is obtained from the head and eyes of the wearer of the 453A to detect the presence of the wearer and the characteristics of the wearer. Authentication related to the shape of the face of the head, biometric authentication related to the eyes, biometric authentication derived from the ear structure, biometric authentication derived from the shape of the head, and biometric authentication related to blinking may also be used.

<When encrypting communication on the network using encrypted data software>
Communication between terminals connected to the network 20 can also be encrypted using the plaintext data encryption function and the encrypted data decryption function using the block chain of the software CRHN403A.

<When using BnTOTP as a timestamp>
Location where block number Bn, user identifier A, and token number TIDA are recorded when OTP is generated according to BnTOTP using an authentication function that requests input of seed values excluding KC value and BC value when BnTOTP is generated function as a time stamp that records the OTP unique to that block number. The data to be recorded here may be the data in the storage device of the terminal 1A that performs the authentication, or the text data may be added and printed when the terminal 1A prints the text data on paper or the like. At this time, the OTP generation contract and the OTP authentication contract existing in the block chain part of the server terminal 3A function as a simple timestamp server.

Consider the following BnTOTP as an example of time stamps to generate and authenticate an OTP.
BnTOTP=fh(A, TIDA, KC, Bn)
Arguments of the authentication function corresponding thereto are (A, TIDA, Bn) except for the secret variable KC which is anonymized as an example.
At this time, the KC of the BnTOTP is anonymized, the user terminal 1A executes the OTP generation function, and the block number Bn at the time of OTP acquisition, the user identifier A, the token number TIDA, and the secret KC Get the calculated BnTOTP. Then, the terminal 1A records A, TIDA, Bn, and BnTOTP in the plaintext data and applies an electronic signature to the file so that falsification of the data can be detected. Alternatively, add A, TIDA, Bn, and BnTOTP to the data for printing to make it a simple time stamp written at the bottom of the page, etc., execute printing, and create a printed matter that is presumed to have been printed near the time of the block number Bn. can. The private key used for the electronic signature may be 101A for accessing the blockchain, or may be a private key issued by a public institution or a private organization. Changing the KC value may not be desirable in this application.

Next, consider a case where the next BnTOTP is calculated as another example of time stamps to generate and authenticate an OTP.
BnTOTP=fh(A, TIDA, KC, Bn, V)
Arguments of the corresponding authentication function are (A, TIDA, Bn, V) except for the secret variable KC, which is anonymized as an example.
At this time, the KC of BnTOTP is anonymized, and the user terminal 1A executes the OTP generation function, and the block number Bn at the time of OTP acquisition, the value V determined by voting, the user identifier A, the token number TIDA, and the secret Get the BnTOTP calculated from the KC that is set. Then, the terminal 1A records A, TIDA, Bn, V, and BnTOTP in the plaintext data, applies an electronic signature to the file, and makes it possible to detect falsification of the data.
Alternatively, five of A, TIDA, Bn, V, and BnTOTP are added to the print data as time stamp data, written at the bottom of the page, etc. as a simple time stamp, and printing is executed, and when the time of the block number Bn is near, printing is performed. You can create a printed matter that is presumed to have been done. By using the V value as one of the pseudo-random value and the time stamp value, it can be seen that the data or text existed at the time when the terminal 1A acquired the BnTOTP and the electronic signature was performed. When a printer is connected to the terminal 1A, the printing time can be authenticated by printing A, TIDA, Bn, and V as time stamps.
If the terminal 1A is a computer built into a printer, the printer itself has the function of accessing the OTP generation contract of the blockchain part of the server terminal 3A through the network 20 and printing A, TIDA, Bn, and V. It is also possible to record five of A, TIDA, Bn, V, and BnTOTP at the bottom of the page of the printed matter each time printing is performed inside the printer according to the user's request. A printer terminal 1A with a time stamp function can be used that can print while adding a simple time stamp to printed matter in cooperation with the OTP contract of the blockchain. Changing the KC value may not be desirable in this application.

<When BnTOTP is used as time stamp and OTP authentication information for valuable paper>
Using BnTOTP, simple time stamps are applied to data and recorded, or printed on paper or the like together with sentences. , Bn, V, and BnTOTP information uses OWP Add block numbers Bn and V to the three pieces of information A, TIDA, and OWP to be filled in on a paper ticket, and add them to the authentication function so that they can be read as arguments of the authentication function It is what I did.
Therefore, it is possible to create BnTOTP type paper tickets and valuable paper sheets in addition to the OWP type. In the second embodiment, OWP is used for authentication. When the OTP calculation formula is changed to BnTOTP=fh (A, TIDA, KC, Bn), the OTP obtained from the generation function, block number Bn, user identifier A, and token number TIDA are stored in storage device 10A of terminal 1A. The four pieces of information A, TIDA, Bn, and BnTOTP recorded in 10A can be printed as character strings or bar codes on paper using a printer and recorded, and used as valuable paper sheets 18A. Alternatively, the four pieces of information A, TIDA, Bn, and BnTOTP may be written to the NFC tag 19A via the communication device 12A.

1A Terminal DA serving as a terminal of user UA, terminal 1A (electronic computer DA, electronic computer 1A.)
10A Storage unit of terminal 1A (including recording device, recording unit, ROM and RAM)
101A User's private key PRVA recorded in terminal 1A
101A2 User's private key PRVA2 recorded in terminal 1A
102A A block chain program for terminal 1A to access a block chain unit such as server P via a network using private key PRVA of 101A.
Here, the program 102A is a block chain identifier (block chain identification information, including network ID, chain ID, etc.),
It is also possible to include URI information indicating the server terminal 3A as an access destination node.
11A Control unit of terminal 1A 110A Control processing unit that accesses blockchain of terminal 1A
12A Communication device of terminal 1A (can also be considered as one of the input/output devices)
120A Short-range wireless communication (NFC device) of terminal 1A
121A Wireless communication device of terminal 1A 122A Wired communication device of terminal 1A (if necessary)
123A Broadcast receiver of terminal 1A (If necessary. Includes GNSS and data broadcast receiver. Wireless broadcast receiver may be included in wireless communication device.)
13A Control and arithmetic device of terminal 1A 14A Input device of terminal 1A 140A Keyboard of terminal 1A 141A Pointing device of terminal 1A (input device such as mouse, touch panel, etc.)
142A Camera or scanner of terminal 1A (solid-state imaging device for detecting photons, image sensor)
143A Terminal 1A microphone (sound sensor)
144A Terminal 1A sensor (accelerometer, gyro sensor, magnetic sensor may be able to measure three-dimensional physical quantities. One or more types of sensors may be used)
1440A Terminal 1A environment sensor (temperature sensor, humidity sensor, barometric pressure sensor, pressure sensor, illuminance sensor, light sensor, chemical sensor, odor sensor)
1441A Terminal 1A end position sensor (magnetic sensor or geomagnetic sensor, magnetic compass or accelerometer)
1442A Motion sensor of terminal 1A (accelerometer or gyro sensor)
1443A Biometric sensor of terminal 1A (Used when necessary. Sensor capable of reading patterns such as face information, body temperature or thermography, voice, ear structure, hand structure, fingerprint, veins, etc.)
15A Output device of terminal 1A 150A Display of terminal 1A 1500A Ticket displayed on display of terminal 1A, image of valuable paper 18A, OTP authentication information 151A Speaker of terminal 1A 152A Printer of terminal 1A
16A External storage device and external input/output device of terminal 1A, external computer terminal 1600A IC card reading device of terminal 1A (contact type IC card reader, non-contact type IC card reader)
1601A Contact or non-contact IC card or non-contact IC tag of terminal 1A 1602A Secret key 101A etc. built in IC of terminal 1A 1603A Recording device DWALT (external Including connected hardware wallet DWALT, IC card type, dongle type, etc.)
1604A Secret key 101A recorded in DWALT 1603A of terminal 1A, or software containing secret key 101A 1605A Secret key processing software recorded in DWALT 1603A of terminal 1A IC chip group, MCU, etc.)
1607A Input/output device of DWALT 1603A of terminal 1A, communication device 1608A Private key 101A printed, printed, stamped or recorded on paper or metal plate by printer or human hand. (It may be recorded in the form of character strings or barcodes on paper, metal plates, slates, etc.)
17A Terminal 1A power supply (*As a premise for the device of the present invention, computers, server terminals, input/output devices, external storage devices, and networks have a power supply and are driven by electric power.)
18A Ticket printed on paper or the like with the printer of terminal 1A, valuable paper 180A Printed information of barcode or character string or both required for one-time password authentication of the present invention described in 18A 181A Barcode described in 18A OR Token number TIDA information contained in character string or both 182A Password OWP information contained in barcode or character string or both described in 182A 183A User identifier contained in barcode and/or character string described in 18A Information of A 184A Information, design, etc. necessary for use as a ticket or valuable paper sheet described in 18A.
19A Wired communication type or short-range wireless communication type IC card, IC tag type ticket, etc. Valuable paper sheet or key for locking and unlocking (mainly NFT tag, NFC card type ticket)
190A Storage device according to 19A 191A Control processing device according to 19A 192A Communication device according to 19A 193A Control arithmetic device according to 19A 194A Input device according to 19A 195A Output device according to 19A 197A Power supply according to 19A Device 1B Terminal DB of user UB, terminal 1B. 1B may be a portable terminal such as a smart phone. A terminal DB is a user terminal that has the same function as DA and possesses and uses tokens used for authentication of the present invention.
10B Storage device of terminal 1B 101B User private key PRVB recorded in terminal 1B
102B A program for terminal 1B to access a block chain unit such as server P via a network using private key PRVB of 101A.
Here, the program 102B is a block chain identifier (block chain identification information, including network ID, chain ID, etc.),
It is also possible to include URI information indicating the server terminal 3A as an access destination node.
11B Control unit of terminal 1B 110B Control processing unit that accesses blockchain of terminal 1B
12B Communication device of terminal 1B 13B Control and arithmetic device of terminal 1B 14B Input device of terminal 1B (Environment sensor, motion sensor, position sensor are provided as input devices. Examples include temperature sensor, geomagnetic sensor, magnetic compass, digital It has a compass needle device.)
15B Output device of terminal 1B 16B External storage device and external input/output device of terminal 1B, external computer 17B Power supply device of terminal 1B 1C Computer terminal DC of user UC who manages the contract related to the one-time password of the present invention, terminal 1C
10C Storage device of terminal 1C 101C User's private key PRVC recorded in terminal 1C
101C2 Arbitrary second secret key PRVC2 of user UC recorded in terminal 1C
102C A program for the terminal 1C to access a blockchain unit such as the server P via the network 20 using the private key PRVC of 101C.
Here, the program of 102C is a block chain identifier (block chain identification information, including network ID, chain ID, etc.),
It is also possible to include URI information indicating the server terminal 3A as an access destination node.
11C Control unit of terminal 1C 110C Control processing unit that accesses terminal 1C block chain
12C communication device of terminal 1C 13C control and arithmetic device of terminal 1C 14C input device of terminal 1C 15C output device of terminal 1C 16C external storage device or external computer of terminal 1C (IC card, IC tag, An NFC card or NFC tag may also be used.)
17C Power supply device of terminal 1C 2 Communication network, network 20 Communication path capable of encrypted communication, network NT (wired or wireless two-way communication path, server and terminal are connected via communication network. Encryption encrypted communication and non-encrypted communication)
21 Broadcasting communication path NTB (This is a wired or wireless broadcasting type information transmission path, and one-to-many one-way communication is possible. The information sender sends information to multiple user receivers at the broadcasting station in real time. )
22 Unencrypted Network NTP (Two-way communication path, wired or wireless. No encryption, so plaintext message data must be encrypted if necessary.)
3A Server P, server terminal 3A (Terminal that becomes a node of the distributed ledger system connected by the user. Shares the distributed ledger part with other nodes. A virtual server built in a certain terminal may be used.)
30A Server storage unit of server terminal 3A (storage device of server P)
300A Distributed ledger recording unit of server terminal 3A (300A is a blockchain-type or DAG-type distributed ledger or a recording unit for a distributed ledger)
3000A Latest block data recorded in 300A 3001A Block number Bn in the latest block recorded in 300A
3002A The latest block recorded in 300A or the timestamp value in the system 3003A The hash value Bh in the latest block recorded in 300A
3004A Value V determined by votes among nodes constituting the blockchain recorded in 300A
3005A Block size value BSZ of the blockchain recorded in 300A (BlockGasLimit value in the example)
3006A Blockchain data part recorded in 300A (Data part of distributed ledger recorded in 300A. Part where contract data such as 3008A, 3008AG, 3008AA etc. is recorded)
3007A Basic information of the blockchain recorded in 300A (including data recording how many seconds the blockchain is connected)
3008A OTP generation contract (one-time password: OTP) with authentication function recorded in 300A
3008AG OTP generation contract recorded in 300A 3008AA OTP authentication contract recorded in 300A 3009A OTP generation function recorded in 300A 3010A Hash function fh used for OTP generation and authentication recorded in 300A
3011A secret key variable KC recorded in 300A
3012A Function fscb that can use either or both of the variable KC and the variable BC recorded in 300A in an arbitrary block number
3013A Variable BC that can only be changed by the user identifier C who is the contract administrator recorded in 300A
3014A A database that associates the token number of the token issued in 3008 recorded in 300A with the user identifier of its owner 3015A In 3014A, the user identifier A and the token number TIDA calculated from the private key PRVA101A of the user UA Associated information 3016A In 3014A, information associated with the user identifier B calculated from the private key PRVB101B of the user UB and the token number TIDB
3017A OTPCT recorded in 300A (a portion that records the number of OTP generation and authentication function executions, etc. In the embodiment, a mapping variable OTPCT with a token number as a key and the number of executions as a value is used)
OTPCTG recorded in 3017AG 300A (OTP generating function execution count storage/recording unit. In the embodiment, a mapping variable with a token number as a key and an execution count as a value is used.)
OTPCTA recorded in 3017AA 300A (OTP authentication function execution count storage/recording unit. In the embodiment, a mapping variable with a token number as a key and an execution count as a value is used.)
3018A OTP authentication function recorded in 300A 3019A OTP generated contract identifier CPGT recorded in 300A
3020A OTP authentication contract identifier CPAT recorded in 300A
3021A Return value or data of the OTP authentication function recorded in 300A 3022A Processing details when the OTP authentication function is executed recorded in 300A, processing functions, etc. Such)
3023A A variable or database that is rewritten according to the process when authentication is successful with the OTP authentication function recorded in 300A (for example, the balance of a bank account, which is rewritten in the remittance process within the bank)
3024A Contract billboard information KNBN recorded in 300A (includes contract name, creator information, administrator information and contact information, rating, etc., with setter functions to change them)
3030A Block number remainder variable m recorded in 300A and its setter function (OTP authentication period extension variable and function)
3031A Integer n for adjusting the number of OTP digits recorded in 300A and its setter function (variables and functions for increasing and decreasing the number of OTP characters and digits)
3040A Token transmission function (token transfer function) recorded in 300A
3041A Assignment restriction variables tf and af recorded in 300A and their setter functions 3042A Contract administrator secret key leakage countermeasure portion recorded in 300A 301A Basic control program recording unit of server terminal 3A 31A Server terminal 3A Server control unit (control device of server P)
310A Distributed ledger system control unit (blockchain control processing unit or DAG type distributed ledger control processing unit) of server terminal 3A
311A Server basic control unit of server terminal 3A 32A Communication device and communication control device of server terminal 3A (communication device of server P)
33A Processing and control arithmetic device of server terminal 3A (control unit, processing unit, arithmetic unit device of server P)
34A Input device of server terminal 3A (input device of server P)
35A Output device of server terminal 3A (output device of server P)
37A Power supply for server terminal 3A (power supply for server P, power source for operating server P)
3B Server terminal 3B (server terminal B), and a server group that can be a block chain node like server terminal 3B and server terminal 3A 30B Server storage unit of server terminal 3B (storage unit has 300A same as server 3A)
31B Server control unit of server terminal 3B (control unit has 310A same as server 3A)
32B Communication device of server terminal 3B 33B Control and arithmetic device of server terminal 3B
34B Input device of server terminal 3B 35B Output device of server terminal 3B 37B Power supply device of server terminal 3B 3C Server SVLogin, server terminal 3C (terminal mainly used for website login, terminal providing web services such as website. It may be a virtual server terminal within a certain real terminal.)
30C Recording unit of server terminal 3C 300C Block chain recording unit of terminal 3C (if necessary. 300A and 300C are the same)
301C Service program and recording unit of terminal 3C Basic program of SVLogin of 3010C terminal 3C (including a program that connects to a blockchain to a website etc. It may have functions specific to services such as banking and electronic commerce)
3011C Database for access detection and monitoring of terminal 3C (Refer to FIG. 6X for data structure. Log-in time, user token information, IPV value, and current service status are stored and monitored at any time.)
3012C Unauthorized access detection program for terminal 3C 3013C Unauthorized access notification program for terminal 3C (contacts the registered e-mail address, sends a dedicated notification token to the user identifier, sends a transaction and notifies of an abnormality)
3014C OTPCT change detection unit of terminal 3C (if necessary. Part that detects changes in the number of OTP generation or authentication contract executions)
3015C OTPCT change notification unit of terminal 3C (if necessary. Part that notifies OTP generation or changes in the number of authentication contract executions)
3016C Customer information database of terminal 3C (if necessary. Record user identifiers and token numbers that are eligible for use, such as service purchase history.)
31C Server control unit of terminal 3C 310C Block chain control unit of terminal 3C (not essential, 310A and 310C are the same)
311C Login and service control unit of terminal 3C 3110C Basic program control unit of SVLogin of terminal 3C (including a program that connects a website or a web application to a blockchain)
3111C Database for access detection and monitoring of terminal 3C (See FIG. 6X for data structure. Log-in time, user token information, IPV value, and current service status are stored and monitored at any time.)
3112C Unauthorized access detection program for terminal 3C (Detects whether or not there is access with different IP addresses or IPV values such as sensor values for the same user identifier or token number information)
3113C Unauthorized access notification program for terminal 3C (contacts the registered e-mail address, sends a dedicated notification token to the user identifier, sends a transaction and notifies the abnormality.)
3114C OTPCT change detection unit of terminal 3C (if necessary. Part that detects changes in the number of OTP generation or authentication contract executions)
3115C OTPCT change notification unit of terminal 3C (if necessary. Part that notifies OTP generation or changes in the number of authentication contract executions)
3116C Customer information database of terminal 3C (if necessary. Record information such as service purchase history, user identifiers and token numbers that are qualified for use.)
32C Communication device and communication control device of terminal 3C 33C Control and arithmetic device of terminal 3C 34C Input device of terminal 3C 35C Output device of terminal 3C 37C Power supply device of terminal 3C 3D Server SVLog, terminal 3D access control terminal 3D (3D is a server terminal, computer terminal, or embedded system terminal)
30D Server storage unit of terminal 3D (30D stores OTP authentication function and variables and functions used for calculation of OTP authentication function)
300D Terminal 3D block chain recording part (if necessary. 300A and 300D are the same)
301D Terminal 3D service program and recording unit 3010D Terminal 3D SVLog basic program (including a program that connects a website or web application to a blockchain)
3011D Terminal 3D access detection and monitoring database (stores time of access, number of accesses, user token information, or current service status at any time)
3012D Unauthorized access detection program for terminal 3D (if necessary. When 3011D includes information such as the appearance of the visitor and the device ID number unique to the NFC tag of the unlocker, determine whether it is different from past information)
3013D Unauthorized access notification program for terminal 3D (if necessary. Notifies the person managing 3D of the abnormality, and notifies the abnormality by sending a notification transaction to the registered e-mail address/user identifier)
3014D OTPCT change detection unit of terminal 3D (If necessary. The part that detects changes in the number of OTP generation or authentication contract executions. For example, a safe or car equipped with terminal 3D records the number of unlocks.)
3015D OTPCT change notification unit of terminal 3D (if necessary. Part that notifies OTP generation or changes in authentication contract execution count. Notifies change in unlock count via network when 3D is online)
3016D Terminal 3D customer information database (if necessary, records user identifiers and token numbers that are eligible for use, such as service purchase history)
Hash function fh recorded in 3010DA 30D
Secret variable KC recorded in 3011DA 30D
3012DA Setter function fscb (accessed by terminal 3D administrator) that modifies and updates either or both variables KC or BC recorded in 30D
3013DA Variable BC modified by contract manager recorded in 30D
3017DA Number of OTP authentication function executions recorded in 30D or numerical value recording part (expressed as a mapping variable or the like using the OTP token number at the time of authentication as a key)
3018DA OTP authentication function recorded in 30D of terminal 3D (provided with variables, functions and processing methods capable of calculating OTP equal to OTP generated by node terminal 3A)
3021DA OTP authentication function return value or data CTAU
3022DA 30D Recorded in OTP Authentication Processing Contents 3023DA 30D Variables or Databases to be Rewritten in OTP Authentication Processing Recorded in 3023DA 30D
31D Server control unit of terminal 3D 310D Block chain control unit of terminal 3D (not essential, 310A and 310D are the same)
311D Terminal 3D login and service control unit 3110D Terminal 3D SVLog basic program (including a program that connects a website or web application to a blockchain)
3111D Terminal 3D access detection and monitoring database (See FIG. 6X for data structure. Log-in time, user information, token number, IPV value, and current service status are stored and monitored at any time.)
3112D Terminal 3D unauthorized access detection program (if necessary)
3113D Terminal 3D unauthorized access notification program (If necessary. Contact the registered email address and send a transaction to the user identifier to notify the abnormality.)
3114D Terminal 3D OTPCT change detector (if necessary. Part that detects changes in the number of OTP generation or authentication contract executions)
3115D OTPCT change notification part of terminal 3D (if necessary. part that notifies change in OTP generation or execution count of authentication contract)
3116D Terminal 3D customer information database (if necessary. Record user identifiers and token numbers that are eligible for use, such as service purchase history.)
32D Terminal 3D communication device, communication control device 33D Terminal 3D control and arithmetic device 34D Terminal 3D input device 340D Character string barcode reader such as camera of terminal 3D A camera or scanner that reads barcodes or character strings on paper (optical imaging device)
341D NFC tag signal receiver of terminal 3D (shared with 32D)
342D Terminal 3D visitor recording device or visitor recording means (for example, a security camera records the entry or unlocking person, etc. Instead of the device, personnel may be assigned to observe and record the visitor.)
35D Terminal 3D output device 350D Terminal 3D opening/closing device, gate device, locking device, starting device, locking/unlocking device, access control device (locked objects include doors of buildings, vehicles such as automobiles, machine tools, containers such as safes , including devices such as computers)
351D Terminal 3D lamps and other light-emitting elements, light-emitting devices (After authentication, users who are allowed to enter will be notified of the color and letters indicating that they can enter, and light will be used to indicate that they are not allowed to enter.)
352D 3D terminal buzzer, sound element, sound device (After authentication, users who are allowed to enter will hear the sound when they are authenticated. For users who cannot enter, they will hear a warning sound to inform the surroundings.)
37D Power supply device of terminal 3D 3E Server SVtk, terminal 3E (tickets 18A used by terminal 1A and play guides of NFC tags 19A used as tickets and keys. Tokens of encrypted data for 403A used by terminal 4A can also be sold. )
30E Server storage unit of terminal 3E 300E Block chain recording unit of terminal 3E (if necessary. 300A and 300E are the same)
301E Token-type ticket issuance information of terminal 3E (including website or application information that displays tickets to customers and token and service database using 300A/300E)
31E Server control unit of terminal 3E 310E Blockchain control unit of terminal 3E (if necessary. 300A and 310E are the same)
311E Ticket issuance processing control unit of terminal 3E (Part that sells tokens according to user instructions, displays ticket surface information such as tickets from the block chain, and enables printing. Includes 312E, 313E, and 314E.)
312E Part for acquiring information such as expiration date, pattern, display and print time of ticket set in block chain part 300E of terminal 3E and server 3E, print block number, time stamp 313E Processed by 311E and 312E of terminal 3E A processing unit 314E which draws the received information on the display of the user with the user identifier A who has received the access and converts it into an image of a valuable paper sheet such as a ticket or text data. , a processing unit that transmits information to be printed and recorded on a tag 19A or the like, or allows a web browser or the like to print and executes it 32E Communication device of terminal 3E 33E Control and arithmetic device of terminal 3E
34E Input device of terminal 3E 35E Output device of terminal 3E 37E Power supply device of terminal 3E 3F Server SVfind, terminal 3F (a device capable of searching transactions, contracts and user identifiers in the block chain part, monitoring and notifying usage.)
(Blockchain search engine that can search, confirm and issue the balance of user OTP tokens, and can also search and notify usage status.)
30F Server storage unit of terminal 3F 300F Block chain storage unit of terminal 3F (if necessary. 300A and 300F are the same)
301F Basic program such as block chain search monitoring of terminal 3F (Basic part for providing services such as searching and transaction monitoring, user balance calculation and output etc.)
(Including programs that connect blockchains to websites, etc.)
3010F Blockchain monitoring unit program of terminal 3F 3011F State change detection unit program of terminal 3F 3012F State change notification unit program of terminal 3F 3013F State change notification destination database of terminal 3F 3014F Blockchain search program of terminal 3F 3015F Blockchain of terminal 3F Searched information display program 3016F Blockchain search information database of terminal 3F 31F Server control unit of terminal 3F 310F Blockchain control unit of terminal 3F (if necessary. 300A and 310F are the same)
311F Basic processing unit/control unit such as block chain search monitoring of terminal 3F 3110F Monitoring unit of terminal 3F 3111F Status change detection unit of terminal 3F 3112F Status change notification unit of terminal 3F 3113F Status change notification destination registration unit of terminal 3F 3114F Blockchain information search unit of terminal 3F 3115F Blockchain search information display unit of terminal 3F 3116F Blockchain search information database processing unit of terminal 3F 32F Communication device of terminal 3F 33F Control and arithmetic device of terminal 3F
34F Input device of terminal 3F 35F Output device of terminal 3F 37F Power supply device of terminal 3F 4A Computer DP serving as a terminal of user UP, terminal 4A (P: user terminal equipped with player and playback device)
40A Recording unit of terminal 4A (storage device of computer DP)
401A User's private key PRVP recorded in terminal 4A (where PRVP is a private key indicating user identifier A like PRVA)
402A A program for the terminal 4A to access the blockchain (a URI or the like for accessing the node terminal 3A of the blockchain may be recorded)
403A Information of software CRHN for decrypting and browsing encrypted files using the present invention recorded in recording unit 40A of terminal 4A, software CRHN program and related data.
4030A Program information of software CRHN of 403A of terminal 4A (source code is obfuscated or encrypted. Variables included in 4030A are also obfuscated or encrypted)
(The URI for accessing the blockchain node terminal 3A may be recorded in 4030A.)
(It may have a function to directly enter the private key, or it may have a wallet software function.)
40301A Identifier APKY of the contract that manages the key dedicated to the software application described in 403A
40302A Built-in private key CRKY described in 403A (It may be a private key of public key encryption that can access the block chain part DLS. 40302A is built in 4030A and obfuscated or encrypted)
40303A The return value CAPKY of the key management contract obtained from the blockchain described in 403A (not required, but can be set for additional security measures)
40303KA Secret variable K403 inside the software described in 403A (K403 is obfuscated or encrypted)
4031A Storage unit in terminal 4A of return value CTAU of OTP authentication function obtained from blockchain (CTAU can be changed by administrator of return value of authentication function)
4032A Storage in terminal 4A of password AKTB set outside blockchain and software CRHN 403A (AKTB can be changed by plaintext data manager)
4033A Storage unit for key information TTKY used for encryption and decryption described in 403A (key information including at least CTAU and calculated using AKTB and further using CRKY.)
4034A Encrypted data or file EncData decrypted by software CRHN used for 403A (4034A should be included in 40A)
40340A Encrypted data body EtData of 4034A
40341A Electronic certificate EncCert given to the encrypted data 4034A of the plaintext data issuer of 4034A (It may also contain an electronic signature. It may contain a MAC value. It may not exist.)
4035A Plaintext data or file DecData to be encrypted by software CRHN used for 403A (4035A should be included in 40A. DecData is access-controlled.)
40350A Plaintext data body CtData of 4035A
40351A 4035A plaintext data issuer's electronic certificate DecCert (Electronic signature may also be included. It is not necessary.)
40352A 4035A plaintext data audit certificate AuditRat (an audit certificate showing that the plaintext data is not a malicious program, or a third-party review result and rating; preferably)
4036A Browsed certificate data OFBKMK recorded in 40A (OTP-authenticated access certificate data. Data for offline access during disasters, etc. 4036A should be included in 40A.)
40360A ACTTKY obtained by encrypting CTTKY recorded in 4036A with secret key CRKY etc. built into CRHN program
40361A Data CTTKY obtained by encrypting TTKY recorded in 4036A with a private key PRVA (Information contained in 4036A. Either public key encryption or common key encryption can be used for encryption.)
40362A Information such as browsing time and browsing user identifier recorded in 4036A 40363A Authentication information such as HMAC recorded in 4036A 40362KA Certificate body data CHT403 recorded in 40A
40363KA Authentication information such as HMAC using 40362KA recorded in 40A as a message 404A Management program such as operating system for operating software CRHN recorded in 40A 405A External recording device of computer DP recorded in 40A (non-volatile memory, hard disk, optical disk, etc.)
41A Control unit of terminal 4A 410A Control processing unit that accesses blockchain of terminal 4A
411A Control processing unit of software CRHN of terminal 4A 42A Communication device of terminal 4A 420A Proximity wireless communication device of communication device 42A (if necessary)
421A Wireless communication device of communication device 42A 422A Wired communication device of communication device 42A (if necessary)
423A Broadcast receiver for communication device 42A (if necessary, including NITZ, JJY for time acquisition, GNSS receiver for time and location information positioning, and encrypted data broadcast receiver)
43A Control and arithmetic device of terminal 4A 44A Input device of terminal 4A 440A Keyboard of terminal 4A 441A Pointing device of terminal 4A (input device by mouse, touch screen, etc.)
442A camera or scanner of terminal 4A 443A microphone of terminal 4A 444A sensor of terminal 4A (accelerometer, gyro sensor, magnetic sensor may be capable of measuring physical quantities in three dimensions. One or more of the sensors may be may be used)
4440A Terminal 4A environment sensor (temperature sensor, humidity sensor, barometric pressure sensor, pressure sensor, illuminance sensor, light sensor, chemical sensor, odor sensor)
4441A Position sensor of terminal 4A (magnetic sensor or geomagnetic sensor or accelerometer)
4442A Motion sensor of terminal 4A (accelerometer or gyro sensor)
4443A Biometric authentication sensor of terminal 4A (sensor that can read patterns such as facial structure, body temperature or thermography, eye structure, blinking, voice, ear structure, hand structure, fingerprint, veins, etc.)
45A Output device of terminal 4A 450A Display of terminal 4A (displays encrypted video data)
451A Speaker of terminal 4A (plays audio of encrypted music data and video data)
452A Printer of terminal 4A (Related data can be printed on paper as two-dimensional information when permission is obtained from the content right holder of the encrypted data. The type of printer includes a 3D printer that can output three-dimensional images.)
453A Head-mounted display of terminal 4A (HMD, head-mounted display. Used when the wearer wants to view the contents of encrypted data. Glasses-type display is also possible.)
4530A A biometric sensor attached to the HMD of terminal 4A.
4530A measures multiple biological information of the wearer (facial structure, body temperature or thermography, eye structure, blinking, voice, ear structure, hand structure, eye vein pattern, etc.), confirms the presence of the wearer and biometrics authenticate
4530A may share functionality with the sensor described in 4443A.
(Here, the sensor of 4530A is an input device that assists 453A. It is a sensor for confirming the existence of the wearer, and the biometric authentication function is attached to the existence confirmation function.)
(In the present invention, it is assumed that the HMD wearer's eye temperature measurement and thermography image are used for the purpose of confirming the presence of the wearer, not for authentication purposes, in consideration of privacy.)
(For body temperature, an infrared temperature sensor is installed inside the HMD to measure the temperature of the eyes and skin around the eyes of the vehicle. The sensor can be measured at one point, or the sensors can be arranged in a two-dimensional line or image. may be measured in the form of
(The sensor of the 4530A measures the temperature distribution around the wearer's eyes and the thermography of the wearer's face around the eyes, and uses it as simple biometric authentication information and existence confirmation information in consideration of privacy.)
(The temperature detected by the sensor of the HMD and its hash value may be notified to the service server such as the terminal 5A in order to detect unauthorized access to the private key if the wearer allows it.)
46A External recording device of terminal 4A (External recording device including magnetic tape, magnetic disk, optical disk, and semiconductor memory for storing encrypted data. Private key may be stored.)
47A Power supply device of terminal 4A 5A Server SVCRHNcm of terminal 5A (advertisement access destination server in encrypted file decryption browsing software)
50A Server recording unit of terminal 5A 500A SVCRHNcm operation program of terminal 5A (program for services such as advertisement information distribution targeted for link URI specified in software CRHN.
Includes a program that connects a website or web app to a blockchain. )
501A Access monitor database of terminal 5A (Database relating to user terminals and token numbers that accessed SVCRHNcm.
Information that associates a user identifier or token number with an IP address or location information or terminal ID or terminal sensor value and service usage status.
Accessor information may be hashed and processed to protect personal information before being stored. A diagram showing the data structure is shown in FIG. 6X. )
502A Unauthorized access detection program for terminal 5A (detects access from a terminal that indicates a different IP address, location information, terminal ID, or terminal sensor value for the user identifier or token number)
503A Unauthorized access notification program of terminal 5A (502A sends a notification token to the user identifier who may be subject to unauthorized access, or notifies the user by e-mail, SMS, etc. corresponding to the identifier)
504A Customer information database of terminal 5A (not essential. A ledger that records contact information corresponding to the user identifier.)
(For privacy considerations, if there is no customer information, unauthorized access will be notified by sending a notification token.)
(If you want to notify customers of unauthorized use at any time, you need a resident program to notify that the token has been sent to the terminal DP when the notification token is sent.)
505A Advertisement information distributed when accessed from URI information embedded in encrypted data of terminal 5A (advertisement content is controlled by token signboard information and rating obtained when encrypted data is decrypted.)
506A Information such as advertisements linked to information contained in software CRHN of terminal 5A (506A includes a function of distributing notifications such as version updates of software CRHN)
5000A Any block chain storage unit of terminal 5A (if necessary. 300A and 5000A are the same)
51A Server control unit of terminal 5A 510A SVCRHNcm control unit of terminal 5A 511A Access monitoring unit and control unit of terminal 5A 512A Unauthorized access monitoring unit of terminal 5A 513A Unauthorized access notification unit of terminal 5A 514A Customer information database management unit of terminal 5A 515A Encrypted data advertisement distribution unit for terminal 5A 516A Software CRHN advertisement distribution unit for terminal 5A 5100A Any blockchain control unit for terminal 5A (if necessary, 310A and 5100A are the same)
52A Communication device of terminal 5A 53A Control and arithmetic device of terminal 5A 53A Input device of terminal 5A 54A Output device of terminal 5A 57A Power supply device of terminal 5A 5B Server SVCRHNdrive, terminal 5B (encrypted data and file distribution, sharing, search , server use for version control.)
50B Server recording unit of terminal 5B 500B Program of terminal 5B (basic program unit of server for distributing encrypted data desired by user)
501B Encrypted file database recorded in terminal 5B (encrypted data or file hash value, file name, one-time password generation that can decrypt file
and a database of contract identifiers for tokens involved in authentication. )
502B Encrypted file search database recorded in terminal 5B (a program that searches for information requested by the user from the database and downloads it from the server)
503B Encrypted file registration unit recorded in terminal 5B (the user uploads the encrypted file to the database,
A program that registers the identifier, file name, hash value, etc. of the one-time password generation and authentication contract that decrypts it)
504B Key information AKTB notification unit of terminal 5B (This may be an e-mail, or may be linked with a correspondence or telephone number SMS service. Key notification may be performed outside terminal 5B.)
505B Notification unit of delivery destination such as URI of file encrypted by AKTB of terminal 5B (mail notification unit for notifying URI of file encrypted with key TTKY generated using AKTB as one of keys)
506B Electronic commerce program for terminal 5B (if necessary. Used when selling content files such as books and video audio together with encrypted files and OTP generation tokens corresponding to them. Cooperation with payment function)
507B OTP generation and authentication OTP token issuing unit of terminal 5B (if necessary. Program for confirming completion of settlement of 506B and issuing OTP token capable of decoding data. Issue instruction to terminal 1C)
508B Database of access users of terminal 5B (if necessary. Database on access of customer users. Data structure is the same as in FIG. 6X.)
509B Unauthorized access detection unit of terminal 5B (This is not essential when only distributing encrypted data. It is preferable to be installed in terminal 5B when buying and selling encrypted data and OTP tokens using money in electronic commerce. )
5000B Any block chain storage unit of terminal 5B (if necessary, 300A and 5000B are the same)
51B Server control unit of terminal 5B 510B Service control unit of terminal 5B (parts controlled according to programs 500B, 501B, 502B, 503B, 504B, 505B, 506B, 507B, 508B, and 509B)
5100B Any blockchain control unit of terminal 5B (if necessary, 310A and 5100B are the same)
52B Communication device of terminal 5B 53B Control and arithmetic device of terminal 5B 53B Input device of terminal 5B 54B Output device of terminal 5B 57B Power supply device of terminal 5B 5C Server SVCRHNbroadcaster serving as broadcasting station, terminal 5C, broadcasting station terminal 5C
50C Server recording unit of terminal 5C 501C Private key for blockchain access of terminal 5C 502C Program for accessing blockchain using private key 501C of terminal 5C 503C Broadcast software of terminal 5C (even if software 403A is included May include software that broadcasts GNSS positioning information.)
5000C Arbitrary block chain storage unit of terminal 5C (if necessary. 300A and 5000C are the same. In particular, satellite type terminal 5C may have 5000C.)
5034C Encrypted data broadcast by terminal 5C (Data broadcast after encrypting 5035C with key TTKY that can be decrypted by 403A)
5035C Plaintext data of encrypted data broadcast by the terminal 5C (Normally not broadcast. However, the plaintext data itself may be held in the storage device 50C in preparation for broadcasting after decryption in an emergency.)
51C server control unit of terminal 5C 510C control unit of terminal 5C 5100C block chain control unit that can be optionally installed in terminal 5C (if necessary, 310A and 5100C are the same)
52C Communication device of terminal 5C 520C Broadcast radio device of terminal 5C 521C Radio communication device of terminal 5C (for communication with terminal 5CC controlling 5C)
522C Wired communication device for terminal 5C (If necessary. Can be used when terminal 5C is a ground station. In the case of wired broadcasting instead of wireless broadcasting, it also serves as a connection device to the communication network.)
5200C Antenna for broadcasting of terminal 5C 521C Two-way communication device of terminal 5C (In the case of artificial satellite, it transmits distribution data and controls and manages the broadcasting station server by radio with the ground station. can be operated.)
53C Control and arithmetic device of terminal 5C 53C Input device of terminal 5C 54C Output device of terminal 5C 57C Power supply device of terminal 5C (including secondary battery and solar battery in the case of artificial satellite),
5CC A terminal or device that controls a server terminal that serves as a broadcasting station for terminal 5C.

Claims (10)

of the dynamic password generated from the dynamic password generator of the smart contract of the distributed ledger system,
A program that executes processing for dynamic password authentication,
In the recording unit of the ledger of the distributed ledger system of the node terminal 3A of the distributed ledger system,
Having the feature that the dynamic password generated from the dynamic password generation unit can not be recorded,
the node terminal 3A having the dynamic password generation unit;
of the node terminal 3A,
a user terminal 1A that stores the dynamic password obtained from the dynamic password generation unit;
Alternatively, recording means for recording the dynamic password obtained from the dynamic password generation unit;
When the dynamic password is received from the user terminal 1A or the recording means,
When entered into the dynamic password authentication unit of the server 3D having the dynamic password authentication unit,
executing the dynamic password authenticator;
The server 3D authenticating the dynamic password,
The server 3D storing the dynamic password authenticator,
said server 3D having a dynamic password authenticator with the same calculation algorithm as said dynamic password generator;
For dynamic password authentication systems, including
A program for executing authentication processing for the dynamic password authentication,
A dynamic password authentication system including the node terminal 3A, the user terminal 1A or the recording means, and the server 3D,
A program that functions as means for authenticating the dynamic password. After the authentication process,
According to the return value CTAU of the dynamic password authentication unit,
A program that causes the dynamic password authentication system to execute a service providing process,
After the authentication process,
According to the return value CTAU of the dynamic password authentication unit, the dynamic password authentication system
characterized by functioning as a means of providing services,
A program according to claim 1. After the authentication process,
As the service providing process,
The return value CTAU of the dynamic password authentication unit to the dynamic password authentication system,
A program for executing a process of generating a data encryption key CTAU,
After the authentication process,
characterized in that the dynamic password authentication system functions as means for generating the key CTAU,
3. A program according to claim 2. In the program for executing the process for dynamic password authentication according to claim 3,
After causing the server 3D to generate the data encryption key CTAU,
to the server 3D, from the server 3D to the user terminal 1A,
a process of communicating the key CTAU;
including data decryption software 403A for decrypting encrypted data by input of said key CTAU;
The key CTAU transmitted from the server 3D to the storage device of the user terminal 1A,
A process to be stored in the user terminal 1A;
From the calculation method of the key TTKY included in the software 403A stored in the user terminal 1A and the key CTAU,
a process of calculating and generating the key TTKY capable of decrypting the encrypted data in the user terminal 1A;
A program to be executed by the authentication system,
the ability of the server 3D to generate the key CTAU;
a function of the server 3D transmitting the key CTAU to the user terminal 1A;
a function of the user terminal 1A receiving the key CTAU transmitted from the server 3D and storing it in a storage device;
The function of the user terminal 1A generating the key TTKY using the software 403A and the key CTAU,
A program implemented as the authentication system. In the program according to claim 4,
From the software 403A and the key CTAU to the user terminal 1A,
In the process of calculating and generating a key TTKY that can decrypt encrypted data,
The user terminal 1A is
the key CTAU;
Different from the communication path used to obtain the return value CTAU and the dynamic password ,
data AKTB obtained from the information transmission path ;
said software 403A including a calculation method for calculating said key TTKY using said return value CTAU and said data AKTB;
The process of calculating and generating the key TTKY using
A program to be executed by the authentication system,
The user terminal 1A is
Using the key CTAU, the software 403A, and the data AKTB,
The function to generate the key TTKY,
A program implemented as the authentication system. In the program according to claim 4,
From the software 403A and the key CTAU, the user terminal 1A
In the process of calculating and generating a key TTKY that can decrypt encrypted data,
to the user terminal 1A,
the key TTKY,
encrypted using the key CRKY included in the software 403A stored in the user terminal 1A;
The process of generating the key CTTKY,
A program to be executed by the authentication system,
The user terminal 1A is
the software 403A;
the key CRKY;
Using the key TTKY,
the function to generate the key CTTKY,
A program implemented as the authentication system. The calculation algorithm includes:
A variable based on the block number Bn of the blockchain,
The process of inputting to the hash function fh is
2. The program according to claim 1, which is executed by said authentication system. The calculation algorithm includes:
At a certain time or block number Bn,
the dynamic password generator of the node terminal 3A of the distributed ledger system;
At the dynamic password authentication unit of the server 3D,
A variable based on a variable K that can be updated, changed or rewritten,
The process of inputting to the hash function fh is
2. The program according to claim 1, which is executed by said authentication system. In the program according to claim 4,
After the user terminal 1A performs the process of generating the key TTKY,
a process of decrypting the encrypted data stored in the user terminal 1A with the key TTKY;
A process of causing the user terminal 1A to read the link information to the advertisement distribution server 5A included in the encrypted data decrypted with the key TTKY;
A process of connecting the user terminal 1A to the advertisement distribution server 5A according to the link information;
A process of causing the advertisement distribution server 5A to distribute advertisement information to the user terminal 1A;
a process of causing the user terminal 1A to receive advertisement information distributed from the advertisement distribution server 5A;
a process of causing the user terminal 1A to output the received advertisement information from an output device;
A program to be executed by an advertisement distribution system comprising the authentication system and the advertisement distribution server 5A,
a function for the user terminal 1A to generate the key TTKY;
a function of the user terminal 1A decrypting encrypted data using the software 403A and the key TTKY;
The user terminal 1A uses the link information included in the software 403A and the encrypted data to
A function of connecting to and communicating with an advertisement distribution server according to link information;
A function of the advertisement distribution server 5A to distribute advertisement information to the user terminal 1A;
The function of the user terminal 1A outputting the software 403A and the advertisement information distributed from the advertisement distribution server from the output device,
A program implemented as an advertisement distribution system comprising the authentication system and the advertisement distribution server 5A. In the program according to claim 6,
From the software 403A and the key CTAU, the user terminal 1A
In the process of calculating and generating a key TTKY that can decrypt encrypted data,
Time information of the user terminal 1A when the user terminal 1A generated the key TTKY,
A program for executing a process stored in the user terminal 1A.

Images