JPH11316543A - Card data authentication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a card data authentication system which has small influence when one of plural terminals reads and writes data on an IC card in the case a terminal is invaded. SOLUTION: A control center 1010 generates different pairs of keys and verification keys by terminals by an open key signature method and distributes the signature keys for the terminals and the verification keys for all the terminals to the respective terminals. A data terminal 1200a generates digital signature data for plaintext data by using the signature key distributed by the control center 1010 and writes the digital signature data on an IC card 1300. A data terminal 1200b reads the digital sign data out of the IC card 1300 and authenticates the adequacy of the data read out of the IC card 1300 by using the verification key which is stored in a verification key storage part 1213 and distributed from the control center 1010.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a technology for authenticating the validity of data stored in an IC card.

[0002]

2. Description of the Related Art In recent years, digital signatures have been used in data communication systems for distributing data through communication channels in order to authenticate the validity of data to be communicated.
Here, the authentication means confirming the validity of the data, that is, confirming the correctness of the source of the data and the presence or absence of falsification of the communication data contents.

[0003] Even when data is distributed via a portable recording medium, a technique for authenticating the validity of the data is required. Hereinafter, a normally conceivable embodiment of a medium data authentication system for authenticating the validity of data written on a recording medium will be described. <Configuration and Operation of Medium Data Authentication System> FIG. 6 is a diagram showing a device configuration of a normally conceivable medium data authentication system (hereinafter referred to as a medium data authentication system).

As shown in FIG. 1, a medium data authentication system 100 includes one management center 10, about 100 data terminals 20a to 20n, and a recording medium 30. Although only one recording medium is shown in FIG. 1, a plurality of recording media may exist. The management center 10 manages a signature key and a verification key for use in data authentication, and creates a different signature key and verification key for each data terminal based on a predetermined data authentication method using a secret key encryption. Then, the signature key of the terminal and the verification keys of all the data terminals are secretly distributed to each data terminal.

Each of the data terminals 20a to 20n has a memory for storing the signature key of the terminal distributed from the management center 10 and the verification keys of all the data terminals in a confidential manner, and a data terminal having a CPU and the like. And has a function of writing data to the recording medium and a function of reading data from the recording medium. When writing data to a recording medium, each data terminal generates an authenticator, which is digital signature data, by using a secret key encryption algorithm for a combination of the data and the terminal ID, using the signature key of the terminal. Then, the terminal ID, the data, and the authenticator are written together on the recording medium. The data that each data terminal writes to the recording medium is, for example, amount information.

When reading data from a recording medium, each data terminal authenticates the validity of the data using the read data, an authenticator, and a terminal ID. This authentication method will be described later. The recording medium 30 is, for example,
A portable medium on which data can be recorded, such as a flexible disk.After data is written by one of the data terminals, the data is carried by a person and read by one of the destination data terminals. It is. <Data Authentication Method Using Secret Key Encryption Algorithm> As a secret key encryption algorithm, for example, a DEA algorithm registered in ISO / IEC is used. DE
The A algorithm (DES encryption) is described in Chapter 6 of “Modern Encryption” (Tatsuaki Okamoto and Hiroshi Yamamoto, published by Sangyo Tosho, 1997).

[0007] The authenticator is created as follows. That is, 64
This is an algorithm in which a plaintext P of bits and encryption key data S of 56 bits are input, a cryptographic conversion E is performed to create a 64-bit ciphertext C, and this is added to the original plaintext as an authenticator. This is represented as C = E (S, P). Verification of the authenticator is performed as follows. Cryptographic conversion E is performed on the read plain text P using the verification key V to obtain 64
A bit cipher text is created, and this is compared with the read authenticator C. If these results match, and only then, the original plaintext is determined to be valid.

Accordingly, each of the above-mentioned data terminals 20a-2
0n reads the terminal ID stored in the recording medium when reading data from the recording medium 30, and uses the verification key corresponding to the terminal ID stored in the memory to read the terminal ID and data. On the other hand, cryptographic conversion is performed by a secret key encryption algorithm, and the resulting encrypted text is compared with the read authenticator to authenticate the validity of the data stored in the recording medium.

The authentication method is described in Chapter 10 of the aforementioned “modern cryptography”. <Security Function> The above-described medium data authentication system has the following alteration prevention function for data recorded on a recording medium.

<Security Function against Falsification of Data in Recording Medium> There is a possibility that data such as the amount of money recorded on the recording medium may be falsified by a malicious unauthorized person.
However, according to the above-described medium data authentication system, an authenticator is added to the recording medium in addition to data such as the amount of money. Can be created only by using the signature key stored in the, and the signature key cannot be obtained by an unauthorized person. Therefore, when the data terminal reads the data from the recording medium, it can be detected by the authentication that the data has been tampered with, and the damage can be prevented by interrupting the transaction or the like.

<Security Function Against Unauthorized Copying of Data in Recording Medium> There is a possibility that a malicious unauthorized person makes a copy of data such as the amount of money recorded on the recording medium. However, in the above-described medium data authentication system, for example, if a recording medium in which the medium unique number is recorded in an area of the recording medium that cannot be rewritten by the user is used, the data terminal includes the medium unique number. Authenticators can be created for the data
According to this, the authenticator added to the data such as the amount of money is data unique to the recording medium. Therefore, even if an illegal copy is performed, when the data terminal reads the data from the recording medium, it is unique to the medium. By performing authentication by checking the authenticator with reference to the number, it is possible to detect incorrect data, and it is possible to prevent damage by interrupting the transaction or the like. <Advantages and Problems> If the secret signing key held by the data terminal in secret is not different for each terminal, but all are the same, if one of the data terminals is illegal by a malicious person If the signature key stored secretly is compromised, the effect is spread to all terminals. This is because the exposed signature key makes it possible to forge a signature on data such as the amount of money.
Also, exchanging the signature keys of all terminals when a common signature key is exposed requires a great deal of expense.

However, in the above-mentioned medium data authentication system, the above-mentioned problem does not occur because the signature key which is secretly held by the data terminal is different for each data terminal. In the above-described medium data authentication system, the signature key is different for each data terminal. Therefore, in order to verify the authenticator created using this signature key, each data terminal uses the signatures of all data terminals. They have a verification key corresponding to the key. Thereby, authentication can be performed when data written in one of the data terminals is read out in any of the other data terminals.

[0013]

However, the above-described medium data authentication system also has the following problems. Since each data terminal has a verification key corresponding to the signature key of all data terminals, when one data terminal is invaded, the verification keys for all data terminals are exposed. In this case, since the authentication method using the secret key encryption algorithm is used, the verification key and the signature key are the same, and it is possible to forge a signature on data such as an arbitrary amount of money by exposing the verification key. Problem arises.

On the other hand, for example, instead of providing each data terminal with a verification key for every data terminal, the management center stores the verification keys of all the data terminals, and uses a communication line to store the verification keys of each data terminal. A media data authentication system configured to distribute a necessary verification key in response to a request is also conceivable.In this case, each time a data terminal reads data such as an amount of money in a recording medium, the data line and a communication line are used for authentication. There is a problem that the use of the management center is required. In recent years, it has become possible to record and update data using a semiconductor memory, which is portable and non-rewritable memory realized by a semiconductor circuit, and to record and update data only by a specific method from a connected device. An IC card, which is a recording medium having a security function such as a function to determine the validity of a device to be connected and a security function such as an encryption or signature function, has attracted attention as a substitute for bills. IC cards are broadly classified into those that include a microprocessor realized by a semiconductor circuit and those that do not. The former can realize a function for judging the validity of an externally connected device and an encryption or signature function, but has the disadvantage that the circuit scale is large and the cost is high. On the other hand, the latter has only a circuit for providing a non-rewritable memory and can be realized at low cost. Therefore, there is a high need to realize a data authentication system for an IC card with a minimum circuit size that solves the above-mentioned problem.

The present invention has been made in view of the above-mentioned problems, and has been made in consideration of the above-mentioned problems. This is a card data authentication system that does not need to communicate with a management center or the like every time the data of an IC card is authenticated in a data terminal.
It is a first object of the present invention to provide a card data authentication system in which the effect of exposing secret data for authentication recorded inside an intruded data terminal is minimized.

It is a second object of the present invention to provide a data terminal device that can be used as a component of a card data authentication system that achieves the above object.

[0017]

According to a first aspect of the present invention, there is provided a card data authentication system for verifying the validity of data written to an IC card by one of a plurality of write data terminal devices. Is a card data authentication system that authenticates each of the write data terminal devices based on a public key signature method and creates a pair of a signature key for each write data terminal device and a corresponding verification key. The management device that distributes the key to the corresponding write data terminal device and provides the verification key so that the read data terminal device can obtain it, and each of the write data terminal devices distributes the plaintext data by the management device. A plurality of write data terminal devices for creating digital signature data using the obtained signature key and writing the digital signature data to an IC card; I for digital signature data has been written
A read data terminal device for reading the digital signature data from the C card and performing the authentication using a verification key corresponding to the signature key for the write data terminal device.

Thus, in the card data authentication system according to the present invention, since a public key signature method (public key signature algorithm) is used, data having a write function for applying a digital signature to data to be written in an IC card. The signature key held secretly by the terminal device is different from the verification key used for authentication by the data terminal device having the read function, and it is difficult to derive the signature key from the verification key. Even if the verification key used for authentication of the data in the IC card is exposed on the reading side due to an unauthorized intrusion of the device, an improper signature is not issued. Therefore, if the signature keys are different for each data terminal device having a writing function, the verification data corresponding to all the signature keys is stored in the data terminal device on the reading side to cope with these. Even in this case, an unauthorized signature cannot be performed due to an unauthorized intrusion into the data terminal device on the reading side, so that the security of IC card data authentication in the card data authentication system is ensured.

A read data terminal device according to the present invention that achieves the second object is characterized in that the write data terminal device outputs plaintext data and digital signature data created by using a signature key for the plaintext data. Is a read data terminal device that reads plaintext data from an IC card in which is written, and authenticates the validity of the plaintext data. Verification key storage means as a memory for storing the verification key, read means for reading the plaintext data and the digital signature data from the IC card, and the plaintext data and digital signature data read by the read means. Authentication means for authenticating the validity of the plaintext data using the verification key and the verification key.

Thus, the read data terminal device according to the present invention receives the distribution of the verification key of the pair of the signature key and the verification key created by the public key signature method (public key signature algorithm), and Authentication can be performed using the verification key distributed from the management device when data is read from the server, and even if the verification key is illegally extracted, the public key signature method is used. Since it is difficult to derive the signature key from the verification key, unauthorized execution of the signature is prevented.

Further, the writing data terminal device according to the present invention that achieves the above second object is provided so that another device can authenticate plaintext data recorded on its own IC card by another device. Signature key storage means, which is a write data terminal device for writing digital signature data together with plaintext data on an IC card, and a memory for storing a signature key created by a public key signature method outside the device;
Write data storage means for storing the plaintext data; and digital signature data creation means for creating the digital signature data for the plaintext data using a signature key stored in the signature key storage means. Writing means for writing the plaintext data stored in the write data storage means and the digital signature data created by the digital signature data creation means to an IC card.

Thus, the writing data terminal device according to the present invention receives the distribution of the signature key created by the public key signature method (public key signature algorithm), and uses the signature key when writing data to the IC card. Since the digital signature is used and the digital signature data is also written into the IC card, the read data terminal device for reading data from the IC card needs to have a verification key corresponding to the signature key. Data authentication becomes possible.
Therefore, the read data terminal device has a verification key. In this case, even if the verification key is illegally extracted from the read data terminal device, the read key is used because the public key signature method is used. It is difficult to derive the signature key, thereby preventing unauthorized execution of the signature.

[0023]

Embodiments of the present invention will be described below. <First Embodiment> A card data authentication system according to a first embodiment of the present invention will be described below with reference to FIGS.

<Configuration> FIG. 1 is a configuration diagram of a card data authentication system 1000 according to Embodiment 1 of the present invention. The card data authentication system 1000 includes one management center 1010, about 100 data terminals such as a data terminal 1200a and a data terminal 1200b, and an IC card 1300. The figure shows a data terminal 1200
14A illustrates a state in which data is written to the IC card 1300 and a data terminal 1200b reads data from the IC card 1300. In the figure, the data terminal is 2
Although only one IC card is shown, it is assumed that about 100 IC cards exist in various places, and only one IC card is shown in FIG.

This card data authentication system is positioned, for example, as a part of a POS system, in which each data terminal is installed in each store located in various places, and when a customer purchases goods or the like in each store instead of money. In this case, an IC card can be used. The IC card can be moved between stores by the customer, and each data terminal installed in each store refers to or updates the amount information or the like in the IC card owned by the customer.

<Management Center> The management center 1010 has a high-level security mechanism and manages a signature key and a verification key used for data authentication. Distribution unit 10
12 is provided. The key creation unit 1011 creates a different signature key and verification key for each data terminal based on a predetermined public key signature algorithm. In FIG.
|| Si} and {Ti || Vi} mean that the signature key Si and the verification key Vi are created for each data terminal Ti. Here, the data terminal Ti is a terminal ID.
Is a data terminal whose is Ti. The public key signature algorithm will be described later.

The key distribution unit 1012 distributes the signature key Si and the verification keys {Vi} of all data terminals to each data terminal Ti via a secret communication path or the like. Note that the verification key is distributed in pairs with the terminal ID Ti. Here, the secret communication channel means a communication channel in which data distributed through the communication channel is not eavesdropped or altered by a third party.

<Data Terminal> The data terminal 1200a
It has an IC card input / output device, a memory and a CPU in terms of hardware, and has a data reading unit 1210a and a data writing unit 1220a in terms of functions. Similarly, data terminal 1
200b is a data reading unit 1210b and a data writing unit 1
220b. Each data terminal has the same configuration except for the signature key distributed and held by the management center.

The data writing unit 1220a includes a write data storage unit 1221, a signature key storage unit 1222, an authenticator creation unit 1
223 and a write I / F unit 1224. Here, the write data storage unit 1221 is a memory area that stores data such as money amount information to be written in the IC card and the terminal ID of the data terminal. It should be noted that the terminal ID has a different value for each data terminal, and even if data such as money information and the terminal ID are combined, the terminal ID can be represented by 1024 bits or less.

The signature key storage unit 1222 stores information in the management center 10.
Key S of the public key signature algorithm distributed from No. 10
This is a memory area storing i. Authenticator creation unit 1223
The signature key storage unit 121 stores data to be written to the IC card stored in the write data storage unit 1221.
An authenticator is created by a public key signature algorithm using the signature key Si stored in the storage 22.

The write I / F section 1224 stores the data stored in the write data storage section 1221 and the authenticator created by the authenticator creating section 1223 in the IC card 1.
This is the interface part that writes to 300. On the other hand, the data read unit 1210b includes a read I / F unit 1211, a read data storage unit 1212, a verification key storage unit 1213, and a verification unit 1214.

Here, the read I / F section 1211 is an interface section for reading data from the IC card 1300 and supplying the data to the verification section 1214, and the read data storage section 1211.
Reference numeral 12 denotes a memory area for storing data when the validity of the data read from the IC card is successfully authenticated. The verification key storage unit 1213 stores information in the management center 101.
This is a memory area for storing the verification key {Vi} of the public key signature algorithm of all data terminals distributed from 0.

The verifying unit 1214 is connected to the read I / F unit 1
In step 211, data read from the IC card is verified. <IC Card> The IC card 1300 is a portable business card-sized plastic card in which a semiconductor chip 1310 including a communication unit 1311 and a data memory 1312 is integrated.

The data memory 1312 is a memory for storing data written by the data terminal. The communication unit 1311 is an active element for controlling access to the data memory 1312 and exchanging data with the data terminal. Therefore, data is written to the data memory 1312 by the write I / F unit 1224 of the data terminal, and the data memory 131 is written by the read I / F unit 1211 of the data terminal.
The reading of data from the IC card 2 is performed via the communication unit 1311 of the IC card 1300.

<Authentication Method Using Public Key Signature Algorithm> As the public key signature algorithm, for example, an RSA signature algorithm is used. Regarding the RSA signature method, refer to the 11th edition of the aforementioned “Modern Cryptography” (written by Tatsuaki Okamoto and Hiroshi Yamamoto).
Is described in the chapter. <Key Generation> Key generation by the RSA signature algorithm will be described.

First, prime numbers p and q satisfying n = pq are generated, and L = LCM (p-1, q-1) is calculated. Here, the size of n is 1024 bits, and LCM is the least common multiple. A number ei which is relatively prime to L obtained by calculation is selected, and a number d such that ei · di = 1 (mod L)
Find i. The di obtained in this manner becomes a signature key, and e
i is the verification key. The signature key di has a verification key ei of 1024 bits, and corresponds to the signature key Si and the verification key Vi in the above description.

<Generation of Authenticator> The data writer of the data terminal 1200a calculates the authenticator Xi for the signed data m as follows. Note that the signed data m includes Ti which is the terminal ID of the data terminal. Xi = m ^di (mod n) <Data stored in IC card> The data writing unit of the data terminal 1200a stores the signed data m and the authenticator Xi in an IC
Store on card.

<Verification of Authenticator> In the data terminal 1200b, m and Xi are read from the IC card. next,
Then, Ti, which is the terminal ID of the data terminal that has written the data, is extracted from m. Next, in the verification key storage unit, the terminal I
The verification key ei corresponding to the data terminal in which D is Ti is extracted, and the following calculation is performed for the authenticator Xi. The calculation here is for modn.

Y = Xi ^ei = (m ^di ) ^ei = m ^{(di · ei)} = m This result Y is compared with m read from the IC card, and if they match, the data is valid. Authenticate and use. <Operation> The operation of the card data authentication system 1000 using the above-described authentication method using the public key signature algorithm is as follows.

<Creation and Distribution of Key by Management Center> The management center 1010 uses the key creation unit 1011 to generate a signature key Si and a verification key that are different for each data terminal Ti based on the above-described predetermined public key signature algorithm. Then, the key distribution unit 1012 secretly distributes the signature key Si for the data terminal and the verification keys {Vi} for all the data terminals to each data terminal Ti once.

<Write Operation to IC Card by Data Terminal> The data terminal 1200a
When it becomes necessary to write data such as money information to the IC card 1300, the data such as money information and the terminal ID are stored in the write data storage unit 1221, and the data is written to the IC card 1300 in the data writing unit 1220a. Instruct to write.

In response, data writing unit 1220a
The write data storage unit 122
1 using the signature key Si stored in the signature key storage unit 1222 and the public key signature algorithm with respect to the data such as the money amount information and the terminal ID stored in Xi.
After writing, the data such as the amount information, the terminal ID, and the authenticator Xi are stored in the IC card 13 by the write I / F unit 1224.
Write to 00.

The data such as the amount information, the terminal ID, the authenticator and the like are arranged in the IC card according to a predetermined data structure format so that each data terminal can commonly recognize the data. <Read operation from IC card by data terminal> The data terminal 1200b reads the data from the data read unit 1210 when it becomes necessary to read data from the IC card 1300.
b is instructed to read data from the IC card 1300.

In response to this, the data reading unit 1210b
First, the read I / F unit 1211 reads out a terminal ID, data such as amount information, and an authenticator from the IC card, and provides them to the verification unit 1214. The verification unit 1214 extracts the verification key corresponding to the terminal ID from the verification key storage unit 1213, and verifies the validity of the data read from the IC card according to the verification method of the authenticator of the public key signature algorithm using the verification key. If it is valid, data such as money amount information is stored in the read data storage unit 1212.

FIG. 2 shows an authentication procedure by the verification unit 1214.
Show. The processing procedure of the verification unit 1214 is summarized as follows.
become. First, the terminal ID read from the IC card
, The verification key Vi is specified by referring to Ti
Take it out of the storage unit 1213. Second, read from IC card
For the authenticator Xi found out, using the verification key Vi,
Calculate by plain key signature algorithm to obtain plaintext Y
You. That is, Y = Xi ^Vi(Mod n) is obtained.

Third, the plaintext Y is compared with the original plaintext m consisting of Ti read from the IC card and data (Data) such as money amount information. Data is stored in the read data storage unit 1212 assuming that the data has been authenticated. After the validity is authenticated by the verification unit 1214, the data terminal 1200b can use the data of the read data storage unit 1212 such as the money amount information.

<Security Function> In the above-described card data authentication system 1000, since a digital signature using a public key cryptosystem is added to data recorded on an IC card, when data is altered, Detection can be performed and damage can be prevented by interrupting the transaction.

Also, the card unique number is recorded in an area of the IC card where the user cannot rewrite, and the authenticator creating unit 1223 authenticates the data including the card unique number in addition to the data to be written. According to this, even if an unauthorized copy of the card data is performed, it is possible to detect that an unauthorized transaction is being performed in the data authentication by the verification unit 1214. Damage can be prevented before it occurs.

<Consideration> In the above-described card data authentication system 1000, since the signature key held secretly by the data terminal differs for each terminal, even if any data terminal is invaded and stored secretly there. Even if a signing key is exposed, the effect will not affect all terminals. Further, even if one data terminal is invaded and the signature key is exposed, it is relatively easy to exchange the signature key.

The card data authentication system 1000
In, each data terminal has a verification key for all data terminals in response to the fact that the data terminal secretly holds a different signature key for each terminal, but it is necessary to derive the signature key from the verification key. Due to the nature of the public key signature scheme, which is difficult to perform, even if one data terminal is compromised, this does not reveal the signature keys of all data terminals. Therefore, there is no possibility that a signature key of an arbitrary data terminal is illegally derived to forge a data signature. Embodiment 2 Hereinafter, a card data authentication system according to Embodiment 2 of the present invention will be described with reference to FIGS.

<Configuration> FIG. 3 is a configuration diagram of a card data authentication system 2000 according to the second embodiment of the present invention. The card data authentication system 2000 includes one management center 2010, about 100 data terminals such as a data terminal 2200a and a data terminal 2200b, and an IC card 2300. The figure shows a data terminal 2200
14A illustrates a state in which data is written to the IC card 2300 and a data terminal 2200b reads data from the IC card 2300. In the figure, the data terminal is 2
Although only one IC card is shown, it is assumed that about 100 IC cards exist in various places, and only one IC card is shown in FIG.

<Management Center> The management center 2010 has a high-level security mechanism and manages a signature key, a verification key, and the like used for data authentication. A center key storage unit 2012, a certificate creation unit 2013, and a key distribution unit 2014 are provided.

The key generation unit 2011 is equivalent to the key generation unit 1011 in the first embodiment, and generates a different signature key and verification key for each data terminal based on a predetermined public key signature algorithm. In the figure, ｛Ti ||
The expression {Si}, {Ti || Vi} means that the signature key Si and the verification key Vi are created for each data terminal Ti. Note that the public key signature algorithm is the same as that described in the first embodiment.

The center key storage unit 2012 stores a center signature key Sc, which is one signature key created based on a predetermined public key signature algorithm, and a center verification key Vc, which is a corresponding verification key. ing. The center signature key Sc and the center verification key Vc are also created in principle by the same method as the signature key di and the verification key ei described in the first embodiment, and each have a size of 1024 bits.

The certificate creation unit 2013 includes a key creation unit 201
1 for the verification key Vi for each data terminal Ti created by the first method, using the center signature key Sc stored in the center key storage unit 2012 in accordance with the public key signature algorithm, to obtain a certificate of the verification key. (Hereinafter simply referred to as a certificate).
In the drawing, {Ti || Ci} means that a certificate Ci is created for each data terminal Ti.

The key distribution unit 2014 distributes the signature key Si, the verification key Vi, the certificate Ci, and the center verification key Vc to each data terminal Ti via a secret communication channel or the like. . <Data terminal> The data terminal 2200a includes an IC card input / output device, a memory, and a CPU in terms of hardware, and functionally includes a data reading unit 2210a and a data writing unit 2220a. Similarly, data terminal 2200b
Are a data reading unit 2210b and a data writing unit 2220b
And Each data terminal has the same configuration except for the signature key, verification key, and certificate distributed and held by the management center.

The data writing section 2220a includes a write data storage section 2221, a signature key storage section 2222, and an authenticator creation section 2
223, verification key / certificate storage unit 2224 and write I / F
It has a part 2225. Here, the write data storage unit 222
Reference numeral 1 denotes a memory area that stores data such as money amount information to be written to an IC card. Note that data such as money amount information can be represented by 1024 bits or less.

The signature key storage unit 2222 stores information in the management center 20.
Key S of the public key signature algorithm distributed from No. 10
The verification key / certificate storage unit 2224 is a memory area that stores the verification key Vi and the certificate Ci distributed from the management center 2010. The authenticator creating unit 2223 performs the following operations on the data to be written to the IC card stored in the write data storage unit 2221.
An authenticator is created by a public key signature algorithm using the signature key Si stored in the signature key storage 2222.

The write I / F unit 2225 stores the data stored in the write data storage unit 2221, the authenticator created by the authenticator creation unit 2223, and the verification key / certificate storage unit 2224. This is an interface portion for writing the stored verification key and certificate into the IC card 2300. On the other hand, data read unit 2210b is connected to read I / F unit 2
211, center verification key storage unit 2212, verification key verification unit 2
213, verification unit 2214, and read data storage unit 2215
Having.

Here, the read I / F unit 2211 reads data from the IC card 2300, and reads the data from the IC card 2300.
213 and an interface provided to the verification unit 2214. The center verification key storage unit 2212 stores the management center 2
010 is a memory area in which the center verification key Vc distributed from 010 is stored.

The verification key verification unit 2213 receives the verification key Vi and the certificate Ci, and uses the center verification key Vc stored in the center verification key storage unit 2212 for the certificate Ci to generate a public key signature algorithm. A verification key is calculated by a calculation based on the verification key Vi, and the verification key is compared with the received verification key Vi.
4 is given a verification key Vi.

The verification unit 2214 receives the data such as the amount information and the authenticator Xi and authenticates the validity of the data such as the amount information. The read data storage unit 2215
Is a memory area for storing data such as money information when the validity of the data read from the IC card is successfully authenticated. <IC Card> The IC card 2300 is a portable business card-sized plastic card in which a semiconductor chip 2310 including a communication unit 2311 and a data memory 2312 is integrated, and a data memory 231 in the semiconductor chip is provided.
2 is the same as the IC card 1300 of the first embodiment except that the information stored in the IC card 1300 is different.

<Operation> The operation of the card data authentication system 2000 described above is as follows. <Creation and distribution of key by management center> Management center 20
10. First, the key creation unit 2011 creates a signature key Si and a verification key Vi that are different for each data terminal Ti based on a predetermined public key signature algorithm. Then, the certificate creation unit 2013 creates a certificate Ci in accordance with the public key signature algorithm using the center signature key Sc.

Subsequently, the management center 2010 sends a signature key Si, a verification key Vi, and a certificate Ci for the data terminal to each data terminal Ti by the key distribution unit 2014.
And the center verification key Vc are secretly distributed once. <Write Operation to IC Card by Data Terminal> When it becomes necessary to write data such as money information to the IC card 2300, the data terminal 2200a stores the data such as money information in the write data storage unit 2221. The data is stored, and the data writing unit 2220a is instructed to write data to the IC card 2300.

In response, data writing unit 2220a
The authenticator creating unit 2223 allows the write data storage unit 222
For the data such as the amount information stored in No. 1, an authenticator Xi is created by a public key signature algorithm using the signature key Si stored in the signature key storage 2222.
Subsequently, the data writing unit 2220a stores the created authenticator Xi, data such as amount information stored in the write data storage unit 2221, and the verification key / certificate storage unit 2224. The verification key Vi and the certificate Ci are written to the IC card 2300 by the write I / F unit 2225.
Write to.

<Read Operation from IC Card by Data Terminal> The data terminal 2200b
When it becomes necessary to read data from 0, the data reading unit 2210b is instructed to read data from the IC card 2300. In response to this, the data reading unit 2210
b, first, the readout I / F unit 2211 reads out the verification key Vi and the certificate Ci from the IC card and gives them to the verification key verification unit 2213, and reads out data (Data) such as money amount information and the authenticator Xi. To the verification unit 2214.

The processing procedure in the data reading section 2210b will be described with reference to FIG. FIG. 4 is a diagram illustrating a processing procedure performed by the verification key verification unit 2213 and the verification unit 2214. First, the verification key verification unit 2213 obtains a verification key Vi ′ for the certificate Ci using the center verification key Vc stored in the center verification key storage unit 2212 by a public key signature algorithm. That is, Vi ′ = Ci ^Vc
(Mod n) is obtained.

Second, the verification key verification unit 2213 compares the verification key Vi ′ with the verification key Vi read from the IC card, and if they match, the validity of the verification key Vi can be authenticated. Then, the verification key Vi is given to the verification unit 2214.
If the two do not match, the process is stopped. Third
In addition, the verification unit 2214 calculates the authenticator Xi read from the IC card using the verification key Vi whose authenticity has been authenticated by the public key signature algorithm, and performs the plaintext Y
Ask for. That is, Y = Xi ^Vi (mod n) is obtained.

Fourthly, the plaintext Y and the data (Dat
a) is compared, and if they match, it is determined that the data such as the money amount information has been authenticated, and Data is stored in the read data storage unit 2215. After the validity is authenticated by the verification unit 2214, the data terminal 2200b can use data such as money amount information that is the content of the read data storage unit 2215.

<Consideration> In card data authentication system 1000 according to the first embodiment, each data terminal has a database in which verification keys for all data terminals are associated with terminal IDs. In this case, the reliability of the verification key was secured on the assumption that the database of each data terminal was analyzed and not falsified.

On the other hand, in the card data authentication system 2000 according to the second embodiment, since each data terminal does not have a database of verification keys for all data terminals, the certainty of the verification key is as described above. Without any preconditions. That is, the authenticity of the verification key is not affected by unauthorized intrusion into each data terminal.

In the card data authentication system 2000 described above, each data terminal does not have a database of verification keys for all data terminals. This makes it possible to relatively easily cope with the case of invalidating the data terminal. Embodiment 3 Hereinafter, a card data authentication system according to Embodiment 3 of the present invention will be described with reference to FIG.

<Configuration> FIG. 5 is a configuration diagram of a card data authentication system 3000 according to the third embodiment of the present invention. Card data authentication system 3000 is a modification of card data authentication system 2000 shown in the second embodiment, and has one management center 3010 and data terminal 32.
00a, data terminals 3200b, etc., and about 100 data terminals, and an IC card 3300. The figure shows
The data terminal 3200a writes data to the IC card 3300, and the data terminal 3200b writes data to the IC card 3300.
1 shows a state in which data is read from the memory. Although only two data terminals are shown in the figure, it is assumed that about 100 devices exist in various places, and only one IC card is shown in the figure, but a plurality of IC cards may exist.

In the card data authentication system 2000, the management center 2010 sends a verification key V to each data terminal.
i and its certificate Ci are distributed, and each data terminal also writes the verification key Vi and the certificate Ci when writing data such as money amount information to the IC card. On the other hand, in the card data authentication system 3000, the certificate C is obtained from the verification key Vi using the recovery type signature algorithm.
i, and the management center 3010 distributes the certificate Ci to each data terminal but does not distribute the verification key Vi, and each data terminal writes the certificate Ci to the IC card, but transmits the verification key Vi to the IC card. It is not written.

<Management Center> The management center 3010 has an advanced security mechanism and manages a signature key, a verification key, and the like used for data authentication. The management center 3010 is composed of a computer or the like. It includes a center key storage unit 3012, a certificate creation unit 3013, and a key distribution unit 3014.

The key creation unit 3011 and the center key storage unit 301
2 and the certificate creation unit 3013 are described in the second embodiment, respectively.
Are equivalent to the key creation unit 2011, the center key storage unit 2012, and the certificate creation unit 2013. However, the certificate creation unit 3013 uses the center signature key S based on the verification key Vi.
The certificate Ci is created by the recovery type signature algorithm using c. It is also assumed that the verification key Vi is generated by the key generation unit 3011 so as to satisfy a predetermined specific rule, for example, by adding a plurality of bit strings of a specific pattern. The recovery type signature algorithm will be described later.

The key distribution unit 3014 distributes the signature key Si, the certificate Ci, and the center verification key Vc to each data terminal Ti via a secret communication path or the like. <Data Terminal> The data terminal 3200a includes an IC card input / output device, a memory, and a CPU in terms of hardware, and functionally includes a data reading unit 3210a and a data writing unit 3220a. Similarly, data terminal 3200b
Are a data reading unit 3210b and a data writing unit 3220b
And Each data terminal has the same configuration except for the signature key and the certificate distributed and held by the management center. The data writing section 3220a includes a write data storage section 3221, a signature key storage section 3222, an authenticator creation section 3223, a certificate storage section 3224, and a write I / F section 32.
25, and is basically equivalent to the data writing unit 2220a according to the second embodiment.
Reference numeral 224 denotes the verification key / certificate storage unit 2 in the second embodiment.
224, but the function is different and the verification key is not stored. The write I / F unit 3225 does not write the verification key to the IC card, the data stored in the write data storage unit 3221 and the authenticator The point is that the authenticator created by the creating unit 3223 and the certificate stored in the certificate storage unit 3224 are written to the IC card 3300. On the other hand, data read unit 3210b has read I / F unit 3211, center verification key storage unit 3212, verification key recovery unit 3213, verification unit 3214, and read data storage unit 3215. The difference from the data reading unit 2210b is that the verification key recovery unit 3213 corresponds to the verification key verification unit 2213 in the second embodiment, but has a different function. Using the center verification key Vc stored in the center verification key storage unit 3212, a verification key Vi is obtained by calculation based on a recovery type signature algorithm, and it is checked whether this verification key satisfies a predetermined rule. If it satisfies, the validity of the verification key Vi derived from the certificate Ci is authenticated, and the verification unit 3214 is given the verification key Vi.

<IC Card> The IC card 3300 is a portable business card-sized plastic card which is a communication unit 331.
1 and a semiconductor chip 331 including a data memory 3312
0 is integrated and the same as the IC card 2300 of the second embodiment except that the data stored in the data memory 3312 in the semiconductor chip is different.

<Recovery Signature Algorithm> As the recovery signature algorithm, for example, a recovery RSA signature algorithm is used. The RSA signature method is described in Chapter 11 of the aforementioned “Modern Encryption” (written by Tatsuaki Okamoto and Hiroshi Yamamoto). <Certificate creation> Center signature key Sc and center verification key Vc
Has a relationship corresponding to the signature key di and the verification key ei described as key generation in the RSA signature method of the first embodiment.

A certificate is calculated for the verification key Vi, which is the data to be signed, as follows. The 1024-bit V
In i, 60 bits from the beginning are lined up with 0s. The certificate Ci created by the Ci = Vi ^Sc management center 3010 is stored in the IC card by the data writing unit 3220a of the data terminal.

<Verification Key Recovery> In order to recover and verify the verification key from the certificate, the data read unit 3210 of the data terminal
b reads the certificate Ci from the IC card, and the verification key recovery unit 3213 performs the following calculation. The Z = Ci ^Vc verification key recovery unit 3213 verifies the verification key Z obtained by this calculation.
Is checked to see if the first 60 bits are zero, and if it is zero, the verification key Z is authenticated as a correct verification key.

<Operation> The operation of the card data authentication system 3000 described above is as follows. <Creation and distribution of key by management center> Management center 30
10. First, the key creation unit 3011 creates a signature key Si and a verification key Vi that are different for each data terminal Ti based on a predetermined public key signature algorithm. Then, the certificate creation unit 3013 creates the certificate Ci according to the recovery type signature algorithm using the center signature key Sc.

Subsequently, the management center 3010 secretly distributes the signature key Si and the certificate Ci for the data terminal and the center verification key Vc to each data terminal Ti by the key distribution unit 3014 once. I do. <Write Operation to IC Card by Data Terminal> When it is necessary to write data such as money information to the IC card 3300, the data terminal 3200a stores the data such as money information in the write data storage unit 3221. Then, it instructs the data writing unit 3220a to write data to the IC card 3300.

In response, data writing unit 3220a
The authentication data creation unit 3223 allows the write data storage unit 322
For the data such as the amount information stored in No. 1, an authenticator Xi is created by a public key signature algorithm using the signature key Si stored in the signature key storage unit 3222.
Subsequently, the data writing unit 3220a transmits the created authenticator Xi, data such as amount information stored in the write data storage unit 3221, and the certificate storage unit 3224.
And the certificate Ci stored in the write I / F unit 322.
5 is written to the IC card 3300.

<Read Operation from IC Card by Data Terminal> The data terminal 3200b
When it becomes necessary to read data from 0, it instructs the data reading unit 3210b to read data from the IC card 3300. In response to this, the data reading unit 3210
First, the read I / F unit 3211 reads out the certificate Ci from the IC card and gives it to the verification key recovery unit 3213 by the readout I / F unit 3211, reads out data (Data) such as amount information and the authenticator Xi, and sends it to the verification unit 3214. give.

Verification key recovery unit 32 given certificate Ci
13 is a center verification key storage unit 32 for the certificate Ci.
The verification key Vi is obtained by the recovery type signature algorithm using the center verification key Vc stored in the storage unit 12. That is, V
Find i = Ci ^Vc (mod n). Subsequently, the verification key recovery unit 3213 checks whether the first 60 bits of the obtained verification key Vi is zero, and if it is zero, determines that the verification key Vi has been authenticated, and transmits the verification key Vi to the verification unit 3214. give. If the value is not zero, the process is stopped.

Verification unit 3214 given verification key Vi
For the authenticator Xi read from the IC card,
Using a verification key Vi whose authenticity has been successfully authenticated, a plaintext Y is obtained by performing a calculation using a public key signature algorithm. That is, Y
= Xi ^Vi (mod n). Next, the verification unit 3214
Compares the plaintext Y with the original plaintext data (Data) read from the IC card, and if they match, it is determined that the validity of the data such as the money information can be authenticated. Data is stored in the read data storage unit 3215.

After the validity is authenticated by the verification unit 3214, the data terminal 3200b sets the read data storage unit 3
Data such as money amount information, which is the content of 215, can be used. <Consideration> In the above-described card data authentication system 3000, by using the recovery type signature, the verification key for the signature key of the data terminal Ti recorded on the IC card is recorded in a form disturbed by the secret signature conversion. You. Such security of the verification key further increases the security of the system. Also, since the recovery type signature has a smaller total data amount than the appendix type signature, the recording capacity is strictly limited.
There is an advantage that a highly secure signature scheme can be used for the C card. <Supplement> As described above, the user interface device according to the present invention has been described based on the embodiments. However, it goes without saying that the present invention is not limited to these embodiments. (1) Card data authentication system 1 according to first to third embodiments
000, 2000 and 3000, the data terminal T
In the method i, a method of adding an authenticator, which is a signature, to a data to be signed as a digital signature, that is, a so-called appendix type signature is used. However, in addition to this, a method of restoring the data to be signed by verification conversion is performed on the data reading side where the data writer converts the data to be signed as a digital signature and verifies the data to be signed. A type signature algorithm may be used. This recovery type signature algorithm is the same as that used for the verification key in the third embodiment. That is,
Data such as price information to be recorded on the IC card and terminal ID
The data to be signed is made to satisfy a predetermined specific rule, and the data writer writes the authenticator to the IC card but does not write the data to be signed to the IC card. The signed data may be recovered from the authenticator read from the card, and signature verification may be performed based on whether the recovered signed data has the specific rule. For example, as a rule, assuming that an IC card-specific number is recorded in an area of the IC card where the user cannot rewrite, the IC card-specific number is included in the data to be signed. On the data writing side, an authenticator is created and written on the IC card, and on the data reading side, the IC included in the recovered signed data is read.
Signature verification is performed by verifying whether the value of the card-specific number matches the unique number actually read from the IC card. When the data writer of the data terminal in the card data authentication system 1000 shown in the first embodiment creates an authenticator by using a recovery type signature, the data writer creates the authenticator in the IC card. The terminal ID may be stored separately from the authenticator.

As described above, by using the recovery type signature, for example, data such as money amount information recorded on the IC card is recorded in a form disturbed by the secret signature conversion, so that privacy of personal information is protected. And increase the security of the system. Furthermore, since the recovery type signature has a smaller total data amount than the appendix type signature, there is an advantage that a highly secure signature method can be used even for an IC card whose recording capacity is severely restricted. (2) In the first to third embodiments, the RSA signature and the recovery type R
Although the SA signature has been described as an example, the signature algorithm is not limited to this, and a so-called elliptic curve signature method based on a discrete logarithm problem on an elliptic curve may be used. In this case, to ensure the same security, R
Since it requires only a smaller number of bits than the SA encryption, it can be effectively applied when the memory capacity of an IC card or the like is severely limited. (3) In the first to third embodiments, the number of bits of the signature key, the verification key, and the like are described. However, the sizes of various keys used in the card data authentication system according to the present invention are limited to the above-described number of bits. Never. (4) In the first to third embodiments, one data terminal records data on an IC card, and another data terminal records data on an IC card.
Although an example has been described in which data is read from the C card for authentication, the same data terminal may read data from the IC card for authentication, and write data to the IC card. Also, each data terminal may have only one of a data reading unit for reading data from the IC card and a data writing unit for writing data to the IC card. (5) In the first to third embodiments, the management center secretly distributes a signature key, a verification key, a center verification key, a certificate, and the like to each data terminal. However, the distribution is not limited to the one performed through the Internet, but may be another method. (6) In the first embodiment, the verification key storage unit 1213 in each data terminal stores the verification keys of all data terminals. However, it is not always necessary to store the verification keys of all data terminals. Even in this case, data written to the IC card by a plurality of data terminals in a specific range can be read and authenticated by another data terminal. (7) In the first embodiment, it has been described that the card data authentication system 1000 is positioned as, for example, a part of a POS system. However, the card data authentication system according to the present invention is used for other purposes. You may. (8) A procedure for creating a signature key, a verification key, a center signature key, a center verification key, an authenticator and a certificate in the management center and each data terminal of the card data authentication system described as the embodiment, and an IC in each data terminal. A computer program for causing a general-purpose computer or a home appliance having a program execution function to execute an authentication procedure when reading a card can be recorded on a recording medium or distributed and distributed via various communication paths. . Such recording media include an IC card, an optical disk, a flexible disk, and a ROM. The distributed and distributed computer program is provided for use by being installed in a home electric appliance or a personal computer having a program execution function, and the home electric appliance or the personal computer executes the computer program to execute the computer program. Various functions related to the authentication of the data in the IC card as shown in FIG.

[0090]

As is apparent from the above description, the card data authentication system according to the present invention verifies the validity of data written on an IC card by any of a plurality of write data terminal devices, A card data authentication system for authenticating the device, wherein a set of a signature key for each writing data terminal device and a corresponding verification key is created for each writing data terminal device based on a public key signature method, A management device that distributes the signature key to the corresponding write data terminal device and provides a verification key so that the read data terminal device can obtain the same. A plurality of writing data terminal devices for creating digital signature data using the distributed signature key and writing the digital signature data on an IC card; A read data terminal device for reading the digital signature data from the IC card in which the digital signature data is written, and performing the authentication using a verification key corresponding to the signature key for the write data terminal device. It is characterized by.

Thus, in the card data authentication system according to the present invention, since the public key signature method (public key signature algorithm) is used, data having a write function for giving a digital signature to data to be written in the IC card is used. The signature key held secretly by the terminal device is different from the verification key used for authentication by the data terminal device having the read function, and it is difficult to derive the signature key from the verification key. Even if the verification key used for authentication of the data in the IC card is exposed on the reading side due to an unauthorized intrusion of the device, an improper signature is not issued. Therefore, if the signature keys are different for each data terminal device having a writing function, the verification data corresponding to all the signature keys is stored in the data terminal device on the reading side to cope with these. Even in this case, an unauthorized signature cannot be performed due to an unauthorized intrusion into the data terminal device on the reading side, so that the security of IC card data authentication in the card data authentication system is ensured.

The management device further distributes the created verification keys to the read data terminal device, and the write data terminal device further transmits the plaintext data together with the created digital signature data to an IC card. The read data terminal device reads the plaintext data and the digital signature data from the IC card in which the plaintext data and the digital signature data are written by the write data terminal device, and reads the read data. Using one of the verification keys distributed by the management device corresponding to the signature key for the writing data terminal device, the validity of the plaintext data read from the IC card is authenticated. You can also.

Thus, in the card data authentication system according to the present invention, the verification key of the pair of the signature key and the verification key created by the public key signature method for each writing data terminal device is transmitted from the management device. Since the read data terminal device is distributed to the read data terminal device, the read data terminal device can perform authentication using the verification key distributed from the management device when reading data from the IC card. Even if it is extracted, it is difficult to derive the signature key from the verification key because the public key signature method is used, thereby preventing unauthorized signature execution.

Further, the writing data terminal device includes a signature key storing means for storing a signature key for the own device distributed by the management device, and a writing data for storing the plaintext data. Storage means, digital signature data creation means for creating the digital signature data for the plaintext data using the signature key stored in the signature key storage means, and write data storage means Writing means for writing the plaintext data and the digital signature data created by the digital signature data creation means to an IC card, wherein the read data terminal device includes a plurality of verification devices distributed by the management device. A verification key storage unit which is a memory for storing a key;
Reading means for reading the plaintext data and the digital signature data from the C card; any of the plaintext data and the digital signature data read by the reading means; and the verification key stored in the verification key storage means. And authentication means for authenticating the validity of the plaintext data using the above.

Thus, since the write data terminal stores the signature key and the read data terminal stores the verification key, each of these data terminals can write data to the IC card or read data from the IC card. When reading the data of the IC card, the signature key or the verification key in the own device can be used. Reading can be performed quickly.

The management device creates a set of a signature key for each write data terminal device and a corresponding verification key for each write data terminal device so as to be different for each write data terminal device. The verification key of the corresponding terminal ID of the writing data terminal device
And the plaintext data stored in the write data storage means of the write data terminal device includes the terminal ID of the write data terminal device and the verification key. The storage unit stores the plurality of verification keys in association with the terminal ID of the writing data terminal device, and the authentication unit refers to the terminal ID included in the plaintext data read by the reading unit. The validity of the plaintext data can be authenticated by extracting the verification key corresponding to the terminal ID from the verification key storage means and using the extracted verification key.

Thus, the read data terminal device holds the verification key in association with the terminal IDs of the plurality of write data terminal devices. By referring to the terminal ID written on the IC card, it is possible to specify a verification key required for authentication of data in the IC card, and to perform authentication using the verification key. Although the read data terminal device holds a plurality of different verification keys, it is difficult to derive a signature key from the verification key because the public key signature method is used. Even if
The signature key for an arbitrary writing data terminal device is not illegally used and the security is high.

[0098] The plaintext data may include money amount information, and each of the writing data terminal device and the reading data terminal device may be installed in stores located in various places. As a result, the card data authentication system according to the present invention is positioned as a part of the POS system. Therefore, according to the present invention, it is possible to purchase products and the like using an IC card at each store located in various places. A highly secure system can be realized.

A pair of a signature key and a verification key is created by the management device using a recovery type signature method as a public key signature method. The management device further includes a plurality of created verification keys. To the read data terminal device, the creation of the digital signature data in the write data terminal device is performed on the plaintext data based on a recoverable signature method, and the read data terminal device transmits The plaintext data is restored from the read digital signature data based on the recovery type signature method using any of the verification keys distributed to the management device, and whether the plaintext data satisfies predetermined conditions. By checking whether the plaintext data is valid or not, the validity of the plaintext data may be authenticated.

Thus, if only the digital signature data is stored in the IC card without storing the data to be signed, the data to be signed can be restored on the reading side. That is, the digital signature data stored in the IC card is in a form in which the data to be signed is disturbed by secret signature conversion. Therefore, according to the present invention, since the data to be signed is concealed, the security of the system is enhanced, and the data to be signed itself is not stored in the IC card. Highly secure data authentication can be realized.

Further, the management device creates a set of a signature key for each writing data terminal device and a corresponding verification key for each writing data terminal device so as to be different for each writing data terminal device. A set of a center signature key created based on a public key signature method and a center verification key is stored. , A certificate that is a digital signature is created, and the certificate is distributed to the corresponding writing data terminal device.
Distributing the center verification key to the read data terminal device,
The writing data terminal device further writes a certificate distributed by the management device together with the created digital signature data on the IC card. And reading out the certificate and the digital signature data from the IC card in which the digital signature data is written, and using the read certificate and the center verification key distributed from the management device to verify the validity of the verification key. If the authentication succeeds, the verification key may be used to authenticate the validity of the plaintext data, which is the signed data of the digital signature data read from the IC card. it can.

Thus, it is not necessary for the read data terminal device that reads data from the IC card to previously hold the verification keys of all write data terminal devices, so that it is possible to easily cope with system changes. Further, since the read data terminal can authenticate the authenticity of the verification key using the certificate, the reliability of the authenticity of the verification key is improved.

Further, the pair of the center signature key and the center verification key is created by using a recovery type signature method as a public key signature method. Is performed for each of the verification keys on the basis of the signature key storage means, which is a memory for storing a signature key for the own device distributed by the management device, and stores the plaintext data. Write data storage means, which is a memory for storing, a certificate storage means, which is a memory for storing a certificate for a verification key for its own device distributed by the management apparatus, and a signature key storage for the plaintext data. Digital signature data creation means for creating the digital signature data using the signature key stored in the means, and the plaintext data stored in the write data storage means; Writing means for writing the digital signature data created by the digital signature data creation means and the certificate stored in the certificate storage means to an IC card; and the read data terminal device comprises: A center verification key storage unit which is a memory for storing the center verification key distributed by the management device; a read unit which reads the plaintext data, the digital signature data and the certificate from an IC card; Using the recovered certificate and the center verification key stored in the center verification key storage means, a verification key corresponding to the data to be signed for the certificate is restored based on the recovery type signature method and restored. A verification key verification unit that verifies the validity of the verification key by checking whether the verification key satisfies a predetermined condition; When the validity of the verification key is recognized by the verification key verification unit, the validity of the plaintext data is verified using the plaintext data and the digital signature data read by the reading unit and the verification key. Authentication means for authenticating may be provided.

Thus, if only the certificate is stored in the IC card without storing the verification key, the verification key can be restored on the reading side, so that the present invention is excellent in portability. Data authentication with high security can be realized even in an IC card having a small data storage capacity. A read data terminal device for achieving the second object is an IC in which plain data and digital signature data created by using a signature key for the plain data are written by a write data terminal device. A read data terminal device for reading plaintext data from a card to authenticate the validity of the plaintext data, and stores a verification key created by a public key signature method corresponding to the signature key outside the device. Verification key storage means as a memory, and the IC
Reading means for reading the plaintext data and the digital signature data from the card; and authentication for authenticating the plaintext data using the plaintext data and the digital signature data read by the reading means and the verification key. Means.

As a result, the read data terminal device according to the present invention receives the distribution of the verification key of the pair of the signature key and the verification key created by the public key signature method (public key signature algorithm), and Authentication can be performed using the verification key distributed from the management device when data is read from the server, and even if the verification key is illegally extracted, the public key signature method is used. Since it is difficult to derive a signature key from a verification key, unauthorized execution of a signature is prevented.

Further, the writing data terminal device which achieves the second object has a plain text data stored in the IC card so that another device can authenticate the plain text data recorded on the IC card by the device itself. A writing data terminal device for writing digital signature data together with data, wherein a signature key created by a public key signature method outside the device itself is used.
A signature key storage unit that is a memory for storing, a write data storage unit that is a memory for storing the plaintext data, and a signature key stored in the signature key storage unit for the plaintext data. Digital signature data creating means for creating digital signature data, the plaintext data stored in the write data storage means, and the digital signature data created by the digital signature data creating means are written in an IC card. And a loading means.

Thus, the writing data terminal device according to the present invention receives the distribution of the signature key created by the public key signature method (public key signature algorithm), and uses the signature key when writing data to the IC card. Since the digital signature is used and the digital signature data is also written into the IC card, the read data terminal device for reading data from the IC card needs to have a verification key corresponding to the signature key. Data authentication becomes possible.
Therefore, the read data terminal device has a verification key. In this case, even if the verification key is illegally extracted from the read data terminal device, the read key is used because the public key signature method is used. It is difficult to derive the signature key, thereby preventing unauthorized execution of the signature.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a card data authentication system 1000 according to Embodiment 1 of the present invention.

FIG. 2 is a diagram showing an authentication procedure by a verification unit 1214.

FIG. 3 is a configuration diagram of a card data authentication system 2000 according to Embodiment 2 of the present invention.

FIG. 4 is a diagram showing a processing procedure by a verification key verification unit 2213 and a verification unit 2214.

FIG. 5 is a configuration diagram of a card data authentication system 3000 according to Embodiment 3 of the present invention.

FIG. 6 is a diagram showing a device configuration of a media data authentication system which is normally considered.

[Explanation of symbols]

1000, 2000, 3000 Card data authentication system 1010, 2010, 3010 Management center 1011, 2011, 3011 Key creation unit 1012, 2014, 3014 Key distribution unit 1200a, 2200a, 3200a Data terminal 1200b, 2200b, 3200b Data terminal 1210a, 2210a, 3210a Data read unit 1210a, 2210b, 3210b Data read unit 1211, 221, 3211 Read I / F unit 1212, 2215, 3215 Read data storage unit 1213 Verification key storage unit 1214, 2214, 3214 Verification unit 1220a, 2220a, 3220a Data book Data writing unit 1221, 2221, 3221 writing data storage unit 1222, 2222, 3222 Name key storage unit 1223, 2223, 3223 Authentication code creation unit 1224, 2225, 3225 Write I / F unit 1300, 2300, 3300 IC card 1310, 2310, 3310 Semiconductor chip 1311, 2311, 3311 Communication unit 1312, 2312, 3312 Data memory 2012, 3012 Center key storage unit 2013 Certificate creation unit 2212, 3212 Center verification key storage unit 2213 Verification key verification unit 2224 Verification key / certificate storage unit 3013 Certificate generation unit 3213 Verification key recovery unit 3224 Certificate storage unit

Claims (15)

[Claims] 1. A card data authentication system in which a read data terminal authenticates the validity of data written to an IC card by any one of a plurality of write data terminal devices. A pair of a signature key and a corresponding verification key is created for each writing data terminal device based on the public key signature method, the signature key is distributed to the writing data terminal device, and the verification key is read from the reading data terminal device. A management device provided so that the device can be obtained, and each writing data terminal device creates digital signature data for the plaintext data using the signature key distributed by the management device, and IC data
A plurality of write data terminal devices for writing to the card; and reading out the digital signature data from the IC card in which the digital signature data is written by the write data terminal device, corresponding to the signature key for the write data terminal device. A read data terminal device for performing the authentication by using a verification key to be authenticated. 2. The management device further distributes the created plurality of verification keys to a read data terminal device, and the write data terminal device further transmits the plaintext data together with the created digital signature data to an IC card. The read data terminal device reads the plaintext data and the digital signature data from the IC card in which the plaintext data and the digital signature data are written by the write data terminal device, and reads the read data. And using one of the verification keys distributed by the management device corresponding to the signature key for the write data terminal device to authenticate the validity of the plaintext data read from the IC card. The card data authentication system according to claim 1, wherein 3. The writing data terminal device includes: a signature key storing unit that stores a signature key for the own device distributed by the management device; and a writing data that is a memory that stores the plaintext data. Storage means; digital signature data creation means for creating the digital signature data for the plaintext data using the signature key stored in the signature key storage means; and write data storage means Writing means for writing the plaintext data and the digital signature data created by the digital signature data creation means to an IC card; and wherein the read data terminal device is provided with a plurality of A verification key storage unit which is a memory for storing a verification key; Means for authenticating the plaintext data using one of the plaintext data and the digital signature data read by the reading means and the verification key stored in the verification key storage means. 3. The card data authentication system according to claim 2, further comprising means. 4. The management device creates a set of a signature key for each writing data terminal device and a corresponding verification key for each writing data terminal device so as to be different for each writing data terminal device. Is distributed to the read data terminal device in pair with the terminal ID of the write data terminal device, and the plaintext data stored in the write data storage means in the write data terminal device is The verification key storage unit stores a plurality of verification keys in association with the terminal ID of the write data terminal device, and the authentication unit is read by the reading unit. With reference to the terminal ID included in the plaintext data,
4. The card data authentication system according to claim 3, wherein the verification of the validity of the plaintext data is performed by extracting a verification key corresponding to D from the verification key storage means and using the verification key. 5. The apparatus according to claim 4, wherein the plaintext data includes money amount information, and each of the writing data terminal device and the reading data terminal device is installed in stores located in various places. Card data authentication system. 6. A pair of a signature key and a verification key is created by the management device using a recoverable signature method as a public key signature method, and the management device further includes a plurality of created verification keys. Is distributed to the read data terminal device, the creation of the digital signature data in the write data terminal device is performed on the plaintext data based on a recovery type signature method, and the read data terminal device transmits the digital signature data from the IC card. The plaintext data is restored from the read digital signature data based on the recovery type signature method using any of the verification keys distributed to the management device, and whether the plaintext data satisfies predetermined conditions. By checking for
2. The card data authentication system according to claim 1, wherein the plaintext data is authenticated. 7. The writing data terminal device, a signature key storage unit as a memory for storing a signature key for the own device distributed by the management device, and a writing data as a memory for storing the plaintext data. Storage means; digital signature data creation means for creating the digital signature data for the plaintext data using a signature key stored in the signature key storage means based on a recovery type signature method; Writing means for writing the digital signature data created by the data creation means to an IC card; and the read data terminal device is a memory for storing a plurality of verification keys distributed by the management device. Key storage means; reading means for reading digital signature data from an IC card; and the digital data read by the reading means From the signature data, and restores the plain text data using any of the verification keys stored in the verification key storing means,
7. The card data authentication system according to claim 6, further comprising an authentication unit for authenticating the validity of the plaintext data. 8. The management device creates a set of a signature key for each write data terminal device and a corresponding verification key for each write data terminal device so as to be different for each write data terminal device. The verification key is distributed to the read data terminal device in pair with the terminal ID of the corresponding write data terminal device, and the writing means in the write data terminal device, together with the digital signature data, A terminal ID is also written in the IC card. The verification key storage unit stores a plurality of verification keys in association with a terminal ID of a write data terminal device. The reading unit stores the digital signature from the IC card. The authentication means reads out the terminal ID together with the data, and the authentication means refers to the terminal ID read by the reading means and stores the verification key corresponding to the terminal ID into the verification key storage means. Card data authentication system according to claim 7, characterized in that the restoration of the plaintext data by using removed. 9. The management device creates a set of a signature key for each write data terminal device and a corresponding verification key for each write data terminal device so as to be different for each write data terminal device. A set of a center signature key created based on the public key signature method and a center verification key is stored, and the center signature key is used for each of the created verification keys for the write data terminal devices. Creating a certificate that is a digital signature, distributing the certificate to the corresponding write data terminal device, distributing the center verification key to the read data terminal device, the write data terminal device further includes the created The certificate distributed by the management device is also written on the IC card together with the digital signature data, and the read data terminal device transmits the certificate and the digital signature data by the write data terminal device. The certificate and the digital signature data are read from the IC card on which the data is written, and the validity of the verification key is authenticated by using the read certificate and the center verification key distributed from the management device. 2. The method according to claim 1, wherein when the authentication is successful, the validity of the plaintext data, which is the signed data of the digital signature data read from the IC card, is authenticated using the verification key. Described card data authentication system. 10. The management device further distributes the created verification key to a corresponding write data terminal device, and the write data terminal device stores a signature key for the own device distributed by the management device. A signature key storage unit that is a memory that stores the plaintext data, a write data storage unit that is a memory that stores the plaintext data, and a verification key storage unit that is a memory that stores a verification key for the own device distributed by the management device. A certificate storage unit that is a memory for storing a certificate for a verification key for the own device distributed by the management device; and a signature key stored in the signature key storage unit for the plaintext data. Digital signature data creating means for creating the digital signature data, the plaintext data stored in the write data storage means, and the digital signature data creating means. Writing means for writing the digital signature data created by the above, the verification key stored in the verification key storage means, and the certificate stored in the certificate storage means to an IC card. The read data terminal device comprises: a center verification key storage unit, which is a memory for storing the center verification key distributed by the management device; and an IC card from which the plaintext data, the digital signature data, the verification key, Reading means for reading the certificate; validating the verification key using the verification key and the certificate read by the reading means; and the center verification key stored in the center verification key storage means. Verification key verification means for verifying the authenticity, and when the verification key verifies the validity of the verification key, the verification key read by the reading means is verified. Card data authentication system of claim 9, characterized in that it comprises a data and said digital signature data, and an authentication means for authenticating the validity of the plaintext data using said verification key. 11. The pair of the signature key and the verification key is created by the management device using a recoverable signature method as a public key signature method, and the management device further includes the created verification key. To the corresponding write data terminal device, the write data terminal device stores a signature key storage unit, which is a memory for storing a signature key for the own device distributed by the management device, and stores the plaintext data. Write data storage means as a memory; verification key storage means as a memory for storing a verification key for the own device distributed by the management device; and certification for the verification key for the self device distributed by the management device A certificate storage unit which is a memory for storing a certificate, and a digital signature for the plaintext data based on a recovery type signature method using a signature key stored in the signature key storage unit. Digital signature data creating means for creating data, the digital signature data created by the digital signature data creating means, the verification key stored in the verification key storage means, and the digital signature data stored in the certificate storage means. Writing the certificate to an IC card, the read data terminal device comprising: a center verification key storage unit which is a memory for storing the center verification key distributed by the management device; Reading means for reading the digital signature data, the verification key, and the certificate from an IC card; the verification key and the certificate read by the reading means; and stored in the center verification key storage means. A verification key verification unit that verifies the validity of the verification key using the center verification key; When the validity of the key is recognized, the plaintext data is restored from the digital signature data read by the reading means using the verification key based on a recovery type signature method, and the plaintext data is restored. 10. The card data authentication system according to claim 9, further comprising an authentication unit for authenticating the plaintext data by checking whether a predetermined condition is satisfied. 12. The combination of the center signature key and the center verification key is created by using a recovery type signature method as a public key signature method. Is performed for each of the verification keys on the basis of the signature key storage means, which is a memory for storing a signature key for the own device distributed by the management device, and stores the plaintext data. Write data storage means, which is a memory for performing authentication, certificate storage means, which is a memory for storing a certificate for a verification key for the own apparatus distributed by the management apparatus, and storage of the signature key for the plaintext data Digital signature data creating means for creating the digital signature data using the signature key stored in the means; and the plaintext data stored in the write data storage means; Writing means for writing the digital signature data created by the digital signature data creation means and the certificate stored in the certificate storage means to an IC card; and the read data terminal device comprises: A center verification key storage unit that is a memory for storing the center verification key distributed by the management device; a reading unit that reads the plaintext data, the digital signature data, and the certificate from an IC card; Using the issued certificate and the center verification key stored in the center verification key storage means, a verification key corresponding to the data to be signed for the certificate is restored based on a recovery type signature method and restored. Verification key verification means for verifying whether or not the verification key satisfies a predetermined condition to thereby verify the validity of the verification key; If the verification key verifies the validity of the verification key, the plaintext data and the digital signature data read by the reading unit and the verification key are used to verify the validity of the plaintext data. 10. The card data authentication system according to claim 9, further comprising: authentication means for authenticating the card data. 13. The combination of the center signature key and the center verification key, wherein the pair of the signature key and the verification key is created by the management device using a recoverable signature method as a public key signature method. Is created using a recovery-type signature method as a public key signature method. The management device creates each certificate for each of the verification keys based on the recovery-type signature method. A terminal device, a signature key storage unit that is a memory for storing a signature key for the own device distributed by the management device; a write data storage unit that is a memory for storing the plaintext data; A certificate storage unit which is a memory for storing a certificate for the verification key for the own device, and a recovery type signature for the plaintext data using a signature key stored in the signature key storage unit. Digital signature data creation means for creating the digital signature data based on a method, the digital signature data created by the digital signature data creation means, and the certificate stored in the certificate storage means. Writing means for writing to an IC card, the read data terminal device comprising: a center verification key storage means for storing the center verification key distributed by the management device; and a digital signature data from the IC card. Reading means for reading the certificate; and using the certificate read by the reading means and the center verification key stored in the center verification key storage means based on a recovery type signature method. The verification key corresponding to the data to be signed for the certificate, and whether the restored verification key satisfies the predetermined conditions A verification key verification unit that verifies the validity of the verification key by inspecting the verification key, and the digital signature read by the reading unit when the verification key verification unit verifies the validity of the verification key. From the data, the plaintext data is restored based on the recovery type signature method using the verification key, and the validity of the plaintext data is checked by checking whether the plaintext data satisfies a predetermined condition. 10. The card data authentication system according to claim 9, further comprising an authentication unit for performing authentication. 14. A writing data terminal device reads out plaintext data from an IC card in which plaintext data and digital signature data created by using a signature key for the plaintext data are written, and the plaintext data is read. A verification key storage means, which is a memory for storing a verification key generated by a public key signature method corresponding to the signature key outside of the self-device, and the IC; Reading means for reading the plaintext data and the digital signature data from the card; and authentication for authenticating the plaintext data using the plaintext data and the digital signature data read by the reading means and the verification key. Read data terminal device comprising: 15. A writing data terminal device for writing digital signature data together with plaintext data on an IC card so that another device can authenticate plaintext data recorded on the IC card by the own device. A signature key storage unit that is a memory for storing a signature key generated by a public key signature scheme outside the own device; a write data storage unit that is a memory for storing the plaintext data; Digital signature data creating means for creating the digital signature data using the signature key stored in the signature key storage means; the plaintext data stored in the write data storage means; Writing means for writing the digital signature data created by the means into an IC card. Writing data terminal device.