JPH11339045A - Method for confirming and issuing electronic data, executing device therefor, medium recorded with processing program therefor and electronic data recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent unauthorized use of electronic data by issuing an electronic data recording medium which has the body information of an owner of the electronic data and his or her electronic signature and testing the electronic signature to confirm the owner of the electronic data. SOLUTION: A body information inputting part 143 of an electronic identification card testing part 140 reads the body information of the owner of an electronic identification card 100 through a body information input device 122 and an electronic signature testing part 144 confirms if the card 100 expires and tests an electronic identification card authentication station electronic signature 103 of the card 100. A body information testing part 146 tests whether the body information 102a read by the part 143 matches the body information 102 of the card 100 and confirms the owner of the electronic data. Thus, unauthorized use of electronic data is prevented.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an electronic data processing system for issuing information about a specific person as electronic data and confirming the owner of the electronic data. In addition, the present invention relates to a technology that is effective when applied to an electronic data processing system that issues the identification card and checks whether the holder is the same as the owner.

[0002]

2. Description of the Related Art Heretofore, it has been widely practiced to implement identification cards or similar personal information as electronic data. In the present invention, the purpose of the identification card is defined as follows. The primary purpose is to confirm that the holder of the ID is the owner listed on the ID and that the holder is entitled to the ID certificate guarantee . The second purpose is to confirm the first purpose while the confirmer of the first purpose is facing the holder of the identification card.

[0003] There are several conventional techniques for realizing personal identification or similar personal information as electronic data. For example, a first known example is International.
`` ITU-T Recommendatio '' issued by Telecommunication Union
n X.509 (1997), Information Technology-Open Syst
ems Interconnection-The Directory: Authenticatio
n.Framework ”.

[0004] This known example describes an electronic certificate used by an owner of an encryption key used in an information processing system. The certificate includes an identification number of the certificate itself, a name of the owner of the encryption key, It stores electronic data such as the name of the issuing organization of the certificate and the encryption key, and the electronic signature of the issuing organization for the electronic data.

[0005] The electronic certificate of this known example is applied to a system for conducting electronic commerce in a computer network. For example, "Secure Electronic Certificate" which defines a communication procedure for performing payment by credit card in the computer network. Transaction Specif
ication '' (MasterCard International and Visa Inter
As described in National Corporation, 1997), in addition to the above-mentioned data, data indicating a postal code, an address, and the like are stored.

The main purpose of the electronic certificate of this known example is that in a certain information processing system, when a sender and a receiver exchange each other's encryption keys, the received encryption key is certainly the one of the other party. It is to confirm whether the information processing system exists and whether the other party is qualified to participate in the information processing system.

In this known example, such a confirmation process is realized by the above-mentioned “electronic signature of the issuing organization of the electronic certificate”. An electronic signature is widely used in an information processing system to which encryption technology is applied, and achieves prevention of falsification of target data of the electronic signature and authentication of a creator of the electronic signature.
For electronic signatures, for example, “N” issued by Prentice Hall
etwork Security "(1995).

[0008] Since the electronic signature plays an important role in the present invention, a brief description will be given here.

As a technique for realizing an electronic signature, a public key encryption technique is widely used. In public key cryptography, two cryptographic keys appear. This is called an encryption key pair. One of the encryption key pairs is called a secret key, and the owner of the encryption key pair is responsible for confidentiality. The other is called a public key, which is passed to a communication partner in an information processing system, for example.

An electronic signature using public key encryption is used as follows. Hereinafter, data that the creator of the digital signature wants to pass to the verifier of the digital signature is referred to as plain text.

First, the creator encrypts the plaintext with a secret key.
Data generated by encrypting this plaintext is called a cryptogram. This cryptogram is the “digital signature”. The creator
Pass the plaintext and secret text (electronic signature) to the certifier. The combination of the plaintext and the encrypted text is hereinafter referred to as “digital signature data”.

Next, the verifier decrypts the digital signature of the received digital signature data with the creator's public key. The creator's public key is passed to the verifier in advance or together with the electronic signature data.

Next, the tester compares the data obtained by decrypting the plaintext and the electronic signature. Hereinafter, in this comparison, a match between the two is referred to as a success of the test, and a mismatch between the two is referred to as a test failure.

If the test is successful, the following is known. First, it can be seen that the plaintext has not been altered. This is because if the plaintext is altered, it will not match the decryption result of the digital signature. Second, it can be seen that the creator of the electronic signature is the owner of the private key that forms an encryption key pair with the public key used for the verification. This is because the public key encryption algorithm generally guarantees that only the cryptogram that can be decrypted with the public key is created using the private key that forms the encryption key pair with the public key.

Here, if the public key of the creator of the electronic signature has been changed, the success of the verification does not guarantee the above two items. It is the electronic certificate of the first known example that is used to detect the change of the public key. The electronic certificate of the first known example is, for example, electronic signature data in which the name of the public key owner and the public key are part of the plaintext. Falsification of the certificate data including the password can be detected. Hereinafter, the plaintext that is the target data of the electronic signature is referred to as “digital signature target data”.

The electronic certificate of the first known example is electronic signature data in which the issuing organization has applied an electronic signature to data included in the electronic certificate using its own private key. Hereinafter, the issuing organization of the electronic certificate is referred to as a certificate authority.

The person who receives the digital certificate obtains the public key of the certificate authority and verifies the digital signature of the digital certificate. In the following, the verification of the digital signature of a digital certificate is described.
It is simply called "certification of digital certificate". By verifying the electronic certificate, it can be confirmed that the data included in the electronic certificate has not been tampered with and that the electronic certificate has been issued by the certificate authority.

Here, the digital certificate is further used to ensure that the public key of the certificate authority used for verifying the digital certificate has not been replaced. That is, the public key of the certificate authority is stored in the digital certificate and distributed. In the first known example, the certificate authorities are hierarchically configured, and the digital certificate of the certificate authority itself that issues the digital certificate of the terminal encryption key holder is issued by a higher-level certificate authority.

In the first known example, electronic data indicating an invalid electronic certificate is used. This electronic data is called a CRL (Certificate Revocation List), and is a data indicating a list of invalid digital certificates. Hereinafter, losing the validity of an electronic certificate is referred to as “revoking”. In the first known example, the CRL manages not only the revocation of the terminal cryptographic key holder's digital certificate but also the revocation of the certificate authority's digital certificate.

A second known example is described in, for example, Japanese Patent Application Laid-Open No. 8-305766, "Automatic Certificate Issuing Machine". This known example relates to a device for issuing certificates, which are printed matter such as a resident's card and a seal certificate, and is used to confirm whether a person who applies for a certificate is a person or a person who has obtained the permission. Things. In this known example, a personal identification number and data to be described in a resident's card, a seal stamp certificate, and the like are stored in an IC card. When issuing certificates, the automatic certificate issuing machine compares the personal identification number stored in the IC card with the personal identification number entered by the issue applicant to confirm the identity.

In this known example, data such as a resident's card and a seal stamp certificate stored on an IC card are used by an automatic certificate issuing machine to create certificates such as a resident card and a seal stamp certificate. Used for In this known example, the identification card is the IC card itself, and it is guaranteed that the holder has the qualification to issue the certificates printed with the data stored in the IC card.

A third known example is described, for example, in Japanese Patent Laid-Open Publication No. Hei 6-251049, “Vote receiving terminal device”. This known example relates to a voting reception terminal device for an election, and is for confirming whether or not a voting person (elector) is himself. In this known example, the feature data of the fingerprint of the elector is stored in the IC card owned by the elector, and at the time of voting, the vote reception terminal device compares the fingerprint stored in the IC card with the fingerprint of the elector. Perform identity verification by comparison. In this known example, the identification card is the IC card itself, which guarantees that the holder has the right to vote.

A fourth known example is a card-type or notebook-type printed identification card which is widely used at present, such as a passport, a driver's license, an employee ID card, a student ID card and the like. Such identification documents generally ensure that the owner has certain qualifications and are issued by the respective certification bodies.

[0024]

[0005] When realizing an identification card as electronic data for confirming whether a person is a person or a person having a specific qualification, the related art has the following problems. Exists.

There is a problem that the electronic certificate of the first known example can be used illegally if it is stolen. The electronic certificate is usually stored in a storage medium such as an IC card, and as described in the third known example, access to the storage area of the storage medium is considered to be protected by a password. However, if the storage medium is stolen by another person and the password is known, the electronic certificate becomes readable.

The digital certificate of the first known example is digital signature data by a certificate authority, and the verifier of the digital certificate obtains the digital certificate of the certificate authority and stores the public key of the certificate authority stored therein. The test is performed according to Since the certificate authority digital certificate is stored in the storage medium or obtained separately by the verifier, the verification of the digital certificate is successful if the password of the storage medium is discovered. Would. In other words, it becomes possible to impersonate the digital certificate stolen by another person.

In the first place, the first known example aims at application to an information processing system which protects a message transmitted and received by using a public key encryption technology such as an electronic commerce system in a computer network. If it is not used with public key encryption technology, it will not be effective. That is,
In the information processing system to which the first known example is applied, the electronic certificate itself is public, and even if it is obtained by a malicious person, the secret forming the encryption key pair with the public key stored in the electronic certificate is obtained. Unless a key is obtained, unauthorized use is not possible. In such information processing systems, digital certificates are used for data encryption and verification of digital signatures, but even if this is possible, it is meaningless if the opposite data cannot be decrypted or a digital signature cannot be created. There is no.

In an information processing system to which the first known example is applied, data can be decrypted and an electronic signature can be created only by using a secret key. It is effective in an information processing system to which is applied. However, the use as an identification card, which is the object of the present invention, is not the purpose of the electronic certificate of the first known example, and cannot be effective.

The identification card of the second known example is the IC card itself. The IC card itself is an identification card showing qualifications for having printed certificates, such as a resident's card, issued by an automatic issuing machine. The identification card of the second known example has the following two problems. The first problem is that since the IC card itself is an ID card, an ID card is required for each qualification possessed by an individual, and a lot of space is required for holding the ID card. The second problem is that unauthorized use is possible if the IC card is stolen. In the second known example, this is attempted to be protected by a password, but if the password is known, it cannot be protected.

The third known example of the identification card is the IC card itself. The IC card itself is an ID card showing voting rights. The third known example has the following two problems. The first problem is that since the IC card itself is an ID card, an ID card is required for each qualification possessed by an individual, and a lot of space is required for holding the ID card. The second problem is that unauthorized use is possible if the IC card is stolen. In the third known example, this is attempted to be prevented by storing the fingerprint data of the owner of the IC card in the IC card and comparing the fingerprint data with the fingerprint of the holder of the IC card.
However, if the IC card is stolen and the fingerprint data is forged, it cannot be protected. Also, it seems possible to forge the same IC card itself.

The fourth known example has the following three problems. The first problem is that an identification card is required for each qualification possessed by an individual, so that a lot of space is required for holding the identification card. The second problem is that if the ID card is stolen, unauthorized use is possible by forging a photograph or a seal of an issuing organization. The third problem is that it takes time and effort for the person who verifies the ID to check with the issuing organization of the ID. If the issuing organization of the identification card is unknown to the verifier, to confirm the existence and reliability of the issuing organization, for example, call the issuing organization's telephone number listed on the identification card Or make inquiries to appropriate third-party organizations such as government offices. Due to the labor and time required, this procedure is likely to be neglected, and as a result, fraudulent use of forged identification cards becomes possible. Also, even if it is a known issuing agency,
Forgery of the issuing institution's seal or the like is considered to enable forgery of the identification card itself issued by the issuing institution.

As described above, the prior art firstly requires a lot of space for carrying the identification card, secondly, the unauthorized use of the identification card is possible, and thirdly, However, there is a problem that forgery of an identification card is possible because a method for confirming the reliability of an issuing organization of the identification card has not been established.

An object of the present invention is to solve the above-mentioned problem and to provide a technique capable of preventing unauthorized use of electronic data recorded on an electronic data recording medium.

[0034]

According to the present invention, there is provided an electronic data issuance / confirmation method for publishing an electronic data recording medium on which electronic data is recorded and confirming the owner of the electronic data recording medium. An electronic data recording medium having the electronic signature is issued, the electronic signature is verified, and the owner of the electronic data is confirmed.

According to the present invention, for example, electronic data is used as electronic identification information, an electronic data recording medium is used as an electronic identification certificate storage medium, and an electronic data certification authority which is an issuing organization of electronic data is used as an electronic identification certificate authority. When issuing an electronic identification card storage medium such as an IC card in which electronic identification card information is recorded, first, physical information indicating physical characteristics of a person who is the owner of the electronic identification card is input.

Next, after encrypting the input physical information with an encryption key of an electronic identification certificate authority, which is an issuing organization of the electronic identification certificate, and creating an electronic signature for the physical information,
The electronic identification card including the identification information of the owner of the electronic identification certificate, the created physical information and the electronic signature thereof is written in the electronic identification certificate storage medium.

When confirming whether the holder of the electronic identification certificate storage medium is the owner of the electronic identification card,
The electronic signature for the physical information in the electronic identification card is verified, and when the verification of the physical information is successful, the physical information of the holder of the electronic identification certificate storage medium is read, and the read physical information is used as the electronic ID. Test whether it matches the physical information in the certificate.

According to the present invention, various kinds of information such as an identification card for confirming the identity of a certain person and whether or not he / she has a specific qualification can be realized as electronic data. Can store information such as identification cards,
The space required for carrying multiple identification cards can be reduced.

Further, according to the present invention, the electronic identification card includes the physical information of the owner and an electronic signature for the physical information. By verifying the electronic signature of the information and comparing the physical characteristics of the person holding the electronic ID card with the physical information of the owner, the person holding the electronic ID card can check the electronic ID card. You can check if you are the owner. Even if the physical information of the owner of the electronic identification card has been tampered with, it can be detected by verifying the electronic signature for the physical information of the owner. Unauthorized use can be prevented.

Further, according to the present invention, the electronic signature for the physical information of the owner of the electronic identification card can be an electronic signature created by the electronic identification certificate authority using the encryption key. Here, according to the present invention, the electronic identification certificate confirmation device can store the encryption key certificate that is the electronic certificate of the encryption key of the electronic identification certificate authority, and can verify the encryption key certificate. Therefore, the encryption key for verifying the electronic signature of the physical information of the owner of the electronic identification card can be included in the encryption key certificate of the electronic identification certificate authority and distributed to the electronic identification verification device, In addition, by verifying the electronic signature of the encryption key certificate of the electronic identification certificate authority,
The reliability of the electronic identification certificate authority and the reliability of the encryption key of the electronic identification certificate authority can be confirmed.

Thus, according to the present invention, forgery of the encryption key of the electronic identification certificate authority can be prevented, and forgery of the electronic identification card can be prevented. In addition, even if there is an electronic ID certificate issued by an electronic ID certificate authority unknown to the person who verifies the electronic ID certificate, it is necessary to easily confirm the reliability of the electronic ID certificate authority. Can be.

As described above, according to the electronic data processing system of the present invention, the unauthorized use of the electronic data is performed by the physical information of the owner of the electronic data recorded on the electronic data recording medium and the electronic signature for the physical information. , So
It is possible to prevent unauthorized use of electronic data recorded on an electronic data recording medium.

[0043]

DESCRIPTION OF THE PREFERRED EMBODIMENTS (Embodiment 1) An electronic data processing system according to Embodiment 1 for confirming the owner of an electronic identification card by using physical information indicating the physical characteristics of the owner and an electronic signature thereof will be described below. .

The first embodiment describes the operation of an electronic identification card storage medium for recording electronic identification card information as electronic data, and the operation of an electronic identification card confirmation device for confirming the owner. This embodiment will be described with reference to FIGS.

FIG. 1 is a diagram showing a data structure of an electronic ID card, a storage medium for storing the electronic ID card, and a schematic configuration of an electronic ID confirmation apparatus according to the present embodiment. As shown in FIG. 1, the electronic identification card confirmation device 120 of the present embodiment
An electronic identification card input / output unit 141, an electronic identification confirmation display unit 142, a physical information input unit 143, an electronic signature verification unit 144, an electronic identification information analysis unit 145, and a physical information verification unit 146. , A certificate authority certificate management unit 151,
And a CRL management unit 152.

The electronic identification card input / output section 141 receives the personal identification number 112 and the electronic identification certificate list 11 from the electronic identification certificate storage medium 110 via the storage medium input / output device 121.
1 and a processing unit for reading the electronic identification card 100.

The electronic identification card confirmation display unit 142 is a processing unit that displays the contents of the electronic identification card 100 on the display 123. The physical information input unit 143 is a processing unit that reads the physical information 102 a of the holder of the electronic identification certificate storage medium 110 via the physical information input device 122.

The electronic signature verification unit 144 stores the electronic identification card 1
Check whether the encryption key certificate for the encryption key of the electronic identification certificate authority that is the issuing organization of 00 has been revoked, and verify the encryption key of the electronic identification certificate authority using a valid encryption key certificate. Then, the electronic identification card 1 stored in the electronic identification card storage medium 110 is stored in the electronic identification card storage medium 110 using the encryption key for which the above-mentioned verification has succeeded.
This is a processing unit for verifying the electronic signature certificate electronic signature 103 of the electronic identification certificate authority 00.

The electronic identification information analyzing section 145 is a processing section for analyzing the electronic identification information 101 of the electronic identification card 100. The physical information verification unit 146 tests whether the physical information 102 a of the holder of the electronic identification certificate storage medium 110 read by the physical information input unit 143 matches the physical information 102 of the owner of the electronic identification card 100. It is a processing unit.

The certificate authority certificate management unit 151 stores the encryption key certificate of the electronic identity certificate authority used for verifying the digital signature 103 of the electronic identity certificate 100 of the electronic identity card 100 in the certificate authority certificate / CRL storage disk. This is a processing unit that searches for and obtains 128. The CRL management unit 152 indicates a revoked electronic ID card 100 or an encryption key certificate of an electronic ID certificate authority.
This is a processing unit that manages the CRL.

The electronic identification card confirmation device 120 is connected to the electronic identification card input / output unit 141 and the electronic identification card confirmation display unit 14.
2. Physical information input unit 143, electronic signature verification unit 144, electronic identification information analysis unit 145, physical information verification unit 14
6. A program for functioning as the certificate authority certificate management unit 151 and the CRL management unit 152 is recorded on a recording medium such as a CD-ROM, stored on a magnetic disk or the like, and then loaded into a memory and executed. And The medium on which the program is recorded may be a medium other than the CD-ROM.

The electronic identification card 100 is electronic data including electronic identification certificate information 101, physical information 102, and an electronic signature certificate authority digital signature 103.

The electronic identification certificate information 101 is a collection of a plurality of electronic data such as identification information indicating the name and affiliation of the owner of the electronic identification certificate and the identification number of the electronic identification certificate. The physical information 102 is data that can specify the physical characteristics of the owner of the electronic identification card, and for example, a face photograph, a fingerprint, a voice print, or the like can be used. In addition, text data explaining the face photo and physical characteristics, fingerprints and voice prints, etc.
The data may be a combination of a plurality of physical characteristic data.

The electronic signature certificate authority digital signature 103 is
This is an electronic signature in which data obtained by combining the electronic identification certificate information 101 and the physical information 102 is used as electronic signature data. The electronic identification certificate authority digital signature 103 is created by the electronic identification certificate authority, which is the issuing organization of the electronic identification certificate.

The owner of the electronic ID card 100 stores the electronic ID card in the electronic ID card storage medium 110 and carries it. The electronic identification card storage medium 110 stores a plurality of electronic identification cards 100, and the plurality of electronic identification cards 100 are issued by different electronic identification certificate authorities.

Here, the electronic identification certificate storage medium 110 is
Data including electronic identification information 101, which is electronic data owned by the owner, physical information 102 indicating physical characteristics of the owner, and an electronic signature certificate authority digital signature 103 of the physical information are stored. It is an electronic data recording medium such as an IC card on which recording is performed. Note that the recording medium for recording the data may be a medium other than the IC card.

The electronic identification certificate storage medium 110 stores an electronic identification certificate list 111 and a personal identification number 112. The electronic identification certificate list 111 is list data of the electronic identification certificate 100 stored in the electronic identification certificate storage medium 110. The personal identification number 112 is data used for checking when reading the electronic identification card 100 or the like from the electronic identification certificate storage medium 110.

The electronic identification card confirmation device 120 is a device for confirming the qualification of a certain person using the electronic identification card 100. In the following, the electronic identification card confirmation device 12
A person who uses 0 to confirm the qualification of the holder of the electronic identification card 100 is called a confirmer. Further, a person carrying the electronic identification storage medium 110 in which the electronic identification card 100 is stored at a certain point in time is referred to as a holder of the electronic identification card. The electronic identification card confirmation device 120
This is a device for confirming whether the holder of the electronic identification card 100 is indeed the owner of the electronic identification card and whether the confirmer has the qualification to be confirmed.

The electronic identification card confirmation device 120 has the following structure. The electronic identification card confirmation device 120
Display 123, CPU 124, keyboard 125,
It comprises a mouse 126, a memory 130, a bus 127, a storage medium input / output device 121, a physical information input device 122, and a certificate authority certificate / CRL storage disk 128.

The memory 130 has programs such as an electronic identification certificate verification unit 140 and a certificate authority certificate / CRL management unit 150. The storage medium input / output device 121 is a device that reads electronic data stored in the electronic identification certificate storage medium 110. Physical information input device 122
Is the physical information 102a of the holder of the electronic identification card 100
Device, for example, a fingerprint input device or a voiceprint input device can be used.

The electronic identification card verification unit 140 verifies whether the holder of the electronic identification card 100 is the owner of the electronic identification card. The electronic identification card input / output unit 141
The personal identification number 112, the electronic identification certificate list 111, and the electronic identification certificate 100 are read from the electronic identification certificate storage medium 110 via the storage medium input / output device 121. The electronic identification card confirmation display unit 142 displays the electronic identification card 100.
Is displayed on the display 123.

The physical information input section 143 reads the physical information 102 a of the holder of the electronic identification card 100 via the physical information input device 122. Electronic signature verification unit 144
Checks whether the electronic identification card 100 has expired and verifies the electronic signature 103 of the electronic identification certificate authority of the electronic identification card 100. Electronic identification information analysis unit 14
5 is the electronic identification card information 10 of the electronic identification card 100
Analyze 1 The physical information verification unit 146 tests whether the physical information 102a read by the physical information input unit 143 matches the physical information 102 of the electronic identification card 100.

The certificate authority certificate / CRL storage disk 128
Stores the encryption key certificate, CRL, etc. of the electronic ID certificate authority. Here, the electronic certificate of the encryption key is called an “encryption key certificate”.

The certificate authority certificate / CRL management unit 150 manages the encryption key certificate, CRL, and the like of the electronic identification certificate authority. The certificate authority certificate management unit 151 stores the encryption key certificate of the electronic identification certificate authority used for the verification of the electronic signature certificate 103 of the electronic identity certificate 100 in the certificate authority certificate / CRL storage disk 128. Search and get. CRL management unit 15
2 retrieves the CRL from the certificate authority certificate / CRL storage disk 128. Digital ID Certificate Authority encryption key certificate and CRL
Will be described in detail with reference to FIG.

FIG. 2 is a diagram showing a system configuration of the electronic data processing system of the present embodiment. In this embodiment, the electronic identification card confirmation device 120, the electronic identification certificate authority 20
3. It is composed of the central certificate authority 200. In this embodiment, a plurality of electronic identification card confirmation devices 120 may exist.

The electronic identification certificate authority 203 is an electronic data authentication authority that is an issuing organization that issues the electronic identification card 100. In the present embodiment, there are a plurality of electronic identification certificate authorities 203 for each type of electronic identification card 100.

The general certification authority 200 is an issuing organization of the encryption key certificate of the electronic identification certificate authority 203, and guarantees the authority of the electronic identification certificate authority 203. In addition, general certification authority
00 is an electronic identification card 100 used in the present embodiment.
It is also the issuing organization of the CRL 184, which is a list of revoked electronic identity certificate authority certificate 182.

The certificate ID certificate / CRL storage disk 128 of the electronic ID certificate confirmation device 120 stores an electronic ID certificate authority certificate 182, a general certificate authority public key 183, and a CRL 184.
Is stored.

The electronic identification certificate authority certificate 182 is an encryption key certificate of the electronic identification certificate authority 203. The general certification authority public key 183 is a public key of the general certification authority 200. The CRL 184 is list information of the revoked electronic ID card 100 and the revoked electronic ID certificate authority certificate 182.

The electronic identification certificate authority 203 has an electronic identification certificate authority disk 205. The electronic identification certificate authority disk 205 includes an electronic identification certificate authority private key 204 that is a secret key of the certification authority, and an electronic identification certificate authority that is an encryption key certificate containing the public key of the certification authority. The certificate 182 is stored.

The general certification authority 200 has a general certification authority disk 202. The general certification authority disk 202 includes a general certification authority private key 201 which is a private key of the general certification authority 200,
The public certificate authority public key 18 which is the public key of the general certificate authority 200
3 and CRL 184 are stored.

In the present embodiment, the electronic identification certificate confirmation device 120 transmits the electronic identification certificate
L184 and the central certificate authority public key 183 are obtained as follows.

The electronic identification certificate authority 203 sends a new electronic identification certificate authority certificate 182 from the general certification authority 200.
Is obtained, the electronic identification certificate authority certificate 182 is stored in an arbitrary storage medium, and the electronic identification certificate confirmation device 120 is stored.
Send to

When the central certificate authority 200 creates a new CRL 184, it stores the CRL 184 in an arbitrary storage medium and sends it to the electronic identification certificate confirmation device 120. Further, the general certification authority 200 stores the general certification authority public key 183 in an arbitrary storage medium and sends it to the electronic identification certificate confirmation device 120.

Next, a specific example of the electronic identification card 100 and the electronic identification certificate storage medium 110 of the present embodiment will be described with reference to FIG.

FIG. 3 is a diagram showing the concept of the electronic identification certificate authority 203 of the present embodiment. FIG. 3 shows a situation where the person A 311 and the person B 312 are receiving the electronic identification card 100 from the plurality of electronic identification certificate authorities 203. In the present embodiment, for example, the electronic identification card 100
As a car driver's license 1001, passport 10
02 and A university student ID card 1004 exist.

As each of the electronic identification certificate authorities 203, there are a driver's license issuing organization 2031, a passport issuing organization 2032, and an A university student ID issuing organization 2033.

The person A 311 has a driving license for a car and a qualification for traveling abroad, and obtains the driving license 1001 from the driving license issuing organization 2031 and the passport issuing organization 2032.
To apply for a passport 1002 at each issuing organization to have it issued (210).

Similarly, person B 312 has overseas travel qualifications and is a student of University A. So person B312
Passport issuing organization 2032 to passport 1003
From the A university student ID issuing organization 2033 to the A university student ID 10
04 at each issuing organization to apply for it.

The person A 311 and the person B 312 store a plurality of electronic ID cards 10 in their own electronic ID card storage media A 1101 and B 1102, respectively.
Store 0 and carry. Here, the electronic identification card confirmation device 120 is installed in, for example, an immigration control agency, and is used to confirm the passport 1002, which is the electronic identification card 100, at the time of immigration control. The electronic identification card confirmation device 120 is carried by, for example, a police officer, and is used to confirm a driver's license 1001 as the electronic identification card 100.

As described above, according to the present embodiment, an identification card can be realized as electronic data, and a plurality of types of electronic identification cards 100 can be stored in a single electronic identification certificate storage medium 110.

Next, referring to FIG. 4, the electronic identification card 100 and the electronic identification certificate authority certificate 182 in this embodiment will be described.
And the data structure of the CRL 184 will be described.

FIG. 4 shows an electronic identification card 10 according to this embodiment.
0, Electronic Identity Certificate Authority Certificate 182 and CRL 184
FIG. 3 is a diagram showing a data structure of FIG. Electronic identification card 100
Is composed of electronic identification information 101, physical information 102, and an electronic signature certificate authority digital signature 103.

The physical information 102 has been described above. The electronic signature certificate authority digital signature 103 is the electronic identification card 1
00 is an electronic signature created by the electronic identification certificate authority 203, which is the issuing organization of No. 00. The electronic signature target data of the electronic signature is composite data including electronic identification certificate information 101 and physical information 102.

The electronic identification certificate information 101 includes an electronic identification certificate ID 1011, a certificate authority certificate ID 1012,
013. The electronic ID card ID 1011 is
This is a unique number given to the electronic identification card 100.
The certification authority certificate ID 1012 is a unique number of the electronic identification certificate authority certificate 182 which is an encryption key certificate of the electronic identification certificate authority 203 that has issued the electronic identification certificate. The identity information 1013 is information indicating the identity of the owner of the electronic identification card 100, such as the name, address, and affiliation.

The electronic identification certificate authority certificate 182 includes a certificate authority certificate ID 1821, an electronic identification certificate authority public key 1
823, and a central certificate authority digital signature 1824. The certification authority certificate ID 1821 is a unique number for identifying the electronic identification certificate certification authority certificate 182. The electronic identification certificate authority public key 1823 is used for the electronic identification certificate authority 203 that is the owner of the electronic identification certificate authority certificate 182.
Public key. The general certification authority digital signature 1824 is an electronic signature created by the general certification authority 200, which is the issuing organization of the electronic identification certificate authority certificate 182. The electronic signature target data of the electronic signature is composite data including a certificate authority certificate ID 1821 and an electronic identification certificate authority public key 1823.

The CRL 184 is a list of the electronic ID card 100 and the electronic ID certificate authority certificate 182 that have lost their validity. The CRL 184 includes a CRL ID 1841, an electronic ID card ID 1842, a certificate authority certificate ID 1843, and an electronic signature 1844 of the central certificate authority.

The CRL ID 1841 is a unique number for identifying the CRL 184. The electronic ID card ID 1842 is a unique number of the revoked electronic ID card 100 and is a CRL.
184 has a plurality of entries. Certificate Authority Certificate ID 18
Reference numeral 43 denotes a unique number of the revoked electronic identification certificate authority certificate 182, and a plurality of entries exist in the CRL 184. The general certification authority digital signature 1844 is an electronic signature created by the general certification authority 200 which is the issuing organization of the CRL 184. The target data of the electronic signature is composite data including a CRL ID 1841, an electronic ID card ID 1842, and a certificate authority certificate ID 1843.

Next, with reference to FIGS. 5, 6 and 7, the principle of confirming the electronic identification card 100 and the electronic identification certificate authority certificate 182 in this embodiment using the encryption technology will be described. These confirmations are performed using an electronic signature. In the present embodiment, the electronic identification card 100 is realized by using the physical information 102 and the electronic signature together, and the principle described here forms the basis of the present invention.

First, the principle of the creation of the electronic signature certificate authority digital signature 103 of the electronic identification card 100 will be described with reference to FIG.

FIG. 5 shows an electronic identification card 100 according to this embodiment.
FIG. 4 is a diagram showing the principle of the creation of. Electronic signature target data 50
Reference numeral 1 denotes target data when the electronic signature certificate authority digital signature 103 is created. The electronic signature target data 501 is
It consists of electronic identification card information 101 and physical information 102.

The electronic identification card 100 includes the electronic identification certificate information 101 and the physical information 102 as the electronic signature target data 5.
01 is copied (502), and is created as composite data with the electronic signature certificate authority digital signature 103. The electronic signature certificate authority digital signature 103 stores the electronic signature target data 501 in the electronic identification certificate authority private key 20.
4 (503).

Next, with reference to FIG.
The principle concerning the verification of the electronic signature certificate authority digital signature 103 will be described.

FIG. 6 shows an electronic identification card 100 according to this embodiment.
It is a figure which shows the principle of confirmation. First, electronic identification card 1
The electronic identification certificate information 101 and the physical information 102 are copied to create electronic signature target data 601 (60).
2). Next, the digital signature certificate authority digital signature 103 is decrypted using the digital identification certificate authority public key 1823, and the decrypted result is compared with the digital signature target data 601 to check whether they match. This comparison operation is the verification (603) of the electronic signature certificate authority digital signature 103.

In the present embodiment, this verification operation is performed by the electronic identification certificate confirmation device 120. The electronic identification certificate confirmation device 120 transmits the electronic identification certificate certification authority public key 1823 to the electronic identification certificate certification authority. It is extracted and obtained from the certificate 182. Thereby, the electronic identification card 100
That the electronic identification certificate information 101 and the physical information 102 are not falsified, and that the electronic identification certificate 100 is issued by the electronic identification certificate authority 203 which is the owner of the electronic identification certificate authority certificate 182. You can confirm that.

Next, with reference to FIG. 7, the principle of verifying the digital certificate 1824 of the central certificate authority of the digital certificate authority certificate 182 will be described. This certificate authority's digital signature 1
824 indicates that the general certification authority 200, which is the issuing organization of the electronic identification certificate authority certificate 182,
It was created using.

FIG. 7 is a diagram showing the principle of confirming the electronic identification certificate authority certificate 182 of this embodiment. First, the certification authority certificate ID 182 of the electronic identification certificate certification authority certificate 182
The electronic signature certificate authority public key 1823 is copied to create electronic signature target data 701 (702).
Next, the central certificate authority digital signature 1824 is decrypted using the central certificate authority public key 183, and the decrypted result is compared with the digital signature target data 701 to check whether they match. This comparison operation is the verification of the central certificate authority digital signature 1824 (703).
It is.

In the present embodiment, this verification operation is performed in the electronic identification card confirmation device 120. This allows
Certificate ID 1 of the electronic certificate CA certificate 182
843 and the electronic identification certificate authority public key 1823 are not falsified, and it can be confirmed that the electronic identification certificate authority certificate 182 is issued by the general certification authority 200.

Next, the operation flow of the electronic identification card confirmation apparatus 120 according to the present embodiment will be described with reference to FIGS.

FIG. 8 is a list of electronic identification documents 1 of the present embodiment.
It is a figure which shows the outline | summary of No. 11. Electronic ID List 111
Is a list of the electronic identification cards 100 stored in the electronic identification certificate storage medium 110. The electronic identification card list 111 has an entry corresponding to each of the electronic identification cards 100. Each entry includes an electronic ID card ID 1011, an electronic ID card type 802, and an electronic ID card certification authority name 804. Electronic identification card
The ID 1011 is a unique number for identifying the electronic identification card. The electronic identification card type 802 indicates what kind of identification card the electronic identification card is. The electronic identification certificate authority name 804 is the name of the electronic identification certificate authority 203 that has issued the electronic identification certificate.

Next, the flow of the operation in which the electronic identification card confirmation device 120 confirms the electronic identification card 100 will be described with reference to FIG.

FIG. 9 is a flowchart showing a processing procedure of the processing for confirming the electronic identification card 100 by the electronic identification card confirmation apparatus 120 of the present embodiment. First, the holder of the electronic ID card 100 is the electronic ID card storage medium 110.
Is inserted into the storage medium input / output device 121 (90
2). Next, the holder of the electronic identification card 100 inputs the personal identification number 112a of the electronic identification certificate storage medium 110 via the keyboard 125 (904). This is because the electronic identification card confirmation device 120 can store the electronic identification card storage medium 11
This is to confirm whether the holder of 0 is the owner.

In response to this, the electronic identification certificate verification unit 140 compares the input personal identification number 112a with the personal identification number 112 of the electronic identification certificate storage medium 110 (906).
If they do not match, the electronic identification card verification unit 140 displays on the display 123 that the verification of the electronic identification card 100 has failed (918). If they match, the electronic identification card verification unit 140 displays the contents of the electronic identification certificate list 111 on the display 123 (908).

Next, the confirmer selects the electronic identification card 100 to be confirmed and inputs it via the keyboard 125 or the mouse 126 (909). Next, the electronic identification certificate verification unit 140 reads the selected electronic identification card 100 from the electronic identification certificate storage medium 110, and verifies the electronic signature certificate authority digital signature 103 (910).

If the verification fails, the electronic identification card verification unit 140 displays on the display 123 that the verification of the electronic identification card 100 has failed (918). If the verification is successful, the electronic identification card verification unit 140 extracts the identification information 1013 and the physical information 102 of the electronic identification card 100 (911). Since the verification is successful, the contents of the electronic identification information 101 of the electronic identification card 100 and the physical information 102 are not falsified, and the electronic identification certificate authority 203
It is confirmed that the contents guaranteed by are stored.

Next, the holder of the electronic identification card 100 inputs the physical information 102a via the physical information input device 122 (912). For example, a fingerprint is input when a fingerprint is used as the physical information 102, and a voiceprint is input when a voiceprint is used.

Next, the electronic identification card verification unit 140 compares the inputted physical information 102a with the physical information 102 of the electronic identification card 100 (914). If they do not match, the electronic identification card verification unit 140 displays on the display 123 that the verification of the electronic identification card 100 has failed (9).
18). If they match, the electronic identification card verification unit 140
The display 123 shows that the electronic identification card 100 has been successfully confirmed and the contents of the identification information 1013 (9
16).

Physical information 10 in which physical information 102 is input
By matching with 2a, it is confirmed that the holder of the electronic identification card 100 is indeed the owner. Finally, the confirmer confirms whether or not the content of the identity information 1013 displayed on the display 123 satisfies the required qualification.

Here, the electronic identification certificate storage medium 110 is
Consider a situation in which the person C is held by another person C who is not the official owner, and the person C can know the password 112. Even in such a case, the electronic identification card confirmation device 120 of the present embodiment can detect that the person C is not the owner of the electronic identification card 100. In this case, in step 906, the comparison between the input personal identification number 112a and the personal identification number 112 matches. However, in step 914, the input physical information 1
Since the comparison between 02a and the physical information 102 fails, the verification of the electronic identification card 100 fails.

Next, the electronic identification certificate storage medium 110
It is held by another person C who is not the official owner, who can know the password 112, and
Consider a situation in which a person C has replaced the physical information 102 of the electronic identification card 100 with his own physical information 102a.
Even in such a case, the electronic identification card confirmation device 120 of the present embodiment can detect that the person C is not the owner of the electronic identification card 100.

In this case, in step 906, the comparison between the input personal identification number 112a and the personal identification number 112 succeeds. If the process proceeds to step 914, the comparison between the input physical information 102a and the input physical information 102 is successful. However, in this case, in step 910, the verification of the electronic signature certificate authority digital signature 103 of the electronic identification card 100 fails. This is because, as described with reference to FIG. 6, the replaced physical information 102a of the person C is different from the physical information 102 used to create the electronic signature certificate authority digital signature 103 when the electronic identification card 100 is issued. This is because the electronic signature verification (603) fails. As a result, the verification of the electronic identification card 100 fails.

As described above, according to the present embodiment, even if the electronic identification card 100 is used by another person, the physical information 102a input to the electronic identification card confirmation device 120 and the physical information of the electronic identification card 100 are obtained. By comparing 102, that fact can be detected. Even if the physical information 102 of the electronic identification card 100 has been tampered with, the fact can be detected by the verification of the electronic signature 103 of the electronic identification certificate authority.

In this embodiment, the physical information verification unit 14
6 compares the physical information 102 of the electronic ID card 100 with the physical information 102a of the holder of the electronic ID card 100 input via the physical information input device 122, The display unit 142 displays the contents of the physical information 102 of the electronic ID card 100 on the display 12.
3 and the confirmer may compare the content displayed on the display 123 with the physical information 102a of the holder of the electronic identification card 100.

Next, referring to FIG. 10, step 91 in FIG.
0 will be described in detail. FIG. 10 is a flowchart showing the processing procedure of the verification process of the electronic signature 103 of the electronic identification certificate authority of the electronic identification card 100 among the operations of the electronic identification card 100 confirmation device of the present embodiment. In step 910, the electronic identification certificate verification unit 140 verifies the electronic signature certificate authority digital signature 103 of the electronic identification card 100.

In the electronic identification card verification unit 140, the electronic identification card input / output unit 141 is connected to the electronic identification card 100.
Is read from the electronic identification certificate storage medium 110, and the digital signature verification unit 144 requests the verification (9102).

Next, the electronic signature verification unit 144 checks the certificate authority certificate ID 1012 from the electronic identification information 101 of the electronic identification card 100 (9104). Next, the electronic signature verification unit 144 checks the electronic identification certificate authority certificate 18 having the certificate authority certificate ID 1012 read in step 9104.
2 and the CRL 184 are requested to the certificate authority certificate / CRL management unit 150 (9106).

The certificate authority certificate / CRL management unit 150 searches for the electronic identification certificate authority certificate 182 and the CRL 184 requested by the electronic signature verification unit 144 (9108). In the present embodiment, the operation of Step 9108 is performed by a certificate authority certificate.
The search is performed as a search for the electronic identification certificate authority certificate 182 and the CRL 184 from the / CRL storage disk 128.

If the search fails in step 9108, the digital signature verification unit 144 returns a verification failure to the electronic identification card input / output unit 141 (914). If the search is successful, the electronic signature verification unit 144 checks whether the electronic ID card ID 1011 of the electronic ID card 100 is described in the CRL 184 (9109).

If there is a description, the electronic identification card 100
Has expired, the digital signature verification unit 14
4 responds to the electronic identification card input / output unit 141 that the verification has failed (9114). If not described, the electronic signature verification unit 144
Uses the electronic identification certificate authority public key 1823 of the electronic identification certificate authority certificate 182 to
It verifies the electronic signature certificate authority digital signature 103 of 0 (9110). The principle of this procedure is as described in FIG.

If the verification fails, the digital signature verification unit 144
Responds to the electronic identification card input / output unit 141 that the verification has failed (9112). If the verification is successful, the digital signature verification unit 14
4 responds to the electronic identification card input / output unit 141 that the verification has been successful (9114). In this embodiment, data indicating the expiration date may be provided in the electronic identification card 100, and the expiration date may be checked in the operation of step 910.

Next, referring to FIG. 11, the electronic identification card confirmation device 120 transmits the electronic identification certificate authority certificate 182 and the CR.
The operation at the time of obtaining L184 will be described.

FIG. 11 shows that the electronic identification card confirmation apparatus 120 of this embodiment uses the electronic identification certificate authority certificate 182 and the CRL.
It is a flowchart which shows the processing procedure of the processing which acquires 184. As described in the description of FIG. 2, when the electronic identification certificate authority certificate 182 is updated, the electronic identification certificate authority 203 stores the new electronic identification certificate authority certificate 182 in an arbitrary storage medium. Electronic identification card confirmation device 12 for storing
Send to 0.

When the CRL 184 is updated, the central certificate authority 200 stores the new CRL 184 in an arbitrary storage medium and sends it to the electronic identification certificate confirmation device 120. Here, the certificate authority certificate / CRL management unit 150 inputs the electronic identification certificate authority certificate 182 and the CRL 184 from the storage medium.

In the certificate authority certificate / CRL management unit 150,
The certificate authority certificate management unit 151 stores the central certificate authority public key 183
Is used to verify the electronic signature 1824 of the central certificate authority of the digital certificate authority certificate 182 (1104).

The principle of the verification of the electronic signature in step 1104 is as described with reference to FIG. If the test fails, the operation ends. If the certification is successful, the certificate authority certificate management unit 15
1 stores the electronic identification certificate authority certificate 182 in the certificate authority / CRL storage disk 128 (1106).

Next, the CRL management section 152 checks the certificate authority certificate / CR
Using the general certification authority public key 183 stored in the L storage disk 128, the general certification authority digital signature 1 of the CRL 184 is used.
Test 844 (1108). If the test fails, the operation ends. If the certification is successful, the CRL management unit 152
184 is stored in the certificate authority / CRL storage disk 128 (1110).

Next, the CRL management unit 152 stores the certificate authority certificate / CR
The certification authority certificate ID 1821 of the electronic identification certificate certification authority certificate 182 stored in the L storage disk 128
184 is checked (1112). If there is no description, it ends. If described, CRL management unit 15
2 deletes the electronic identification certificate authority certificate 182 described in the CRL 184 from the certificate authority certificate / CRL storage disk 128 (1114).

As described above, in this embodiment, in step 1104 of FIG. 11, the electronic identification certificate authority certificate 18
If the verification of the digital certificate 1824 of the central certification authority of 2 is successful,
Electronic identification certificate authority 203 of electronic identification card 100
Is guaranteed to be the issuing organization of the electronic identification card 100.

The electronic identification certificate authority certificate 182 is stored in the certificate authority certificate / CRL storage disk 12 unless the verification of the supervising authority electronic signature 1824 in step 1104 is successful.
8 cannot be stored. Therefore, when the confirmer is performing the operation of confirming the electronic identification card 100 by the electronic identification certificate confirmation device 120, in step 9108 of FIG. , The authority of the electronic identification certificate authority 203 is guaranteed.

Conversely, an issuing institution that has not obtained the certification of the general certification authority 200 cannot possess the electronic identification certificate authority certificate 182 containing the electronic signature 1824 of the general certification authority. Therefore, even if a holder of the electronic identification card 100 issued by an issuing organization that has not been certified by the general certification authority 200 appears, the electronic identification card confirmation device 120 will preliminarily confirm the electronic identification card in step 1104 of FIG. By verifying the digital signature 1824 of the central certificate authority of the certificate authority certificate 182, the electronic certificate of the issuing authority can be stored in the certificate / CRL storage disk 12.
8, it can be detected that the electronic identification card 100 is not valid.

As described above, according to the present embodiment, by verifying the electronic identification certificate authority certificate 182, it is possible to easily confirm that the authority of the electronic identification certificate authority 203 is guaranteed. it can. In addition, by verifying the electronic identification certificate authority certificate 182, it is possible to detect that the electronic identification certificate authority certificate 182 and the electronic identification certificate authority public key 1823 included therein are forged, so that the electronic identity certificate can be detected. It can be detected that the certificate 100 is forged.

Further, in the present embodiment, the electronic identification card confirming apparatus 120 determines in step 9109 in FIG. 10 that the electronic identification card 100 of the person whose qualification has been suspended after the electronic identification card 100 is issued, the electronic identification card Document storage medium 110
The electronic identification card 100 stored in the electronic identification certificate storage medium can be rejected by using the CRL 184 when the device is lost.

As described above, according to the present embodiment, the electronic identification card 100 of the person whose qualification has been suspended or the electronic identification card 100 that has been lost is revoked, and such electronic identification card 100 is confirmed. Can be prevented from succeeding.

As described above, according to the electronic data processing system of the present embodiment, the physical information of the owner of the electronic data recorded on the electronic data recording medium and the electronic signature of the physical information are used to obtain the electronic data. Since the unauthorized use is detected, the unauthorized use of the electronic data recorded on the electronic data recording medium can be prevented.

(Embodiment 2) An electronic data processing system according to Embodiment 2 for obtaining an electronic identification certificate authority certificate via a communication network will be described below.

In the first embodiment, when the electronic identification certificate confirmation device 120 performs an operation for confirming the electronic identification certificate 100, the electronic identification certificate authority certificate 182 of the electronic identification certificate authority 203 is It was stored in the certificate authority certificate / CRL storage disk 128 in advance.

On the other hand, in the present embodiment, when the electronic identification card confirmation device 120 performs the operation for confirming the electronic identification card 100, the certification authority certificate / CRL storage disk 128 is used.
If the electronic identification certificate authority certificate 182 of the electronic identification certificate authority 203 does not exist, the electronic identification certificate authority certificate 182 is obtained via the communication network.

FIG. 12 shows the electronic identification card 10 of this embodiment.
FIG. 3 is a diagram showing an outline of a data structure of a storage medium storing an electronic identification card 100 and a confirmation device thereof. The structures of the electronic ID card 100 and the electronic ID card storage medium 110 are the same as those in the first embodiment. The electronic identification card confirmation device 1200 is a device for confirming the electronic identification card 100, and has substantially the same structure as the electronic identification card confirmation device 120 of the first embodiment. Hereinafter, points different from the first embodiment will be mainly described.

In the electronic identification card confirmation apparatus 1200, the electronic identification card verification unit 140 has the same structure as the first embodiment and operates in the same manner. The certificate authority certificate / CRL storage disk 128 stores the electronic identification certificate authority certificate 182, the general certificate authority public key 183, and the CRL 18 as in the first embodiment.
4 is stored. The certificate authority certificate / CRL management unit 150 manages the electronic identification certificate authority certificate 182 and the CRL 184. Unlike the first embodiment, the certificate authority certificate / CRL management unit 150 has a certificate authority certificate management server access unit 153 and performs an operation different from that of the first embodiment. The connection form is the same as in the first embodiment.

The electronic identification certificate confirmation device 1200 has a communication network controller 160 and is connected to a certificate authority certificate management server 180 via a communication network 170. Communication network 170 may be a wired network or a wireless network.

The certificate authority certificate management server 180 manages the electronic identification certificate authority certificate 182 and the CRL 184.
The certificate authority certificate management server 180 has a certificate authority certificate management server disk 181. The certificate authority certificate management server disk 181 includes an electronic identification certificate authority certificate 182,
The CRL 184 is stored.

In the certificate authority certificate / CRL management unit 150,
The certificate authority certificate management unit 151 stores the electronic identification certificate authority 2
03, an electronic identification certificate authority certificate 182 is obtained.
The electronic ID certificate CA certificate 182 is the CA certificate / C
Whether it is obtained by searching the RL storage disk 128, or obtained from the certificate authority certificate management server 180,
Alternatively, it cannot be obtained. The CRL management unit 152 searches the CRL 184 from the certificate authority certificate / CRL storage disk 128.

Certificate Authority Certificate Management Server Access Unit 153
Is sent to the certification authority certificate management server 180 via the communication network 170 via the electronic identification certificate certification authority certificate 182.
Request. The certificate authority certificate management server 180 searches the certificate authority certificate management server disk 181 and returns the target electronic identification certificate certificate authority certificate 182 via the communication network 170, if any.

FIG. 13 is a diagram showing a system configuration of the electronic data processing system of the present embodiment. In the communication network 170, the electronic identification card confirmation device 1200, the certificate authority certificate management server 180, the electronic identification certificate authority 203,
The central certificate authority 200 is connected. In the present embodiment, there are a plurality of electronic identification certificate authorities 203 for each type of electronic identification card 100. In the present embodiment, a plurality of electronic identification card confirmation devices 1200 may exist.

The certificate authority certificate management server 180 stores the electronic identification certificate authority certificate 182, the central certificate authority public key 18
3. Copy the CRL 184 to the certificate authority certificate management server disk 1
81, and supplies it to the electronic identification card confirmation device 1200.

The electronic identification certificate authority 203 sends the new electronic identification certificate authority certificate 182
Is obtained, the electronic identification certificate authority certificate 182 is transferred to the certificate authority certificate management server 180 by the communication network 170.
Pass through. The certification authority certificate management server 180 stores the passed electronic identification certificate certification authority certificate 182 in the certification authority certificate management server disk 181.

When the CRL 184 is updated, the central certificate authority 200 passes it to the certificate authority certificate management server 180 via the communication network 170. The certificate authority certificate management server 180 stores the passed CRL 184 in the certificate authority certificate management server disk 181. In this embodiment, a plurality of certificate authority certificate management servers 180
May be installed for each region, for example.

In the present embodiment, the electronic identification card confirmation device 1200 includes an electronic identification certificate authority certificate 182, a CR
L184 and the central certificate authority public key 183 are obtained as follows.

The electronic identification certificate confirmation device 1200 obtains the electronic identification certificate certification authority certificate 182 necessary for confirming the electronic identification certificate 100 from the certification authority certificate management server 180 via the communication network 170.

The certificate authority certificate management server 180
When the CRL 184 is obtained, the CRL 184 is sent to the electronic identification card confirmation device 1200 via the communication network 170. Further, the general certification authority 200 stores the general certification authority public key 183 in an arbitrary storage medium and sends it to the electronic identification certificate confirmation device 1200.

Next, the operation flow of the electronic identification card confirmation apparatus 1200 according to the present embodiment will be described with reference to FIG. In the present embodiment, the electronic identification card confirmation device 12
The operation of 00 is the same as the operation of the electronic identification card confirmation device 120 described in the first embodiment with reference to FIGS. However, in the present embodiment, the operation of step 9108 in FIG. 10 is different from that of the first embodiment. FIG. 14 illustrates details of the operation of step 9108 in the present embodiment.

FIG. 14 is a flowchart showing a processing procedure of the electronic identification card confirmation apparatus 1200 of this embodiment.
In step 9108, the certificate authority certificate / CRL management unit 150
Retrieves the electronic identification certificate authority certificate 182 and the CRL 184 used when the electronic identification certificate authority digital signature 103 of the electronic identification card 100 is verified. That is, in the certificate authority certificate / CRL management unit 150, the certificate authority certificate management unit 151 stores the general certificate authority public key 183 and the CRL 184,
Search from the certificate authority certificate / CRL storage disk 128 (1
402).

Next, the certification authority certificate management unit 151 stores the certification authority certificate ID from the certification authority certificate / CRL storage disk 128.
A search is made for an electronic identification certificate authority certificate 182 having 1012 (1404). If the search is successful, the certificate authority certificate management unit 151 sets the electronic identity certificate authority certificate 182 and
The CRL 184 is returned to the digital signature verification unit 144 (141
8). If the search fails, the certificate authority certificate management unit 151
Requests the certificate authority certificate management server access unit 153 for the electronic identification certificate authority certificate 182 having the certificate authority certificate ID 1012 (1406).

Next, the certificate authority certificate management server access unit 153 sends the electronic identification certificate having the certificate authority certificate ID 1012 to the certificate authority certificate management server 180 via the communication network controller 160 and the communication network 170. It requests the station certificate 182 (1408).

Next, the certificate authority certificate management server 180
From the certificate authority certificate management server disk 181, the electronic identification certificate certificate authority certificate 18 having the certificate authority certificate ID 1012
Search for 2. If the search is successful, the electronic identification certificate authority certificate 182 is sent to the certificate authority certificate management server access unit 153.
If the search fails, a response indicating the search is returned (141).
0). If the search fails, the certificate authority certificate management unit 151 returns a response indicating the search failure to the electronic signature verification unit 144 (14
20).

If the search is successful, the certificate authority certificate management unit 1
51 checks whether the certification authority certificate ID 1821 of the electronic identification certificate certification authority certificate 182 is described in the CRL 184 (1412).

If there is a description, the certificate authority certificate management unit 151 sends a response indicating the search failure to the electronic signature verification unit 144.
(1420). In this case, the electronic identification certificate authority certificate 182 has expired, and the electronic identification card 100 verified by the electronic identification certificate authority public key 1823 of the certificate is regarded as invalid.

If there is no description in step 1412,
The certificate authority certificate management unit 151 stores the central certificate authority public key 183
Is used to verify the electronic signature 1824 of the central certificate authority of the digital certificate authority certificate 182 (1414). This operation is performed using the principle described with reference to FIG.

If the verification fails, the certificate authority certificate management unit 1
51 returns a response indicating the search failure to the electronic signature verification unit 144 (1420). If the verification is successful, the certificate authority certificate management unit 151 stores the electronic identification certificate authority certificate 182 in the certificate authority / CRL storage disk 128 (141).
6), the certificate authority certificate management unit 151 returns the electronic identification certificate authority certificate 182 and the CRL 184 to the electronic signature verification unit 144 (1418).

In this embodiment, the operation when the electronic identification card confirmation apparatus 1200 obtains the CRL 184 can be performed in the same manner as in Steps 1108 to 1114 in FIG. 11 of the first embodiment.

As described above, according to the present embodiment, the electronic identification card confirmation device 1200 is
The electronic identification certificate authority certificate 182 can be obtained from the certificate authority certificate management server 180 via the communication network 170 when it is required, and the electronic identification certificate authority certificate 182 can be verified.

Accordingly, the electronic identification card confirmation device 12
00 eliminates the need to previously store the electronic identification certificate authority certificates 182 of all the electronic identification certificate authority 203 in the certificate authority certificate / CRL storage disk 128. It is possible to reduce the required amount of 128 and the trouble of the administrator of the electronic identification certificate confirmation device 1200 to obtain the electronic identification certificate authority certificate 182.

For example, in the certificate ID certificate / CRL storage disk 128 of the electronic ID certificate checking device 1200, the electronic ID certificate certificate 182 of the electronic ID certificate authority 203 which is frequently checked is stored. , An electronic identification certificate authority certificate 182 of another electronic identification certificate authority 203
Is to obtain the electronic identification certificate authority certificate 182 from the certificate authority certificate management server 180 when it is necessary to confirm the electronic identification certificate 100 issued by the electronic identification certificate authority 203. be able to.

Even in such a case, according to the present embodiment, when the electronic identification certificate confirmation device 1200 obtains the electronic identification certificate authority certificate 182, the electronic identification certificate authority certificate 182 is verified. By doing so, it is possible to easily confirm that the authority of the electronic identification certificate authority 203 is guaranteed.

Also, an electronic identification certificate authority certificate 182
By examining the certificate, an electronic ID certificate authority certificate 1
82 and the electronic certificate authority public key 182 it contains
Since it is possible to detect that the electronic identification card 100 is forged, it is possible to detect that the electronic identification card 100 is forged.

Further, according to the present embodiment, the electronic identification card confirmation device 1200 transmits the CRL 184 to the communication network 1
70, and can be obtained from the certificate authority certificate management server 180 via the electronic certificate verification device 1200.
Of the CRL 184 can be reduced.

As described above, according to the electronic data processing system of the present embodiment, the physical information of the owner of the electronic data recorded on the electronic data recording medium and the electronic signature of the physical information are used to obtain the electronic data. Since the unauthorized use is detected, the unauthorized use of the electronic data recorded on the electronic data recording medium can be prevented.

(Embodiment 3) An electronic data processing system according to Embodiment 3 for issuing an electronic identification card having physical information indicating the physical characteristics of an owner and an electronic signature thereof will be described below.

The third embodiment is for explaining the operation of the issuing device of the electronic identification card 100, and for explaining the procedure for creating the electronic identification card 100. FIG.
This embodiment will be described with reference to FIG. First, FIG.
The structure of the issuing device of the electronic identification card 100 will be described with reference to FIG.

FIG. 15 is a diagram showing a schematic configuration of an electronic identification card issuing apparatus according to the present embodiment. As shown in FIG. 15, the electronic identification card issuing device 1220 of this embodiment includes an electronic identification card input / output unit 1241, an electronic identification information input unit 1242, a physical information input unit 1243, and an electronic signature creation unit. 1244 and an electronic identification card creating unit 1245.

The electronic identification card input / output unit 1241 performs input / output processing with the electronic identification certificate storage medium 110 via the storage medium input / output device 121 and is created by the electronic identification card creation unit 1245. Electronic identification card 100
Is written into the electronic identification certificate storage medium 110.

The electronic identification information input unit 1242 is a processing unit for inputting the identification information 1013 of the electronic identification information 101. The physical information input unit 1243 is a processing unit that reads the physical information 102 of the owner of the electronic identification information 101 via the physical information input device 122.

The electronic signature creation unit 1244 is a processing unit that creates an electronic signature certificate authority digital signature 103 for the electronic identification information 101 and the physical information 102. The electronic identification card creation unit 1245 includes the electronic identification card information 101,
The processing unit creates an electronic identification card 100 having the physical information 102 of the owner of the electronic identification certificate information 101 and the electronic signature certificate authority digital signature 103.

The electronic identification card issuing device 1220 is connected to the electronic identification card input / output unit 1241, the electronic identification information input unit 1242, the physical information input unit 1243, and the electronic signature creation unit 1
It is assumed that the program for functioning as the 244 and the electronic identification card creating unit 1245 is recorded on a recording medium such as a CD-ROM, stored on a magnetic disk or the like, and then loaded into a memory and executed. The medium on which the program is recorded may be a medium other than the CD-ROM.

In the present embodiment, the electronic identification card issuing device 1220 is installed in the electronic identification certificate authority 203. An electronic identification certificate authority disk 205 is connected to the electronic identification certificate issuing device 1220.

The electronic identification certificate issuing device 1220 has a program in the memory 130, which includes an electronic identification certificate issuing unit 1240 and a certificate authority private key management unit 1250. In addition, similarly to the electronic identification card confirmation device 120, a storage medium input / output device 121, a physical information input device 122, a display 123, a CPU 124, a keyboard 125, a mouse 1
26.

[0177] The electronic identification card issuing unit 1240 creates the electronic identification card 100 of the applicant of the electronic identification card 100. The certificate authority private key management unit 1250 searches the electronic certificate authority disk 204 for the electronic certificate authority private key 204 used to create the electronic certificate authority digital signature 103 of the electronic identity card 100. I do.

Next, the processing of the electronic identification card issuing unit 1240 will be described with reference to FIG. In the present embodiment, before the operation in FIG. 16, the electronic identification certificate authority 203 completes the examination as to whether the applicant has sufficient qualification to own the electronic identification card 100, and Book 100
Has been certified.

FIG. 16 is a flowchart showing the processing procedure of the electronic identification card issuing unit 1240 of this embodiment. In FIG. 16, first, the applicant of the electronic identification card 100 inserts the electronic identification card storage medium 110 into the storage medium input / output device 121.
(1302). The applicant of the electronic ID card 100 inputs the password 112a of the electronic ID card storage medium 110 via the keyboard 125 (1304).
Then, the electronic identification card input / output unit 1241 compares the inputted personal identification number 112a with the personal identification number 112 (130).
6).

If the personal identification number 112a and the personal identification number 112 do not match, the electronic identification card 100 cannot be issued, and the process ends. If they match, the applicant for the electronic identification card 100 inputs information for the identification information 1013 of the electronic identification information 101 using the keyboard 125 or the mouse 126 (1308). In the present embodiment, this procedure may be performed by the issuer of the electronic identification card 100.

Next, the electronic identification information input unit 1242 of the electronic identification card issuing unit 1240 receives the input information and creates identification information 1013 (1310).

The applicant for the electronic identification card 100 inputs information for the physical information 102 using the physical information input device 122 (1312), and the physical information input section 1243
It receives the input information and creates the physical information 102 (1314).

The electronic identification card creating unit 1245 determines the electronic identification certificate ID 1011 of the electronic identification certificate information 101, checks the own certificate ID certificate 1821 of the electronic identification certificate authority certificate 182, and checks the electronic identification certificate ID. The certificate information 101 is created (1316).

The digital signature creating unit 1244 reads its own digital certificate authority CA private key 204 from the electronic certificate authority disk 205 via the certificate authority private key management unit 1250 (1318).

Next, the electronic signature creating unit 1244 uses the electronic identification certificate authority private key 204 as the electronic signature target data 501 with the electronic identification certificate information 101 and the physical information 102 as the electronic signature certificate authority digital signature. 103 is created (1320).

The electronic identification card creating unit 1245 creates the electronic identification card 100 from the electronic identification certificate information 101, the physical information 102, and the electronic identification certificate authority digital signature 103 (1322). Electronic identification card input / output unit 124
1 writes the electronic identification card 100 in the electronic identification certificate storage medium 110 (1324). Lastly, the electronic identification card input / output unit 1241 adds the electronic identification card list 111 to the electronic identification card list 111.
Add an entry for the electronic ID card (132
6).

As described above, according to the present embodiment, the identification information is realized as electronic data, and the physical information 102 and the electronic identification certificate authority digital signature 1 for the physical information 102 are provided.
03 can be created.

(Embodiment 4) An electronic data processing system according to Embodiment 4 for compressing and restoring physical information indicating physical characteristics of an owner will be described below.

In the first embodiment, the physical information 102 of the electronic identification card 100 is the data itself indicating the physical characteristics of the owner of the electronic identification card. In the present embodiment, the physical information 102 is data obtained by compressing data indicating the physical characteristics of the owner of the electronic identification card.

In the present embodiment, the electronic identification card issuing device 1220 has a processing unit that compresses the physical information input by the applicant of the electronic identification card 100 and converts it into physical information 102. Further, the electronic identification card confirmation device 120 has a processing unit for restoring the physical information 102 of the electronic identification card 100 to the physical information before compression.

As described above, according to the present embodiment, the size of the electronic identification card 100 can be reduced.

(Embodiment 5) An electronic data processing system of Embodiment 5 for encrypting the identity information of the owner will be described below.

In the first embodiment, the identification information 1013 of the electronic identification card 100 is not encrypted. In the present embodiment, the identity information 1013 is encrypted electronic data.

In this embodiment, an encryption key for encrypting the identification information 1013 is stored in the electronic identification certificate authority disk 205 of the electronic identification certificate issuing device 1220, and the electronic identification certificate issuing device 1220 stores the identification key. A processing unit for encrypting 1013 is provided.

Further, an encryption key for decrypting the identification information 1013 is stored in the certificate authority certificate / CRL storage disk of the electronic identification certificate confirmation device 120, and the electronic identification certificate confirmation device 12
0 has a processing unit for decoding the identity information 1013.

[0197] The electronic identification card confirmation device 120
An encryption key for decrypting the identity information 1013 is obtained. For example, it is obtained when the general certification authority public key 183 is obtained. In the present embodiment, the identity information 1013 is encrypted. However, the identity information 102 can be encrypted in the same manner.

As described above, according to the present embodiment, the identification information 1013 and the physical information 102 in the electronic identification card 100 can be kept secret.

(Embodiment 6) An electronic data processing system according to Embodiment 6 for adding arbitrary information and its electronic signature will be described below.

The electronic identification card of the present embodiment enables arbitrary information to be added to the electronic identification card after the electronic identification card is issued, and guarantees that the added information is certain. It is. This embodiment will be described with reference to FIGS.

FIG. 17 is a diagram showing the structure of the electronic identification card of the present embodiment. The electronic ID card 1700 includes the electronic ID card information 101, the physical information 102, the electronic ID card 103, and the additional information certificate 1702, similarly to the electronic ID card 100 of the first embodiment.
Electronic data.

The additional information certificate 1702 is used when the electronic identification card 1700 is confirmed.
Is electronic data for holding information to be added and guaranteeing its contents.

The additional information certificate 1702 is a certificate authority certificate
An ID 1012, additional information 1704, and an additional information certificate authority digital signature 1706 are provided.

[0203] The additional information 1704 is arbitrary information created by an organization other than the electronic identification certificate authority 203 that is the issuing organization of the electronic identification information 101, and has confirmed the electronic identification card 1700. Electronic ID card 1700
Is the information to be added to Additional Information Certification Authority Electronic Signature 17
Reference numeral 06 denotes an electronic signature created by a private key of an organization that adds the additional information 1704 to the electronic identification card 1700, and is an electronic signature using the additional information 1704 as target data. The certificate authority certificate ID 1012 is a unique number of an encryption key certificate of an organization that adds the additional information 1704 to the electronic identification card 1700.

In the present embodiment, it is assumed that the additional information certificate issuing device shown in FIG. 18 is installed in the institution where the electronic identification certificate checking device 120 of the first embodiment is installed. In the present embodiment, such an organization is referred to as an additional information certification authority. FIG.
The structure and operation of the additional information certificate issuing device will be described with reference to FIG.

FIG. 18 is a diagram showing a schematic configuration of the additional information certificate issuing device of the present embodiment. As shown in FIG. 18, the additional information certificate issuing device 1920 of this embodiment includes an additional information certificate input / output unit 1941, an additional information certificate information input unit 1942, an electronic signature creation unit 1944, an additional information certificate And a creation unit 1945.

The additional information certificate input / output unit 1941 is a processing unit that adds the additional information certificate 1702 to the electronic identification certificate 1700 and writes the same into the electronic identification certificate storage medium 110.
The additional information certificate information input unit 1942 is a keyboard 125
And a processing unit that receives additional information 1704 input via the mouse 126.

The digital signature creating section 1944 adds the additional information 170
4 is a processing unit that creates an additional information certificate authority digital signature 1706 for the key 4 using the additional information certificate authority private key 1961. The additional information certificate creating unit 1945 generates the additional information certificate authority certificate 1
The processing unit creates an additional information certificate 1702 by combining the unique number 962, the additional information 1704, and the created additional information certificate authority digital signature 1706.

A program for causing the additional information certificate issuing device 1920 to function as the additional information certificate input / output unit 1941, the additional information certificate information input unit 1942, the electronic signature creation unit 1944, and the additional information certificate creation unit 1945 is as follows. C
After being recorded on a recording medium such as a D-ROM and stored on a magnetic disk or the like, it is loaded into a memory and executed. The medium for recording the program is a CD-ROM.
Other media other than the above may be used.

[0209] The additional information certificate issuing device 1920 includes the electronic identification certificate confirmation device 120 and the electronic identification certificate issuing device 1.
Similarly to 220, a storage medium input / output device 121, a physical information input device 122, a memory 130, a display 123, a CPU 124, a keyboard 125, a mouse 12
6. A bus 127 is provided.

[0210] In the memory 130, there are programs such as an additional information certificate issuing unit 1940 and a certificate authority private key managing unit 1950. In addition, additional information certification authority disk 1
960. The additional information certificate authority disk 1960 includes an additional information certificate authority private key 1961 and an additional information certificate authority certificate 1
962 are stored.

[0211] The additional information certificate authority certificate 1962 is an encryption key certificate of a public key forming an encryption key pair with the additional information certificate authority private key 1961. The additional information certificate authority certificate 1962 is
It is assumed that the certificate is issued from the same organization as the general certification authority 200 of the first embodiment, and is passed to and stored by the same organization as the certification authority certificate management server 180 of the second embodiment. The additional information certificate issuing unit 1940 operates as follows.

[0212] The additional information certificate information input unit 1942 receives the additional information 1704 input via the keyboard 125 or the mouse 126, and the electronic signature creation unit 1944 adds the additional information certification authority electronic signature 1706 to the additional information 1704.
Is created using the additional information certificate authority private key 1961.

[0213] The additional information certificate creation unit 1945 includes the unique number of the additional information certificate authority certificate 1962 and the additional information 1704.
The additional information certificate input / output unit 1941 adds the additional information certificate 1702 to the electronic identification certificate 1700 to create the additional information certificate 1702 by combining the created additional information certificate authority digital signature 1706 and the electronic identification certificate. Write to the storage medium 110. In the present embodiment, the content of the additional information 1704 is guaranteed by applying the electronic signature of the issuing organization to the additional information 1704.

In this embodiment, the electronic identification card 17
00 is, for example, a passport. In this case, the additional information 1704 can be considered as, for example, proof information for immigration control, and the additional information certificate authority digital signature 1706 can be, for example, a proof stamp for immigration control. Here, the immigration authority can be considered as an additional information certification authority.

At the immigration control agency, an electronic identification card confirmation device 120 and an additional information certificate issuing device 1920 are installed. The immigration authority checks the electronic ID card 1700, which is the passport of the applicant for examination, by the electronic ID confirmation device 120 in the same manner as in the first embodiment, and thereafter, the additional information certificate 1702 by the additional information certificate issuing device 1920. Is created and added to the electronic identification card 1700.

If another organization needs to confirm the additional information later, the organization verifies the additional information certificate authority digital signature 1706 of the additional information certificate 1702. Additional Information Certificate Authority Certificate 196 Required for this Certification Operation
2 can be obtained from an organization similar to the certificate authority certificate management server 180 of the first embodiment.

As described above, according to the present embodiment, every time the electronic ID card 1700 is confirmed by various organizations, the information that the organization guarantees the contents is transmitted to the electronic ID card 17.
00, it can be confirmed later whether the owner of the electronic identification card 1700 has been awarded the information guaranteed by the institution.

(Embodiment 7) An electronic data recording medium of Embodiment 7 for storing physical information of an electronic identification card as a separate structure will be described below.

FIG. 19 is a diagram showing an outline of an electronic identification card and a storage medium thereof according to the present embodiment. The electronic identification card 2000 according to the present embodiment includes the electronic identification certificate information 101 and the electronic signature certificate authority digital signature 2002.
The electronic identification card 2000 does not include the physical information 102, unlike the electronic identification card 100 of the first embodiment. The electronic identification certificate authority digital signature 2002 is an electronic signature for the electronic identification certificate information 101 as target data.

On the other hand, in the present embodiment, the physical information certificate 20
20 are provided. The physical information certificate 2020 is the physical information 1
02, which is electronic data for guaranteeing the content of the physical information 102. Certificate of physical information 202
0 is issued by one of the electronic identification certificate authorities 203 of the first embodiment.

The physical information certificate 2020 is composed of physical information certificate information 2021 and a physical information certification authority digital signature 2023. The physical information certificate information 2021 includes a physical information certificate ID 2022, a certificate authority certificate ID 1012, and physical information 102. Physical Information Authority Electronic Signature 202
Reference numeral 3 denotes an electronic signature that uses the physical information certificate information 2021 as target data.
03.

[0222] The physical information certificate ID 2022 is a unique number of the physical information certificate. Certificate Authority Certificate ID 1012
Is the electronic identification certificate authority certificate 1 of the electronic identification certificate authority 203 that created the physical information authentication authority electronic signature 2023.
82 is a unique number.

In this embodiment, the electronic identification certificate storage medium 2010 is a storage medium for storing the electronic identification certificate 2000. The electronic identification certificate storage medium 2010 stores an electronic identification certificate list 111 and a personal identification number 112, like the electronic identification certificate storage medium 110 of the first embodiment. The electronic identification certificate storage medium 2010 stores a physical information certificate 2020 and an electronic identification certificate 2000. The electronic identification card storage medium 2010 stores a single physical information certificate 2
020 and a plurality of electronic identification cards 2000.

In this embodiment, the electronic identification card 2000
Has the same configuration as the electronic identification card confirmation device 120 of the first embodiment. However, in the present embodiment, the electronic signature verification unit 144 of the electronic identification certificate verification unit 140 performs verification of the electronic signature certificate authority digital signature 2002 and verification of the physical information certification authority digital signature 2023. The physical information verification unit 146 transmits the physical information certificate 2020.
The input physical information 102a is inspected using the physical information 102 contained therein.

As described above, according to the present embodiment, the physical information 1
Since 02 is not included in the electronic identification card 2000, the size of the electronic identification card 2000 can be reduced as compared with the electronic identification card 100 of the first embodiment.

[0226]

According to the present invention, unauthorized use of the electronic data is detected by the physical information of the owner of the electronic data recorded on the electronic data recording medium and the electronic signature for the physical information. It is possible to prevent unauthorized use of electronic data recorded on a medium.

[Brief description of the drawings]

FIG. 1 is a diagram showing a schematic structure of a data structure of an electronic identification card, a storage medium for storing the electronic identification certificate, and an electronic identification certificate confirmation device according to a first embodiment.

FIG. 2 is a diagram illustrating a system configuration of an electronic data processing system according to the first embodiment.

FIG. 3 is a diagram illustrating the concept of an electronic identification certificate authority 203 according to the first embodiment.

FIG. 4 is a diagram showing the data structures of an electronic identification card 100, an electronic identification certificate authority certificate 182, and a CRL 184 according to the first embodiment.

FIG. 5 is a diagram illustrating the principle of creation of the electronic identification card 100 according to the first embodiment.

FIG. 6 is a diagram illustrating the principle of confirmation of the electronic identification card 100 according to the first embodiment.

FIG. 7 is an electronic identification certificate authority certificate 18 according to the first embodiment.
FIG. 4 is a diagram showing the principle of confirmation of No. 2;

FIG. 8 is a diagram illustrating an outline of an electronic identification card list 111 according to the first embodiment.

FIG. 9 is a flowchart showing a processing procedure of a process in which the electronic identification card confirmation device 120 of the first embodiment confirms the electronic identification card 100.

FIG. 10 is a flowchart showing a processing procedure of a verification process of an electronic signature 103 of the electronic identification certificate authority of the electronic identification card 100 in the operation of the verification device of the electronic identification card 100 of the first embodiment.

FIG. 11 is an electronic identification card confirmation device 120 according to the first embodiment.
Is a flowchart showing a processing procedure for obtaining an electronic identification certificate authority certificate 182 and a CRL 184.

FIG. 12 is a diagram showing an outline of a data structure of an electronic identification card 100 according to a second embodiment, a storage medium for storing the electronic identification card 100, and a confirmation device thereof.

FIG. 13 is a diagram illustrating a system configuration of an electronic data processing system according to a second embodiment.

FIG. 14 is an electronic identification card confirmation device 120 according to the second embodiment.
9 is a flowchart illustrating a processing procedure of No. 0.

FIG. 15 is a diagram illustrating a schematic configuration of an electronic identification card issuing device according to a third embodiment.

FIG. 16 is an electronic identification card issuing unit 1240 according to the third embodiment.
6 is a flowchart showing the processing procedure of FIG.

FIG. 17 is a diagram illustrating a structure of an electronic identification card according to a sixth embodiment.

FIG. 18 is a diagram illustrating a schematic configuration of an additional information certificate issuing device according to a sixth embodiment.

FIG. 19 is a diagram showing an outline of an electronic identification card and a storage medium thereof according to a seventh embodiment.

[Explanation of symbols]

100: electronic identification card, 101: electronic identification information, 102: physical information, 103: electronic signature certificate authority digital signature, 110: electronic identification certificate storage medium, 111:
List of electronic identification cards, 112: personal identification number, 120: electronic identification card confirmation device, 121: storage medium input / output device, 122: physical information input device, 123: display, 124: CPU, 125: keyboard, 126: mouse 127, bus, 128, certificate authority certificate / CRL storage disk, 130, memory, 140, electronic identification certificate verification unit, 150, certificate authority certificate / CRL management unit, 141, electronic identification card input / output unit, 142: electronic identification confirmation display section; 143: physical information input section; 144: electronic signature verification section; 145: electronic identification information analysis section; 146: physical information verification section; 151: certificate authority certificate management section; 152 ... CR
L management unit, 182: Electronic ID certificate authority certificate, 18
3 ... Public Certificate Authority Public Key, 184 ... CRL, 200 ... Primary Certificate Authority, 201 ... Primary Certificate Authority Private Key, 202 ... Primary Certificate Authority Disk, 203 ... Electronic Identity Certificate Authority, 204 ... Electronic Identity Certificate Authority Private key, 205: Electronic identification certificate authority disk, 311: Person A, 312: Person B, 100
DESCRIPTION OF SYMBOLS 1 ... Driving license, 1002 ... Passport, 1003 ... Passport, 1004 ... A university student card, 1101 ... Electronic identification storage medium A, 1102 ... Electronic identification storage medium B, 2031 ... Driving license issuing organization, 2032 … Passport issuing organization, 2033… A University student ID issuing organization, 1
011: Electronic ID card ID, 1012: Certificate Authority certificate I
D, 1013 ... ID information, 1821 ... CA certificate ID,
1823 ... Electronic ID Certificate Authority Public Key, 1824 ... General Certification Authority Electronic Signature, 1841 ... CRLID, 1842 ... Electronic ID Certificate ID, 1843 ... Certificate Authority Certificate ID, 1844 ...
Digital certificate of the central certificate authority, 501 ... Data for electronic signature, 6
01 ... Electronic signature target data, 701 ... Electronic signature target data, 802 ... Electronic identification certificate type, 804 ... Electronic identification certificate authority name, 1200 ... Electronic identification certificate confirmation device, 1
53: Certificate Authority Certificate Management Server Access Unit, 160: Communication Network Controller, 170: Communication Network, 180: Certificate Authority Certificate Management Server, 181: Certificate Authority Certificate Management Server Disk, 1220: Electronic Identity Certificate Issuing Device, 1240 ... Electronic ID issuing unit, 1250
... Certificate authority private key management unit, 1241... Electronic identification card input / output unit, 1242.
... Physical information input unit, 1244 ... Electronic signature creation unit, 124
5: electronic identification card creation unit, 1700: electronic identification card, 1702: additional information certificate, 1704: additional information,
1706: additional information certificate authority digital signature, 1920: additional information certificate issuing device, 1940: additional information certificate issuing unit,
1950: CA private key management unit, 1960: Additional information CA disk, 1961: Additional information CA private key, 19
62 additional information certificate authority certificate, 1941 additional information certificate input / output unit, 1942 additional information certificate information input unit, 1
944: Digital signature creation unit, 1945: Additional information certificate creation unit, 2000: Electronic identification certificate, 2002: Electronic signature certificate authority digital signature, 2010: Electronic identification certificate storage medium, 2020: Physical information certificate, 2021 ... physical information certificate information, 2022 ... physical information certificate ID, 2023 ...
Digital signature of the Physical Information Authority.

Claims (11)

[Claims] 1. An electronic data confirmation method for confirming whether or not electronic data recorded on an electronic data recording medium belongs to a holder holding the electronic data recording medium. Verifying the electronic signature of the physical information indicating the physical characteristics of the owner of the electronic data, reading the physical information of the holder of the electronic data recording medium, and reading the physical information of the holder and the owner of the electronic data Examining whether or not the physical information matches the physical information of the electronic data. 2. The step of verifying an electronic signature on the physical information comprises verifying the electronic signature on the physical information of the owner of the electronic data using an encryption key of an electronic data certification authority which is an issuing organization of the electronic data. The electronic data confirmation method according to claim 1, wherein: 3. The step of verifying an electronic signature of the physical information includes checking whether an electronic certificate for an encryption key of an electronic data certification authority, which is an issuing organization of the electronic data, has not been revoked, and 2. The electronic device according to claim 1, wherein the authentication key of the electronic data certification authority is verified using a certificate, and the electronic signature for the physical information is verified using the encryption key for which the verification is successful. Data confirmation method. 4. The method according to claim 1, further comprising the step of verifying an electronic signature for an arbitrary electronic data created by an authority different from the electronic data certification authority.
An electronic data confirmation method according to any one of the above. 5. An electronic data issuance method for issuing an electronic data recording medium on which electronic data has been recorded, comprising: reading physical information indicating physical characteristics of an owner of the electronic data recorded on the electronic data recording medium; An electronic data issuance method comprising: creating an electronic signature for the electronic data; and recording the electronic data, physical information, and the electronic signature on an electronic data recording medium. 6. A step of adding, to the electronic data recording medium, arbitrary electronic data created by an organization different from an electronic data certification authority that is an issuing organization of the electronic data, and an electronic signature for the arbitrary electronic data. 6. The electronic data issuing method according to claim 5, comprising: 7. An electronic data confirmation device for confirming whether or not electronic data recorded in an electronic data recording medium belongs to a holder holding the electronic data recording medium, wherein the electronic data is recorded on the electronic data recording medium. An electronic signature verification unit for verifying an electronic signature for physical information indicating physical characteristics of the owner of the electronic data; a physical information input unit for reading physical information of a holder of the electronic data recording medium; and the physical information input unit. An electronic data confirmation device, comprising: a physical information verification unit that verifies whether the read physical information of the holder matches the physical information of the owner of the electronic data. 8. An electronic data issuing device for issuing an electronic data recording medium on which electronic data is recorded, wherein a physical information input section for reading physical information indicating physical characteristics of an owner of the electronic data recorded on the electronic data recording medium. An electronic signature creating unit that creates an electronic signature for the physical information; an electronic data creating unit that creates the electronic data, physical information and data having the electronic signature; An electronic data issuing apparatus comprising: an electronic data input / output unit that records data on a data recording medium. 9. A program for causing a computer to function as an electronic data confirmation device for confirming whether or not electronic data recorded in an electronic data recording medium belongs to a holder holding the electronic data recording medium. An electronic signature verification unit for verifying an electronic signature for physical information indicating physical characteristics of an owner of the electronic data recorded on the electronic data recording medium, and reading physical information of a holder of the electronic data recording medium. A physical information input unit, and a program for causing a computer to function as a physical information verification unit for verifying whether the physical information of the holder read by the physical information input unit matches the physical information of the owner of the electronic data. A medium having recorded thereon. 10. A medium in which a program for causing a computer to function as an electronic data issuing device for issuing an electronic data recording medium on which electronic data is recorded is recorded, wherein a body of an owner of the electronic data recorded on the electronic data recording medium is provided. A physical information input unit that reads physical information indicating physical characteristics, an electronic signature creating unit that creates an electronic signature for the physical information, and an electronic data creating unit that creates the electronic data, physical information, and data having the electronic signature. And a program for causing a computer to function as an electronic data input / output unit for recording data created by the electronic data creation unit on an electronic data recording medium. 11. An electronic data recording medium which records electronic data owned by a specific owner, comprising: electronic data owned by the owner; physical information indicating physical characteristics of the owner; An electronic data recording medium on which data having an electronic signature is recorded.