535380 五、發明說明(1 ) 本發明是有關於(尤其是由電子晶片載入系統之)不可 捨棄之簽字產生方法。 本發明還有關於使用此方法載入系統,尤其是晶片卡。 在本發明之範圍內,’’載入系統”此名詞可應該以最廣 的意義來理解。它尤其是關於所有種類之輕便之終端機 ’其配備了電子晶片,並且更特別是適當稱爲晶片卡的 電子晶片。此電子晶片配備了數位資料登錄與處理裝置 ,例如是用於數位資料處理裝置之微處理器。 爲了確定觀念而沒有限制其範圍,以下將其置於本發 明較佳的實施例中,即,以電子晶片爲主的應用中,而 沒有作相反的陳述。 近幾伴來,電子形式之元件交換(尤其是經由網際網 路)快速增加。然而此種增加造成若干問題。特別是在傳 統形式元件(即,以紙張形式)的情況中,通常須要附上 簽字,(並且此文件發出者之沒有模糊不淸而被確認的簽 字),並且不會被收件人拋棄。 一直到最近之時期,只有π紙張”的文件可以作爲證明 ,在許多國家中,法律要求原始手寫的簽字。然而,在 電子的環境中,元件之原本(例如是契約)’無法以任何 方式與所拷貝之副本區別。 然而存在此等技術其允許執行可以察覺之如同傳統手 寫簽字之特徵之全部或部份功能。此等技術通常使用編 密(碼技術),其與證書之確認有關或無關。此電子簽字 是二位元(binary)之序列通常藉由將訊息編密(碼)而獲得 535380 五、發明說明(3) ,而另一種在指令中稱爲”複雜”。它是關於一種電子簽 字,”其滿足以下之需求”: (a) 被單獨唯一地連接至簽字者; (b) 能夠辨識此簽字者 (c) 其由此裝置所產生,使待簽字者可以保持其專有之控 制;以及 (d) 被連接至資料,對於它提醒,使得此資料外部之修正 是可以偵測的。 本發明尤其特別是針對第二種型式之電子簽字。爲了 如此作,必須運用保全裝置,使用一種資料(簽字)編密 方法,在指令中此確認(certificat)稱爲”給予資格”, •’qualify”,以作管理器(authority),稱爲”確認服務之提 供者”,其以下稱爲”確認管理器”。此確認管理器尤其 產生一*種公開錄匙’而由晶片卡使用於上述的過程中。 在事實上以實際的方式而言,應該使用非對稱之編密 方法。根據此等方法,使用一種私人的簽字鑰匙,也就 是說由簽字者所持有掌握之秘密鑰匙,以及查核簽字之 公開鑰匙。在事實上,在以晶片卡爲主之應用中,此私 人鑰匙是記錄於簽字者之晶片卡之不消逝記憶體的區域 中,”ROM”、"EEPR0M”或等同型式的記憶體中。 此非對稱之編密方法是被認爲不可拋棄,因爲此簽字 之查核者(此方法固有特性之事實),不能夠簽字。 爲了確定觀念,一種眾所周知並且廣泛使用之非對稱 535380 五、 發明說明 ( Ο 編 密 方 法 之 例 子 是 由 稱爲” RS A ”(其發明者的名字爲 Ri ve St 3h am in 以 及 Adleman)的方法所構成。此方S 說 明 可 以 在 美 國 專 利 US-A-4405829 中找到。 雖 然 有 效 此 非 對 稱 之編密方法並不因此而免除不 便 它 在 事 實 上 是 精 巧 並 且使用起來是昂貴的。 首 先 須 要 產 生 以 及管理與此使用者所配備之電 子 簽 字 裝 置 同 樣 多 的 和 人 /公開綸匙對(pair)。 其 次 此 非 對 稱 之 編 密方法須要不可忽略之資訊資 源 其 至 少 是 須 要 通 常 由 電子晶片所提供者。它尤其須 要 設 置 數 學 之 共 同 處 理 器 ,以執行編密/解密計算。 於 是 電 子 晶 片 之 成 本(其提供非對稱編密所須之計算 能 力 ), 是日; ί顯地高於巨 1前由其他之應用系統之機組所 使 用 傳 統 晶 片 之 成 本 要 高。然而,對於非常廣泛使用 之 元 件 之 成 本 之 考 慮 是 極 其重要的。 人們 可 以 設 想 運 用 對 稱之編密方法,其對資訊資源 之 要 求 較 不 嚴 格 〇 然 而 此 對稱編密方法由於其本身之特 性 , Μ j\\\ 法 確 保 其 所 追 求 之 ’’不可放棄’’的情況,因爲簽字 的 查 核 者 可 以 同 樣 地 簽 字 ,因爲他在一開始就先天地與 簽 字 處 於 相 同 的 情 況 中 〇 本 發 明 的 S 的 在 於 減 輕習知技術之方法與裝置之不 便 , 其 某 一 些 剛 才 提 過 5 而完全滿足其所感受的需求。 本 發 明 所 確 定 的 巨 標 是建立一種產生不放棄簽字的 方 法 , 其 尤 其 適 用 於使 用 輕便終端機之應用,例如是電 子 晶 片 載 入 系 統 以 及 更 特別是晶片卡載入系統,其特 -6- 徵 535380 五、發明說明(5) 之一是提供有限之資訊資源。 爲了如此作’根據有利之特徵,此根據本發明之方法 將對稱之編密法配合靜態之非對稱編密法,而瞭解此等 使用於非對稱編密法中之作業是無法於載入終端機中實 施。於是它不須要賦予擴大之計算能力,尤其不須要設 置數學之共同一處理器。 在本發明之第一實施形式中,此方法包括初步階段, 其包括以下之主要步驟: 1 ·將所有的晶片卡配備兩對稱爲f’起源”的簽字鑰匙,此 兩對鑰匙對於所有的晶片卡均相同。 2.此晶片卡之每一個同樣地接收兩個各晶片卡特有的不 同的鑰匙,其根據此對”起源”鑰匙計算而得,以及接 收所討論中晶片卡特有之辨識件(identifier)(及/或所 有其他之辨識其所有者之資訊)以及此辨識件中之內 容。此等不同鑰匙之計算是運用對稱之編密方法而實 施,其較佳但非獨自專屬地要求稱爲”三個字DES” (代表,,資料編密標準,,:丨,Data Encryption Standard”) 的方法而實施。 此晶片卡之辨識件(以及也許其他的資訊)是由稱爲’’確 認,,管理器所持有之私人(即’秘密)鑰匙所確認。此確 認件(certificate)在晶片卡中伴隨者辨識件中而構成曰曰 片卡持有者之,,簽字資格,,。此確認件是使用非對稱形 式之編密的方法(較佳是上述”RSA,,方法)而計算。然 而應該充分瞭解所須之計算是由確認管理者 535380 五、 發明說明 (_ 〇 此 簽 字 之 計 算 是 藉 助 於 上述不同的鑰匙,藉由 將 欲傳 送 之 資 料 編 密 碼 而 實 施 , 其請求對稱編密算法之 協 助, 較 佳 是 如 同 先 前 所 顯 示 之 ” DES”之協助而達成。 此 簽 字 之 重 新 組 成 與 查 核,是由一或數個收件 人 經由 等 同 編 密 之 作 業 藉 助 於 不同的簽字鑰匙而實施 , 其重 新 組 成 是 由 — 或 多 個 收 件 人以及相同的對稱算法 實 施。 此 簽 字 者 同 樣 傳 送 其 確 認 件與辨識資料而用於初 步 階段 之 步 驟 (3)之 .ι-ί -舅 此確読 (件由收件人藉助於上述之公 開 鐘 匙 而 查 核 〇 它 請 求 非 對稱算法之協助。此所 須 之計 算 可 以 由 晶 片 卡 之 宿 主 (h 〇st)終端機實施。 根 據 本 發 明 方 法 之 第 二 實施形式,它同樣包括 初 步階 段 之 步 驟 之 主 要 部 份 , 然 而此兩個不同鑰匙之一 是 依據 兩 對 ”起源” 繪 匙 之 一 以 及收件人之辨識資料而獲 得 ,並 且 不 再 如 同 於 第 —* 變 化例 中之發件人之辨識資料 而 獲得 〇 根 據 此 變 化 例 只 有 收件人能夠查核發件人之 簽 字。 除 了 此 例 外 此 項 查 核 以 如同先前相同的方式實 施 〇 人 們 察 覺 到 在 此 兩 個 實施形式中,所有的晶 片 卡均 擁 有 此 兩 對 之 π起源” 鑛 匙 ,這從保全的觀念而言 會 出弱 點 〇 此 外 在 與 此 兩 個 實 施 模式相符合之較佳之變 化 例中 , 爲 了 增 加 本 方 法 之 耐 用 性,而在每個晶片卡中 增 加一 對 不 同 的 鑰 匙 其 與 屬 於 確認管理器的兩對確證 (authenti catio η) 鑛 匙 是 不 同的。此項作業是在初 步 階段 之 補 充 步 驟 中 實 施 〇 -9- 535380 五、發明說明(8)535380 V. Description of the invention (1) The present invention relates to a method for generating signatures (especially by electronic chip loading system). The invention also relates to loading systems, especially chip cards, using this method. Within the scope of the present invention, the term "loading system" should be understood in the broadest sense. It is particularly relevant to all kinds of lightweight terminals, which are equipped with electronic chips, and more particularly appropriately called Electronic chip of chip card. This electronic chip is equipped with a digital data registration and processing device, such as a microprocessor for a digital data processing device. In order to determine the concept without limiting its scope, the following is placed in the present invention. In the embodiments, that is, electronic chip-based applications, the contrary is not stated. In recent years, the exchange of components in electronic form (especially via the Internet) has increased rapidly. However, this increase causes several problems ... especially in the case of traditional form elements (i.e. in paper form), usually a signature is required (and there is no vague and confirmed signature of the sender of this document) and it will not be abandoned by the recipient Until recently, only "pi paper" documents could serve as proof, and in many countries the law required original handwritten signatures. However, in an electronic environment, the original (for example, a contract) of the component cannot be distinguished from the copied copy in any way. However, there are technologies that allow to perform all or part of the functions that are perceptible like traditional handwritten signatures. These technologies usually use encryption (coding technology), which is related to or not related to the confirmation of the certificate. This electronic signature is a binary sequence. It is usually obtained by encrypting (code) the message. 535380 5. Invention Description (3), and the other is called "complex" in the instruction. It is about an electronic signature that "meets the following needs": (a) is individually and uniquely connected to the signatory; (b) is able to identify the signatory; (c) is generated by this device so that the person to be signed can Maintain its proprietary control; and (d) be connected to the data, alerting it so that external corrections to this data are detectable. The invention is particularly directed to a second type of electronic signature. In order to do this, a security device must be used, using a method of data (signature) encryption. In the instruction, this certification is called "qualification", and "qualify" as the authority, called " "Confirmation service provider", which is hereinafter referred to as "confirmation manager". This confirmation manager generates, in particular, a * public record key 'and is used by the chip card in the above process. In fact, in a practical way Asymmetric encryption methods should be used. According to these methods, a private signature key, that is, the secret key held by the signatory and the public key for checking the signature. In fact, in the chip In card-based applications, this private key is recorded in the non-erasable memory area of the signer's chip card, "ROM", "EEPR0M" or equivalent memory. This asymmetric cryptographic method is considered non-disposable because the verifier of the signature (the fact that the method is inherently characteristic) cannot sign. In order to determine the concept, a well-known and widely used asymmetric method 535380. 5. Description of the invention (〇 An example of the secret method is the method called “RS A” (the name of its inventor is Ri ve St 3h am in and Adleman). The description of this side can be found in US patent US-A-4405829. Although effective this asymmetric encryption method does not avoid this inconvenience, it is in fact delicate and expensive to use. It must first be produced And manage as many electronic / public key pairs as the electronic signature device equipped with this user. Secondly, this asymmetric encryption method requires non-negligible information resources, which at least needs to be usually provided by electronic chips. In particular, it requires a co-processor for mathematics to perform encryption / decryption calculations. Therefore, the cost of the electronic chip (which provides the computing power required for asymmetric encryption) is significantly higher than the previous one. By other applications The cost of traditional chips used by the traditional unit is high. However, it is extremely important to consider the cost of very widely used components. One can imagine that the use of symmetrical encryption methods has less stringent requirements on information resources. However, Due to its own characteristics, the symmetric encryption method guarantees the `` non-abandonable '' situation it seeks, because the signing checker can also sign the same, because he and the The signature is in the same situation. The S of the present invention is to alleviate the inconvenience of the methods and devices of the conventional technology. Some of them have just mentioned 5 and fully meet the needs they feel. The giant mark determined by the present invention is to establish a kind of Generate a method of not giving up the signature, which is especially suitable for applications using portable terminals, such as electronic chip loading systems and more particularly chip card loading systems, which are characterized by the characteristics of 535380. 5. Description of Invention (5) One To provide limited information resources. In order to do so, according to advantageous features, the method according to the present invention combines symmetric encryption methods with static asymmetric encryption methods, and understands that these are used in asymmetric encryption methods The operation cannot be carried out in the loading terminal. Therefore, it does not need to be endowed with expanded computing power, and especially does not need to set up a common processor for mathematics. In the first embodiment of the present invention, the method includes a preliminary stage, which includes the following main steps: 1. All chip cards are equipped with two pairs of signature keys called f 'origins, which are for all chips The cards are the same. 2. Each of the chip cards similarly receives two different keys unique to each chip card, which are calculated based on the "origin" key, as well as the unique identification of the chip card in question ( identifier) (and / or all other information identifying its owner) and the contents of this identification. The calculation of these different keys is implemented using a symmetric encryption method, which preferably but not exclusively requires that Implemented for the "Three Words DES" (Representative, Data Encryption Standard ,: Data Encryption Standard) method. The identification of this chip card (and perhaps other information) is confirmed by a private (i.e., 'secret') key known as a '', which is held by the manager. This certificate is included in the identification card of the chip card and constitutes the name of the card holder. This confirmation is calculated using an asymmetric form of encryption (preferably the above-mentioned "RSA," method). However, it should be fully understood that the required calculation is performed by the confirmation manager 535380 V. Description of the invention (_ 〇 This signature The calculation is implemented by means of the different keys mentioned above, by encrypting the data to be transmitted, and it requires the assistance of a symmetric encryption algorithm, preferably as the assistance of the "DES" shown previously. The reorganization and checking is implemented by one or more recipients through the equivalent secret operation with the help of different signature keys. The reorganization is performed by—or multiple recipients and the same symmetric algorithm. This signature Those who also send their confirmation and identification information for the initial stage of step (3). Ι-ί-舅 此 定 読 (the receiver checks the above with the help of the public key mentioned above) It requests an asymmetric algorithm Assistance. This required calculation can be made by a chip card Host (h ost) terminal implementation. According to the second implementation form of the method of the present invention, it also includes the main part of the initial stage steps, however, one of the two different keys is based on two pairs of "origin" keys. First, the identification information of the recipient is obtained, and it is no longer the same as the identification information of the sender in the first-* variation. According to this variation, only the recipient can check the sender's signature. Exception This check is implemented in the same way as before. It is observed that in these two implementation forms, all chip cards have these two pairs of "pi origin" mining keys, which would be a weakness from the perspective of preservation. In addition, in a preferred variation consistent with these two implementation modes, in order to increase the durability of the method, a different pair of keys is added to each chip card, which is associated with two pairs of authentications belonging to the confirmation manager. catio η ) Mining spoons are different. This operation is implemented in the supplementary steps of the initial stage 〇 -9- 535380 V. Description of the invention (8)
每個晶片卡鑰匙之計算是請求對稱算法以及此晶片卡 特有之辨識件而實施。如同先前,此對稱算法 (Algorithm)較佳是DES(資料編密標準:Data Encryption Standard)。根據存放在晶片卡中之不同的鑰 匙與先前產生之簽字,並請求對稱算法之協助,此晶片 卡產生補充資料,其以下稱爲”簽字之確證資料”。這些 資料同樣傳送給收件人。收件人可以將它呈報給確認管 理器,而輪到它來確證此簽字作爲回應。 在此實施變化例中還有利地設有簽字產生計數器 (counter),其被使用於確保簽字之產生以及其可追蹤性 (tracebility),例如用於偵測具有相同號碼之不同的簽 字。這些計數器同樣是設置於晶片卡中,並且選擇性地 用於所有簽字資料之初設(initialisation)。The calculation of each chip card key is performed by requesting a symmetric algorithm and the unique identification of the chip card. As before, the algorithm is preferably DES (Data Encryption Standard). According to the different keys stored in the chip card and the previously generated signatures, and requesting the assistance of the symmetric algorithm, this chip card generates supplementary information, which is hereinafter referred to as "signature verification information". This information is also transmitted to the recipient. The recipient can report it to the confirmation manager, and it is his turn to confirm the signature in response. In this implementation variant, a signature generation counter is also advantageously provided, which is used to ensure the generation of the signature and its traceability, for example to detect different signatures with the same number. These counters are also set in the chip card and are optionally used for the initialisation of all signature data.
因此本發明之主要目的是設立一種簽字產生方法,使 此簽字不會被些組體(assembly)之第一實體捨棄,尤其 不會被電子晶片之載入系統捨棄,此系至少包括不消逝 記憶體裝置與計算裝置。該簽字之目的在於傳送,並且 被該組體之至少一實體查核,其特徵爲它包含初步階段 其至少包括以下步驟: -在該不消逝記憶體裝置中儲存兩對稱爲”起源”之簽字 鑰匙,其爲所有的該等實體所共用; -根據至少一個該”起源”簽字鑰匙對以及該第一實體唯 一特有之辨識件,藉由執行對稱之編密算法,而產生 稱爲’’不同”之第一簽字鑰匙,並且將該不同的鑰匙儲 -10- 535380 五、發明說明(9) 存於該不消逝記憶體裝置中; -將該唯一的辨識件儲存於該不消逝記憶體的裝置中; -藉由稱爲”確認管理器”之補充實體而產生確認件,其 構成用於該第一實體之簽字資格。該確認件是根據至 少該辨識件與該確認管理器所擁有之編密私人鑰匙, 藉由實施非對稱編密算法而獲得,並且將該確認件儲 存在該不消逝記憶體裝置中,以及 -藉由該確認管理器將簽字查核之公開鑰匙傳送給該組 體之實體之一部份或全部。 並且隨後的階段至少包括以下的步驟: -根據該不同之第一簽字鑰匙、不同之第二簽字鑰匙、 以及傳送給該組體之至少一個實體之資料,藉由執行 對稱之編密算法,而產生該不可捨棄之簽字,以及 -將至少該資料、該簽字、該辨識件與該確認件,傳送 給該組體之至少一實體。 本發明另外的目的是提供電子晶片(尤其是晶片卡)載 入系統,其用於使用此方法。 本發明現在參考所附圖式作進一步說明。 圖式之簡單說明 第1圖槪要圖式說明晶片卡之結構,其用於產生根據 本發明不可捨棄之簽字; 第2圖槪要圖式說明產生用於第1圖之晶片卡之該f 同之簽字鑰匙,其根據該對f,起源”簽字鑰匙以及晶片+ 辨識件而實施; -11- 535380 五、發明說明(1〇) 第3圖槪要圖式說明根據本發明方法之第一實施形式 而產生不可捨棄簽字之過程; 第4圖槪要圖式說明由該確認管理器實體,產生簽字 確認鑰匙之過程; 第5圖槪要圖式說明根據本發明方法之第二實施形式 而產生不可捨棄簽字之過程; 第6圖槪要圖式說明根據上述之確認與簽字鑰匙以產 生確認資料之過程; 第7圖槪要圖式說明由晶片卡之簽字人所傳送之不同 資料; 第8圖槪要圖式說明根據產生不可捨棄簽字之第一形 式之簽字產生查核步驟; 第9圖槪要圖式說明根據產生不可捨棄簽字之第二形 式之簽字產生查核步驟; 第1 0圖槪要圖式說明由晶片卡藉由上述簽字確認管 理器而產生確認之過程。 現在將根據數個變化例以更詳細的方式說明根據本發 明之不可捨棄簽字產生方法之較佳實施例。 如同已經說明,爲了確定觀念,在沒有限制本發明之 範圍之情況下,而置入於以晶片卡爲主的應用例子中。 此應用例子之電子晶片以通常的方式包括計算裝置(其例 如包含微處理器),與記憶裝置(爲Ram且不消逝)。此 種結構爲此行業之人士所熟知,並且沒有必要更深入地 說明。 -12- 535380 五、發明說明(11) 第1圖槪要圖式說明晶片卡cPi之結構,i爲任何指 數,其代表CPi至CPn之η個晶片卡(未圖示)之所有晶 片卡之一。在第1圖上只出現不消逝記憶體其以Μ代表 。它可以是關於”ROM”式(唯讀記憶體:Read-only-Memory)記憶體,”EEPROM”式(電性可拭除可程式化唯 讀記憶體·· Electrically Erasable Programmable Read Only Memory),或是所有其他類似型式之記憶體裝置。 在初步階段期間,有利地在當晶片卡CPi”個人化”階 段時’在預設記憶體之位置中(在所描述的例中各自爲 、M2、M4與M5)—方面登錄兩對”起源”鑰匙MKSm 與MKS12,以及另外一方面登錄MKS21與MKS22。這些 ”來源”鑰匙是爲所有的晶片卡CPi至CPn所共有的。 根據符合本發明方法之第一實施變化例,使用者Ui (即’晶片卡CPi之持有者)將所傳送之訊息或資料簽署 。所有其他的使用者可以查核此簽字。 爲了這樣作,兩個不同的鑰匙dKSi⑴與dKS2⑴,各 自被計算並且登錄於例如記憶體M3與M6的位置中。此 計算是在晶片卡CPi之外實施,其使用對稱算法。以較 佳的方式而言,它是關於”DES,,。此外在以下假設在每 次使用對稱算法時,同樣是關於"DES”,以下爲了簡化 而稱爲"T-DES"。 第2圖槪要圖式說明鑰匙dKSUi)之計算。此DES (資 料編密標準)之參考號碼爲1,包括三個串聯步驟1 〇至 1 2。作爲例子,步驟1 〇與1 2實現稱爲,,直接”的” D E S,, -13- 五、發明說明(12) 。此使用於此兩個步驟之簽字鑰匙在此例中總是鑰匙 MKSh。中間步驟1 1實現稱爲相反之”DES”,其記爲 ’’DES·1”。使用於此步驟之簽字鑰匙是鑰匙MKS12。在第 1步驟)1〇之入口輸入晶片卡CPi及/或其持有者Ui之辨 識資料ID i(第1圖)。此辨識資料IDi可以是唯一僅有或 是來自數個不同的資料’例如可能與塡充資料連接,以 獲得預設長度之二位元之句子(word)。在第1圖上呈現 兩個辨識資料來源,其記爲Info與Div(晶片卡CPi的號 碼’寺)。适些資料同樣存放在晶片卡CPi中,並且在所 說明的例子中記載於記憶體Μ之位置M7與M8中。 步驟10之輸出是傳送至步驟11之輸入,並且步驟11 的輸出是傳送至步驟12之輸入。最後,在步驟12之輸 出獲得不同的錄匙dKSi⑴’其爲晶片卡CPi所持有,並 且如同其所顯示記載於記憶體M3的位置中。 此計算在保全中例如,由稱爲”夾入’’(encarteur)之實 體在晶片卡CPi外實施。此用於使用"T-DES”之模組1可 以與”硬體"(特殊電路)的型式無關,或是請求軟體協助。 鐘匙dKS2(i)以同樣的方式獲得,並且無益重新描述此 過程。 如果重新參考第1圖,除了此等不同的資料外,確認 件CTAi由確認管理器CA算出。此後者實體CA根據本 發明方法之觀點使用參考號碼爲2之非對稱算法,較佳 爲上述之”RSA”算法。晶片卡CPi之辨識資料IDi,藉助 於確認管理器CA之所有物之私人鑰匙(其記爲κΑ)而編 -14- 五、發明說明(13) 成密碼。 在第1圖所描述的例子中,此編密碼作業之結果是, 即,此確認件CTA,被記載於記憶體M9之位置中。 確認管理器CA同樣分發簽字確認公開鑰匙(以配合私 人鑰匙KA,並且以下稱爲KP)給所有的晶片卡。 假設截至此所描述的時刻爲止,所有擁有晶片卡CPi 的使用者U i是屬於唯一且僅有的組,並且因此公開鑰匙 KP是供所有的使用者Ui使用。根據此方法之實施形式 之另一個變化例,可以將所有的使用者至少分成兩組 (未圖式)。每個組因此使用其他組之不同的公開鑰匙·· Κρι、Kp2、— Kpm,假設m爲不同組的數目。 第3圖槪要圖式說明由晶片卡CPi產生簽字,其參考 號碼爲SIGNi。 假設晶片卡CPi之持有者Ui發送應該簽字的訊息 M S G。爲了如此作,此訊息M S G由所熟悉的資料處理裝 置(例如是晶片卡CPi之宿主(host)終端機Τ)製作,而被 傳送至參考號碼3之”T-DES”之輸入,或是所有其他類 似對稱的算法。以其本身所熟知的方式,訊息M S G可 以事先提交呈報給稱爲”散列"(hashing)的作業。此”Τ-DES”3之選擇結構是等同或是至少完全類似於參照第2 圖所描述者。此使用於直接步驟f’DES”的鑰匙是例如鑰 匙dKS1(i),並且使用於步驟"DES·1”的鑰匙是鑰匙 dKS2(i)。由於關於對稱算法,不須要設置強有力之計算 裝置。因此簽字之計算可以有利地在晶片卡CPi的內部 -15- 535380 五、發明說明(14) 藉助於設置在那裡之標準之計算裝置(未圖示)而實施。 於是,雖然是爲了設計圖淸楚的理由,此等計算裝置在 圖上並未顯示於晶片卡CPi的外部,人們應該瞭解此裝 置較佳是植入於晶片卡的電子晶片中。 以實際的方式而言,它不是關於一般的特殊電路。較 佳借助於軟體以執行簽字SIGNi之計算,此軟體是設置 於記憶體Μ中,而與上述之標準計算裝置配合。 人們瞭解這些不同的鑰匙dKSi⑴與dKS2⑴,即,各 晶片卡CPi特有之秘密,是不可以泄露給外面世界。然 而,所有的晶片卡CPi具有在其”起源”形式下之兩個簽 字鑰匙對(pair)。如果人們能破解此等鑰匙,則危及此 方法之整個安全。因此,爲了 ”加強’’此方法以防止外來 之攻擊,而在每個晶片卡CP i中增加一組不同的補充簽 字鑰匙,其各記爲dKSA1(i)與dKSA2⑴。此等鑰匙本身 不同於屬於確認管理器CA之兩對簽字確認鑰匙(第1圖) 。以下將以更詳細的方式說明此等鑰匙之用途。 第4圖以槪要圖式說明此不同之補充鑰匙dKS A i⑴與 dKSA2⑴之產生過程。此等稱爲”簽字確認”之鑰匙對各 別是MKSAh與MKSA12,^^8八21與MKSA22,被傳送 至使用對稱算法模組鑰匙之輸入,此模組較佳是”T-DES丨,,而標示爲1丨與1”。在資料之輸入端輸入辨識件 ID i,其爲晶片卡CPi之特徵。此鑰匙dKS A !⑴的計算過 程與dKSA2⑴相同,或至少是完全類似於(第2:1圖)其 使得能夠計算不同的鑰匙dKSi⑴與dKS2⑴。此外如果 -16- 535380 五、發明說明(15) 它是關於特殊之電子電路,則可以使用相同的電路’或 可使用相同的軟體。 如同用於不同的鑰匙dKSi⑴與dKS2(i),此計算是在 初步階段期間在保全中,例如是在晶片卡CPi之”個人化” 階段期間實施。這些計算之結果,即,簽字之確認鑰匙 dKSAi⑴與dKSA2⑴是同樣記錄於晶片卡之記憶體Μ中 之位置M1C與Μμ中(同樣參考第1圖)。 根據此方法之較佳變化例,突破晶片卡CPU之秘密然 而亦變得難以獲得晶片卡之私人鑰匙,其配備動態之非 對稱編密算法。 在簽字產生方法之其他變化例中,可以有利地配備簽 字產生計數器4,其輸出標示爲CGS。此計數器4被使 用於保全簽字之產生,以及用於確保其可追蹤性(不同的 簽字卻具有相同的號碼)。如果重新參考第3圖可以發現 此輸出CGS被傳送至”T-DES”3之資料輸入。以實際的 方式而言,它是有關於二位元的句子其可以與簽了字之 訊息MSG連接。此計數器4同樣被植入於晶片卡CPi中 並且選擇性地用於將資料之所有的簽字初設(initial ize)。 它可以有關於硬體元件,其例如是屬於晶片卡CPi之電 子晶片之計算裝置之電路。此計數(句子CGS)同樣可以 以軟體裝置獲得。 現在藉由參考第5圖以槪要圖式說明簽字產生方法之 第二實施模式。根據此實施模式,此不同鑰匙之一,例 如參考號碼爲dKS2⑴之鑰匙,是借助於其他晶片卡之不 -17- 535380 五、發明說明(16 ) 同資料而獲得,而如果存在數個不同的組,則不是晶片 卡C P i的那一組’例如是晶片卡C P j的辨識資料I ,並 且不是根據晶片卡簽字人CPi之辨識資料iDi。 除了此特徵之外,其他的階段與步驟與對於第一實施 模式所描述著相同。因此並沒有益處將其全部地重新描 述。同樣地,此實施模式與使用簽字確認鑰匙dKS A i⑴ 與dKSA2⑴之模式’以及與使用簽字產生計數器4而產 生字句CGS的模式相容符合。 根據此實施模式,其事實正是上述之特徵,在第5圖 上只有此收件人U j,即,晶片卡匕之持有者能夠查核 發出者U,(其標示爲SIGNt)之簽字。此爲有益要提醒注 意此最後之特性並沒有由傳統之動態非對稱編密方法提 供,其用於產生根據習知技術之不可捨棄之簽字。 假設在此初步階段期間,如同先則此不问的鏡匙 dKSi⑴被算出並且記錄在晶片卡CPi之記憶體μ中之位 置Μ3。爲了如此作,而使用晶片卡CPi特有的辨識資料 IDi。 此不同之簽字鑰匙dKS’2⑴如同先前根據”起源”簽字 鑰匙對MKS21與MKS22而算出,但是使用來自晶片卡 CPi之辨識件IDi,並且以類似於辨識件IDi用於晶片卡 CPi的方式’此辨識件是記錄在晶片卡之5己隱、體M t 個或數個位置中。此簽字鑰匙之計算使用參考號碼爲3* 之,,T - D E S,,而實施,在其輸入上接收鑰匙’即起源鑛匙 MKS21與MKS22,並且輸入資料,即,辨識件1D」’其 -18- 535380 五、發明說明(18) dKSA1(i)|§| dKSA2⑴,其參考第4圖明顯的方式產生’ 並且在所描述之例中,它被記錄於記憶體Μ中之位置 M1G與Μη中。此所產生之簽字SING,被傳送至參考號 碼爲3”之” T-DES”之輸入。以選擇的方式,此計算資料 CGS (第3圖)同樣地可以在資料輸入時(例如將其與簽字 訊息MSG連結時)輸入。此等鑰匙dKSA1(i)與dKSA2(i) 被使用如同簽字鑰匙。此模組3 ”之邏輯結構是與第3圖 之模組3之邏輯結構相同或至少完全類似,其被使用於 產生簽字SIGNi。模組3”之輸出則呈現所尋求簽字之確 證資料ASIGNi。此等資料被傳送給簽字SIGNi之收件人 。如同先前,其計算是在晶片卡CPi之內部實施,以便 此等鑰匙(158八1(|)與dKSA2⑴不會離開晶片卡。在實際 上,此等資料ASIGNi之最後收件人是確認管理器CA( 第1或4圖)。事實上,如同在以後所顯示,收件人(例 如是Uj),其欲確證此所收到的簽字SIGNi,並且確定這 是有效的晶片卡Cpi所發出之簽字,其將此簽字之確認 資料ASIGK呈報給確認管理器CA,只有它可_以使得此 等資料有效,因爲它儲存了 ”起源”鑰匙MKSAh至 MKSA22,其用於算出錄匙dKSAi⑴與dKSA2(i)。 第7圖槪要圖式說明在較佳實施變化例中,由簽字人 藉由晶片卡CPi傳送給收件人之不同的資料。 此所傳送之資料如下: -簽字訊號資料MSG ; -簽字計算之選擇性資料CGS; -20- 535380 五、發明說明(19) -簽字 SIGNi ; -晶片卡CPi及/或其持有者小之辨識件IDi; -確認件CTAi,以及 -確證資料ASIGK。 收件人根據所有這資料可以查核簽字SIGN,並且在 較佳之變化例中,藉助於資料ASIGN將此簽字確證。 現在說明由晶片卡(例如是晶片卡CPi)所發出簽字 S IG N i之查核步驟,其根據剛才所描述之方法之兩個主 要之實施模式。 第8圖槪要圖式說明簽字SIGNi之查核步驟,其依據 根據本發明方法之第一實施模式,而由以下之使用者所 產生:由屬於所給定(given)組之至少一個使用者,或是 如果沒有存在不同的組的話則是所有的使用者。吾人應 該回想起第一實施模式允許所有的使用者U!至Un在收 到所發出之訊息MSG與其簽字SIGN;時,先天地一開始 對其查核。 此查核在於重新組成發出者所發出的簽字,並且與所 接收的比較。爲了確定觀念,而考慮此在第7圖上所說 明的情形:晶片卡CP;從晶片卡CPi接收各種不同的資 料。此晶片卡Cpj之結構先天地完全類似於(如同不是相 同的話)晶片卡CPi之結構。其尤其包括不消逝記憶體其 參考號碼爲M',在其中記錄而對π起源”鑰匙MKSh至 MKS22(其記憶體之位置是Μ、、、MU與Mf5),兩個 不同的鑰匙dKS1(j)與dKS2(j)(其記憶體之位置爲Μ、與 -21 - 535380 五、發明說明(2〇) Μ、)、辨識資料IR之晶片卡CP」之秘密(Info’與Div’, 其記憶體之位置爲Μ、與M’8)、確認件CTAj記憶體位 置M'9),以及在較佳變化例中之兩個確證鑰匙dKSA1(i) 與dKSA2⑴(其記憶體位置爲Μ’ιο與Μ、〗)。 第1個不同之鑰匙,其參考號碼dKS!是以下列方式 計算而得:其依據”起源”鑰匙MKSh與MKS12、以及由 晶片卡CPi所接收之辨識件IDi,並且請求對稱算法較佳 是”T-DES”(其參考號碼爲5a)之協助。此辨識件IDi是在 資料輸入上輸入。此等π起源π鑰匙MKSu與MKS12是被 傳送至鑰匙之輸入。第二個不同的鏡匙是以相同的方式 藉助於”T-DES”5b,依據起源鑰匙MKS21與MKS22以及 同樣地所接收之辨識件IDi所計算而得。此等所算出之 不同的鑰匙^1尺81與dKS2,可以被暫時儲存於暫存器6a 與6b中,或是活的記憶體(RAM)的位置(未圖示)中,其 通常配備於晶片卡。此第3圖參考號碼爲5c之"T-DES” 在鑰匙之輸入端接收先前所算出的鑰匙,以及在其資料 輸入端接收由晶片卡C p i所傳送之訊息M S G、以及或許 簽字產生之數目句CGS。此在模組5c輸出端的資料其 參考號碼爲SIGN,是被認爲代表由晶片卡cpi所發出之 簽字SIGNi。此等相對應之資料可以儲存於暫存器6c中 或是活的記憶體(RAM)之位置中。其設有由模組7所實 施之比較作業。如果此重新組合之簽字S IGN是與所接 收之簽字SIGNi相同,其結果(在輸出s上之信號或資料) 是肯定的,並且此簽字被確證。 -22- 五、發明說明(21) 晶片卡CPj同樣地由晶片卡CPi接收辨識件CTAi(參 考第7圖)。此確認件可以被模組8借助於由確認管理器 CA所發射之公開鑰匙KP而查核(第1與4圖)。如同其 所稱呼,此公開鑰匙ΚΡ是由所有的使用者Ui(如果存在 數個不同的組,則至少是相同組內部之所有的使用者)所 使用。此辨識件CTAi之查核資料是在輸出端s上供自 由使用。 爲了設計圖淸楚之理由,此等’’T-DES’’5a至5c,此等 暫存器6a至6c,比較裝置7與查核裝置8是顯示於晶 片卡CPj之外。不用說,此如同先前,這些裝置是應該 設置於晶片卡中。此等不同的鑰匙與其計算之結果是不 應該池露給外部世界。此外,此所實現的功能可以全部 或一部份請求軟體協助。 現在參考第9圖說明依照根據本發明方法之第二實施 模式所產生之簽字之查核。此等與先前之圖示(尤其是第 8圖)相同的元件具有相同的參考號碼,只有在須要時才 重新說明。 如同先前’一個不同之鑰匙dKSi是根據由晶片卡CPi 所接收之辨識件IDi而計算出。相反的此儲存於晶片卡 CPj中之不同的鏡匙dKS2(j)’是直接被使用如问簽字之 鑰匙。假設鑰匙dKS2⑴是藉由多樣化根據”起源’’鑰匙 MKS21與MKS22以及由晶片卡CP」所提供之辨識件IDj 而獲得。此鑰匙dKS2⑴與所算出之鑰匙^1&81是被傳送 至nT-DESM5c之鑰匙之輸入端,其如同先前在其資料之 -23- 535380 五、發明說明(22) 輸入端上接收所傳送之訊息M S G,並且選擇性地接收簽 字計算句CSG。其餘之過程與用於描述第一實施模式者 (弟9 Η)相冋’並且無益再g羊細重新說明。 此在確認件CTAi以與先前相同的方式查核。 在此所計算出簽字的兩個例子中,S IGN絕不提供給 外部世界,只有比較的結果可以揭露。 總結先前所述,由於這些不同的鑰匙(其爲例如是C p i 的每個晶片卡之秘密),以及此簽字計算的結果都不會離 開此晶片卡,其結果是此系統不可拋棄。 現在參考第10圖來說明此簽字SIGNi之確證之查核。 所有的使用者U_j,其查核由另一個使用者(例如Ui)所 產生之簽字,可以將以下之物件提交呈報給確認管理器 :簽字者之辨識件IDi,此辨識件之確認件CTAi、此簽 字SIGNi、此等確證資料ASIGNi、以及簽字產生計算之 選擇性資料C G S。 基於此等資料,此確認管理器CA依據以下物件而計 算不同的簽字dKSA1(i)與dKSA2⑴:起源鑰匙對MKSAm 至MKSA22以及晶片卡0?,簽字者及/或其持有者Ui(在 其確認辨識之控制之後)之辨識件IDi ;用以控制此等簽 字確證資料ASIGN丨。 一方面將起源鑰匙對MKSAh-MKSA^,另一方面將起 源鑰匙對MKSA21-MKSA22,傳送至兩個模組”T-DES’’9a 與9b之鑰匙之輸入端,其在它的資料輸入端上接收辨 識件IDi。此等模組之輸出端提供簽字之不同的確證鑰 -24- 535380 五、發明說明(23) 匙dKSA1(i)與dKSA2⑴,其被傳送至參考號碼爲9c之第 三個”T-DES”之鑰匙輸入端。此"T-DES”在其資料輸入端 上接收信號SIGNi以及選擇性之簽字產生計算資料CGS 。在”T-DES”9c之輸出端上所出現之資料ASIGN合理地 代表重新組合之ASIGNi資料。它因此在比較器模組9d 中與ASIGN比較。其比較之結果不論是肯定或否定,是 在模組9d之輸出端S”上可自由使用。此結果被送回在 事實上作此要求之使用者,例如使用者U^j,其藉由鑰匙 dKSAi⑴與dKSA2⑴以及” T-DES”9e而簽字。當然,這些 鑰匙dKSAi⑴與dKSA2⑴不能直接傳送給使用者Uj,而 是由確認管理器CA以以下之方式重新計算: 藉由執Sf’T-DES”(未圖示),並且一方面借助於起源鑰 匙MKSAn-MKSA12,另一方面借助於起源鑰匙MKSA21-MKSA22,以及使用者Uj之辨識件IDj,而以類似於鑰匙 dKSAi⑴與dKSA2⑴之計算方式。此在” T-DES”9e之輸出 所產生之簽字R,可以由使用者U j借助於其本身之確證 鑰匙dKSAi⑴與dKSA2〇·),並藉由執行補充之” T-DES” (未圖示)而解密。 選擇式地可以要求口令(pass-word)或是完全類似的辨 識方式("PIN”碼,等等),用於更加強此過程之保全。 在閱讀了以上之說明之後,可以輕易地察覺本發明充 分地達成了它所設定之目標。 它(尤其在較佳之變化實施例中)確保更大的保全以及 獲得所發出簽字之不可捨棄之可能性,這不須要使用在 -25- 535380 五、發明說明(24 ) 晶片卡中之非對稱之編密方法,並且以更一般的方式將 電子晶片輕易地載入終端機。因此,使得可以使用配備 有標準§十算與fe、體裝置之電子晶片。尤其是電子晶片 不須要配備有數學共同一處理器。 其結果是,本方法所產生之成本與複雜度,對於所謂 ”公共大眾”之使用,是保持在可接收的範圍內。 然而,應爲明顯的,本發明並不受限於所明確描述之 實施例,尤其是關於第1至1 0圖之實施例。 尤其,雖然非對稱之"RSA”算法與對稱之nDES”算法是 特別有利,本發明並不以任何方式受限於此等算法。其 他的算法,不論是對稱還是不對稱,是完全可以考慮的 。特殊算法之選擇只構成此行業人士技術範圍(尤其是依 據所涉及確實應用)的選擇。 符號之說明 1 模組 3 算法 31 算法 4 計數器 5a 算法 8 查核器 10 步驟 CA 確認管理器 CPi 晶片卡 CTAi 確認件 -26- 535380 五、發明說明(25) dKS 1 不 同 錄 匙 dKS2 不 同 鑰 匙 KA 私 人 鑰 匙 ΚΡ 公 開 鑰 匙 Μ 記 伊 1必、 體 MKS ι ι 起 源 綸 匙 MKSi2 起 源 鐘 匙 SIGN 簽 字 Τ 宿 主 Ui 使 用 者 Uj 使 用 者 -27-Therefore, the main purpose of the present invention is to establish a signature generation method so that the signature will not be discarded by the first entity of some assemblies, especially the electronic chip loading system, which includes at least non-fading memory Device and computing device. The purpose of the signature is to transmit and is checked by at least one entity of the group, which is characterized in that it includes a preliminary stage which includes at least the following steps:-storing two pairs of signature keys called "origins" in the eternal memory device , Which is shared by all of these entities;-based on at least one "origin" signature key pair and the unique identifier of the first entity, by executing a symmetric encryption algorithm, it is called "different" The first signature key and store the different key -10- 535380 5. The invention description (9) is stored in the non-evanescent memory device;-The unique identification piece is stored in the non-evanescent memory device Medium;-A confirmation is generated by a supplementary entity called a "confirmation manager", which constitutes the signing qualification for the first entity. The confirmation is based on at least the identification and the compilation owned by the confirmation manager Secret private key, obtained by implementing an asymmetric encryption algorithm, and storing the confirmation in the eternal memory device, and-signing by the confirmation manager The nuclear public key is transmitted to some or all of the entities of the group, and the subsequent stages include at least the following steps:-according to the different first signature key, different second signature key, and transmitted to the group The data of at least one entity of the entity is generated by the implementation of a symmetric encryption algorithm, and-the at least the data, the signature, the identification and the confirmation are transmitted to at least the group An entity. Another object of the present invention is to provide an electronic chip (especially a chip card) loading system for using this method. The present invention will now be further described with reference to the attached drawings. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 槪Figure 2 illustrates the structure of a chip card, which is used to generate a signature that cannot be discarded according to the present invention. Figure 2 illustrates the schematic diagram of generating the same signature key for the chip card of Figure 1, which is based on the pair. f, "origin" signature key and chip + identification piece; -11-535380 V. Description of the invention (10) Figure 3 Schematic illustration of the first embodiment of the method of the present invention The process of generating a non-disposable signature; Figure 4 illustrates the process of generating a signature confirmation key by the confirmation manager entity; Figure 5 illustrates the process of generating a non-disposable according to the second embodiment of the method of the present invention. Signing process; Figure 6: diagrammatically illustrates the process of generating confirmation data based on the above-mentioned confirmation and signature key; Figure 7: diagrammatically illustrates the different information transmitted by the signer of the chip card; Figure 8: Figure 9 illustrates the steps of generating a signature based on the first form of a signature that produces a non-disposable signature; Figure 9 illustrates the steps of generating a signature based on a second form of a signature that generates a non-disposable signature; Figure 10 requires a schema The process of generating confirmation by the chip card through the above-mentioned signature confirmation manager is explained. A preferred embodiment of the non-discardable signature generation method according to the present invention will now be described in more detail based on several variations. As already explained, in order to determine the concept, it is placed in an application example mainly using a chip card without limiting the scope of the present invention. The electronic chip for this application example includes a computing device (which, for example, contains a microprocessor), and a memory device (which is Ram and does not die) in the usual way. This structure is well known to those in the industry and need not be explained further. -12- 535380 V. Description of the invention (11) Figure 1 illustrates the structure of the chip card cPi graphically, where i is any index, which represents all chip cards of η chip cards (not shown) from CPi to CPn. One. Only non-evanescent memory appears on Figure 1 and is represented by M. It can be about "ROM" type (Read-only-Memory) memory, "EEPROM" type (Electrically Erasable Programmable Read Only Memory), Or all other similar types of memory devices. During the preliminary phase, it is advantageous to register two pairs of "origins" in the location of the preset memory (in the example described, M2, M4 and M5 respectively) during the "personalization" phase of the chip card CPi. ”The keys MKSm and MKS12, and the other sign in MKS21 and MKS22. These "source" keys are common to all chip cards CPi to CPn. According to a first implementation variation consistent with the method of the present invention, the user Ui (i.e., the holder of the 'chip card CPi') signs the transmitted message or data. All other users can check this signature. To do this, two different keys dKSi⑴ and dKS2⑴ are each calculated and registered in, for example, the locations of memories M3 and M6. This calculation is performed outside the chip card CPi, which uses a symmetric algorithm. In a better way, it is about "DES," and it is also assumed in the following that each time a symmetric algorithm is used, it is also about "DES", which is called "T-DES" for simplicity. Figure 2 illustrates the calculation of the key dKSUi) graphically. This DES (Data Encryption Standard) has a reference number of 1 and includes three serial steps of 10 to 12. As an example, the implementation of steps 10 and 12 is called, "direct" DES, -13- V. Description of the invention (12). The signature key used in these two steps is always the key MKSh in this example. The intermediate step 11 1 implementation is called the opposite "DES", which is recorded as "DES · 1". The signature key used in this step is the key MKS12. In the first step) enter the chip card CPi and / or at the entrance of 10 The identification data ID i of its holder Ui (picture 1). This identification data IDi can be the only one or come from several different data 'for example, it may be connected with the charging data to obtain two bits of the preset length Word of Yuan (word). In Figure 1, two sources of identification data are presented, which are recorded as Info and Div (chip card CPi's number 'temple). Suitable information is also stored in chip card CPi, and is described in the description The example is recorded in the locations M7 and M8 of the memory M. The output of step 10 is transmitted to the input of step 11, and the output of step 11 is transmitted to the input of step 12. Finally, the output of step 12 is different. The recording key dKSi⑴ 'is held by the chip card CPi and is recorded in the position of the memory M3 as it is shown. This calculation is in the security, for example, by an entity called "encarteur" on the chip card Implemented outside CPi. This module 1 for using "T-DES" can be independent of the type of "hardware" (special circuit) or ask for software assistance. The clock key dKS2 (i) is obtained in the same way and it does not help to re-describe the process. If referring again to Fig. 1, in addition to these different data, the confirmation CTAi is calculated by the confirmation manager CA. This latter entity CA uses an asymmetric algorithm with a reference number of 2 from the viewpoint of the method of the present invention, preferably the "RSA" algorithm described above. The identification data IDi of the chip card CPi is edited by means of the private key (which is recorded as κΑ) for confirming the possession of the manager CA. -14- 5. Description of the invention (13) It is a password. In the example described in FIG. 1, the result of this cryptographic operation is that the confirmation CTA is recorded in the location of the memory M9. The confirmation manager CA also distributes the signature confirmation public key (to cooperate with the private key KA, and hereinafter referred to as KP) to all chip cards. It is assumed that as of the moment described here, all users U i who own the chip card CPi belong to the only and only group, and therefore the public key KP is for all users Ui. According to another variation of the implementation of this method, all users can be divided into at least two groups (not shown). Each group therefore uses a different public key from the other group ... Kρ, Kp2,-Kpm, assuming m is the number of different groups. Figure 3 illustrates the signature generated by the chip card CPi. The reference number is SIGNi. It is assumed that the holder Ui of the chip card CPi sends a message M S G that should be signed. In order to do this, this message MSG is made by a familiar data processing device (such as the host terminal T of the chip card CPi) and is transmitted to the input of "T-DES" at reference number 3, or all Other similar symmetric algorithms. In a manner known per se, the message MSG can be submitted in advance to an operation called "hashing." The choice structure of this "T-DES" 3 is equivalent or at least completely similar to that shown in Figure 2. Described. The key used in the direct step f'DES "is, for example, the key dKS1 (i), and the key used in step " DES · 1" is the key dKS2 (i). Because of the symmetric algorithm, there is no need to set Powerful computing device. Therefore, the calculation of the signature can be advantageously carried out inside the chip card CPi -15-535380. 5. Description of the invention (14) It is implemented by means of a standard computing device (not shown) set there. Therefore, Although it is for the sake of good design, these computing devices are not shown on the outside of the chip card CPi. People should understand that this device is preferably embedded in the electronic chip of the chip card. In a practical way, In other words, it is not about a special circuit in general. It is preferable to use software to perform the calculation of the signature SIGNi. This software is set in the memory M and cooperates with the above-mentioned standard computing device. People understand These different keys dKSi⑴ and dKS2⑴, that is, the secrets unique to each chip card CPi, cannot be leaked to the outside world. However, all chip cards CPi have two signature key pairs in their "origin" form .If people can crack these keys, the overall security of this method is endangered. Therefore, in order to "enhance" this method to prevent external attacks, a different set of supplementary signature keys is added to each chip card CP i, They are each referred to as dKSA1 (i) and dKSA2⑴. These keys themselves are different from the two pairs of signature confirmation keys belonging to the confirmation manager CA (Figure 1). The use of these keys will be explained in more detail below. Figure 4 illustrates the generation process of the different supplementary keys dKS A i⑴ and dKSA2⑴ in a schematic diagram. These key pairs called "signature confirmation" are MKSAh and MKSA12, ^ 8, 821, and MKSA22, respectively, and are transmitted to the input of the key using the symmetric algorithm module. This module is preferably "T-DES 丨, , And labeled 1 丨 and 1 ". Enter the identification ID i at the input end of the data, which is a characteristic of the chip card CPi. The calculation process for this key dKS A! ⑴ is the same as, or at least completely similar to, dKSA2⑴ (Figure 2: 1) which enables the calculation of different keys dKSi⑴ and dKS2⑴. In addition, if -16-535380 5. Invention Description (15) It is about special electronic circuits, you can use the same circuit ’or you can use the same software. As with the different keys dKSi⑴ and dKS2 (i), this calculation is performed during the preliminary phase, such as during the "personalization" phase of the chip card CPi. As a result of these calculations, the signature confirmation keys dKSAi⑴ and dKSA2⑴ are also recorded in the positions M1C and Mμ in the memory M of the chip card (see also FIG. 1). According to a preferred variation of this method, breaking the secret of the chip card CPU has made it difficult to obtain the private key of the chip card, which is equipped with a dynamic asymmetric encryption algorithm. In other variations of the signature generation method, a signature generation counter 4 may be advantageously provided, the output of which is labeled CGS. This counter 4 is used to preserve the generation of the signature and to ensure its traceability (different signatures have the same number). If you refer to Figure 3 again, you can see that this output CGS is transmitted to the data input of "T-DES" 3. In practical terms, it is a two-bit sentence that can be linked to a signed message MSG. This counter 4 is also embedded in the chip card CPi and is selectively used to initialize all signatures of the data. It may be related to a hardware component, which is, for example, a circuit of a computing device of an electronic chip belonging to the chip card CPi. This count (sentence CGS) can also be obtained with a software device. The second embodiment mode of the signature generation method will now be described schematically with reference to FIG. 5. According to this implementation mode, one of the different keys, such as the key with the reference number dKS2⑴, is obtained with the help of other chip cards -17-535380 5. Invention Description (16) The same information is obtained, but if there are several different The group is not the group of the chip card CP i, for example, it is the identification data I of the chip card CP j, and it is not based on the identification data iDi of the chip card signer CPi. Except for this feature, the other stages and steps are the same as described for the first embodiment mode. It is therefore not useful to re-state it all. Similarly, this implementation mode is compatible with the mode using the signature confirmation keys dKS A i⑴ and dKSA2⑴ 'and the mode using the signature generation counter 4 to generate the word CGS. According to this implementation mode, the fact is exactly the above-mentioned feature. In Figure 5, only this recipient Uj, that is, the holder of the chip card can check the signature of the issuer U, (designated as SIGNt). It is useful to remind that this last feature is not provided by traditional dynamic asymmetric cryptographic methods, which are used to generate inalienable signatures based on conventional techniques. It is assumed that during this preliminary stage, the mirror key dKSi⑴, which is the same as before, is calculated and recorded in the position M3 in the memory μ of the chip card CPi. To do this, the identification data IDi unique to the chip card CPi is used. This different signature key dKS'2⑴ is calculated as previously based on the "origin" signature key pair MKS21 and MKS22, but uses the IDi from the chip card CPi and uses it in a manner similar to the IDi for the chip card CPi 'this The identification piece is recorded in the 5 hidden positions, the body M t or several positions of the chip card. The calculation of this signature key uses the reference number 3 *, T-DES, and is implemented, and receives the key 'i.e. the originating mineral keys MKS21 and MKS22 on its input, and enters the data, ie, the identification piece 1D' 'its- 18- 535380 V. Description of the invention (18) dKSA1 (i) | § | dKSA2⑴, which is generated in a manner obvious with reference to Fig. 4 'and in the example described, it is recorded at positions M1G and Μη in memory M in. The resulting signature SING is transmitted to the input of "T-DES" with reference number 3 ". In a selected way, the calculation data CGS (Figure 3) can also be entered when the data is entered (for example, by comparing it with The signature message (MSG link) is entered. These keys dKSA1 (i) and dKSA2 (i) are used as signature keys. The logical structure of this module 3 ”is the same as or at least completely the logical structure of module 3 in FIG. 3 Similarly, it is used to generate the signature SIGNi. The output of "Module 3" presents the verification information ASIGNi for which the signature is sought. This information is transmitted to the recipient of the signature SIGNi. As before, the calculation is implemented inside the chip card CPi so that these keys (158 1 (|) and dKSA2⑴ will not leave the chip card. In fact, the last recipient of this information ASIGNi is the confirmation manager CA (Figure 1 or 4). In fact, as shown later, the recipient (For example, Uj), if it wants to confirm the signature SIGNi received and determine that it is a signature issued by a valid chip card Cpi, it reports the confirmation information ASIGK of this signature to the confirmation manager CA, only it can _ In order to make this information valid, it stores the "origin" keys MKSAh to MKSA22, which are used to calculate the recording keys dKSAi⑴ and dKSA2 (i). Fig. 7 Schematic illustration In a preferred embodiment variation, the signature Different data transmitted by the person to the recipient through the chip card CPi. The information transmitted here is as follows: -Signal signal data MSG; -Signal calculation optional data CGS; -20-535380 V. Description of the invention (19)- Signature SIGNi;-Chip Card CPi / Identification IDi of its owner;-Confirmation CTAi, and-Confirmation information ASIGK. The recipient can check and sign the SIGN based on all this information, and in a preferred variation, sign this with the help of the information ASIGN Confirmation. Now, the verification steps of the signature S IG N i issued by the chip card (for example, the chip card CPi) will be described, which is based on the two main implementation modes of the method just described. Figure 8 illustrates the signature SIGNi The checking step is based on the first implementation mode of the method of the present invention and is generated by the following users: by at least one user belonging to a given group, or if there is no different group It is all users. I should recall that the first implementation mode allows all users U! To Un to check the message sent by MSG and its signature SIGN; at the beginning of the check. This check consists in reorganization The signature issued by the sender, and compared with the received. In order to determine the concept, consider the situation illustrated in Figure 7: chip card CP; receiving each from chip card CPi Different information. The structure of this chip card Cpj is completely similar to (as if not the same as) the structure of the chip card CPi. It includes, in particular, the non-erasing memory whose reference number is M ', which is recorded in the key of π origin. MKSh to MKS22 (the memory locations are M ,, MU, and Mf5), two different keys dKS1 (j) and dKS2 (j) (the memory locations are M, and -21-535380) V. Invention Explanation (2) M,), the chip card CP of the identification data IR "(Info 'and Div', whose memory locations are M, and M'8), and the CTAj memory location of the confirmation M'9) , And two confirmation keys dKSA1 (i) and dKSA2⑴ in the preferred variation (the memory locations are M′ιο and M, 〖). The first different key, its reference number dKS! Is calculated as follows: it is based on the "origin" keys MKSh and MKS12, and the identification IDi received by the chip card CPi, and the request for a symmetric algorithm is preferably " T-DES "(reference number 5a). The identification IDi is entered on the data input. These π origin π keys MKSu and MKS12 are transmitted to the input of the key. The second different mirror key is calculated in the same way with the help of "T-DES" 5b, based on the origin keys MKS21 and MKS22, and the IDi, which is also received. These calculated different keys ^ 1 feet 81 and dKS2 can be temporarily stored in the registers 6a and 6b, or in the location (not shown) of live memory (RAM), which is usually equipped with Chip card. The reference number of this figure 3 is "T-DES" of 5c. It receives the previously calculated key at the key input terminal, and receives the message MSG transmitted by the chip card C pi at its data input terminal, and may generate the signature. Number of sentences CGS. The reference number of the data at the output of module 5c is SIGN, which is considered to represent the signature SIGNi issued by the chip card cpi. The corresponding data can be stored in the temporary register 6c or saved. The location of the memory (RAM). It is provided with a comparison operation performed by module 7. If this reassembled signature S IGN is the same as the received signature SIGNi, the result (the signal on output s or Information) is affirmative, and this signature is confirmed. -22- V. Description of the Invention (21) The chip card CPj also receives the identification CTAi (refer to Figure 7) from the chip card CPi. This confirmation can be used by module 8 Check by means of the public key KP transmitted by the confirmation manager CA (Figures 1 and 4). As it is called, this public key KP is owned by all users Ui (if there are several different groups, at least Is inside the same group Used by the user). The verification data of the identification CTAi is freely available on the output terminal s. In order to design the map well, these `` T-DES '' 5a to 5c, these registers 6a to 6c, the comparison device 7 and the checking device 8 are displayed outside the chip card CPj. Needless to say, this is the same as before, these devices should be set in the chip card. These different keys and their calculation results should not be pooled Exposed to the outside world. In addition, this implemented function can request software assistance in whole or in part. Now refer to FIG. 9 to illustrate the verification of signatures generated in accordance with the second implementation mode of the method according to the present invention. In the figure (especially Fig. 8) the same components have the same reference numbers and will only be explained again when necessary. As before, a different key dKSi is calculated based on the IDi received by the chip card CPi. In contrast, the different mirror key dKS2 (j) 'stored in the chip card CPj is a key that is directly used as a signature. Assume that the key dKS2⑴ is based on the "origin" key MK by diversification S21 and MKS22 and IDj provided by chip card CP ″. This key dKS2⑴ and the calculated key ^ 1 & 81 are the input terminals of the key transmitted to nT-DESM5c, which are the same as those previously described in the data of -23-535380 V. Description of Invention (22) The input terminal receives the transmitted Message MSG, and optionally receive the signature calculation CSG. The rest of the process is the same as that used to describe the first implementation mode (brother 9Η) and will not be explained again. The CTAi is checked in the same way as before. In the two examples of signatures calculated here, SIGN is never provided to the outside world, and only the results of the comparison can be revealed. Summarizing earlier, since these different keys (which are, for example, the secrets of each chip card of C p i), and the result of this signature calculation do not leave the chip card, the result is that the system cannot be discarded. Reference is now made to Figure 10 to illustrate the verification of the signature SIGNi. All users U_j who check the signature generated by another user (such as Ui) can submit the following items to the confirmation manager: IDi of the signer, CTAi of this identification, and The signature SIGNi, such confirmatory information ASIGNi, and the optional information CGS generated by the signature. Based on this information, the confirmation manager CA calculates different signatures dKSA1 (i) and dKSA2⑴ based on the following: the origin key pair MKSAm to MKSA22 and the chip card 0 ?, the signatory and / or its holder Ui (in its After confirming the control of identification), the identification IDi is used to control these signature confirmation data ASIGN 丨. On the one hand, the origin key pair MKSAh-MKSA ^, and on the other hand, the origin key pair MKSA21-MKSA22 are transmitted to the input terminals of the keys of the two modules "T-DES" 9a and 9b, which are at its data input terminals. Receive the identification IDi on the module. The output end of these modules provides different verification keys for signatures-24-535380 V. Description of the invention (23) Keys dKSA1 (i) and dKSA2⑴, which are transmitted to the third reference number 9c "T-DES" key input terminal. This "T-DES" receives the signal SIGNi and optional signature on its data input terminal to generate calculated data CGS. The information ASIGN appearing on the output of "T-DES" 9c reasonably represents the recombined ASIGNi data. It is therefore compared with ASIGN in the comparator module 9d. The result of the comparison, whether positive or negative, is free to use on the output terminal S "of the module 9d. This result is returned to the user who actually made the request, such as the user U ^ j. The keys dKSAi⑴ and dKSA2⑴ and “T-DES” 9e are signed. Of course, these keys dKSAi⑴ and dKSA2⑴ cannot be transmitted directly to the user Uj, but are recalculated by the confirmation manager CA in the following manner: By executing Sf'T- DES "(not shown), and on the one hand by the origin key MKSAn-MKSA12, on the other hand by the origin key MKSA21-MKSA22, and the user Uj identification piece IDj, a calculation method similar to the keys dKSAi⑴ and dKSA2⑴ . The signature R generated at the output of the "T-DES" 9e can be used by the user U j with his own authentication keys dKSAi⑴ and dKSA2 ·), and supplemented by the implementation of the "T-DES" (not shown) (Shown) and decrypted. Selectively, you can require a password (pass-word) or a completely similar identification method (" PIN "code, etc.) to strengthen the security of this process. After reading the above description, you can easily detect The present invention fully achieves the goal set by it. It (especially in the preferred variant embodiment) ensures greater security and the possibility of obtaining an inalienable signature, which does not need to be used at -25-535380. 2. Description of the invention (24) The asymmetric encryption method in the chip card, and the electronic chip is easily loaded into the terminal in a more general way. Therefore, it is possible to use a device equipped with the standard §10 calculation and fe, body device. Electronic chips. Especially electronic chips do not need to be equipped with a common mathematical processor. As a result, the cost and complexity of this method are kept within acceptable limits for the use of the so-called "public public". However It should be obvious that the present invention is not limited to the embodiments explicitly described, especially with respect to the embodiments of Figs. 1 to 10. In particular, although the asymmetric & qu ot; RSA "algorithm and symmetric nDES" algorithm are particularly advantageous, the present invention is not limited to these algorithms in any way. Other algorithms, whether symmetrical or asymmetric, are fully considered. Choice of special algorithms It only constitutes the choice of the technical scope of this industry (especially according to the actual application involved). Explanation of Symbols 1 Module 3 Algorithm 31 Algorithm 4 Counter 5a Algorithm 8 Checker 10 Step CA Confirmation Manager CPi Chip Card CTAi Confirmation Piece-26 -535380 V. Description of the invention (25) dKS 1 different recording key dKS2 different key KA private key PK public key M key 1 must body MKS ι ι origin key N MKSi2 origin key SIGN signature host Ui user Uj user -27-