WO2004028079A1 - データ処理方法、そのプログラムおよびその装置 - Google Patents
データ処理方法、そのプログラムおよびその装置 Download PDFInfo
- Publication number
- WO2004028079A1 WO2004028079A1 PCT/JP2003/011802 JP0311802W WO2004028079A1 WO 2004028079 A1 WO2004028079 A1 WO 2004028079A1 JP 0311802 W JP0311802 W JP 0311802W WO 2004028079 A1 WO2004028079 A1 WO 2004028079A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- authentication
- key
- authenticated
- key data
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
- G06F21/35—User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
Definitions
- the present invention relates to a data processing method for performing a predetermined process based on an authentication result, a program therefor, and a device therefor.
- the authentication source holds the mutual authentication key data for all the authentication destinations, and exchanges the mutual authentication key data corresponding to the authentication source with each of the authentication sources. Select to perform mutual authentication.
- the authentication source confirms the validity of the authentication destination by the mutual authentication
- the authentication source identifies in advance the process permitted to the authentication destination based on a management table or the like, and executes the identified process.
- the authentication destination needs to hold the mutual authentication key data corresponding to all the authentication sources, and there is a problem that the management burden of the mutual authentication key data is large.
- a process permitted by the authenticated means after the authenticating means has authenticated the authenticated means is an object of the present invention to provide a data processing method, a program, and a device thereof, which make it possible to reduce the processing load on the authentication means when executing the processing.
- a data processing method comprises: an authenticated unit that holds first authentication data generated by performing encryption using a key device; A data processing method performed by an authentication unit that holds key data, wherein the authenticated unit provides key specification data that specifies the key data to the authentication unit; and A second step of performing the encryption using the key data specified by the key specification data received in the first step to generate a second authentication data; and Means for performing authentication using the first authentication data, the authentication means performing authentication using the second authentication data, and the authentication means comprising the third step According to the authentication, the first authentication data and the second authentication data are the same. If it is determined that it is, and a fourth step for executing a process associated with the Kagide Isseki.
- the operation of the data processing method of the first invention is as follows.
- the means to be authenticated provides the authentication means with a key designation data for designating the key data.
- the authentication means performs the encryption using the key data specified in the key specification data received in the first step, and performs a second authentication data. Produce evening.
- the means to be authenticated performs authentication using the first authentication data, and the authentication means performs authentication using the second authentication data.
- the authentication means determines that the first authentication data and the second authentication data are the same based on the authentication in the third step. Then, a process associated with the key data is executed.
- a data processing system comprises: an authenticated unit that holds a first authentication data generated by performing encryption using key data; and an authentication unit that holds the key data.
- the authenticated means provides key designation data for designating the key data to the authentication means
- the authentication means comprises: a key designation data received from the authenticated means.
- a second authentication data is generated by performing encryption using the specified key data, the authenticated means uses the first authentication data, and the authentication means uses the second authentication data.
- the authentication unit performs authentication using the authentication data of the first authentication data, and the authentication unit determines that the first authentication data and the second authentication data are the same by the authentication. Then, a process associated with the key data is executed.
- the means to be authenticated provides a key designation data for designating the key data to the authentication means.
- the authentication means performs the encryption using the key data designated by the key designation data received in the first step to generate a second authentication data.
- the authenticated means performs authentication using the first authentication data, and the authentication means performs authentication using the second authentication data.
- the authentication unit holding predetermined key data stores the first authentication data generated by performing encryption using the key data.
- a data processing method for performing authentication with authentication means comprising: a first step of receiving a key designation data for designating the key data from the authenticated means; and the key received in the first step.
- the data processing device of the fourth invention performs authentication with a means to be authenticated that holds a first authentication data generated by performing encryption using predetermined key data, A data processing device that stores the key designation data specifying the key data from the authenticated unit; and the key designation data specified by the key designation data received by the input unit.
- the encryption is performed to generate a second authentication data, and the first authentication data is used for authentication using the second authentication data.
- the key Control means for executing a process associated with the data.
- a program according to a fifth aspect of the present invention is a program for performing authentication with a means to be authenticated, which holds a first authentication data generated by performing a decryption process using a predetermined key data,
- the authenticated means for using the first authentication data for authentication, a third procedure for performing the authentication, and the authentication in the third procedure, If it is determined that the first authentication data and the second authentication data are the same, And a fourth procedure for executing the linked processing.
- the authentication means for holding the key data performs encryption using the key data designated by the authenticated means for holding the first authentication data.
- Generating a second authentication data performing authentication with the means to be authenticated using the second authentication data, and by performing the authentication, the first authentication data and the second authentication;
- a data processing method performed by the authenticated means when performing a process associated with the key data, on condition that it is confirmed that the password is the same as the password.
- the authentication means for holding the key data is encrypted using the key data designated by the authenticated means for holding the first authentication data.
- To generate a second data for authentication perform authentication with the means to be authenticated using the second data for authentication, and perform the authentication to obtain the first data for authentication and the second data.
- a data processing device that constitutes the authenticated means when performing a process associated with the key data on condition that it is confirmed that the data for authentication is the same as the data for authentication.
- the authentication means for holding the key data performs encryption using the key data designated by the authenticated means for holding the first authentication data.
- To generate a second authentication data perform authentication with the means to be authenticated using the second authentication data, and perform the first authentication data and the second authentication data by the authentication.
- the program executed by the data processing device constituting the authenticated unit is used.
- FIG. 1 is an overall configuration diagram of a communication system according to an embodiment of the present invention.
- FIG. 2 is a functional block diagram of the management device shown in FIG.
- FIG. 3 is a flowchart for explaining an outline of a processing procedure performed by the management device shown in FIG.
- FIG. 4 is a diagram for explaining a card used in processing related to the AP editing tool and the management tool shown in FIG.
- FIG. 5 is a functional block diagram of the IC card shown in FIG.
- FIG. 6 is a diagram for explaining data stored in the memory shown in FIG.
- FIG. 7 is a diagram for explaining a software configuration of the SAM module shown in FIG.
- FIG. 8 is a diagram for explaining a hardware configuration of the SAM module shown in FIG. 1 and a storage area of the external memory 7.
- FIG. 9 is a diagram for explaining the AP storage area shown in FIG.
- FIG. 10 is a diagram for explaining application element data overnight.
- FIG. 11 is a diagram for explaining the types of application element data AP.
- FIG. 12 is a flowchart for explaining a procedure for creating an owner key and a user key.
- FIG. 13 is a diagram for explaining the mutual authentication key data.
- FIG. 14 is a diagram for explaining the mutual authentication code.
- FIG. 15 is a diagram for explaining the relationship between the mutual authentication key data and the service.
- FIG. 16 is a diagram for explaining a method of generating the degenerate key data.
- FIG. 17 is a diagram for explaining another generation method of the degenerate key data.
- FIG. 18 is a diagram for explaining the hierarchy of encryption of degenerated key data.
- FIG. 19 is a diagram for explaining an example of the characteristics of the degenerated key data.
- FIG. 20 is a diagram for explaining an example of a usage pattern of the mutual authentication key data.
- FIG. 21 is a flowchart for explaining the mutual authentication between the SAM management unit and the SAM unit of the management device shown in FIG.
- FIG. 22 is a continuation flowchart of FIG. 21 for explaining the mutual authentication between the SAM management function unit and the SAM unit of the management device shown in FIG.
- FIG. 23 is a flowchart for explaining the processing of the SAM unit.
- FIG. 24 is a diagram for explaining a screen used for issuing various forces related to the management device described with reference to FIGS. 2 and 4.
- FIG. 25 is a diagram for explaining an owner card creation screen.
- FIG. 26 is a diagram for explaining the card request screen.
- FIG. 27 is a diagram for describing a user force creation screen.
- FIG. 28 is a diagram for explaining a screen for creating an AP encryption card.
- FIG. 29 is a diagram for explaining a screen for creating a transport card.
- FIG. 30 is a diagram for explaining the SAM management screen.
- FIG. 31 is a diagram for describing a screen showing an example of display contents of the SAM area shown in FIG. 30.
- FIG. 32 is a diagram for explaining icons displayed in the SAM area shown in FIG.
- FIG. 33 is a diagram for explaining the SAM network screen.
- FIG. 34 is a diagram for explaining the group screen.
- FIG. 35 is a diagram for explaining the SAM screen.
- FIG. 36 is a diagram for explaining the AP storage area screen.
- FIG. 37 is a diagram for explaining the APE type screen.
- FIG. 39 is a screen when the SAM command on the menu bar shown in FIG. 30 is specified.
- FIG. 40 is a diagram for explaining a case where a SAM group is created on the SAM management screen shown in FIG.
- FIG. 41 is a diagram for explaining the AP storage area editor screen.
- FIG. 42 is a diagram for describing a screen for adding a package of Application Element Data AP.
- FIG. 43 is a diagram for explaining a screen for creating the application element data APE.
- FIG. 44 is a diagram for explaining a screen for adding a version of the application element data APE.
- FIG. 45 is a diagram for explaining the AP storage area editing screen after a series of processing.
- FIG. 1 is an overall diagram of a communication system 1 of the present embodiment.
- the communication system 1 is composed of a server 2, a smart card 3, a smart reader 4, a personal computer 5, an ASP (Application Service Provider) Device, 19, SAM (Secure Application Module) units 9a, 9b, ..., management device 20, and mobile communication device 41 with built-in IC module 42 Communication is performed via the network 10 to perform a procedure such as a settlement process using the IC force 3 or the portable communication device 41.
- the management device 20 and the SAM units 9a and 9b perform processing according to the embodiment corresponding to the present invention.
- the management device 20 executes a predetermined process permitted by an administrator or the like in the SAM.
- a process for issuing a card (for example, an owner card and a user card, which will be described later) containing an IC (the integrated circuit of the present invention) used to cause the units 9a and 9b to perform the process is performed.
- the data required for mutual authentication is provided to the means to be authenticated.
- the management device 20 performs mutual authentication with the SAM units 9a and 9b using the issued card by an administrator or a user, and executes the above-described predetermined processing permitted by the SAM unit. 9a and 9b.
- the management device 20 is the authentication means of the present invention
- the SAM units 9a and 9b are the authentication means of the present invention.
- FIG. 2 is a functional block diagram of the management device 20.
- the management device 20 includes, for example, an AP editing tool 51, a management tool 52, a power driver / writer 53, a display 54, an I / F 55, and an operation. It has a part 56.
- the management device 20 corresponds to the data processing device of the eighth invention
- the I / F 55 is the first means of the present invention
- the SAM management function unit 57 is the second device of the present invention. And third means.
- the AP editing tool 51 and the management tool 52 may be realized by executing a program (corresponding to the program of the ninth invention) on a data processing device, or by an electronic circuit (hardware). May be.
- the management tool 52 has, for example, a SAM management function unit 57 and a card management function unit 58.
- the leader / writer exchanges non-contact or contact data with the ICs of the following cards in a non-contact or contact manner.
- Display 54 is used to display the card issue screen and AP management screen ⁇
- the I / F 55 exchanges data with the SAM units 9a and 9b in a non-contact or contact manner.
- the operation unit 56 is used for inputting an instruction data to the AP editing tool 51 and the management tool 52.
- FIG. 3 is a flowchart for explaining an outline of a processing procedure performed by the management device 20.
- the management device 20 uses the default card 71 set in the card reader / writer 53 by the card management function unit 58 in response to the operation of the administrator to set a predetermined time. S Create a new one 7 2 Also, a user card 73 is created using the owner card 72.
- the management device 20 performs the processing for permitting the authenticated means using the owner card 72 and the user card 73 among the processing relating to the SAM units 9a and 9b (authentication means of the present invention).
- device key data to be described later is encrypted by a predetermined encryption method (a predetermined generation method of the present invention).
- a degenerate key (which is the first authentication data of the present invention) for which it is difficult to recover the data is generated.
- the management device 20 compares the generated degenerate key data and the key specification data for specifying the mutual authentication key data used for generation of the degenerated key data with the owner key 72 and Write to the IC (integrated circuit of the present invention) of the user card 73.
- the management device 20 creates a transport card 74 and an AP encryption card 75.
- the user of the owner card 72 or the user card 73 uses these forces to execute processing authorized for the user via the management device 20 through the SAM units 9a and 9a. b), the user enters the key designation data stored in the owner card 72 or user IC 73 into the force reader / writer 53 of the management device 20. Let me read the evening.
- the SAM management function unit 57 of the management device 20 outputs the read key designation data to the SAM units 9a and 9b.
- the SAM units 9a and 9b encrypt the device key data with the predetermined encryption method using the mutual authentication key data specified by the key specification data, and generate a degenerate key data. To generate the second authentication data).
- the SAM management function unit 57 performs authentication using the degenerated key data read from the force 72 or 73, and the SAM units 9a and 9b perform authentication using the generated degenerated key data.
- the management device 20 In response to the instruction from, a process associated with one or more mutual authentication key data used to generate the degenerated key data is executed.
- FIG. 4 is a diagram for explaining a card used in the processing related to the AP editing tool 51 and the management tool 52 shown in FIG.
- the owner card 72 and the user card 73 are used.
- the encryption key data stored in the AP encryption key 75 is stored. By using this, the AP package file is encrypted.
- the user creates application element data APE constituting the application program AP in the SAM module 8 using the AP editing tool 51. Then, the AP editing tool 51 is used by one or more application
- An AP package file including the data AP E is created, and is provided to the management module 52 by using the encryption key data stored in the AP encryption card 75 to perform the encryption. .
- the management tool 52 performs the mutual authentication with the SAM units 9a and 9b, and associates the SAM units 9a and 9b with the SAM units 9a and 9b that are permitted in association with the mutual authentication key data used for the mutual authentication.
- the transport card 74 is used for extracting security-related data such as key data stored in the SAM units 9a and 9b, transferring the data to another device, storing the data, and the like.
- FIG. 5 is a functional block diagram of the IC card 3.
- the IC card 3 has an IC (Integrated Circuit) module 3 a provided with a memory 50 and a CPU 51.
- IC Integrated Circuit
- the memory 50 is a storage area 55-1 used by a service provider 15-1 such as a credit card company, and a storage area 5 used by a service provider 15-2. 5-2 and storage area 5 5_3 used by service provider 1 5-3
- the memory 50 is used to determine the access authority to the storage area 55-1, and the key data used to determine the access authority to the storage area 55-2. One night, and the key data used to determine the access authority to the storage area 55-3 are stored.
- the key data is used for mutual authentication, data encryption and decryption, and the like.
- the memory 50 stores the IC card 3 or the identification data of the user of the IC card 3.
- the mobile communication device 41 is connected to an ASP server via the mobile phone network and the Internet 10.
- the IC module 42 has the same function as the above-described IC module 3 a of the IC card 3 except that the IC module 42 exchanges data with the communication processing unit 43 of the mobile communication device 41.
- the processing using the portable communication device 41 is performed in the same manner as the processing using the C card 3, and the processing using the IC module 42 is performed in the same manner as the processing using the IC module 3a.
- the processing using the IC card 3 and the IC module 3a will be exemplified.
- the SAM units 9a and 9b have an external memory 7 and a SAM module 8.
- the SAM module 8 may be realized as a semiconductor circuit, or may be realized as a device in which a plurality of circuits are accommodated in a housing.
- the SAM module 8 has a software configuration as shown in FIG. As shown in Fig. 7, the SAM module 8 is logically integrated from the lower layer to the upper layer, including the hardware HW layer and the dryno layer (RTS layer) including the RTOS force channel corresponding to the peripheral HW. It has a lower handler layer that performs unit processing, an upper handler layer that collects application-specific libraries, etc., and an AP layer in order.
- an application program that defines the procedures using IC force 3 by service providers 15-1, 15-2, and 15-3 such as the credit force company shown in Fig. 1 AP-1, AP__2, AP__3 are read from the external memory 7 and operate.
- FIG. 8 is a diagram for explaining a hardware configuration of the SAM module 8 and a storage area of the external memory 7.
- the SAM module 8 has, for example, a memory I / F 61, an external I / F 62, a memory 63, an authentication unit 64, and a CPU 65, and these are connected via a bus 60.
- the SAM module 8 corresponds to the data processing device of the fourth invention
- the external I / F 62 is the input means of the present invention
- the authentication unit 64 is the authentication means of the present invention
- the CPU 65 is the control means of the present invention. Each one corresponds.
- the SAM module 8 may correspond to the data processing device of the fifth invention, and execute a program including the following procedures to realize the function.
- the memory I / F 61 exchanges data with the external memory 7 overnight.
- the external IZF 62 exchanges commands and exchanges commands with the ASP server devices 19a and 19b and the management device 20 shown in FIG.
- the memory 63 stores various key data used for mutual authentication of the SAM units 9a and 9b, which will be described later.
- the key data may be stored in the AP management storage area 221 of the external memory 7.
- the authentication unit 64 performs a process related to mutual authentication described later.
- the authentication unit 64 performs, for example, encryption and decryption using a predetermined key sequence.
- the CPU 65 controls the processing of the SAM module 8 as a whole.
- the CPU 65 when confirming that it is a valid partner in the mutual authentication, allows the authenticated means to perform a process associated with the mutual authentication key data described later, and Execute.
- the storage area of the external memory 7 includes an AP storage area 220-1 (service AP resource area) in which the application program AP-1 of the service provider 15-1 is stored.
- AP storage area 2-20-2 where application program AP-2 of service provider 15 ⁇ 2 is stored and application program AP-3 of service provider 15-3 is stored
- AP management storage area 221 system AP resource area and manufacturer AP resource area
- the application program AP-1 stored in the AP storage area 222-0-1 is composed of a plurality of application elements A PE (data module of the present invention) described later. Access to the AP storage area 220-1 is restricted by the firewall FW-1.
- the application program AP-2 stored in the AP storage area 220-2 is composed of a plurality of application elements AP E as shown in FIG. Access to the AP storage area 220-2 is restricted by the firewall FW-2.
- the application program AP-3 stored in the AP storage area 220-3 is composed of a plurality of application element data APE. Access to the AP storage area 220-3 is restricted by firewall FW-3 (shown in Figure 8).
- the above-mentioned abrication element data AP is, for example, the minimum unit downloaded from the outside of the SAM unit 9a to the external memory 7.
- the number of application element data APs that constitute each application program can be determined arbitrarily by the corresponding service provider.
- the application programs AP-1, AP-2, and AP-3 are, for example, personal computers 15-1, 15-2, 15-3 shown in FIG. Created by one 1, 16-2, 16-3, S AM Downloaded to external memory 7 via module 8.
- FIG. 10 is a diagram for explaining the application element data APE described above.
- the application element data APE is configured using an instance specified by an APE type indicating a classification specified based on an attribute (type) of the APE.
- Each instance is specified by an element ID, element properties, and element version.
- the service AP storage area 220-1 stores data accessible to each service provider.
- the AP management storage area 221 includes a system AP storage area for storing data accessible to a system administrator, and a manufacturer AP storage area for storing data accessible to a system manufacturer. Having.
- the AP storage area is configured by the service AP storage areas 220-1, 220-2, 220-3 and the AP management storage area 221.
- an ID (AP storage area ID) is assigned to each of the above-described service AP storage areas 220-1, 220-2, 220-3 and the AP management storage area 221.
- An identification number (APE type number, instance number, and element version number) is assigned to each instance and element version.
- FIG. 11 is a diagram for explaining one example of the APE type.
- the APE type includes IC system key data, IC area key data, IC service key data, IC degenerate key data, IC key change package, IC issuance key package, and IC extension issuance key packet.
- Each APE type is assigned an APE type number.
- the IC system key data, the IC area key data, the IC service key data, and the IC degenerate key data are stored in the card access used for reading / writing data from / to the C card 3 and the memory 50 of the IC module 42. It's a key night.
- the SAM mutual authentication key data is a key data used when the corresponding application element data AP E is accessed from another AP or another SAM in the same SAM.
- the key package for dividing the IC memory is a data package used by the service provider to divide the storage area of the external memory 7 and the memory of the IC card 3 before the operation of the service using the IC card 3 is started. is there.
- the IC area registration key package is data used when the service provider registers an area in the memory area of the memory of the IC card 3 before the operation of the service using the IC card 3 is started.
- the IC area deletion key package is a package that can be automatically generated inside the SAM from the moment the card access key is deleted.
- the key package for IC service registration is provided by the service provider before the operation of the service using the IC card 3 starts. Used to register a PE.
- the IC service deletion key package is used to delete the application element data APE registered in the external memory 7.
- FIG. 12 is a flowchart for explaining the procedure for creating the owner card 72 and the user card 73.
- FIG. 12 shows steps ST1 and ST2 shown in FIG. 3 in detail.
- the administrator when the administrator creates the owner card 72, the administrator selects the processes related to the SAM units 9a and 9b to be permitted to the owner card 72 user.
- the administrator when the administrator or the like creates the user card 73, the administrator selects the processes related to the SAM units 9a and 9b that are permitted to the user of the user card 73.
- the processing related to the SAM units 9a and 9b includes, for example, processing for executing the functions provided by the SAM units 9a and 9b or data held by the SAM units 9a and 9b (for example, application element data). Access to APE overnight.
- the administrator or the like selects the mutual authentication key data associated with the process selected in step ST11, and inputs or designates it in the card management function unit 58 of the management device 20.
- the mutual authentication key data will be described later in detail.
- the card management function unit 58 of the management device 20 uses the one or more mutual authentication key data selected in step ST12 to perform a degeneration key based on a degeneration processing method (predetermined generation method of the present invention) described later. Produce de overnight.
- Step ST 14 The force management function unit 58 of the management device 20 generates key designation data indicating the mutual authentication code used to generate the degenerate key data used in step ST13 to identify the mutual authentication key data. I do.
- the key designation data is a data which is obtained by the user of the owner card 72 or the user card 73 and indicates the authority to execute the processing related to the SAM units 9a and 9b.
- the force management function unit 58 of the management device 20 transmits the degenerated key data generated in step ST13 and the key designation data generated in step ST14 to the owner card 72 or the user. Write to IC of card 73.
- the card management function unit 58 of the management device 20 registers the mutual authentication key data used for generating the degenerate key data in step ST13 in the SAM units 9a and 9b.
- the mutual authentication key data to be selected in step ST12 shown in FIG. 12 will be described.
- FIG. 13 is a diagram for explaining the mutual authentication key data to be selected in step ST12 shown in FIG.
- the mutual authentication key data includes, for example, a device key data, an evening mine key data, a manufacturing setting service mutual authentication key data, and a device management service data.
- Authentication key data communication management service mutual authentication key data, mutual authentication service mutual authentication key data, AP storage area management service mutual authentication key data, service AP storage area mutual authentication key data, system There are AP storage area mutual authentication key data and manufacturer AP storage area mutual authentication key data.
- the mutual authentication code of the mutual authentication key data is changed to the AP storage area ID and the element type number described with reference to FIG. 10 as shown in FIG. , Element instance number and element version number.
- the key designation data generated in step ST14 shown in FIG. 12 will be described.
- the key designation data is a mutual authentication code list configured using the mutual authentication code of the plurality of mutual authentication key data described above.
- FIG. 15 is a diagram for describing an example of key designation data.
- step ST12 of Fig. 12 for example, the device key data, the device management service mutual authentication key data, the communication management service mutual authentication key data, the AP storage area management service mutual authentication key data, and the service shown in Fig. 13
- the AP storage area mutual authentication key data and the evening / minute key data are selected, as shown in Fig. 15 (A)
- all of the selected mutual authentication key data are displayed.
- step ST13 shown in FIG. 12 when the degenerated key data is generated using the mutual authentication key data of the mutual authentication code shown in FIG. 15 (A), the degenerated key data is generated.
- the device management service, communication management service, and 1C service (IC) are managed by the mutual authentication with the used SAM units 9a and 9b.
- Service 3 and IC module 4 2 1) mutual authentication service and AP storage area management service are permitted.
- the access to the equipments of the SAM units 9a and 9 and the data (for example, the application element data APE) held by the SAM units 9a and 9b are included.
- the degenerate key data can be generated using the mutual authentication key data associated with each process.
- the SAM units 9a and 9b hold the data of the SAM units 9a and 9b and the data held by the SAM units 9a and 9b. It is possible to judge collectively whether or not to permit access to the means to be authenticated for both access to overnight.
- the SAM units 9 a and 9 b authenticate the means to be authenticated as valid.
- the processing related to the predetermined function associated with the mutual authentication key data is executed, and the data stored in the SAM units 9a and 9b are held. Is permitted from the authenticated means.
- step ST13 shown in FIG. 12
- FIG. 16 is a flowchart for explaining the degeneration processing method.
- the force management function unit 58 of the management device 20 uses the device key data as a message, and stores the data other than the device key data and the minute key data selected in step ST12 shown in FIG. Using the first one of the mutual authentication key data as an encryption key, the device key data is decrypted to generate intermediate key data.
- the card management function unit 58 sends the intermediate key data The processing of the next step ST22 is performed using one night.
- the card management The encryption is performed using the key data as a message and the next mutual authentication key data as an encryption key.
- the card management function unit 58 repeats the above processing until the above encryption is performed using the device key data selected in step ST12 and all the mutual authentication key data other than the termination key data as an encryption key. When the processing is completed, the process proceeds to step ST22.
- the card management function unit 58 performs encryption using the intermediate key data obtained in step ST21 as a message, and the evening mine key data as an encryption key, and performs degeneration key decoding. Produce evening.
- the evening key data is tamper-proof key data and is retained only by the administrator are doing.
- the above-mentioned evening termination key data includes the owner termination key data possessed only by the administrator (owner) and the user authorization key data given by the administrator.
- degenerate key data is generated by a predetermined degeneracy processing method using the user's user one minute key and one key owned by the user.
- FIG. 17 is a flowchart for explaining the degeneration processing method.
- steps ST 31 and S 32 has been described using FIG. 16 except that the above-mentioned owner / minute key data is used as the evening / minute key data—evening. This is the same as the processing in steps ST2 1 and ST2.
- the degenerated key data generated in step ST32 is the user termination key data.
- a user who is given an evening is a degenerate key that can be expanded in the sense that it can be expanded.
- the key management function unit 58 of the management device 20 uses the extensible degenerate key data generated by the owner as a message and a mutual authentication key data other than the user's user selection key data selected by the user. Using the first one as an encryption key, encrypts the device key data to generate intermediate key data.
- step ST22 the key management function unit 58 sends the intermediate key key to the key.
- the process of step ST22 is performed.
- the card management function unit 58 sends the intermediate key data to the The encryption is performed using the next mutual authentication key as an encryption key.
- the card management function unit 58 stores the selected user key and minion key data after the selected user key. The above process is repeated until the above encryption is performed using all the other mutual authentication key data as an encryption key, and when the process is completed, the process proceeds to step ST34.
- the card management function unit 58 performs encryption using the intermediate key data obtained in step ST33 as a message and the user data and the minion key data as a symbol key to degenerate. Generate a key key overnight.
- the user evening key data is falsification prevention key data, and is held only by the owner and the user.
- the degenerate key data generated by the process shown in FIG. 17 is obtained by encrypting the mutual authentication key in the hierarchy as shown in FIG.
- a single mutual authentication key data (for example, the service, system, and manufacturer AP storage area mutual authentication key data shown in FIG. 13) includes a plurality of application element data.
- AP E may be associated.
- SAM units 9a and 9b determine whether or not to permit access to the application element data APE associated with the single mutual authentication key data by performing authentication using the degenerate key data. You can judge all at once.
- the mutual authentication key data 500 is associated with the permission C of the instance a of the application element database A and the permission B of the instance b. Therefore, if authentication using the degenerated key data obtained by degenerating the mutual authentication key data 500 is successful, the SAM units 9a and 9b permit access to both the instances a and b.
- the key and the MK 2 may be used in pairs.
- the online mutual authentication key data MK1 is used when performing mutual authentication
- the corresponding offline mutual authentication key data MK1 is used when exchanging data with the partner who has performed mutual authentication.
- the data to be exchanged using 2 is encrypted.
- the management device 20 is the means to be authenticated, and the SAM units 9a and 9b are the means for authentication.
- FIGS. 21 and 22 are flowcharts for explaining the mutual authentication between the SAM management function unit 57 of the management device 20 and the SAM unit 9a.
- the administrator or the user sets the owner power 72 or the user power 73 to the card reader / writer 53.
- the degenerated key data Ka (the first authentication data of the present invention) and the key designation data stored in the owner password 72 and the user card 73 are stored in the management device 20. Read into the SAM management function section 57.
- the SAM management function unit 57 generates a random number Ra.
- the SAM management function unit 57 uses the degenerate key data Ka read in step ST51 to encrypt the random number Ra generated in step ST51 using the B-conversion algorithm 1. To generate a day Ra R '.
- the SAM management function unit 57 outputs the key designation data read in step ST51 and the data Ra generated in step ST52 to the SAM unit 9a.
- the SAM unit 9 a inputs the key designation data and the data Ra ′ via the external I / F 62 shown in FIG. 8 and stores them in the memory 63.
- Step ST 54
- the authentication unit 64 of the SAM unit 9a extracts the mutual authentication key data indicated by the key designation data input in step ST53 from the mutual authentication key data stored in the memory 63 or the external memory 7. Identify.
- the authentication unit 64 of the SAM unit 9a performs the above-described degeneration processing with reference to FIG. 16 or FIG. 17 using the mutual authentication key data identified in step ST54 to generate the degeneration key data Kb.
- the authentication unit 64 of the S AM unit 9a uses the degenerate key data Kb generated in step ST55 to perform the decryption algorithm 1 corresponding to the encryption algorithm 1 and the data Ra ′ input in step ST53. To generate a random number Ra.
- the authentication unit 64 of the SAM unit 9a encrypts the random number: a generated in step ST56 with the encryption key algorithm Kb using the degenerate key data Kb to generate data Ra " I do.
- Step ST 58
- the authentication unit 64 of the SAM unit 9a generates a random number Rb.
- Step ST 59
- the authentication unit 64 of the SAM unit 9a uses the degenerate key data Kb to W random number Rb generated at flop ST58, Isseki de encrypted with B sound No. algorithm 2 to generate R b 5.
- Step ST 60
- the authentication unit 64 of the SAM unit 9a outputs the data Ra "generated in step ST57 and the data Rb 'generated in step ST59 to the management device 20.
- the SAM management function unit 57 of the management device 20 decrypts the data Ra ′ and Rb ′ input in step ST60 using the decryption algorithm 2 corresponding to the above signal algorithm 2. To generate Ra and Rb.
- Step ST 62
- the SAM management function unit 57 of the management device 20 compares the random number Ra generated in step ST51 with the data Ra generated in step ST61.
- the degenerated key data Kb held by the SAM unit 9a is replaced by the degenerated key data Kb held by the SAM management function unit 57.
- Ka authenticates that SAM unit 9a is a valid authentication means.
- Step ST 63
- the SAM management function unit 57 of the management device 20 encrypts the data Rb generated in step ST61 using the degenerate key data Ka in the encryption algorithm 1, and converts the data Rb " Generate.
- the SAM management function unit 57 of the management device 20 outputs the data Rb 55 generated in step ST63 to the SAM unit 9a.
- the authentication unit 64 of the SAM unit 9a decrypts the data Rb ,, input in step ST64, using the decryption algorithm 1 to obtain the data Rb. Generate.
- Step S T 66
- the authentication unit 64 of the SAM unit 9a compares the random number Rb generated in step ST58 with the data Rb generated in step ST65.
- the degenerated key Kb held by the SA unit 9a is replaced by the degenerated key held by the SAM management function unit 57. This is the same as the data Ka, and the SAM management function unit 57 authenticates it as a valid authentication means.
- FIG. 23 is a diagram for explaining the processing of the SAM units 9a and 9b. Step ST 71:
- step ST66 shown in FIG. 22 the CPUs 65 of the SAM units 9a and 9b shown in FIG. 8 determine whether or not the authentication unit 64 has authenticated the authentication means. If it is determined that the process has been performed, the process proceeds to step ST72; otherwise, the process ends (that is, it is determined that the user does not have the authority to perform the process, and the process is not executed).
- the CPUs 65 of the SAM units 9a and 9b execute a process associated with the mutual authentication key data identified in step ST54 shown in FIG. As a result, a predetermined service requested by the means to be authenticated is provided. That is, the SAM units 9a and 9b determine that the means to be authenticated has the predetermined authority and execute the process permitted for the authority.
- An administrator or the like operates the operation unit 56 shown in FIG.
- the SAM management screen 750 is displayed on the display 54.
- an image 751 for instructing the creation of a management card for the management server is displayed.
- an image 752 indicating the network configuration of the SAM connected to the SAM network is displayed.
- the image 753 is displayed.
- Image 753 displays an image instructing creation of a personal card, creation of a user card, creation of an AP encryption card, and creation of a transport card.
- the force management function unit 58 shown in Fig. 2 creates the owner card shown in Fig. 25.
- Screen 760 is displayed on display 54.
- the used service selection image 761 is, for example, an image for selecting the contents of the service permitted to the created password 72.
- the service AP storage area designation image 762 is an image for selecting a form allowed for access to the service AP storage area using the created password 72.
- the system AP storage area designation image 763 is an image for selecting a form permitted for access to the system AP storage area using the owner card 72 to be created.
- the device / evening / minion key designation image 764 is an image for designating the device key data and evening / minion key data used to create the owner card 72.
- the designation confirmation instruction image 765 is an image for inputting an instruction for confirming the specified content.
- the administrator When the administrator completes the specification of necessary items on the owner password creation screen 760, the administrator specifies the specification confirmation instruction image 765 with the mouse or the like.
- the card set instruction screen 770 shown in FIG. 26 is displayed on the display 54.
- the force reset instruction screen 770 indicates that the default card 71 is to be set.
- the administrator causes the card reader 'writer 53 to read the data of the IC of the default card 71 1.
- the management function unit 57 checks the validity of the default card 71, and selects the mutual authentication key data associated with the service or the like selected by the administrator on the password creation screen 760. I do. This selection corresponds to the selection of step ST12 described using FIG.
- the card management function unit 58 shown in Fig. 2 displays the user card creation image shown in Fig. 27.
- the face 780 is displayed on the display 54.
- the user card creation screen 780 has a service selection image 781, a service AP storage area designation image 782, a system AP area designation image 783, a device / Yuichi minion key designation image 784, and The designation confirmation instruction image 7 8 5 is displayed.
- the used service selection image 781 for example, is an image for selecting the contents of the service permitted to the user card 73 to be created.
- the service AP storage area designation image 7 8 2 uses the user card 7 3 to be created. This is an image for selecting the form allowed for access to the service AP storage area.
- the system AP storage area designation image 783 is an image for selecting a form permitted for access to the system AP storage area using the user card 73 to be created.
- the device / evening / minion key designation image 784 is an image for designating device key data and evening / minion key data used to create the user card 73.
- the designation confirmation instruction image 785 is an image for inputting an instruction for confirming the specified content.
- the administrator When the administrator completes the specification of necessary items on the password creation screen 780, the administrator specifies the specification confirmation instruction image 785 with the mouse or the like.
- the card set instruction screen 770 shown in FIG. 26 is displayed on the display 54.
- the card setting instruction screen 770 instructs the user to set the password 72.
- the administrator causes the card reader / writer 53 to read the data of the IC of the password 72 2.
- the SAM management function section 57 Upon confirming the validity of the password 72, the SAM management function section 57 confirms the validity of the user password 72 on the user-created screen 780, which is associated with the service or the like selected by the administrator. Select the authentication key data. The selection corresponds to the selection in step ST12 described with reference to FIG.
- the card management function unit 58 shown in FIG. 2 causes the AP encryption function shown in FIG.
- the screen 90 90 is displayed on the display 54.
- the used service selection image 791 is, for example, an image for selecting the contents of a service permitted to the AP encryption key 75 to be created.
- the service AP storage area designation image 792 is an image for selecting a form permitted to access the service AP storage area using the AP encryption card 75 to be created.
- the system AP storage area designation image 793 is an image for selecting a form permitted for access to the system AP storage area using the AP encryption card 75 to be created.
- the device Z setting key designation image 794 is an image for designating the device key setting and the setting key key setting key used to create the APB encryption card 75.
- the designation confirmation instruction image 795 is an image for inputting an instruction for confirming the specified content.
- the administrator When the administrator completes the specification of the necessary items on the AP encryption card creation screen 790, the administrator specifies the specification confirmation instruction image 795 with the mouse or the like.
- the card set instruction screen 770 shown in FIG. 26 is displayed on the display 54.
- the card setting instruction screen 770 instructs, for example, to set the owner card 72.
- the administrator causes the card reader 530 to read the data of the IC of the owner card 72.
- the SAM management function section 57 Upon confirming the validity of the owner card 72, the SAM management function section 57 checks the mutual relations associated with the service or the like selected by the administrator on the AP encryption card creation screen 790. Select the authentication key. This selection corresponds to the selection in step ST12 described with reference to FIG.
- the force management function unit 58 shown in Fig. 2 causes the transport card creation screen shown in Fig. 29 to be displayed. 8 00 is displayed on the display 54.
- the transport card creation screen 800 specify the IP address of the SAM, AP storage area, APE type of application element data AP E, installation number, and version to be allowed as a target for data transfer. Display the image.
- the force management function unit 58 stores, based on the information specified on the transport force creation screen 800, the data permitted to be accessed in the storage areas of the SAM units 9a and 9b.
- the mutual authentication key data associated with the evening is reduced to generate a reduced key data, and this is written to the transport card 74.
- the administrator or the like selects that function and issues various types of force.
- the administrator can issue a card having the authority according to his or her own intention without explicitly giving the administrator the details of the mutual authentication key used in the process. As a result, it is possible to prevent information related to security of the SAM units 9a and 9b from leaking.
- FIG. 30 is a diagram for explaining the SAM management screen 1001.
- the SAM management screen 1001 has a menu bar 1002, a SAM area 1003, an attribute information display area 1004, a detailed information display area 1005, and a console area 1006.
- the menu bar 1002 is used to specify various operations of the force management function unit 58 shown in FIG.
- Such operations include file operations, SAM command operations, management tool card operations, console port operations, and help operations.
- the SAM directory area 1003 displays the SAMs (SAM units 9a and 9b) operated by the SAM management function unit 57 and the group to which the SAM belongs. The user does not want to select the SAM to be operated on the SAM area 1003.
- attribute information display area 1004 information on the SAM or group selected in the SAM directory area 1003 is displayed.
- the detailed information display area 1005 displays a list of the SAM selected in the SAM directory area 1003 and various information in the group.
- FIG. 31 is a view for explaining a screen showing an example of the display contents of the SAM directory area 1003.
- the SAM directory area 1003 displays the SAM operated by the SAM management function unit 57 and various icons indicating the group to which the SAM belongs.
- FIG. 32 is a diagram for explaining icons displayed in the SAM directory area 1003.
- the icons displayed in the SAM area 1003 include SAM network and guzo ), SAM (one SAM), AP storage area, APE type, and instance icons.
- an image corresponding to the SAM is displayed in the SAM area 1003 using a plurality of different patterns according to the operation state of the SAM.
- the SAM area 1003 includes an image corresponding to the SAM, and a pattern that can identify whether the SAM has been mutually authenticated, that is, whether or not the authenticity of the means to be authenticated has already been recognized. For display, the user can easily specify whether each SAM has completed mutual authentication.
- FIG. 33 is a diagram for explaining the SAM network screen 1010.
- the user designates a SAM network icon with a mouse or the like on the SAM network area 1003 shown in FIG. 31, a SAM network screen 1010 shown in FIG.
- SAM network screen L010 displays information about the IP address, port and status of the SAM connected to the SAM network, and groups.
- FIG. 34 is a diagram for explaining the group screen 1020.
- a group screen 1020 shown in FIG. 34 is displayed on the display 54.
- the group screen 1 0 0 0 displays information about the IP address, port and status of the SAM belonging to the specified group.
- FIG. 35 is a diagram for explaining the SAM screen 10030.
- the SAM screen 1 030 displays the ID of the AP storage area of the specified SAM and information on the use of the AP storage area.
- FIG. 36 is a diagram for explaining the AP storage area screen 104.
- the AP storage area screen 104 shown in FIG. 36 is displayed. Displayed on ray 54.
- the AP storage area screen 104 displays information on the type of the AP type and the number of the AP type of the specified AP storage area.
- FIG. 37 is a diagram for explaining the APE type screen 1550.
- the AP E type screen 1 050 displays information about the instance number, system code, area / service code, etc., that are configured using the specified AP E type.
- FIG. 38 is a diagram for explaining the instance screen 106.
- the instance screen 160 shown in FIG. 38 is displayed on the display 54. Is displayed.
- the instance screen 1 0 6 0 displays the operating status of the specified instance and the storage area. Area, I c service key, and instance number.
- FIG. 39 shows a screen when the SAM command of menu bar 1002 shown in FIG. 30 is specified.
- a SAM command screen 1070 shown in FIG. 39 is displayed on the display 54.
- the SAM command screen 1070 displays character images such as communication management, AP storage area management, log recording, negative list, and manufacturing settings, which are operations performed by SAM.
- character images such as status acquisition, service start, activation code change, single connection start, and connection disconnection are displayed.
- FIG. 40 is a diagram for explaining a case where a SAM group is created on the SAM management screen 1001 shown in FIG. '
- an operation screen 1100 is displayed.
- the operation screen 1100 displays a character image for giving instructions such as creating a SAM group, adding a SAM, and acquiring the latest status of the SAM.
- the user can specify a group consisting of a plurality of selected SAMs, for example, by specifying a character image created by the SAM group using a mouse or the like.
- the SAM management function unit 57 simply issues an instruction to output the key designation data to the group, and all SAMs (SAM units 9a and 9b) belonging to the group will receive the key designation. Data is provided collectively.
- the process associated with the mutual authentication data corresponding to the degenerate key data held by the SAM management function unit 57 can be collectively performed for the SAM.
- FIG. 41 is a diagram for explaining the AP storage area editing screen 1200. As shown in Fig. 41, the AP storage area editing screen 12000 displays the APE type and instance number of the APE stored in the AP storage area to be edited. .
- an icon 1200 indicating addition, an icon 122 indicating deletion, and an icon 1203 indicating editing are displayed.
- the process of adding an instance to the AP storage area is performed.
- FIG. 42 is a diagram for explaining a screen 1303 for adding a package of Application Element Data AP.
- the screen 1300 has a column 1303 for specifying whether to create an element or add a version, a column 1302 for selecting an APE type, and a column for specifying an instance number. There are 1 3 0 3
- the user enters information about the package to be added in fields 131, 1302 and 1303.
- the AP editing tool 51 automatically adds the element package.
- Figure 43 shows a screen for creating an application element. It is a figure for demonstrating 1400.
- an APE creation screen 1404 shown in FIG. 43 is displayed.
- the type of the application element data to be created and the number of its instance are displayed.
- the APE creation screen 1400 has a column 1401 for specifying the tag, a column 1402 for specifying the number of used purges, a column 1404 for specifying whether or not to acquire elements, A field 1444 for specifying whether or not automatic generation is possible and a field 1445 for specifying element deletion are displayed.
- a field 1406 for designating attribute information names and values of various mutual authentication key data and the like associated with the application element to be created APE is displayed.
- FIG. 44 is a diagram for describing a screen 1500 for adding a version of the application element data AP.
- the type of the application element to be created and the number of the instance of the AP E are displayed.
- the AP E version addition screen 1500 includes a field 1501 for specifying the element version, a field 1502 for specifying the key data input method, and an item name for the element data. And a field 1503 for specifying the value is displayed.
- the report on AP E appears in column 1240.
- a plurality of mutual authentication keys associated with the processes related to the SAM units 9a and 9b The degenerate process is performed using the data to generate a degenerate key.
- the degenerated key data and the key designation data for specifying the mutual authentication key data used for its generation are written in the owner key 72 and the user key 73.
- the SAM The unit 9a generates a degenerate key data based on the key designation data received from the management device 20, and if the generated key data matches the one held by the management device 20, the unit 9a The validity of the management device 20 as the authentication means can be confirmed.
- the SAM units 9a and 9b which are the authentication means, are connected to all the authenticated means (for example, the management device 20 using the owner card 72 and the user card 73) as in the past. There is no need to store the corresponding mutual authentication key data, and there is no need to manage the processing permitted for the means to be authenticated in the management table, so that the processing load is reduced.
- the present invention is not limited to the embodiments described above.
- the biometric information of the user of the card is stored in the IC of any one of the owner card 72, the user card 73, the transport card 74, and the AP encryption card 75.
- the SAM units 9a and 9b may store the biometric information stored in the card together with the mutual authentication described above to authenticate the user's validity.
- the SAM units 9a and 9b perform mutual authentication with the management device 20 has been illustrated.
- the SAM units 9a and 9b use the ASP server devices 19a and 1b.
- Authentication may be performed with a means to be authenticated such as 9b or another SAM unit.
- the means to be authenticated holds the above-described degenerated key data and key designation data.
- the present invention is applicable to a data processing method for performing a predetermined process based on an authentication result, a program therefor, and a device therefor.
Abstract
Description
Claims
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2003264450A AU2003264450A1 (en) | 2002-09-19 | 2003-09-17 | Data processing method, its program and its device |
US10/527,072 US20060039557A1 (en) | 2002-09-19 | 2003-09-17 | Data processing method, its program,and its device |
EP03797618A EP1542391A1 (en) | 2002-09-19 | 2003-09-17 | Data processing method, its program and its device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2002-273903 | 2002-09-19 | ||
JP2002273903A JP2004112510A (ja) | 2002-09-19 | 2002-09-19 | データ処理方法、そのプログラムおよびその装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004028079A1 true WO2004028079A1 (ja) | 2004-04-01 |
Family
ID=32024972
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2003/011802 WO2004028079A1 (ja) | 2002-09-19 | 2003-09-17 | データ処理方法、そのプログラムおよびその装置 |
Country Status (6)
Country | Link |
---|---|
US (1) | US20060039557A1 (ja) |
EP (1) | EP1542391A1 (ja) |
JP (1) | JP2004112510A (ja) |
CN (1) | CN1695344A (ja) |
AU (1) | AU2003264450A1 (ja) |
WO (1) | WO2004028079A1 (ja) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7630499B2 (en) * | 2004-08-18 | 2009-12-08 | Scientific-Atlanta, Inc. | Retrieval and transfer of encrypted hard drive content from DVR set-top boxes |
JP4516394B2 (ja) * | 2004-09-30 | 2010-08-04 | フェリカネットワークス株式会社 | 情報管理装置および方法、並びにプログラム |
CN100388298C (zh) * | 2005-01-21 | 2008-05-14 | 高晶 | 共享sam_v实现二代身份证联网阅读的系统及方法 |
JP4670585B2 (ja) * | 2005-10-26 | 2011-04-13 | ソニー株式会社 | 設定装置および方法、並びにプログラム |
JP2007336441A (ja) * | 2006-06-19 | 2007-12-27 | National Institute Of Advanced Industrial & Technology | 暗号化によるコンピュータデータ保護システム |
JP5080837B2 (ja) * | 2007-03-27 | 2012-11-21 | パナソニック株式会社 | ネットワークシステム |
JP4526574B2 (ja) * | 2008-03-31 | 2010-08-18 | 富士通株式会社 | 暗号データ管理システム、および暗号データ管理方法 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH06261034A (ja) * | 1993-03-09 | 1994-09-16 | N T T Data Tsushin Kk | 文書通信システム |
JPH11102471A (ja) * | 1997-09-26 | 1999-04-13 | Ntt Data Corp | プリペイドカードシステム、認証システム、読書装置、管理装置及び装置認証方法 |
JPH11163853A (ja) * | 1997-11-27 | 1999-06-18 | Kdd | 認証システム |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH04143881A (ja) * | 1990-10-05 | 1992-05-18 | Toshiba Corp | 相互認証方式 |
US5272754A (en) * | 1991-03-28 | 1993-12-21 | Secure Computing Corporation | Secure computer interface |
JP2883243B2 (ja) * | 1992-06-11 | 1999-04-19 | ケイディディ株式会社 | 相手認証/暗号鍵配送方式 |
JP3272213B2 (ja) * | 1995-10-02 | 2002-04-08 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Icカード及び情報処理装置の認証方法 |
JPH10222618A (ja) * | 1997-01-31 | 1998-08-21 | Toshiba Corp | Icカード及びicカード処理システム |
JP4268690B2 (ja) * | 1997-03-26 | 2009-05-27 | ソニー株式会社 | 認証システムおよび方法、並びに認証方法 |
JP2000181803A (ja) * | 1998-12-18 | 2000-06-30 | Fujitsu Ltd | 鍵管理機能付電子データ保管装置および電子データ保管方法 |
US7362868B2 (en) * | 2000-10-20 | 2008-04-22 | Eruces, Inc. | Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data |
US7711122B2 (en) * | 2001-03-09 | 2010-05-04 | Arcot Systems, Inc. | Method and apparatus for cryptographic key storage wherein key servers are authenticated by possession and secure distribution of stored keys |
-
2002
- 2002-09-19 JP JP2002273903A patent/JP2004112510A/ja not_active Abandoned
-
2003
- 2003-09-17 CN CNA038251868A patent/CN1695344A/zh active Pending
- 2003-09-17 AU AU2003264450A patent/AU2003264450A1/en not_active Abandoned
- 2003-09-17 EP EP03797618A patent/EP1542391A1/en not_active Withdrawn
- 2003-09-17 WO PCT/JP2003/011802 patent/WO2004028079A1/ja active Application Filing
- 2003-09-17 US US10/527,072 patent/US20060039557A1/en not_active Abandoned
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH06261034A (ja) * | 1993-03-09 | 1994-09-16 | N T T Data Tsushin Kk | 文書通信システム |
JPH11102471A (ja) * | 1997-09-26 | 1999-04-13 | Ntt Data Corp | プリペイドカードシステム、認証システム、読書装置、管理装置及び装置認証方法 |
JPH11163853A (ja) * | 1997-11-27 | 1999-06-18 | Kdd | 認証システム |
Also Published As
Publication number | Publication date |
---|---|
EP1542391A1 (en) | 2005-06-15 |
JP2004112510A (ja) | 2004-04-08 |
US20060039557A1 (en) | 2006-02-23 |
AU2003264450A1 (en) | 2004-04-08 |
CN1695344A (zh) | 2005-11-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8447889B2 (en) | Portable mass storage device with virtual machine activation | |
JP4118092B2 (ja) | 記憶装置および情報処理装置 | |
EP1388989B1 (en) | Digital contents issuing system and digital contents issuing method | |
JP4326443B2 (ja) | 情報処理装置および情報処理方法、並びにプログラム | |
US20100122094A1 (en) | Software ic card system, management server, terminal, service providing server, service providing method, and program | |
US20080126705A1 (en) | Methods Used In A Portable Mass Storage Device With Virtual Machine Activation | |
JP2008090864A (ja) | セキュアリモートアクセスシステム | |
US7500605B2 (en) | Tamper resistant device and file generation method | |
JP4055393B2 (ja) | データ処理装置およびその方法とプログラム | |
JPWO2005117336A1 (ja) | 親子カード認証システム | |
WO2003104997A1 (ja) | Icカード、端末装置及びデータ通信方法 | |
KR101038133B1 (ko) | 데이터 처리 방법, 그 프로그램을 기록한 기록 매체 및 그 장치 | |
JP4536330B2 (ja) | データ処理装置、および、その方法 | |
JP3826764B2 (ja) | データ処理方法、データ処理装置およびプログラム | |
EP2049991A2 (en) | Portable mass storage with virtual machine activation | |
WO2007119594A1 (ja) | セキュアデバイス及び読み書き装置 | |
WO2004028079A1 (ja) | データ処理方法、そのプログラムおよびその装置 | |
WO2004028080A1 (ja) | データ処理方法、そのプログラムおよびその装置 | |
WO2004088557A1 (ja) | 情報処理システム、情報処理装置および方法、並びにプログラム | |
Lambrinoudakis | Smart card technology for deploying a secure information management framework | |
JP4207409B2 (ja) | データ処理装置およびその方法 | |
JP4453678B2 (ja) | データ処理方法およびデータ処理システム | |
JP2001109625A (ja) | ソフトウェア課金システム | |
Ferreira | The practical application of state of the art security in real environments | |
JP2008102943A (ja) | データ処理装置およびその方法とプログラム |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
ENP | Entry into the national phase |
Ref document number: 2006039557 Country of ref document: US Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 10527072 Country of ref document: US |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2003797618 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 20038251868 Country of ref document: CN |
|
WWP | Wipo information: published in national office |
Ref document number: 2003797618 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 10527072 Country of ref document: US |