JPS6329785A - Encrypting apparatus - Google Patents

Abstract

(57) [Abstract] This bulletin contains application data before electronic filing, so abstract data is not recorded.

Description

DETAILED DESCRIPTION OF THE INVENTION [Object of the Invention] (Industrial Application Field) The present invention relates to a cryptographic device for realizing transactions safely and reliably in an online transaction system or the like.

(Prior Art) In recent years, with advances in electronic technology, advanced communication network systems such as home banking, home shopping, and farm banking systems have been developed. The most important point when implementing a communication network system related to such monetary transactions is that the secrecy and security of transactions on the network can be sufficiently ensured. In other words, in transactions or document communications between trading parties mediated by a network, it is necessary to increase the evidentiary value of transaction documents and correspondence.

By the way, typical fraud in transactions and document communications using communication networks is as follows.

(1) False declaration: The sender (5ender) declares to the receiver that he or she did not send the message, even though the sender (5ender) truly sent the message. Also, even though the sender did not send it,
Declare that you sent it to the recipient.

(2) Forgery of transaction documents; the recipient tampering with the correspondence recorded on the recipient's side without permission, or creating the correspondence without permission.

These frauds lead to fraud such as embezzlement of money.

Therefore, in order to prevent such fraud on the network, each terminal in the communication network is equipped with DES (Data
It has been considered to prevent forgery of correspondence as much as possible by incorporating an encryption program such as encryption (5 standard) system.

That is, each terminal is provided with an encryption/decryption function, and on the sending side, the sender uses his/her own keyword to encrypt the message to be communicated according to an encryption program. This encrypted message is then sent to the recipient's terminal via a communication line. Then, on the receiver's side, a decryption circuit decrypts the received encrypted message using a keyword unique to the sender stored in the key memory, and also records it.

Therefore, if the receiving side manages the keywords stored in the key memory so that they are not leaked to the outside, and it is assumed that the receiving party does not commit fraud such as forging correspondence, then the recorded encrypted message Only the sender who knows the keyword can create the keyword. Therefore, in this case, the evidence of the encrypted message recorded on the recipient side is high, making it possible to digitally sign the communication document.

However, if the communicating party switches the operating mode of the receiving terminal from decryption mode to encryption mode, it is possible to illegally create an encrypted message using the sender's keyword.

As described above, in a communication network system based on an encryption/decryption method, fraud cannot be completely prevented on both the sending side and the receiving side. For this reason, it is difficult to ensure the safety of transactions.

(Problems to be Solved by the Invention) The present invention has been made in consideration of the above circumstances, and its purpose is to enable reliable digital signatures for communication information, such as commercial transactions and document communications. The purpose of the present invention is to provide a communication system that can sufficiently ensure safety.

[Structure of the Invention] (Means for Solving the Problems) This invention stores identification information unique to the device in a cryptographic device, and makes it possible to reseparate this identification information from external mechanical messages. The combined results are encrypted and sent to the outside.

However, the key that defines the encryption, the storage means for storing the above-mentioned identification information, the encryption means, and the synthesis means are sealed inside the device.

(Operation) When a communication message is encrypted, it is always encrypted after information identifying the encryption device is added. Therefore,
On the receiving side, after decoding, by checking the identification information,
It becomes possible to identify the device (sender) that encrypted the message. Furthermore, by recording the encrypted text without decoding it, it can be used as evidence of the content of the message and its source.

(Example) Hereinafter, an example system according to the present invention will be described with reference to the drawings.

In this embodiment, an IC card is used as the encryption device.

FIG. 2 is a schematic diagram of a communication network that is applied to home banking, home shopping, farm banking systems, etc., and performs encrypted communication using an IC card equipped with encryption/decryption functions.

This communication network constitutes an (n:1) system. For example, a plurality of customer side terminals 11a, 11b, ~11n installed in homes, businesses, etc. are connected to the communication line 13.
a, 13b, to 13n, respectively, to a center-side terminal 12 installed at a single center such as a bank or department store.

In this embodiment, customer terminals 11a, llb, ~11n
A transaction message M is transmitted from the center terminal 12 to the center side terminal 12.

The customer side terminals 11a, llb, to lln each have a portable IC card 14a which is an encryption device.

14b, to L4n are attached in an insertable form.

Furthermore, a portable IC card 15 serving as a decoding device is attached to the center terminal 12 in an insertable form.

FIG. 3 shows the configuration of such a customer terminal. The terminals 11a, llb, to lln are basically configured with information processing devices such as personal computers. On the other hand, the center side terminal has a similar configuration, but the center side has each user's information in a database 39 (see FIG. 4).

The central processing unit (CPU) 21.31 has memory 22.32.32 storing control programs, just like a normal personal computer. Keyboards 23, 33 configuring input devices. and CR7 display devices 24, 33 . and printer 25.35. and floppy disk devices 28, 36, etc. are connected.

Card reader into which IC card 14 (15) is loaded/
Writers 27 and 37 are coupled to CPUs 2L and 3L,
The information from the CPUs 21 and 31 is transferred to the IC card 14 (
15), and also supplies information on the IC card 14 (15) to the CPU 21.31. Furthermore, C.P.
U 21,31j is coupled to the communication line via a modem 28.38.

The IC card 14 (15) is constructed by sealing a semiconductor large-scale integrated circuit inside, and is configured so that information other than specific information (encrypted information) cannot be extracted to the outside.

The IC card used in the system of the present invention has the same basic configuration as a well-known conventional IC card, for example, as shown in FIG. chipmlcropr
program memory 4 containing a built-in encryption (decryption) program and operation program.
2 (preferably a mask ROM) and a data memory 43 (
(preferably a permanent memory TA type FROM or EP ROM), an I10 interface 44, and a contact section 45.

Card reader/writer 2, 37 has IC card 1 there.
4 (15), the operating power supply voltage, operating clock pulses, various function command codes, and data are supplied from the outside via the contact portion 45. Furthermore, M.P.
U41 includes RAM 41a inside thereof.

The program memory 42 stores various programs for executing the basic functions of the IC card. The basic functions of this IC card are: (1) a function to read data from the data memory 43 or write data to the data memory 43;
■An encryption/decryption function that encrypts messages to prevent leakage or forgery when sending messages to other terminals via communication lines, and decrypts received encrypted messages, and■ It consists of a function that confirms the validity of IC card communication partners such as users, terminals, and hosts.

The MPU 41 interprets the function command code inputted from the CPU 21.3L via the card reader/writer 27, 37, or the function command code to which data is added, and selects a necessary function from among the above basic functions. and execute it.

The card reader/writers 27 and 37 are
5), CP 02, and 31 exchange function command codes and data, break down macro instructions from the CPUs 21 and 31 into commands for the IC card, and supply these commands to the IC card. ing.

The above is an overview of the system configuration. Next, communication between IC cards in this system will be explained.

FIG. 1 schematically represents the functions of an IC card.

The actual hardware configuration is as described above, and the following functions are realized.

As mentioned above, this embodiment employs an IC card as the encryption device. The IC card has an encryption circuit 2a
, 2b, and decoding circuits 5a and 5b.

By definition, the encryption circuits 2a and 2b have a function of converting plaintext into a message on the line, and the decryption circuits 5a and 5b have a function of converting a message on the line into plaintext.

Data is input to the encryption circuit 2a from a higher-level processing device or a reader/writer 27 via a synthesizing means 4a. The synthesizing means 4a synthesizes the identification word with the plain text from the reader/writer 27 and supplies it to the encryption circuit 2a. As for the synthesis here, for example, an identification word is serially synthesized with a bit string that is plain text.

The identification word is stored in an identification word register 3a which, together with other components, is sealed within the IC card.

A key register 1a is provided together with the identification word register 3a, and a "key" is stored in this register 3a. This "key" defines the encryption and decryption algorithms in the encryption circuit 2a and decryption circuit 5a. The technique used for encryption and decryption may be, for example, the DES method.

The data encrypted by the "key" is sent outside the IC card and used for communication.
Received by C card.

The data is then decoded at the decoding port 5b. This data is supplied to a higher-level processing device and a reader/writer, where identification words are separated and predetermined processing is performed.

By doing so, the following effects can be obtained.

- By setting the identification word to be unique to the IC card, it is possible to specify which device has encrypted the received data.

■ By recording the encrypted text without decoding it, it can be used as evidence of the message's content and its source.

This is because if at least one of the encryption algorithm or the encryption key is undisclosed, and the encryption device is hardware-secure, it is possible to create a ciphertext that includes identification information indicating a specific device. This is because it is only for that specific device.

Even if the receiver tries to forge records, the receiver's device can only create a different identification word (the identification word is unique for each device and IC card, and the identification word is unique to the encryption circuit 2. Note that the message is forcibly synthesized when inputting the message), and is difficult to forge. Next, the transaction procedure will be explained according to FIG.

To conduct a transaction, the transaction message sent from the customer terminal to the center is encrypted within the IC card, and the encrypted message C is sent to the communication line. This makes it difficult for a third party to forge a transaction message.

FIG. 6 shows an example of a key generation method. Encrypt transaction messages! 1165 is generated from the personal keyword 162; secret keyword S61 and random number data R63.

The personal keyword is a number code set for each user, such as an account number. The secret keyword is a number common to this communication network.

The random number data is data that is generated on the center side and indicates a transaction number. The personal keyword 1 and random number data here are exchanged between the center and the user's IC card prior to encrypted communication.

The MPU 41 generates a keyword K for encryption by executing an exclusive OR operation 64 such as (1+A+R) according to these keywords I, S, and R. And M.P.
U41 uses this encryption keyword K, for example, DES
Encrypt according to an encryption algorithm such as . If the secret keyword S is a random number that is unknown even to the center, the keyword can be a completely secret keyword that is unknown not only to third parties but also to users and sensors.

The transaction message M input from the terminal to the IC card first contains I.
The identification number N unique to the C card is synthesized by a synthesizer 7°.

An example thereof is shown in FIG.

For example, when N71 is n bits, M72 is m bits, and the message after N is added is M', M' may be determined as follows.

M' -2n-M+N M' is m + where M is the upper bit and N is the lower bit.
This is n-bit data. The above example is the simplest method. Any other method can be applied as long as M and N can be separated and extracted on the receiving side.

The message M' to which N is added is encrypted according to the keyword and encryption algorithm.

Since the ciphertext depends on N and M, let this be E(N.

I will write it as M). E (N, M) is sent to the terminal via the reader/writer, and further sent from the terminal to the center. The center terminal that receives the encrypted message E (N, M) sends it to the IC card loaded in the terminal, decrypts it with the decoder inside the card, and receives the result M' from the IC card. I'll take it. Further, the message M and the identification number N are separated from M', and N is checked first to confirm the other party's device. For this purpose, the center needs to store the identification number N of each IC card in a database together with the user name, account number, etc. After confirming the identification number N, the next step is to check the transaction message M and execute its contents. Then, as a record of the transaction, information related to the transaction such as the transaction date and transaction number, as well as the message E (N, M) before decryption and information necessary for key generation 1. Output R to the printer. At the same time, it is also possible to leave records on an electronic storage device such as a floppy disk.

In this way, by adding E (N, M): I, R to the record, the evidentiality of the record is greatly improved.

Before entering into the explanation, it is necessary to clarify the premise of this embodiment. First, it is assumed that the user and center IC cards are hardware-perfect and the internal data cannot be retrieved except by legitimate means. It is assumed that the card identifier N is different for each card. Further, although the cryptographic algorithm may be well known, the key for each transaction is completely secret and unknown to third parties, users, and even the center. As mentioned above, this can be done by setting the secret parameter S for key generation to a random number that is unknown even to the center. As a means for generating a random number in the IC card that is unknown even to the center, it may be possible to add a secret key SM created by the card manufacturer and stored in the card to the key SC created by the center.

5-5M +SC (+: exclusive OR) Under such a premise, only a specific card with the identifier N can create E (N, M). This is because other user cards do not have N and key K, so E (N, M)
cannot be forged.

Furthermore, even if we consider the case where the center attempts forgery, as long as an IC card is used, it would be difficult to reproduce E(N,M) as with other users.

On the other hand, even if the center tries to encrypt it externally with a card using N obtained from the database, it does not know the value of mK, so
(N,M) cannot be forged. From the above, adding E (N, M) greatly increases the evidentiary value of transaction records. If a trouble related to a transaction occurs later, this record can be used to resolve the trouble.

In the explanation so far, it is also possible to prove the fact that the message was sent from the center by recording the encrypted message from the center on the user side terminal in the same way as when sending a message from the user to the center. This is because when a message is encrypted inside the center-side IC card, an identification number N' unique to the center-side IC card is added to the message.

Next, as a second embodiment of the present invention, a case will be described in which the encryption and decryption algorithms are kept secret from the center and the users. In the second embodiment, the system configuration, transaction message exchange procedure, and key delivery procedure are the same as in the first embodiment.
This is the same as in the embodiment. However, in the second embodiment, the value of the key may be known by the user and the center who are parties to the communication. However, it is assumed that neither the center nor the user knows the encryption/decryption algorithm.

This is the case, for example, when a card manufacturer implements an algorithm in secret.

Even when the user sends the encrypted message E (N, M) to the center under these conditions, E (N, M
) can only be generated inside an IC card with N as the identification number. Therefore, the center is E (N.

By recording M), it can be used as evidence that the message M was sent by the user.

Conversely, as in the case of the first embodiment, the user can record the encrypted message from the center as evidence of the fact that the message was communicated from the center to the user.

As can be seen from the first and second embodiments, in order for the ciphertext generated by the encryptor according to the present invention to effectively act as evidence indicating the fact that a message has been sent, it is necessary to At least one of the algorithms must be completely secret, unknown to the user and the center. Otherwise, it would be relatively easy, at least for the center, to create a fake message E (N, M) using the key, identifier N, and algorithm outside the IC card. If the center is not sufficiently reliable, the ability of E (N, M) as evidence will be reduced.

In the embodiments described above, the function of re-separating the decrypted message into message M and card identification number N was realized outside the card, but this re-separation function was realized within the card. However, even with a configuration in which separate N and M are output to the outside of the card, the purpose of the present invention, which is transaction verification, can be achieved.

In addition, one of the forms of the cryptographic device that best realizes the features of the present invention is a card-shaped and portable one, specifically an IC card, but it incorporates the same functions as the embodiments of the present invention. There are no restrictions as long as it is any possible cryptographic device.

In addition, the combining means does not only simply serially combine two messages as in the example, but also what kind of processing can be done if it is known that the same processing will be performed at the sender and sender. In principle, it doesn't matter. In other words, it can also be said to be a process that can be reseparated.

Note that the transmission source here refers to the level at which the received message is used as evidence, and does not necessarily need to be known by all receiving terminals and overerators.

Further, in the above embodiment, an identification word unique to the device (IC card) is synthesized with the plain text, but it is technically valuable to add a word that specifies the transaction to the message. For example, plaintext is encrypted using a "key" and the result is combined with the plaintext. It is preferable to encrypt the message obtained in this way using an encryption device and send it to the outside.

However, considering the processing capacity of the encryption device (IC card), I
It is also preferable that the composition means is encrypted by an encryption means provided outside the C card.

The encryption means here usually refers to one that is provided when transmitting a message (signal) to an outside line.

Furthermore, the encryption of the plain text is performed using the IC as in the above embodiment.
This is realized by the MPU inside the card.

[Effects of the Invention] According to the present invention, when an encrypted message is decrypted, the encryption device that created the message is determined, and by using this as a transaction proof, troubles regarding transactions between the user and the center can be solved. It becomes possible to do so.

[Brief explanation of the drawing]

FIG. 1 is a block diagram when encryption devices according to an embodiment of the present invention are used face to face, FIG. 2 is a diagram showing a system configuration when the present invention is applied to an IC card, and FIG. 3 teeth,
A diagram showing the configuration of a user terminal in the system shown in FIG. 2,
Fig. 4 is a diagram showing the configuration of the center terminal in the same system, Fig. 5 is a diagram showing the configuration of the IC card, Fig. 6 is a diagram for explaining the key generation method, and Fig. 7 is a diagram showing the configuration of the IC card. Synthesis means (;■
FIG. 8 is a diagram showing the concept of the procedure of the system of FIG. 2. DESCRIPTION OF SYMBOLS 1... Key register, 2... Encryption circuit, 3... Identification word register, 4... Synthesis means, 5... Decryption circuit, 6... Encryption device

Claims (3)

[Claims] (1) In a cryptographic device comprising a first storage means for storing a key that defines cryptographic conversion, and an encryption means for performing cryptographic conversion according to the key stored in the first storage means, a second storage means for storing the identification information of the second storage means; and a synthesis means for combining the identification information stored in the second storage means and the input message from the outside in a form that can be reseparated; The first and second storage means, the encryption means, and the synthesis means are sealed inside, the message from the synthesis means is encrypted by the encryption means, and the obtained message is output to the outside. A cryptographic device characterized by: (2) The encryption system according to claim 1, further comprising a decryption means for performing inverse conversion by the encryption means according to the key stored in the first storage means. Device. (3) An encryption device according to claim 1, characterized in that the first and second storage means, encryption means, and synthesis means are sealed inside a portable card.