JP2007067890A - Data loading method, program, and terminal device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a data load method, a program, and a terminal capable of loading data by securing leakage protection and safety of the data content. <P>SOLUTION: The terminal 4 acquires a public key PK1 from a terminal manager 1 (a step S102). Moreover, from the terminal manager 1, a public key PK2 to which a signature SG1 by a secret key SK1 is added is acquired (a step S104), and is verified with the public key PK1 (a step S402). Also, from a service provider 2, a program PG to which a signature SG2 by a secret key SK2 is added is acquired (a step S205), the signature SG2 is verified by using the public key PK2 (a step S404), and the program PG is acquired (a step S405). <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a data loading method, a program, and a terminal device for loading data such as a program to a terminal device or the like.

  When loading a program into a terminal device such as a payment terminal, it is necessary to prevent unauthorized writing of the program. For example, Patent Document 1 discloses a payment terminal that extracts signature data from an update program and downloads the update program when the signature data is valid, thereby preventing writing of the unauthorized program and preventing unauthorized acts on the device. Is described.

  As a method for controlling access to a restricted resource, for example, Patent Document 2 describes a method for controlling access to a resource by a program using a digital signature. In this way, when delegating access to a resource to a secondary owner that is a different party than the primary owner of the code, the code will have the primary owner in an encryption key that checks the secondary owner's signature. And the secondary owner's signature associated with the delegation certificate, the resource access control device can permit the secondary owner to access the resource.

JP 2003-140761 A JP 2003-524252 A

  By the way, in a terminal device such as a payment terminal, for example, when corresponding to an application by a service provider such as a plurality of different companies, a data provider that provides data such as a program for the application, and the data to the terminal device It is assumed that the terminal administrator to load is different.

  However, in the payment terminal described in Patent Document 1, it is necessary to hand over the data such as a program to a trader who actually loads data, so that the content of the data is viewed by anyone other than the creator or provider of the data. There were circumstances such as being in a possible state, and there was a circumstance that the creator could not guarantee the integrity of the data provided. In particular, when the data to be loaded is a program or an encryption key that is secret information, there is a situation in which safety cannot be secured unless the data is loaded separately.

  Further, in the access control method described in Patent Document 2, access to a resource for a code associated with a signature is permitted, and the data provider and the terminal manager are different for the terminal device or the like. No consideration is given to the loading of data into other terminal devices.

  The present invention has been made in view of the above circumstances, and provides a data loading method, a program, and a terminal device capable of loading data while ensuring the prevention and completeness of data content leakage. With the goal.

  According to the present invention, firstly, a step of obtaining a first public key and a second public key to which a first signature is attached with a first private key corresponding to the first public key are obtained. Verifying the first signature with the first public key, obtaining the second public key, and a second with a second secret key corresponding to the second public key A data loading method comprising the steps of: obtaining data with the signature of; and verifying the second signature using the second public key to obtain the data. .

  By this method, it becomes possible for a person other than the administrator of the terminal to load the data, and it is possible to prevent leakage and completeness of the contents of the data from the data provider.

  A second aspect of the present invention is the data loading method according to the first aspect, wherein the first public key and the second public key to which the first signature is attached are terminals for loading the data. The data provided by the administrator of the apparatus and attached with the second signature is provided by the data provider.

  By this method, the data provider prevents the leakage of the data contents by loading the data, and the integrity of the loaded data is guaranteed by verifying the signature attached to the data using the public key. be able to.

  Thirdly, the present invention provides a data load program for causing a computer to execute each step described in the first or second.

  This program enables a person other than the administrator of the terminal to load the data, and can prevent leakage and completeness of the contents of the data from the data provider.

  Fourthly, the present invention provides a terminal device including an arithmetic processor that executes the data load program described in the third.

  With this configuration, it is possible for a person other than the administrator of the terminal device to load the data, and it is possible to guarantee the leakage prevention and completeness of the contents of the data from the data provider.

  The fifth aspect of the present invention is the terminal device according to the fourth aspect, in which the data to be loaded is a settlement program.

  With this configuration, the payment processing means can be safely loaded into a vending machine or the like.

  According to the present invention, it is possible to provide a data loading method, a program, and a terminal device capable of loading data while guaranteeing prevention of data content leakage and completeness.

  FIG. 1 is an explanatory diagram showing an outline of a data loading method according to the embodiment of the present invention, and FIG. 2 is a sequence diagram showing a procedure of the data loading method according to the embodiment of the present invention.

  As shown in FIG. 1 and FIG. 2, in this embodiment, a service is provided by using a terminal manager 1 that manages the setting and updating of all data including programs for the terminal device 4 and the terminal device 4. There is a service provider 2.

  In the present embodiment, a case where the service provider 2 is used as an example of a data provider that provides data to the terminal device 4 will be described. Furthermore, the case where it is a program as an example of the data loaded to the terminal device 4 provided to the terminal device 4 is demonstrated.

  In the following description, a pair of encryption keys in the public key encryption method is referred to as a public key and a secret key corresponding to the public key. Data encrypted using a public key can be decrypted using a secret key corresponding to the public key. In addition, data to which an electronic signature (hereinafter referred to as a signature) is attached using a certain secret key can be verified using a public key corresponding to the secret key.

  Hereinafter, the data loading method of this embodiment will be described. The service provider 2 generates a program PG for providing a service at the terminal device 4 (step S201). Also, the public key PK2 and the private key SK2 corresponding to the public key PK2 are generated (step S202), and the generated public key PK2 is disclosed to the terminal administrator 1 (step S203).

  Further, the signature SG2 is attached to the program PG using the secret key SK2 (step S204). Thereafter, the program PG with the signature SG2 is transferred to the terminal device 4 (step S205).

  The terminal manager 1 generates a public key PK1 and a secret key SK1 corresponding to the public key PK1 (step S101), and transfers the public key PK1 to the terminal device 4 (step S102). Then, the signature SG1 is attached to the public key PK2 published in step S203 by the service provider using the secret key SK1 (step S103). Thereafter, the public key PK2 with the signature SG1 is transferred to the terminal device 4 (step S104).

  The terminal device 4 acquires and implements the public key PK1 transferred from the terminal manager 1 in step S102 (step S401). When the public key PK2 with the signature SG1 transferred from the terminal manager 1 in step S104 is acquired, the signature SG1 is verified using the public key PK1 implemented in step S402 (step S402). If the validity of the signature SG1 is confirmed as a result of the verification, the public key PK2 is mounted (step S403).

  When the program PG attached with the signature SG2 transferred in step S205 is acquired, the signature SG2 is verified with the public key PK2 implemented in step S403 (step S404). If the validity of the signature SG2 is confirmed as a result of this verification, the program PG is acquired (step S405) and loaded using a loading program (step S406). In this way, loading of the program PG to the terminal device 4 is completed.

  According to such a data loading method of this embodiment, even if a person different from the terminal manager 1 such as the service provider 2 performs the loading operation of the program PG, the signature SG2 attached to the program PG is verified. Since the public key PK2 to be acquired is acquired from the state in which the signature SG1 of the terminal manager 1 is attached, it is possible to prevent unauthorized loading into the terminal device 4 and to ensure the integrity of the program PG to be loaded. 2 can be guaranteed by itself. As a result, since the service provider 2 can load data to the terminal device 4 without passing the program PG to the outside, the contents of the program PG can be prevented from leaking to the outside.

  FIG. 3 is a block diagram showing an example of the data load system according to the embodiment of the present invention. As shown in FIG. 3, in this example, there are a vending machine company 1a as an example of a terminal manager 1 that manages terminal devices, and payment providers 2a and 2b as examples of service providers. The vending machine company 1a has a management server 10, and the payment providers 2a and 2b have management servers 20a and 20b, respectively. A payment service is performed as an example of a service performed through the vending machine 40. The management servers 10, 20 a, 20 b and the vending machine 40 are connected to each other via a communication line 50. In the example of FIG. 3, the vending machine 40 is described as an example of the terminal device 4, but a POS (Point Of Sales) terminal, a payment terminal using electronic money, a payment terminal using a credit card, or the like. Various terminal devices can be applied. For example, when applied to a POS terminal in a supermarket, the vending machine company 1a shown in FIG. 3 has a center with a server for selling and managing the supermarket, the payment provider 2a is a credit company, and the vending machine 40 is in each register. This corresponds to the POS terminal installed. Similarly, in the case of a system for exchanging points for goods and money, such as point service of an airline company, the vending machine company 1a in FIG. 3 is a terminal of an airline point center, and the vending machine 40 is a terminal of an airline counter. Or the automatic ticketing apparatus, the payment provider 2a corresponds to a point processing center, and the payment provider 2b corresponds to a credit company.

  The management server 10 includes a data input / output unit 11, a key management unit 12, a data management unit 13, and a control unit 14. The data input / output unit 11 has a configuration capable of inputting and outputting data communication with respect to the communication line 50, the vending machine 40, an external storage medium, and the like.

  The key management unit 12 manages the public key PK1 and the secret key SK1 corresponding to the public key PK1. The public key PK1 and the secret key SK1 may be generated by the key management unit 12 or may be generated externally via the data input / output unit 11. Also good.

  The data management unit 13 includes the public key PK2A acquired from the management server 20a of the payment provider 2a and a signature SG1A attached to the public key PK2A using the secret key SK1 or the management server 20b of the payment provider 2b. The control unit 14 manages the public key PK2B obtained from the above with the signature SG1B attached using the secret key SK1.

  The control unit 14 controls the overall operation of the management server 10 and is mainly composed of a processor that operates according to a predetermined program. For example, data acquired from the payment providers 2a, 2b, etc. via the data input / output unit 11 is managed by the key management unit 12 or the data management unit 13, or a data signature is added using the secret key SK1. Or

  The management server 20a includes a data input / output unit 21a, a key management unit 22a, a data management unit 23a, and a control unit 24a. The data input / output unit 21a has a configuration capable of inputting / outputting data communication with respect to the communication line 50 or an external storage medium.

  The key management unit 22a manages the public key PK2A and the secret key SK2A corresponding to the public key PK2A. Note that the public key PK2A and the secret key SK2A may be generated by the key management unit 22a or acquired externally via the data input / output unit 21a. Also good.

  The data management unit 23a manages the program PGA with the signature SG2A using the secret key SK2A. The program PGA may be generated in the management server 20a, or may be generated externally through the data input / output unit 21a.

  The control unit 24a controls the overall operation of the management server 20a, and is configured mainly with a processor that operates according to a predetermined program. For example, the public key PK2A is disclosed to the management server 10 via the data input / output unit 11, or a data signature is added using the secret key SK2A.

  The management server 20b includes a data input / output unit 21b, a key management unit 22b, a data management unit 23b, and a control unit 24b. The data input / output unit 21b has a configuration capable of inputting / outputting data communication with respect to the communication line 50 or an external storage medium.

  The key management unit 22b manages the public key PK2B and the secret key SK2B corresponding to the public key PK2B. The public key PK2B and the secret key SK2B may be generated by the key management unit 22b, or may be generated externally through the data input / output unit 21b. Also good.

  The data management unit 23b manages the program PGB with the signature SG2B using the secret key SK2B. Note that the program PGB may be generated in the management server 20b, or may be generated externally through the data input / output unit 21b.

  The control unit 24b controls the overall operation of the management server 20b, and is configured mainly with a processor that operates according to a predetermined program. For example, the public key PK2B is disclosed to the management server 10 via the data input / output unit 21b, or a data signature is added using the secret key SK2B.

  The vending machine 40 includes a non-contact IC reader / writer (hereinafter referred to as a non-contact ICR / W) 41, a data input / output unit 42, a key management unit 43, and an application management unit (hereinafter referred to as an AP management unit) 44. And a control unit 45.

  The non-contact ICR / W 41 performs data communication by non-contact communication with a non-contact IC card in which electronic money or the like is stored. For example, data is read from a contactless IC card for performing electronic money settlement. Note that the interface is not limited to the non-contact ICR / W 41, and may be another interface as long as it is an example of an interface for payment processing such as a magnetic card.

  The data input / output unit 42 has a configuration capable of inputting / outputting data communication with respect to the communication line 50, the management server 10, the portable electronic device 70, an external storage medium, and the like.

  The key management unit 43 manages the public key PK1 acquired from the management server 10 and the public keys PK2A and PK2B acquired from the management servers 20a and 20b. The public keys PK2A and PK2B are obtained by being verified by the control unit 45 with the signatures SG1A and SG1B from the management server 10 attached thereto.

  The AP management unit 44 manages the load program LPG for loading the acquired program and the programs PG2A and PG2B acquired from the management servers 20a and 20b.

  The control unit 45 controls the entire operation of the vending machine 40, and is configured mainly with a processor that operates according to a predetermined program. For example, signature verification processing acquired from the management servers 10, 20 a, 20 b and the like via the data input / output unit 42 is performed and managed by the key management unit 43. Also, settlement processing using a non-contact IC card via the non-contact ICR / W 41 is performed by the programs PG2A, PG2B and the like managed by the AP management unit 44.

  Here, the data transfer of the public key PK1 and the public keys PK2A and PK2B with the signatures SG1A and SG1B to the vending machine 40 is performed by, for example, the data input / output unit 11 and the data input in the vending machine company 1a. This is performed by directly connecting the output unit 42. The data of the program PGA with the signature SG2A and the program PGB with the signature SG2B is transferred via the communication line 50 after the vending machine 40 is installed at a predetermined installation location, or the data to be transferred is stored. The portable electronic device 70 having the storage unit 71 is used.

  All data may be transferred via the communication line 50 or the portable electronic device 70 after the vending machine 40 is installed. The portable electronic device 70 only needs to have at least a storage function, and may be a storage medium such as a memory card.

  According to the embodiment of the present invention, the integrity of data provided by the data provider can be ensured even when a person different from the terminal manager loads or updates data. . As a result, the data provider can load the data to the terminal device without passing the data to the outside, so that the content of the data can be prevented from leaking to the outside and the confidentiality can be improved.

  In addition, since all secret information such as an encryption key can be written simultaneously with loading of data such as a program, it is possible to perform operations up to the start of operation with a simple procedure. Since the data provider can start the operation of the service by transferring data such as a program, for example, for actual service operation using the loaded program after the terminal administrator loads the program The work such as authentication by the data provider is unnecessary.

  The data loading method, program, and terminal device of the present invention have an effect that data can be loaded while preventing leakage and completeness of data contents, and are useful for a program loading method to a settlement terminal device, etc. It is.

Explanatory drawing which shows the outline of the data loading method which concerns on embodiment of this invention The sequence diagram which shows the procedure of the data load method which concerns on embodiment of this invention The block diagram which shows an example of the data load system which concerns on embodiment of this invention

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Terminal administrator 1a Vending machine company 2 Service provider 2a, 2b Payment provider 4 Terminal device 10, 20a, 20b Management server 11, 21a, 21b, 42 Data input / output unit 12, 22a, 22b, 43 Key management unit 13, 23a, 23b Data management unit 14, 24a, 24b, 45 Control unit 40 Vending machine 41 Non-contact IC reader / writer 44 Application management unit 50 Communication network 70 Portable electronic device 71 Storage unit

Claims (5)

Obtaining a first public key;
Obtaining a second public key attached with a first signature by a first private key corresponding to the first public key;
Verifying the first signature with the first public key and obtaining the second public key;
Obtaining data with a second signature by a second private key corresponding to the second public key;
Verifying the second signature using the second public key and obtaining the data. The data loading method according to claim 1,
The first public key and the second public key to which the first signature is attached are provided by an administrator of the terminal device that loads the data, and the data to which the second signature is attached is the data Data loading method provided by other providers.   A data loading program for causing a computer to execute each step according to claim 1.   A terminal device for executing the data load program according to claim 3.   5. The terminal device according to claim 4, wherein the data to be loaded is a program for performing settlement.

Images