JP2018037877A - IC card for one-time authentication - Google Patents

Abstract

An IC card can be used for authentication of one or more services. An authentication seed 141 of an FeRAM 14 of an IC card 1 stores a set of authentication seeds common to one or more services and a common encryption key. A set of authentication seed and common encryption key common to one or more services is copied from the authentication seed 141 to the operation stack 131 and used for one-time mutual authentication with the server device. The authentication seed 141 includes concealment / fixed information that is not transmitted from the IC card 1 to the server device. A one-time authenticator is created based on the concealment / fixed information. There is no fear of being done. [Selection] Figure 4

Description

  The present invention relates to a one-time authentication IC card that performs authentication between server devices using a one-time authenticator.

  Conventionally, when authenticating between a client and a server, a seed such as a random number is updated each time authentication is successful, and a one-time authenticator is generated from the seed at the next authentication and used for authentication. A time mutual authentication system is known (see, for example, Patent Document 1).

JP 2012-34292 A

(1) The client device in Patent Document 1 is a terminal device. Even in Patent Document 1, an IC card is used, but it is used as a portable storage device, not as a client device. Therefore, in the one-time mutual authentication system in Patent Document 1, a terminal device is required as a client device separately from the IC card.
(2) When the server-side seed used for generating the client-side authenticator and the server-side authenticator is common, the client-side authenticator and the server-side authenticator use the client-side current authentication random number and the client-side next time You may be asked for a random number for authentication. If the random number for the next authentication on the client side is obtained, a common encryption key can be derived, and there is a risk of impersonating the client or server in the next authentication.

(3) Conventionally, since only one set of authentication seeds was stored in the non-volatile memory of the IC card, authentication for only one service was basically possible.
(4) It is necessary to prevent information stored in the card from being stolen (skimmed) and forged from being used.

  The present invention has been made in view of the above problems, does not require a terminal device, is less likely to be impersonated as a client or a server at the next authentication, and has one card with one or more services. An object of the present invention is to provide an IC card that can be authenticated.

(1) An IC card according to the present invention is an IC card incorporating a nonvolatile memory and a RAM,
Storing a set of authentication seed and common encryption key common to one or more services in the non-volatile memory;
A set of authentication seeds and a common encryption key common to the one or more services are copied from the non-volatile memory to the operation stack on the RAM, and then copied to the operation stack on the RAM Based on a set of authentication seeds that are used for mutual authentication between the IC card and the server device and copied to the operation stack on the RAM, from the server device. The validity of the received one-time authenticator is determined.

  According to the configuration of (1), a terminal device is unnecessary, and one IC card can be used for authentication of one or more services. Moreover, since the authentication seed and the common encryption key are stored in the nonvolatile memory, they are not stolen by skimming.

  (2) The IC card according to the present invention is characterized in that the authentication seed includes concealment fixing information that is not transmitted from the IC card to the server device and is not updated after mutual authentication.

  According to the configuration of (2), since the one-time authenticator is generated based on the concealment fixed information that is not transmitted from the IC card to the server device, even if a common encryption key is requested, it is impersonated as a client or a server. There is no fear.

  (3) In the IC card according to the present invention, the common encryption key used when the transmission data is encrypted by the IC card is different from the common encryption key used when the server device encrypts the transmission data. It is a common encryption key.

  According to the configuration of (3), the transmission data is encrypted with different encryption keys in the IC card and the server device, so that security can be enhanced.

  (4) In the IC card according to the present invention, the IC card side authentication seed used for generating the IC card side authenticator is a seed different from the IC card side authentication seed used for generating the server device side one-time authenticator. It is characterized by being.

  According to the configuration of (4), there is no overlap between the IC card side authentication seed used for IC card side authenticator generation and the IC card side authentication seed used for server device side one-time authenticator generation. It is difficult for a third party to ask for an IC card authentication seed.

  (5) The IC card according to the present invention is generated by the server device, encrypted and transmitted, and the IC card side authentication seed is received by the IC card and decrypted and used to create a one-time authenticator. It is characterized by.

  According to the configuration of (5), it is possible to use a chip that does not have a random number generation function as the IC chip of the IC card. In addition, no matter how much a malicious third party examines the IC card, it is impossible to predict the generated random number, so safety is increased.

  (6) The IC card according to the present invention is characterized in that a client-side one-time authenticator for the current authentication is stored in the nonvolatile memory at the end of the previous authentication.

  According to the configuration of (6), the time required for the current authentication process can be shortened.

(7) An IC card according to the present invention is an IC card incorporating a nonvolatile memory and a RAM,
Storing in the non-volatile memory one or more sets of authentication seeds and a common encryption key corresponding to one or more service request identifications;
A set of authentication seeds and a common encryption key corresponding to a specific service request identification are copied from the non-volatile memory to the operation stack on the RAM, and then copied to the operation stack on the RAM. Based on a set of authentication seeds that are used for mutual authentication between the IC card and the server device and copied to the operation stack on the RAM, from the server device. The validity of the received one-time authenticator is determined.

  According to the configuration of (7), the terminal device is unnecessary, and one IC card can be used for authentication in one or more services.

  According to the present invention, one IC card can be used for authentication of one or more services, and it is possible to provide an IC card that can be impersonated as a client or a server. Moreover, since the authentication seed and the common encryption key are stored in the nonvolatile memory, they are not stolen by skimming.

It is a figure which shows the structure of the one-time authentication system which concerns on Embodiment 1 of this invention. It is a figure which shows the 1st method of providing one or more services by one card | curd. It is a figure which shows the 2nd method of providing one or more services by one card | curd. It is a figure which shows the structure of the IC card which concerns on Embodiment 1 of this invention. It is a figure which shows the structure of the authentication seed which concerns on Embodiment 1 of this invention. It is a figure which shows the structure of the arithmetic stack which concerns on Embodiment 1 of this invention. It is a figure which shows the structure of the logic circuit which concerns on Embodiment 1 of this invention. It is a figure which shows the structure of the output memory which concerns on Embodiment 1 of this invention. It is a figure which shows the structure of the input memory which concerns on Embodiment 1 of this invention. It is a figure which shows the structure of the server apparatus which concerns on Embodiment 1 of this invention. It is a figure which shows the process part implement | achieved in the server apparatus which concerns on Embodiment 1 of this invention. It is a sequence diagram explaining the process in the one-time authentication implement | achieved in Embodiment 1 of this invention. It is a sequence diagram explaining the process in the one-time authentication implement | achieved in Embodiment 1 of this invention. It is a sequence diagram explaining the process in the one-time authentication implement | achieved in Embodiment 1 of this invention. It is a figure which shows an example of the structure of the seed table in Embodiment 1 of this invention. It is a figure which shows an example of the authenticator table in Embodiment 1 of this invention. It is a flowchart explaining the data processing by the server apparatus in Embodiment 1 of this invention. It is a flowchart explaining the data processing by the server apparatus in Embodiment 1 of this invention. It is a figure which shows the structure of the output memory in Embodiment 2 of this invention. It is a figure which shows the structure of the input memory in Embodiment 2 of this invention. It is a sequence diagram explaining the process in the one-time authentication implement | achieved in Embodiment 2 of this invention. It is a sequence diagram explaining the process in the one-time authentication implement | achieved in Embodiment 2 of this invention. It is a sequence diagram explaining the process in the one-time authentication implement | achieved in Embodiment 2 of this invention. It is a flowchart explaining the data processing by the server apparatus in Embodiment 2 of this invention. It is a flowchart explaining the data processing by the server apparatus in Embodiment 2 of this invention.

Embodiment 1 FIG.
FIG. 1 is a diagram showing a configuration of a one-time authentication system according to an embodiment of the present invention.
In the system shown in FIG. 1, an IC card reader / writer 2 is connected to a network 3. A server device 4 is also connected to the network 3. The IC card reader / writer 2 may include a display. The IC card 1 is used in proximity to the reader / writer 2 or electrically connected to the reader / writer 2. The IC card 1 can perform data communication with the server device 4 using the reader / writer 2.

The IC card of the present invention can be used for authentication in one or more services.
As a method of providing one or more services with one IC card, the following two methods are conceivable.
The first method is a method in which a set of authentication seeds is stored in the IC card, and the user designates which service to use.

FIG. 2 shows an outline of the first method.
The IC card 1 in FIG. 2 is assumed to be a non-contact type. When the IC card 1 approaches the reader / writer 2 with a display, the reader / writer 2 that has detected the approach transmits a read request signal not including parameters to the IC card 1.

There is an authentication server 4 associated with the reader / writer 2, and one-time authentication is started and executed between the activated IC card 1 and the authentication server 4. The authentication server 4 stores services available to the owner of the IC card 1 and displays a list of services on the display of the reader / writer 2. The user looks at the display and selects a service to be used. The reader / writer 2 connects to the service server of the selected service.
In this way, a set of authentication seeds can be stored in the IC card, and one or more services can be used.

  The second method is a method in which one or more sets of authentication seeds are stored in the IC card 1 and a service to be used is determined according to which reader / writer is used.

FIG. 3 shows an outline of the second method.
The IC card 1 in FIG. 3 is also assumed to be a non-contact type. The reader / writer 2 in FIG. 3 exists for each service. Therefore, the reader / writer 2 stores which service the reader / writer is as a service request identification.

When the IC card 1 approaches the reader / writer 2 with a display, the reader / writer 2 that has detected the approach transmits to the IC card 1 a read request signal that includes a service request identification that identifies the service as a parameter. The reader / writer 2 also transmits service request identification data to the authentication server.
The IC card 1 reads out one set of authentication seeds specified by the received service request identification from one or more sets of authentication seeds stored in the IC card 1 and uses them for one-time authentication processing.

  Since the second method for storing one or more sets of authentication seeds is more complicated as the configuration and operation of the IC card, the following embodiments will use one or more sets of authentication seeds in the second method. A description will be given of the storage configuration.

(1) Configuration of Each Device FIG. 4 is a functional block diagram of the IC card 1.
The IC card 1 includes an IC chip 10 that is a semiconductor device.
The IC chip 10 is a control unit 11, a ROM 12, a RAM 13, a FeRAM (Ferroelectric Random Access Memory) 14 which is a kind of nonvolatile memory, an antenna 17 for transmitting and receiving signals from the outside, and a receiving unit. The receiving circuit 15 includes a transmitting circuit 16 as a transmitting unit, and an internal bus 18. The FeRAM 14 is a non-volatile memory using a ferroelectric, can be accessed at high speed, and has high reliability.

The control unit 11 is a part for performing various determinations such as processing for generating a random number, creating a one-time authenticator, updating a common encryption key, encrypting and decrypting data. The control unit 11 can be configured by a CPU executing a program, but can also be configured by an electronic circuit without a CPU. Here, an electronic circuit without a CPU is used.
The ROM 12 stores data that does not need to be changed, such as a card ID 121 unique to the IC card.
The FeRAM 14 stores a seed for creating a one-time authenticator and an authentication seed 141 for holding a common encryption key.
The RAM 13 stores an arithmetic stack 131 for temporarily storing data, an input memory 132 for storing input data to the IC card 1, and an output memory 133 for storing output data from the IC card 1. Is provided.

  FIG. 5 shows data held in the area of the authentication seed 141.

One or a plurality of authentication seeds are stored in the authentication seed 141. FIG. 5 shows an example of a pair of authentication seeds specified by an arbitrary service request identification i.
CRi (n−1) is a first seed on the client side that is generated on the client side and used as an argument when creating a one-time authenticator on the client side.
CQi (n-1) is a second seed on the client side that is generated on the client side and used as an argument when creating a one-time authenticator on the server side.
CKi (n-1) is a common encryption key for encrypting data on the client side.
CZi is concealment fixed information used as an argument when creating a one-time authenticator on the client side. CZi is not transmitted / received by communication between the IC card 1 and the server device 4.

SRi (n-1) is a first seed on the server side that is generated on the server side and used as an argument when creating a one-time authenticator on the server side.
SQi (n-1) is a second seed on the server side that is generated on the server side and used as an argument when creating a one-time authenticator on the client side.
SKi (n-1) is a common encryption key used when encrypting data on the server side.
SZi is concealment fixed information used as an argument when creating a one-time authenticator on the server side. SZi is not transmitted / received by communication between the IC card 1 and the server device 4.

FIG. 6 shows a plurality of data stacks provided in the area of the arithmetic stack 131.
CR1 (n-1) is the first seed on the client side for the current (n-1) one-time authentication.
CQ1 (n-1) is the second seed on the client side for the one-time authentication of this time (n-1).
CK1 (n-1) is a client when encrypting and transmitting to the server apparatus 4 the seed CR1 (n) and CQ1 (n) on the client side for the next authentication at the time of this time (n-1) one-time authentication. Side encryption key.
CZ1 is concealment fixed information used as an argument when creating a one-time authenticator on the client side.

SR1 (n-1) is the first seed on the server side for the current (n-1) one-time authentication.
SQ1 (n-1) is the second seed on the server side for the current (n-1) one-time authentication.
SK1 (n-1) is the server side when encrypting and transmitting the server side seed SR1 (n) and SQ1 (n) for the next authentication to the IC card 1 at the time of this time (n-1) one-time authentication. It is an encryption key.
SZ1 is concealment fixed information used as an argument when creating a one-time authenticator on the server side.

CR1 (n) is the first seed on the client side for the next (n) one-time authentication.
CQ1 (n) is the second seed on the client side for the next (n) one-time authentication.

exS is an area for storing a scheduled server ID, and is collated with a one-time authenticator transmitted from the server side.
The check code CHECK-S is an area in which data to be collated with the falsification check code CheckIN transmitted from the server is stored.

  FIG. 7 shows a logic circuit in the control unit 11.

RAND is a random number generation circuit that generates random numbers.
ENC is an encryption circuit.
DEC is a decoding circuit.
CMP is a comparison circuit.

  The hash circuit Hash1 is a hash circuit that calculates a one-time authenticator C1 (n-1) on the client side at this time.

  The hash circuit Hash2 is a hash circuit that calculates exS that is a reception scheduled server ID.

  The hash circuit Hash3 is a hash circuit that calculates the falsification check code CheckOUT.

  The hash circuit Hash4 is a hash circuit that calculates a check code CHECK-S that is checked against the falsification check code CheckIN transmitted from the server.

  The hash circuit Hash5 is a hash circuit that updates the common encryption key CK1 on the client side.

  The hash circuit Hash6 is a hash circuit that updates the server-side common encryption key SK1.

  FIG. 8 shows an area of the output memory 133 that stores data output from the IC card 1.

Area C1 (n-1) is an area for storing the current client-side one-time authenticator C1 (n-1).
The area CK1 (n-1) * CR1 (n) is an area for storing the current client-side common encryption key CK1 (n-1) obtained by encrypting the next authentication client-side first seed CR1 (n). It is.
Area CK1 (n-1) * CQ1 (n) is an area for storing the current client-side common encryption key CK1 (n-1), which is an encrypted version of the next authentication client-side second seed CQ1 (n). It is.
The area CheckOUT is an area for storing the falsification check code CheckOUT.

  FIG. 9 shows an area of the input memory 132 that stores data to be input to the IC card 1.

The area Si (n−1) is an area for storing the current one-time authenticator Si (n−1) on the server side.
Area SKi (n-1) * SRi (n) is an area for storing the current server-side common encryption key SKi (n-1), which is obtained by encrypting the next authentication server-side first seed SRi (n). It is.
Area SKi (n-1) * SQi (n) is an area for storing the current server-side common encryption key SKi (n-1), which is obtained by encrypting the next authentication server-side second seed SQi (n). It is.
The area CheckIN is an area for storing the falsification check code CheckIN.

FIG. 10 is a diagram showing a configuration of the server device 4 in FIG.
In FIG. 10, a CPU 51 is an arithmetic processing unit that executes a program and executes a process described in the program. The ROM 52 is a nonvolatile memory that stores programs and data in advance. The RAM 53 is a memory that temporarily stores the program and data when the program is executed.

  The interface 54 is an interface circuit to which the storage device 55 can be connected. The storage device 55 is connected to the interface 54 and has a storage medium that stores an operating system (not shown), a one-time authentication program 61, data used for authentication, and the like. As the storage device 55, a hard disk drive, SSD, or the like is used. The storage device 55 holds a seed table group 71, an authenticator table group 72, and an IC card attribute table 73 as data used for authentication.

  The seed table group 71 stores one or more seed tables for each service request identification. A seed table corresponding to an arbitrary service request identification i is represented by a seed table 71i. The seed table 71i has a seed for next authentication and a common encryption key for next authentication updated at the time of the last mutual authentication. The next authentication seed and the next authentication common encryption key are held separately for each of one or a plurality of IC cards 1.

  The authenticator table group 72 stores one or more authenticator tables for each service request identification. An authenticator table corresponding to an arbitrary service request identification i is represented by an authenticator table 72i. The authenticator table 72i has a client-side one-time authenticator for next authentication updated at the last authentication. The client side one-time authenticator for the next authentication is held separately for each of one or a plurality of IC cards 1.

  The IC card attribute table 73 is a table having a card ID of the IC card 1 and attribute information (such as card owner information) associated with the card ID. The IC card attribute table 73 is referred to when determining the validity of the card ID received together with the one-time authenticator when the one-time authenticator is a one-time password.

  The interface 56 is an interface circuit to which the communication device 57 can be connected. The communication device 57 is a device connectable to the network 3 such as a network interface card or a modem.

  The CPU 51, the ROM 52, the RAM 53, and the interfaces 54 and 56 are connected to each other via a bus or a control chip so that data communication can be performed.

  FIG. 11 is a block diagram illustrating a processing unit realized by the server device 4. As shown in FIG. 11, a communication processing unit 81 and a server side authentication processing unit 82 are realized in the server device 4.

  The communication processing unit 81 uses the communication device 57 to perform data communication with the IC card via a network using a predetermined communication protocol.

  The server-side authentication processing unit 82 is realized by the CPU 51 executing the one-time authentication program 61, and based on the one-time authenticator with one or a plurality of IC cards 1 using the communication processing unit 81. Execute server side processing in mutual authentication.

(2) Operation of each device The IC card 1 stores the concealment fixed information CZi, SZi, seed CRi (n−1), CQi (n−1), SRi (n−) in the authentication seed area 141 for each service request identification. 1), SQi (n-1), common encryption keys CKi (n-1), and SKi (n-1).
The server device also has the same hidden fixed information CZi, SZi, seed CRi (n-1), CQi (n-1), SRi (n-1), SQi (n-1) for each service request identification. , Common encryption keys CKi (n−1) and SKi (n−1) are held.

  Here, seeds CRi (n−1) and CQi (n−1) are client-side seeds in the current mutual authentication session corresponding to service request identification i, and seed CRi (n−1) is a client-side seed. The seed CQi is used as an argument when creating the one-time authenticator on the server side.

  The seeds SRi (n−1) and SQi (n−1) are server-side seeds in the current mutual authentication session corresponding to the service request identification i, and the seed SRi (n−1) is a server-side seed. When creating a time authenticator, it is used as an argument, and the seed SQi (n-1) is used as an argument when creating a one-time authenticator on the client side.

  The common encryption key CKi (n−1) is used to transfer the client side seeds CRi (n) and CQi (n) for the next authentication from the IC card 1 to the server device 4 in the current mutual authentication session corresponding to the service request identification i. This is a common encryption key for encrypting CRi (n) and CQi (n) when transmitting.

  In the current mutual authentication session corresponding to the service request identification i, the common encryption key SKi (n-1) is sent from the server device 4 to the IC card 1 for the next authentication server-side seed SRi (n), SQi (n). This is a common encryption key for encrypting the SRi (n) and SQi (n) when transmitting to.

  Seed CRi (n-1), CQi (n-1), SRi (n-1), SQi (n-1), and common encryption key CKi (n-1), SKi (n-1) are service requests A mutual authentication session corresponding to the identification i is executed and updated each time the mutual authentication is successful.

(3) Mutual Authentication Based on One-Time Authenticator FIGS. 12 to 14 are sequence diagrams illustrating mutual authentication based on the one-time authenticator executed in the system of FIG.

  In step S1, the reader / writer 2 detects the approach of the IC card 1.

  In step S2, upon request for reading from the reader / writer 2, a service request identification is given to the IC card 1 as a parameter. The service request identification data is also transmitted to the server device 4. Here, it is assumed that the service request identification “i” is given to the IC card 1 and the server device 4.

In step S3, the control unit 11 of the IC card 1 copies the concealment fixed information, the seed, and the common encryption key corresponding to the given service request identification from the authentication seed 141 to the operation stack 131.
Since the given service request identification is “i”, CRi (n−1), CQi (n−1), CKi (n−1), CZi, SRi (n−1), SQi (n−) of the authentication seed 141 1), SKi (n-1), and SZi are converted into CR1 (n-1), CQ1 (n-1), CK1 (n-1), CZ1, SR1 (n-1), SQ1 ( n-1), SK1 (n-1), and SZ1 are copied.

In step S4, the random number generation circuit RAND generates a first random number CR, and sets the generated first random number CR in the client-side first seed CR1 (n) for next authentication on the arithmetic stack 131.
The random number generation circuit RAND generates a second random number CQ, and sets the generated second random number CQ in the client-side second seed CQ1 (n) for next authentication on the arithmetic stack 131.

In step S5, the hash circuit Hash2 calculates exS by the following expression using SZ1, CQ1 (n-1), SR1 (n-1) held in the operation stack 131, and the correspondence of the operation stack 131. Store in the area. exS is calculated as a one-way function. The one-way function hash2 is a function that takes three arguments and has different function values depending on the order of the arguments.
exS = hash2 {SZ1, SR1 (n-1), CQ1 (n-1)}

In step S <b> 6, the hash circuit Hash <b> 1 calculates the client-side one-time authenticator C <b> 1 (n−1) for the current one-time authentication according to the following equation and stores it in the corresponding area of the output memory 133. C1 (n-1) is calculated by a one-way function. The one-way function hash1 is a function that takes three arguments and has different function values depending on the order of the arguments.
C1 (n-1) = hash1 {CZ1, CR1 (n-1), SQ1 (n-1)}

  In step S7, the encryption circuit ENC encrypts the next authentication client-side first seed CR1 (n) with the common encryption key CK1 (n-1) and stores it in the corresponding area of the output memory 133. Note that CR1 (n) encrypted with the common encryption key CK1 (n-1) is expressed as CK1 (n-1) * CR1 (n).

  In step S7, the encryption circuit ENC encrypts the client-side second seed CQ1 (n) for next authentication with the encryption key CK1 (n-1) and stores it in the corresponding area of the output memory. Note that CQ1 (n) after encryption with the common encryption key CK1 (n-1) is expressed as CK1 (n-1) * CQ1 (n).

In step S <b> 8, the hash circuit Hash <b> 3 calculates the falsification check code CheckOUT according to the following equation and stores it in the corresponding area of the output memory 133. The falsification check code CheckOUT is calculated by a one-way function. The one-way function hash3 is a function that takes four arguments and has different function values depending on the order of the arguments.
CheckOUT = hash3 {CK1 (n-1), C1 (n-1), CK1 (n-1) * CR1 (n), CK1 (n-1) * CQ1 (n)}

  In step S9, C1 (n-1), CK1 (n-1) * CR1 (n), CK1 (n-1) * CQ1 (n), and CheckOUT are transmitted from the IC card 1 to the server device 4.

  After step S10, the server-side authentication processing unit 82 on the server side uses the seed table and authenticator table corresponding to the service request identification received in step S2.

  In step S10, the server-side authentication processing unit 82 on the server side receives the client-side one-time authenticator Ci () corresponding to the service request identification i held by the received client-side one-time authenticator C1 (n-1). n-1) is determined.

  When it is determined that the received one-time authenticator C1 (n-1) is an unauthorized one-time authenticator, the server-side authentication processing unit 82 determines that the authentication has failed, and indicates that the authentication has failed. Then, the reader / writer 2 is notified and the processing is terminated. If the received one-time authenticator C1 (n-1) matches the one-time authenticator stored in the authenticator table 72i, the server-side authentication processing unit proceeds to step S11.

In step S11, the server-side authentication processing unit 82 on the server side holds the client-side common encryption key CKi (n−1) and the received C1 (n−1), CK1 (n−1) * CR1 ( n) and CK1 (n-1) * CQ1 (n) are used to calculate a check code CHECK-C according to the following equation. The check code CHECK-C is calculated as a one-way function. This one-way function takes four arguments, and the function value varies depending on the order of the arguments.
CHECK-C = hash3 {CKi (n-1), C1 (n-1), CK1 (n-1) * CR1 (n), CK1 (n-1) * CQ1 (n)}

In step S12, the server-side authentication processing unit 82 on the server side compares the received CheckOUT with the check code CHECK-C created in step S11.
If the received CheckOUT does not match the check code CHECK-C, the server-side authentication processing unit 82 determines that the authentication has failed, notifies the IC card 1 and the reader / writer 2 that the authentication has failed, and ends the processing. . If the received CheckOUT matches the check code CHECK-C, the process proceeds to step S13.

In step S13, the server-side authentication processing unit 82 on the server side decrypts CK1 (n−1) * CR1 (n) to obtain the next authentication client-side first seed CRi (n).
In step S13, the server-side authentication processing unit 82 on the server side decrypts CK1 (n−1) * CQ1 (n) to obtain the next authentication client-side second seed CQi (n).

In step S14, the server-side authentication processing unit 82 on the server side generates the first random number SR and sets the random number SR as the next authentication server-side first seed SRi (n).
Further, the server-side authentication processing unit 82 on the server side generates a second random number SQ, and uses the random number SQ as the next authentication server-side second seed SQi (n).

  As a random number generation method in the server-side authentication processing unit 82, a method using a pseudo random number sequence created by a function, a natural random number created using a random natural phenomenon such as a nuclear decay or a thermal noise of a resistor is used. In addition to the method, the random number may be read out from a random number file that stores a separately generated natural random number.

In step S15, the server-side authentication processing unit 82 on the server side creates a server-side one-time authenticator Si (n−1) for the current one-time authentication according to the following equation.
Si (n-1) = hash2 {SZi, SRi (n-1), CQi (n-1)}

In step S16, the server-side authentication processing unit 82 on the server side encrypts the next authentication server-side first seed SRi (n) with the common encryption key SKi (n−1). Note that SRi (n) encrypted with the common encryption key SKi (n−1) is expressed as SKi (n−1) * SRi (n).
In step S16, the server-side authentication processing unit 82 on the server side encrypts the next authentication server-side second seed SQi (n) with the common encryption key SKi (n-1). Note that SQi (n) encrypted with the common encryption key SKi (n-1) is expressed as SKi (n-1) * SQi (n).

In step S17, the server-side authentication processing unit 82 on the server side creates a falsification check code CheckIN according to the following equation.
CheckIN = hash4 {SKi (n−1), Si (n−1), SKi (n−1) * SRi (n), SKi (n−1) * SQi (n)}

  In step S18, Si (n-1), SKi (n-1) * SRi (n), SKi (n-1) * SQi (n), and CheckIN are transmitted from the server apparatus 4 to the IC card 1.

  In step S19, the comparison circuit CMP compares exS with Si (n−1) received from the server side. If they do not match, it is determined that the authentication has failed, the server error is notified to the reader / writer 2, and the processing is terminated. If they match, the process proceeds to step S20.

In step S20, the hash circuit Hash4, SK1 (n-1) stored in the arithmetic stack 131, Si (n-1), SKi (n-1) * SRi (n) received from the server side, and Using SKi (n-1) * SQi (n), check code CHECK-S is calculated by the following equation.
CHECK-S = hash4 {SK1 (n-1), Si (n-1), SKi (n-1) * SRi (n), SKi (n-1) * SQi (n)}

  In step S21, the comparison circuit CMP compares the received CheckIN with the check code CHECK-S created in step 22. If they do not match, it is determined that the authentication has failed, the server error is notified to the reader / writer 2, and the processing is terminated. If they match, the process proceeds to step S22.

In step S <b> 22, the control unit 11 stores the client side first seed CR <b> 1 (n) for next authentication in CRi (n−1) of the authentication seed 141.
In step S <b> 22, the control unit 11 stores the client side second seed CQ <b> 1 (n) for the next authentication in CQi (n−1) of the authentication seed 141.

In step S 23, the decryption circuit DEC uses the server-side common encryption key SK 1 (n−1) held on the arithmetic stack 131 to store the received SKi (n−1) * SRi (n) with SRi (n). To decrypt. The decrypted SRi (n) is stored in SRi (n−1) of the authentication seed 141.
In step S 23, the decryption circuit DEC uses the server-side common encryption key SK 1 (n−1) held on the arithmetic stack 131 to store the received SKi (n−1) * SQi (n) with SQi ( Decode to n). The decrypted SQi (n) is stored in SQi (n−1) of the authentication seed 141.

In step S24, the hash circuit Hash5 updates the common encryption key CK1 on the client side with the following equation.
CK1 (n) = hash5 (CR1 (n), CQ1 (n), CK1 (n-1))
In step S24, the hash circuit Hash6 updates the server-side common encryption key SK1 with the following equation.
SK1 (n) = hash6 (SR1 (n), SQ1 (n), SK1 (n-1))
The control unit 11 writes the updated CK1 (n) and SK1 (n) to CKi (n−1) and SKi (n−1) of the authentication seed 141, respectively.

  In step S25, the control unit 11 notifies the reader / writer 2 of completion.

In step S26, the server-side authentication processing unit 82 on the server side calculates the client-side one-time authenticator Ci (n) used at the next one-time authentication according to the following equation, and stores it in the authenticator table 72i until the next mutual authentication. Hold.
Ci (n) = hash1 {CZi, CRi (n), SQi (n)}

  In step S27, the server-side authentication processing unit 82 updates the data in the seed table 71i with CRi (n), CQi (n), SRi (n), and SQi (n), and authenticator table 72i with Ci (n). Update the client-side one-time authenticator at.

In step S28, the server-side authentication processing unit 82 on the server side updates the client-side common encryption key CKi using the following hash function.
CKi (n) = hash5 {CRi (n), CQi (n), CKi (n-1)}
In step S28, the server-side authentication processing unit 82 on the server side updates the server-side common encryption key SKi using the following hash function.
SKi (n) = hash6 {SRi (n), SQi (n), SKi (n-1)}

  In step S29, the server-side authentication processing unit 82 on the server side uses the seed table 71 for the next authentication seed and the common encryption key CRi (n), CQi (n), CKi (n), SRi ( n), SQi (n), SKi (n), and the seed and common encryption key CRi (n-1), CQi (n-1), CKi (n-1), SRi (n-1) for the current authentication , SQi (n-1), SKi (n-1) are updated.

  With this configuration, one IC card can support authentication of one or more services, and the arguments of the hash function for creating one-time authenticators C1 (n) and Si (n) Since the hidden fixed information CZ1 and SZi that are not communicated between the server apparatuses 4 are included, even if the common encryption key or seed is decrypted, impersonation is not performed.

  Next, details of the structures of the seed table 71i and the authenticator table 72i will be described, and then details of step S10, step S14, and step S27 will be described.

First, the data structure will be described.
In the server device 4, a seed table 71i and an authenticator table 72i are managed for each service request identification.

  In the authenticator table 72i corresponding to the service request identification i, a unique management number (IC card ID) is assigned to each of one or a plurality of IC cards, similar to the IC card 1, and associated with the management number. Thus, the next authentication client side one-time authenticator Ci (n-1) is held.

  In the seed table 71i corresponding to the service request identification i, the concealment fixed information CZi and SZi, the current (n-1) seed CRi (n-1), CQi (n-1), SRi (n) are associated with the management number. -1), SQi (n-1) and common encryption keys CKi (n-1), SKi (n-1) and seeds CRi (n), CQi (n), SRi (n), SQi ( n) and the common encryption keys CKi (n) and SKi (n) are held.

  FIG. 15 is a diagram illustrating an example of the structure of the seed table 71i. FIG. 16 is a diagram illustrating an example of the structure of the authenticator table 72i.

  The authentication address in FIG. 15 is data indicating the position of a record having the same management number as the management number associated with the authentication address in the authenticator table 72i.

  In FIG. 16, the server side authentication processing unit 82 sorts records in the authenticator table 72i (a set of one-time authenticators and management numbers) in ascending order with respect to the values of the one-time authenticators. Thereby, it is possible to quickly determine whether or not the one-time authenticator received from the client is registered in the authenticator table 72i during the one-time authentication.

  The seed table 71i and the authenticator table 72i have a predetermined number of records (that is, the number of IC cards) in advance, and initial values are set in fields other than the management number in the records.

Next, details of step S10 will be described.
In step S10, the server-side authentication processing unit 82 determines whether the client-side one-time authenticator C1 (n−1) received from the IC card 1 is one of the client-side one-time authenticators registered in the authenticator table 72i. It is determined whether or not.
If the received client-side one-time authenticator C1 (n-1) is one of the client-side one-time authenticators registered in the authenticator table 72i, the authentication is successful, and the server-side authentication processing unit 82 In the authenticator table 72i, the management number associated with the received client-side one-time authenticator C1 (n-1) is specified.
Then, the server-side authentication processing unit 82 proceeds with subsequent processing using the record in the seed table 71i corresponding to the specified management number.

  If the received client-side one-time authenticator C1 (n-1) is not one of the client-side one-time authenticators registered in the authenticator table 72i, authentication fails.

Next, details of step S14 will be described.
FIG. 17 is a flowchart illustrating the details of step S14.

  In step S101, in the server device 4, the server side authentication processing unit 82 generates a random number SR and sets it to the next authentication server side seed SRi (n).

  In step S102, the server-side authentication processing unit 82 creates a random number SQ.

In step S103, when this random number SQ is used as the next authentication server-side seed, it is determined whether or not the next authentication client-side one-time authenticator matches the client-side one-time authenticator of another IC card. To do. That is, it is determined whether or not the uniqueness of the client-side one-time authenticator when the generated random number SQ is used (that is, there is no client-side one-time authenticator having the same value) is determined.
At this time, the server side authentication processing unit 82 calculates the next authentication client side authenticator X1 when this random number SQ is used as the next authentication server side seed according to the following equation. It is determined whether or not it is registered in the authenticator table 72i.
X1 = hash1 {CZi, CRi (n), SQ}

  When it is determined that the generated random number SQ does not ensure uniqueness, the server-side authentication processing unit 82 regenerates the random number SQ until the uniqueness is ensured. On the other hand, if it is determined that the generated random number SQ ensures uniqueness, the process proceeds to step S104.

  In step S104, the server-side authentication processing unit 82 sets the random number SQ to the next authentication server-side seed SQi (n).

Next, details of step S27 will be described.
FIG. 18 is a flowchart illustrating details of step S27.

  In step S105, the server side authentication processing unit 82 writes the seed CRi (n), CQi (n), SRi (n), and SQi (n) for the next authentication of the management number in the seed table 71i.

In step S106, X1 calculated at the time of determination in step S103 is set as the next authentication client-side one-time authenticator Ci (n), and that Ci (n) is associated with the management number in the authenticator table 72i. Update the one-time authenticator.
That is, the server-side authentication processing unit 82 reads the authentication address associated with the management number from the seed table 71i, identifies the record of the management number in the authenticator table 72i with the normal authentication address, Update one-time authenticator for.

  In step S107, the server-side authentication processing unit 82 sorts the records in the authenticator table 72i so that the values of the one-time authenticators are in ascending order. Update the authentication address associated with the record management number.

[Modification of Embodiment 1]
The current client-side one-time authenticator for the service request identification i is obtained by the following equation.
Ci (n-1) = hash1 {CZi, CRi (n-1), SQi (n-1)}

Of the three arguments, CZi is concealment fixed information, and CRi (n−1) and SQi (n−1)
) Is a value written in the authentication seed 141 at the end of the previous one-time authentication, Ci (n-1) is a value determined at the end of the previous one-time authentication. Therefore, at the end of the previous one-time authentication, the first embodiment can be modified such that the value of the current client-side one-time authenticator Ci (n-1) is obtained and written in the authentication seed 141. It is. According to this modification, since the step of calculating the client-side one-time authenticator using a hash circuit can be omitted in step S5 at the beginning of the current authentication process, the time required for the current authentication can be shortened. Can do.

  In the case of the first method for providing one or more services with one IC card, since only one set of authentication seeds is stored in the IC card 1, the IC card 1 uses the authentication seed. And just one-time authentication.

Embodiment 2. FIG.
The first embodiment has been described on the assumption that the RAND circuit is formed by the electronic circuit in the IC chip 10. However, depending on the IC chip 10, the RAND circuit may not be formed.
In the second embodiment, the case where the RAND circuit is not formed by the electronic circuit in the IC chip 10 will be described.

  In the second embodiment, the server device 4 is also configured to generate random numbers CR and CQ that are originally generated on the client side.

  FIG. 19 shows an example of the configuration of the output memory 133. In the second embodiment, the next authentication seeds CRi (n) and CQi (n) are also generated on the server device 4 side, encrypted with the common encryption key on the server device side, and transmitted to the IC card 1. The memory 133 does not have the areas of CK1 (n−1) * CR1 (n) and CK1 (n−1) * CQ1 (n).

  FIG. 20 shows an example of the configuration of the input memory 132. In the second embodiment, the area of SKi (n−1) * CRi (n) and SKi (n−1) * CQi (n) is increased in the input memory 132 as compared with the first embodiment.

  FIG. 21 to FIG. 23 are sequence diagrams for explaining mutual authentication based on the one-time authenticator of the second embodiment, which is executed in the system of FIG.

  In step S201, the reader / writer 2 detects the approach of the IC card 1.

  In step S202, a service request identification is given to the IC card 1 as a parameter at the time of a read request from the reader / writer 2. The service request identification data is also transmitted to the server device 4. Here, it is assumed that the service request identification “i” is given to the IC card 1 and the server device 4.

In step S203, the control unit 11 of the IC card 1 copies the concealment fixing information, the seed, and the common encryption key corresponding to the given service request identification from the authentication seed 141 to the operation stack 131.
Since the given service request identification is “i”, CRi (n−1), CQi (n−1), CKi (n−1), CZi, SRi (n−1), SQi ( n-1), SKi (n-1), and SZi are converted into CR1 (n-1), CQ1 (n-1), CK1 (n-1), CZ1, SR1 (n-1), Copy to SQ1 (n-1), SK1 (n-1), and SZ1, respectively.

In step S204, the hash circuit Hash2 calculates exS by the following expression using SZ1, CQ1 (n-1), SR1 (n-1) held in the operation stack 131, Store in the area. exS is calculated as a one-way function. The one-way function hash2 is a function that takes three arguments and has different function values depending on the order of the arguments.
exS = hash2 {SZ1, SR1 (n-1), CQ1 (n-1)}

In step S <b> 205, the hash circuit Hash <b> 1 calculates the client-side one-time authenticator C <b> 1 (n−1) for the current one-time authentication according to the following equation and stores it in the corresponding area of the output memory 133. C1 (n-1) is calculated by a one-way function. The one-way function hash1 is a function that takes three arguments and has different function values depending on the order of the arguments.
C1 (n-1) = hash1 {CZ1, CR1 (n-1), SQ1 (n-1)}

In step S <b> 206, the hash circuit Hash <b> 3 calculates the falsification check code CheckOUT according to the following expression and stores it in the corresponding area of the output memory 133. The falsification check code CheckOUT is calculated by a one-way function. The one-way function hash3 is a function that takes two arguments and has different function values depending on the order of the arguments.
CheckOUT = hash3 {CK1 (n-1), C1 (n-1)}

  In step S207, C1 (n-1) and CheckOUT are transmitted from the client to the server.

  In step S208 and subsequent steps, the server-side authentication processing unit 82 on the server side uses the authentication seed corresponding to the service request identification received in step S202.

  In step S208, the server-side authentication processing unit 82 on the server side receives the client-side one-time authenticator Ci () corresponding to the service request identification i held by the received client-side one-time authenticator C1 (n-1). n-1) is determined.

  When it is determined that the received one-time authenticator C1 (n-1) is an unauthorized one-time authenticator, the server-side authentication processing unit 82 determines that the authentication has failed, and indicates that the authentication has failed. Then, the reader / writer 2 is notified, and the process is terminated and terminated. If the received one-time authenticator C1 (n-1) matches the one-time authenticator stored in the authenticator table 72i, the server-side authentication processing unit proceeds to step S209.

In step S209, the server-side authentication processing unit 82 on the server side uses the held client-side common encryption key CKi (n-1) and the received C1 (n-1) to check code CHECK according to the following equation: -C is calculated. The check code CHECK-C is calculated as a one-way function. This one-way function takes two arguments and is a function whose function value varies depending on the order of the arguments.
CHECK-C = hash3 {CKi (n-1), C1 (n-1)}

In step S210, the server-side authentication processing unit 82 on the server side compares the received CheckOUT with the check code CHECK-C created in step S209.
If the received CheckOUT does not match the check code CHECK-C, the server-side authentication processing unit 82 determines that the authentication has failed, notifies the IC card 1 and the reader / writer 2 that the authentication has failed, and ends the processing. . If the received CheckOUT matches the check code CHECK-C, the process proceeds to step S211.

In step S211, the server-side authentication processing unit 82 on the server side generates a first random number CR, and sets the random number CR as the first authentication client-side first seed CRi (n).
Further, the server-side authentication processing unit 82 on the server side generates a second random number CQ, and sets the random number CQ as the next authentication client-side second seed CQi (n).
Further, the server-side authentication processing unit 82 on the server side generates the third random number SR, and sets the random number SR as the first authentication server-side first seed SRi (n).
Further, the server-side authentication processing unit 82 on the server side generates the fourth random number SQ, and sets the random number SQ as the next authentication server-side second seed SQi (n).

  As a random number generation method in the server-side authentication processing unit 82, a method using a pseudo random number sequence created by a function, a natural random number created using a random natural phenomenon such as a nuclear decay or a thermal noise of a resistor is used. In addition to the method, the random number may be read out from a random number file that stores a separately generated natural random number.

In step S212, the server-side authentication processing unit 82 on the server side creates a server-side one-time authenticator Si (n−1) for the current one-time authentication according to the following equation.
Si (n-1) = hash2 (SZi, SRi (n-1), CQi (n-1))

  In step S213, the server-side authentication processing unit 82 on the server side uses the common encryption key SKi (n−1), and next authentication seed CRi (n), CQi (n), SRi (n), and SQi (n). Is encrypted. CRi (n), CQi (n), SRi (n), and SQi (n) after being encrypted with SKi (n-1) are converted into SKi (n-1) * CRi (n), SKi (n) -1) * CQi (n), SKi (n-1) * SRi (n), and SKi (n-1) * SQi (n).

In step S214, the server-side authentication processing unit 82 on the server side creates a falsification check code CheckIN according to the following equation.
CheckIN = hash4 {SKi (n−1), Si (n−1), SKi (n−1) * CRi (n), SKi (n−1) * CQi (n), SKi (n−1) * SRi (N), SKi (n-1) * SQi (n)}

  In step S215, from the server apparatus 4 to the IC card 1, Si (n-1), SKi (n-1) * CRi (n), SKi (n-1) * CQi (n), SKi (n-1) * SRi (n), SKi (n-1) * SQi (n), and CheckIN are transmitted.

  In step S216, the comparison circuit CMP compares exS with Si (n−1) received from the server side. If they do not match, it is determined that the authentication has failed, the server error is notified to the reader / writer 2, and the processing is terminated. If they match, the process proceeds to step S217.

In step S217, the hash circuit Hash4, SK1 (n-1) stored in the arithmetic stack 131, and Si (n-1), SKi (n-1) * CRi (n), SKi received from the server side. (N-1) * CQi (n), SKi (n-1) * SRi (n), and SKi (n-1) * SQi (n) are used to calculate the check code CHECK-S according to the following equation: .
CHECK-S = hash4 {SK1 (n-1), Si (n-1), SKi (n-1) * CRi (n), SKi (n-1) * CQi (n), SKi (n-1) * SRi (n), SKi (n-1) * SQi (n)}

  In step S218, the comparison circuit CMP compares the received CheckIN with the check code CHECK-S created in step 217. If they do not match, it is determined that the authentication has failed, the server error is notified to the reader / writer 2, and the processing is terminated. If they match, the process proceeds to step S219.

  In step S219, the decoding circuit DEC receives the received SKi (n-1) * CRi (n), SKi (n-1) * CQi (n), SKi (n-1) * SRi (n), and SKi ( n-1) * SQi (n) is decrypted with the server side common encryption key SK1 (n-1) held on the arithmetic stack 131. The decrypted CRi (n), CQi (n), SRi (n), and SQi (n) are stored in the authentication seed 141.

In step S220, the hash circuit Hash5 updates the common encryption key CK1 on the client side with the following equation.
CK1 (n) = hash5 {CRi (n), CQi (n), CK1 (n-1)}
In step S220, the hash circuit Hash6 updates the server-side common encryption key SK1 with the following equation.
SK1 (n) = hash6 {SRi (n), SQi (n), SK1 (n-1)}
The control unit 11 writes the updated CK1 (n) and SK1 (n) to CKi (n−1) and SKi (n−1) of the authentication seed 141, respectively.

  In step S221, the control unit 11 notifies the reader / writer 2 of completion.

In step S222, the server-side authentication processing unit 82 on the server side calculates the client-side one-time authenticator Ci (n) used at the next one-time authentication according to the following equation, and stores it in the authenticator table 72i until the next mutual authentication. Hold.
Ci (n) = hash1 {CZi, CRi (n), SQi (n)}

  In step S223, the server-side authentication processing unit 82 updates data in the seed table 71i with CRi (n), CQi (n), SRi (n), and SQi (n), and authenticator table 72i with Ci (n). Update the client-side one-time authenticator at.

In step S224, the server-side authentication processing unit 82 on the server side updates the client-side common encryption key CKi using the following hash function.
CKi (n) = hash5 {CRi (n), CQi (n), CKi (n-1)}
In step S224, the server-side authentication processing unit 82 on the server side updates the server-side common encryption key SKi using the following hash function.
SKi (n) = hash6 {SRi (n), SQi (n), SKi (n-1)}

  In step S225, the server-side authentication processing unit 82 on the server side uses the seed table 71 for the next authentication seed and common encryption key CRi (n), CQi (n), CKi (n), SRi ( n), SQi (n), SKi (n), and the seed and common encryption key CRi (n-1), CQi (n-1), CKi (n-1), SRi (n-1) for the current authentication , SQi (n-1), SKi (n-1) are updated.

Next, details of step S208 will be described.
In step S208, the server-side authentication processing unit 82 determines that the client-side one-time authenticator C1 (n-1) received from the IC card 1 is one of the client-side one-time authenticators registered in the authenticator table 72i. It is determined whether or not.
If the received client-side one-time authenticator C1 (n-1) is one of the client-side one-time authenticators registered in the authenticator table 72i, the authentication is successful, and the server-side authentication processing unit 82 In the authenticator table 72i, the management number associated with the received client-side one-time authenticator C1 (n-1) is specified.
Then, the server-side authentication processing unit 82 proceeds with subsequent processing using the record in the seed table 71i corresponding to the specified management number.

  If the received client-side one-time authenticator C1 (n-1) is not one of the client-side one-time authenticators registered in the authenticator table 72i, authentication fails.

Next, details of step S211 will be described.
FIG. 24 is a flowchart illustrating the details of step S211.

  In step S301, the server-side authentication processing unit 82 creates random numbers CR, CQ, SR, and sets them in the next authentication seeds CRi (n), CQi (n), SRi (n).

  In step S302, the server side authentication processing unit 82 creates a random number SQ.

In step S303, when this random number SQ is used as the next authentication server-side seed, it is determined whether or not the next authentication client-side one-time authenticator matches the client-side one-time authenticator of another IC card. To do. That is, it is determined whether or not the uniqueness of the client-side one-time authenticator when the generated random number SQ is used (that is, there is no client-side one-time authenticator having the same value) is determined.
At this time, the server side authentication processing unit 82 calculates the next authentication client side authenticator X1 when this random number SQ is used as the next authentication server side seed according to the following equation. It is determined whether or not it is registered in the authenticator table 72i.
X1 = hash1 {CZi, CRi (n), SQ}

  When it is determined that the generated random number SQ does not ensure uniqueness, the server-side authentication processing unit 82 regenerates the random number SQ until the uniqueness is ensured. On the other hand, if it is determined that the generated random number SQ ensures uniqueness, the process proceeds to step S304.

  In step S304, the server side authentication processing unit 82 sets the random number SQ to the next authentication server side seed SQi (n).

Next, details of step S223 will be described.
FIG. 25 is a flowchart illustrating the details of step S223.

  In step S305, the server side authentication processing unit 82 writes the seed CRi (n), CQi (n), SRi (n), and SQi (n) for the next authentication of the management number in the seed table 71i.

In step S306, X1 calculated at the time of determination in step S303 is set as the next authentication client-side one-time authenticator Ci (n), and that Ci (n) is associated with the management number in the authenticator table 72i. Update the one-time authenticator.
That is, the server-side authentication processing unit 82 reads the authentication address associated with the management number from the seed table 71i, specifies the record of the management number in the authenticator table 72i with the authentication address, Update the one-time authenticator.

  In step S307, the server-side authentication processing unit 82 sorts the records in the authenticator table 72i so that the values of the one-time authenticators are in ascending order, and records whose position has been changed by sorting in the seed table 71i. Update the authentication address associated with the record management number.

[Modification of Embodiment 2]
In the second embodiment, as in the modification of the first embodiment, when the previous one-time authentication ends, the value of the current client-side one-time authenticator Ci (n−1) is obtained and the authentication seed 141 is obtained. It can be transformed to write. According to this modification, since the step of calculating the client-side one-time authenticator using a hash circuit can be omitted in step S204 at the beginning of the current authentication process, the time required for the current authentication can be shortened. Can do.

  In the case of the first method for providing one or more services with one IC card, since only one set of authentication seeds is stored in the IC card 1, the IC card 1 uses the authentication seed. And just one-time authentication.

  Each of the above embodiments is a preferred example of the present invention, but the present invention is not limited to these, and various modifications and changes can be made without departing from the scope of the present invention. It is.

  Although the IC card 1 has been described as communicating with the reader / writer 2 in a non-contact manner, a contact type in which the reader / writer 2 communicates via a contact (terminal) installed on the card side may be used.

  Further, the non-volatile memory in the IC card may be a flash memory other than FeRAM or an EEPROM.

  Although the control unit 11 of the IC card 1 is configured by an electronic circuit without a CPU, the control unit 11 may be configured to be realized by the CPU executing a program recorded in the ROM.

  In the first and second embodiments, the one-time authenticator may be a one-time password. When the one-time authenticator is a one-time password, it is not necessary to determine the uniqueness of the client-side one-time authenticator (steps S108 and S308). In this case, the card ID 121 is read from the IC card 1 and The card ID 121 is transmitted to the server device 4 together with the time authenticator, and the server device 4 refers to the card attribute table 73 and specifies the IC card 1 based on the card ID 121.

  In the first and second embodiments, in the server device 4, the server-side authentication processing unit 82 reads the seed table 71 and the authenticator table 72 from the storage device 55 to the RAM 53 when the server device 4 is activated, and performs one-time authentication. The mutual authentication based on the child is executed based on the seed table 71 and the authenticator table 72 on the RAM 53. When the server apparatus 4 is shut down, the seed table 71 and the authenticator table 72 on the RAM 53 The table 71 and the authenticator table 72 may be updated.

DESCRIPTION OF SYMBOLS 1 IC card 2 IC card reader / writer 3 Network 4 Server device 10 IC chip 11 Control unit 12 ROM
13 RAM
14 FeRAM
15 Receiving Circuit 16 Transmitting Circuit 17 Antenna 18 Internal Bus 121 Card ID
131 Operation Stack 132 Input Memory 133 Output Memory 141 Authentication Seed 142 Card ID
51 CPU
52 ROM
53 RAM
54 interface 55 storage device 56 interface 57 communication device 61 one-time authentication program 71 seed table group 71i seed table 72 authenticator table group 72i authenticator table 73 IC card attribute table 81 communication processing unit 82 server side authentication processing unit

Claims (9)

An IC card with built-in nonvolatile memory and RAM,
Storing a set of authentication seed and common encryption key common to one or more services in the non-volatile memory;
A set of authentication seeds and a common encryption key common to the one or more services are copied from the non-volatile memory to the operation stack on the RAM, and then copied to the operation stack on the RAM Based on a set of authentication seeds that are used for mutual authentication between the IC card and the server device and copied to the operation stack on the RAM, from the server device. An IC card characterized by determining the validity of a received one-time authenticator.   The IC card according to claim 1, wherein the authentication seed includes concealment fixing information that is not transmitted from the IC card to the server device and is not updated after mutual authentication.   The common encryption key used when encrypting transmission data with the IC card is a common encryption key different from the common encryption key used when encrypting transmission data with the server device The IC card according to claim 1 or 2.   The IC card side authentication seed used for IC card side authenticator generation is a seed different from the IC card side authentication seed used for server apparatus side one-time authenticator generation. The IC card according to claim 3.   5. The IC card side authentication seed generated in the server device and transmitted after being encrypted is received and decrypted by the IC card and used to create a one-time authenticator. IC card of description.   6. The IC card according to claim 1, wherein a client-side one-time authenticator for the current authentication is stored in the nonvolatile memory at the end of the previous authentication. An IC card with built-in nonvolatile memory and RAM,
Storing in the non-volatile memory one or more sets of authentication seeds and a common encryption key corresponding to one or more service request identifications;
A set of authentication seeds and a common encryption key corresponding to a specific service request identification are copied from the non-volatile memory to the operation stack on the RAM, and then copied to the operation stack on the RAM. Based on a set of authentication seeds that are used for mutual authentication between the IC card and the server device and copied to the operation stack on the RAM, from the server device. An IC card characterized by determining the validity of a received one-time authenticator. Server device and IC card,
The server device and the IC card store a set of authentication seeds common to one or more services,
The server device and the IC card each generate an authentication seed, encrypt the authentication seed and transmit each other, generate and transmit a one-time authenticator from the authentication seed, and the server device Based on the authentication seed and the authentication seed generated by the IC card, the one-time authenticator is mutually authenticated, and the authentication seed is updated and held with the next authentication seed each time the authentication is successful. ,
The IC card generates a client-side one-time authenticator based on an authentication seed, transmits the client-side one-time authenticator to the server device, and transmits the client-side one-time authenticator transmitted to the server device and the server-side one-time received from the server device. When the authentication for the time authenticator is successful, the next authentication seed is updated,
When the server device succeeds in authenticating the client-side one-time authenticator received from the IC card, it updates the next authentication seed and holds it until the next authentication time,
One-time authentication system characterized by A server device used for one-time mutual authentication with an IC card,
The server device and the IC card store a set of authentication seeds common to one or more services,
The server device and the IC card each generate an authentication seed, encrypt the authentication seed, and transmit to each other,
Generate a server-side one-time authenticator based on the authentication seed and send it to the IC card,
If the client-side one-time authenticator received from the IC card is successfully authenticated, the next authentication seed is updated and held until the next authentication.
A server device.

Images