JPH02165186A - IC card device - Google Patents

Abstract

(57) [Summary] This bulletin contains application data before electronic filing, so abstract data is not recorded.

Description

DETAILED DESCRIPTION OF THE INVENTION Field of Industrial Application The present invention relates to digital signatures in IC card systems.

2. Description of the Related Art Conventionally, an IC card device for concealing a message and applying a digital signature to an IC card has had a configuration as shown in FIG. In Figure 3, 61 is 1% of IC cars.
62 is a terminal that communicates with the IC card 61; 63 is a decryption function for public key cryptography; 64 is a cryptographic function for public key cryptography; 66 is a contracted one-way function (hereinafter referred to as a hash function);
66 is a cryptographic function that performs an inverse operation of the decryption function 83; 67 is a decryption function that performs an inverse operation of the cryptographic function 64; and 68 is a hash function that performs exactly the same operation as the hash function 66.

69 is a comparison means. Further, the IC card 61 is an IC card 61.
Private key Ksa of card 61 and public key Kp of terminal 62
b, and the terminal 62 has the public iJ! of the IC card 61.
It has K p a and the private key Ksb of the terminal 62. KSa and Kpa are public key cryptography (IC3/D3)6
It forms a pair of 3°66 private key and public key, and satisfies KsKpa(DsKsa(m))=m (m: arbitrary plaintext)−(1). Here, D3Ksa(m) indicates the result of decrypting the plaintext m using the key Ksa using the decryption function D3 (the same applies to the cryptographic function IC3). On the other hand, Ksb and Kpb form a pair of private key and public key of public key cryptography (IC4/D4) 64°67, D4Ksb (K4Kp1) (m )) = m (m
: arbitrary plaintext) − (2) is satisfied.

The operation of the IC card device configured as described above will be explained below. First, the IC card 61 uses the cryptographic function 64 to encrypt the plaintext M using the public key Kpb of the terminal and sends it to the terminal 62 (this data is converted into a cryptogram C=4kp).
(denoted as b(M)). At the same time, data h(M)? that is shorter than the plaintext M is input to the plaintext Mi hash function 66. :,
h(M) is decrypted using the private key Ksλ of the IC card 61 using the decryption function 63, and sent to the terminal 62 (this data is converted into a signature text S = D3 kga(h(M
)). Here, the reason for using the hash function h6 is to shorten the processing time by the decoding function 63.

On the other hand, the terminal 62 decrypts 4 kpb (M) of the cryptogram C= sent from the IC card 61 using the decryption function 67 and the terminal's private key Ksb. If normal communication is performed, plaintext M can be restored according to equation (2). Here, the cryptogram C cannot be decrypted without using Ksb, which only the authorized terminal 62 has. This allows messages to be kept confidential.

Further, the terminal 62 uses the cryptographic function 66 to generate the signature text S=D3ksa(
h(M)) is subjected to cryptographic processing. Signature text S is private key Ksa
If it is generated by a valid IC card 1 with
According to equation (1), h(M) can be obtained. Conversely, the signature text S cannot be created without using the Ksa that only the valid IC card 61 has. therefore,
By comparing this value with the value obtained by applying the no-sh function 68 to the restored plaintext M using the comparison means 69, it is determined that the plaintext M is definitely sent from a legitimate IC card 61. can be confirmed. With this, it is possible to confirm the authenticity of the source of the plaintext M, that is, to achieve a digital signature.

Problems to be Solved by the Invention In such a conventional configuration, since Ksa, Kpa, Ksb and Kpb are fixed values, the cryptogram C and the signature text S are always constant for the same plaintext M. Therefore, by eavesdropping on a certain pair of cryptographic text C and signature text S, fraud through retransmission becomes possible. For example, consider a case where plaintext M is a response indicating whether or not to approve a certain transaction. If a person with malicious intent is able to send the previously eavesdropped code C and signature S of the response "accept" to the terminal when the response should have been "disapprove", this could be a serious problem. It becomes a problem. In normal encrypted communication, this problem is solved by adding a time stamp, but since an IC card does not have battery backup, a time stamp cannot be added to the IC card. As described above, the conventional configuration has a very serious security problem in that it is possible to commit fraud by retransmitting a digital signature.

In view of these problems, it is an object of the present invention to provide an IC card device that can prevent fraud due to retransmission of a digital signature with a simple configuration without using a time stamp.

Means for Solving the Problems To achieve this object, the present invention includes an IC card and a terminal that communicates with the IC card, and the IC card stores a private key stored in the IC card. signature generation means for generating a first signature text from the first plaintext using
The method includes a linking unit that connects the first condolence message and the first signature text to generate a second condolence message, and a cryptographic processing unit that generates a coded text from the second plaintext and sends it to the terminal. The terminal further includes a decryption processing means for performing an inverse operation of the cryptographic processing means on the cryptographic text received from the cryptographic processing means to generate a third plaintext, and a decryption processing means that generates a third plaintext, and converts the third condolence message into a fourth plaintext. a separation means for separating the second signature text into a second signature text; a signature restoration means for generating a sixth condolence text from the second signature text using a public key paired with the private key; It has a confirmation means for checking consistency with the sixth message of condolence, and is configured such that the encryption processing means and the decryption processing means output different data each time they process the same input data. It is something.

Effect: With this configuration, the first signature text is also input to the encryption processing means, and the encryption processing means also inputs the same input data.
Since different data is output each time the process is performed, the data on the communication line for the first signature text has a specific value each time. By this, without using timestamps,
With a simple configuration.

Fraud due to retransmission of digital signatures can be prevented.

Embodiment FIG. 1 is a block diagram of an IC card device according to an embodiment of the present invention. In Figure 1, %1 is an XC card, 2 is a terminal that performs all communications with the IC card 1, 3 is a decryption function for public key cryptography, 4 is a cryptographic processing means, 5 is a hash function, 6 is a cryptographic function for public key cryptography, 7 is a decryption processing means, 8 is a hash function that performs exactly the same operation as the hash function 6, 9 is a comparison means, 16 is a connection means, 17 is a separation means, and the encryption processing means 4 is a secret key encryption cryptographic function 10. ．． The decryption processing means 7 is composed of a register 11 that holds the output of the cryptographic function 10 and an exclusive OR operation means 12, and the decryption processing means 7 includes a decryption function 13. It is composed of a register 14 and exclusive OR operation means 16. In addition, IC card IVi
It has a private key Ks of IC card 1 and a common key Kc of IC card 1 and terminal 2, and terminal 2 has a public key Kp of IC card 1.
and a common key Kc. Ks and Kp are public key cryptography (
X1/D1) s and e form a pair of private keys and public keys, and satisfy Elkp(Dlks(m))=m (m: arbitrary message of condolence) --------(s). On the other hand, Kc is the secret key of secret key encryption (12/D2) 10.13, and D 2 kc (E2kc (m))=m (m:
(arbitrary plaintext)...mark...(4) is satisfied.

The present embodiment will be explained below with reference to FIG. First, the IC card 1 inputs the plaintext Mi to the hash function 6 to generate h(M), which is shorter than the plaintext M. Next, using the decryption function 3, h(M) is calculated using the private key Ks of the IC card 1.
is subjected to decryption processing.

Signature text 5=D1 kg(h(M)) is obtained. after that.

The plain text M and the signature text S are concatenated using the concatenation process 16 and input into the cryptographic processing means 4 (details of the cryptographic processing means 4 will be described later), encrypted, and transmitted to the terminal 2. In the terminal 2, the received data is decoded by the decoding processing means 7.

If the communication is carried out normally, the concatenation of the condolence letter V and the signature sentence S can be restored, and the condolence letter M and the signature sentence S can be obtained using the separating means 17. Furthermore, using the terminal 2 I/i cryptographic function 6, the public key Kp of the IC card 1 is
Therefore, the signature S = D 1kg (h (M) )
Perform vc encryption processing. If the signature S is generated by a valid IC card 1 having the private key Ks1, h(M) can be obtained from equation (3). Therefore, by comparing this value with the value obtained by applying the hash function 8 to the restored plaintext M using the comparison means 9, it can be confirmed that the plaintext M has definitely been sent from a legitimate IC card 1. It can be confirmed.

Here, the encryption processing means 4 and the decryption processing means 7 are generally OB C (C1pher Block Chain
ing) mode, in which the exclusive OR calculation means 12 encrypts the exclusive OR of the current input and the previously encrypted data held in the register 11 using the cryptographic function 10. The output is fed back to the register 11 for use in the next encryption.

The decryption processing means 7 is symmetrical to the encryption processing means 4, and the plaintext can be restored using equation (4). In such a configuration, the output of the cryptographic function 10 also depends on the data in the register 11, ie, the previous output of the cryptographic function 10.

This means that the output of the cryptographic processing means 4 is
This means that it depends on both all previous inputs to and the initial value initially set in register 11 at the start of communication. Therefore, even if the input to the cryptographic processing means 4 is the same data, if the previous input data differs by even one bit, or if a different value is set to the initial value of the register 11, the output will be different. becomes. With this configuration, it is possible to change the data on the communication line corresponding to the digital signature each time communication is performed even for the same plaintext M, and it is possible to prevent fraud due to retransmission of the digital signature.

A similar effect can be obtained by configuring the cryptographic processing means 4 as shown in FIG. The configuration shown in Figure 2 is
Generally CF B (C1phar Feedback)
There are many cryptographic functions called modes. Register 11. Each component of the exclusive OR calculation means 12 is exactly the same as in FIG. In the case of FIG. 2, the operation result of the exclusive OR operation means 12 of the input to the cryptographic processing means 4 and the output of the cryptographic function 10 is the output of the cryptographic processing means 4, and is fed back to the register 11. . This feedback function allows different data to be output in response to the same input to the cryptographic processing means 4. The configuration of the cryptographic processing means 4 that produces similar effects is not limited to the examples shown in FIGS. 1 and 2, and can be easily designed.

Effects of the Invention As described above, according to the present invention, even for the same input data, by inputting a digital signature to the cryptographic processing means that outputs different data each time it is processed, the communication line corresponding to the digital signature can be The data will be a specific value every time.

This makes it possible to prevent fraud due to retransmission of digital signatures with a simple configuration, which is very effective for IC cards that cannot use time stamps.

[Brief explanation of the drawing]

FIG. 1 is a block diagram showing an IC card device according to an embodiment of the present invention, FIG. 2 is a block diagram of a cryptographic processing means according to another embodiment of the invention, and FIG. 3 is a block diagram showing a conventional IC card device. It is a diagram. 1...XC card, 2...terminal, 3.
... decryption function of public key cryptography, 4 ... cryptographic processing means, 5, 8 ... hash function, 6 ...
...Cryptographic function of public key cryptography. 7... Decryption processing means, 9... Comparison means, 10... Cryptographic function of private key cryptography, 11.14
...Register, 12.16i...Exclusive OR operation means, 13.Decryption function for private key encryption,
16... Connection means, 17... Separation means.

Claims (4)

[Claims] (1) Comprising an IC card and a terminal that communicates with the IC card, the IC card generates a first signature text from a first plaintext using a private key stored in the IC card. a signature generating means, a connecting means for generating a second plaintext by concatenating the first plaintext and the first signature text, and a cipher for generating a cryptogram from the second plaintext and transmitting it to the terminal. a processing means, the terminal has a decryption processing means for performing an inverse operation of the cryptographic processing means on the cryptogram received from the cryptographic processing means to generate a third plaintext; Separation means for separating a fourth plaintext and a second signature text;
signature restoration means for generating a sixth plaintext from the second signature text using a public key paired with the private key; and confirmation for checking consistency between the fourth plaintext and the fifth plaintext. An IC card device characterized in that the encryption processing means and the decryption processing means output different data each time they process the same input data. (2) Claim 1 in which the cryptographic processing means has a register for holding the final result or intermediate data of the previous processing.
The IC card device described. (3) The cryptographic processing means includes an exclusive OR operation means for calculating an exclusive OR of the input data to the cryptographic processing means and the data stored in the register, and an output of the exclusive OR operation means. 3. The IC card device according to claim 2, further comprising a block cipher function that performs an operation on the block cipher function, and stores an output of the block cipher function in the register. (4) An exclusive logic in which the cryptographic processing means calculates the exclusive OR of the block cipher function that performs an operation on the data stored in the register, the input data to the cryptographic processing means, and the output of the block cipher function. 3. The IC card device according to claim 2, further comprising a sum calculation means, and an output of said exclusive OR calculation means is stored in said register.