JP5354663B2 - Server integrated IC card system - Google Patents

Description

  The present invention relates to an IC card system in which an existing IC card system is enhanced, and in particular, by transferring a part of the IC card function to an individual card dedicated area provided on a server, and causing the server to function as an IC card. The present invention relates to a server-integrated IC card system that realizes multiple functions and high functions.

Currently, multipurpose IC cards such as Basic Resident Register cards are gradually spreading, and the convenience and economy of multipurpose IC cards are being recognized. However, on the other hand, there is a limit to increasing the functions of the IC card due to restrictions on the capacity and processing performance of the IC card.
Currently, there is criticism that it is difficult to use the public personal authentication service, which is one of the applications installed in the Basic Resident Register Card, but in order to improve the usability, card applications that are currently in circulation Needs to be improved. However, this is not easy because it is already in circulation. Since the operation of the IC card already distributed is described in detail in the following Patent Document 1 or Patent Document 2, the description thereof will be omitted.

The main purpose of using a multi-purpose IC card is electronic authentication and electronic signature, but for the above reasons, even if a problem such as vulnerability is found in the encryption technology used in these, It is difficult to replace it with an improved version in a short period of time.
On the other hand, in today's highly developed network communications, it has become possible to operate a server installed on a network from a terminal device connected to the network and use it as if it were a personal computer. Also, by managing with IDs and passwords, it is possible to use a part of the server as a dedicated virtual machine.

Japanese Patent Laid-Open No. 2001-069140 JP 2005-258878 A

Therefore, the present inventors can make the above-mentioned server load the function to be added to the IC card, not the IC card itself, in order to increase the functionality and functionality of the already-distributed IC card. Focused on that.
The present invention has been made in view of the circumstances as described above, and has been made multifunctional by moving a part of the IC card functions to an individual card dedicated area provided on the server and causing the server to function as an IC card. -An object is to provide a server integrated IC card system realizing high functionality.

According to the present invention, a user device provided with an IC card and an IC card read / write means, an issue / registration device and a server device possessed by an IC card issue / management organization that issues and manages the IC card are mutually connected. The above-described object of the present invention relates to a server-integrated IC card system that is communicably connected, and the IC card includes an electronic authentication provided with a public key certificate for electronic authentication (UPKC) and a corresponding private key (UPKEY). IC card management means for managing data transmission / reception between the means and external devices such as the issuing / registration device and the server device, and managing data in the IC card,
The issuance / registration device receives the user IC card corresponding area generation request information and the electronic authentication public key certificate sent from the IC card, and based on the electronic authentication public key certificate, Authentication is performed, the server device is requested to generate a user IC card corresponding area, the registration information (SI) of the user IC card corresponding area returned from the server device, and the user IC card compatible Server registration certificate generation means for generating a registration certificate (SPKC) based on area information (SID) including an address for accessing the area and the like and transmitting it to the server device together with the electronic authentication public key certificate ,
The server device generates the user IC card corresponding region, the registration information, and the region information based on the user IC card corresponding region generation request information sent from the issuing / registering device. A generating unit, a user IC card corresponding region processing unit that performs processing for storing the registration information and the region information sent from the user IC card corresponding region generating unit in the user IC card corresponding region, and the server registration Receiving the registration certificate and the electronic authentication public key certificate sent from the certificate generating means, verifying the correspondence between the registration information and the registration certificate, and if the verification result is correct, the registration certificate and the electronic authentication certificate A registration certificate verification unit that sends a public key certificate to the user IC card corresponding area processing unit and stores the public key certificate in the IC card corresponding area;
The user IC card corresponding area processing unit sends the area information and the registration certificate to the IC card managing means, and stores the information in the IC card managing means, whereby the user IC card corresponding area processing section is changed to the IC card. It is achieved by a server integrated IC card system characterized in that it can be used in an integrated manner.

  Also, the object of the present invention is to perform mutual authentication by communication between the IC card management means and the user IC card corresponding area processing unit, and establish a secure channel when the authentication is correctly performed. Effectively achieved. Furthermore, the mutual authentication is achieved more effectively by using challenge-response authentication using a one-time password.

Furthermore, the above object of the present invention is such that when the user IC card compatible area stores server stored application information (SAID) and corresponding server stored application data (SAPD),
When the external system using the server stored application data calls the server stored application data using the server stored application information to the IC card managing unit of the IC card, the IC card managing unit uses the user IC After establishing a secure channel with the card corresponding area processing unit, the external system directly sends the server application data from the user IC card corresponding area processing unit to the user IC card corresponding area processing unit. A temporary connection permit (TK) for calling is requested, and the user IC card corresponding area processing unit creates the temporary connection permit and returns it to the IC card management means via the secure channel. And the IC card management means includes the area information and the temporary information. A continuous permit is sent to the external system, and the external system sends the received temporary connection permit and the server stored application information directly to the user IC card corresponding area processing unit to call the server stored application data. The user IC card corresponding area processing unit verifies the received temporary connection permit, and permits the external system to use the server-stored application data if the permit is issued by itself. This is achieved more effectively by the server integrated IC card system.

As a result, it is possible not only to improve the functionality of the card application, which has been a problem in the past, and to facilitate the management of the application, but also to use various rights that the individual has, which was difficult due to the capacity problem with the conventional card. The new multipurpose IC card system can be used.
A further advantage of the present invention is that such a system can guarantee various rights owned by each individual from anywhere on the network.
Further, according to a preferred embodiment of the present invention, by mounting the cryptographic processing function of the user IC card compatible area or the user IC card compatible area processing unit which is a secure area on the hardware security module, Security is further improved.

1 is a diagram showing a basic configuration of an IC card system according to the present invention. It is a figure for demonstrating the mechanism which sets the user IC card corresponding | compatible area | region set for every IC card in a server, and registers it. It is a flowchart which shows the procedure of registration of an IC card corresponding | compatible area | region. It is a figure which shows the structure of a user IC card corresponding | compatible area process part. It is a system configuration diagram for registering application data (SAPD) from the application providing apparatus to the user IC card compatible area. It is a flowchart which shows the procedure when registering application data with a server. It is a figure which shows the system configuration (the 1) in case the external system using an IC card calls AP data from a server. It is a flowchart which shows the flow of a process of the system of FIG. It is a figure which shows a system configuration | structure (the 2) in case the external system using an IC card calls AP data from a server. It is a flowchart which shows the flow of a process of the system of FIG. 1 is a diagram illustrating a system configuration when a server is used as an IC card without using an IC card. FIG. It is a flowchart which shows the flow of a process of the system of FIG. An example in which the user IC card corresponding area processing unit is mounted in a single server device, and the cryptographic processing means and the data holding function are mounted in the hardware security module (HSM). It is. An example in which the user IC card compatible area processing unit is implemented separately in a plurality of devices, and the cryptographic processing means and the data holding function are implemented in the HSM in the HSM device housed in a separate housing. It is shown. A plurality of server apparatuses shown in FIG. 13 are installed, and when one fails, the server apparatus can be switched to the other and used. Two HSM mounting parts in FIG. 13 are arranged in a single server device, and when one fails, it can be switched to the other and used. Two server devices and two HSM devices each incorporating HSM shown in FIG. 14 are installed so that they can be used by combinations of four types of connections.

  The IC card system according to the present invention realizes a part of the functions of the current multi-purpose IC card on the server side arranged on the network, and the individual card linked to each individual IC card on the server. By using the IC card to access the server dedicated area, the external area is operated as if it were one multifunction IC card. By doing so, it is possible to increase the functionality and functionality of the IC card without modifying the IC card body.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a diagram showing a basic configuration of an IC card system according to the present invention. As shown in the figure, a user device including a user IC card (hereinafter simply referred to as an IC card), a reader / writer that is a read / write means of the IC card, and an external communication means (not shown), an IC A registration / issuance device possessed by an IC card issuance / management organization that issues and manages cards and a server device (hereinafter referred to as a server) that realizes part of the functions of the IC card on the network in cooperation with the IC card. They are connected so that they can communicate with each other. Communication between the user device and the issuing / registering device and the server can be performed using a public line such as the Internet. Communication between the issuing / registration apparatus and the server may be either a dedicated line or a public line.

  In the IC card, there are various electronic authentication means for performing user authentication and card authentication for authenticating whether the card is genuine, and various kinds of functions for operating as a single IC card together with the server. A server-integrated IC card management means for performing control (corresponding to a version upgrade of the conventional card manager software of an IC card, hereinafter referred to as IC card management means) is stored.

  An issuance / registration device stores an electronic authentication public key certificate (UPKC) and a corresponding private key (UPKEY) in an IC card to be issued, and stores it in a database to manage the IC card issuance / management means The area information of the secure area for each IC card provided in the server by associating the server with the IC card (which has a data holding function and is referred to as a user IC card corresponding area). A server registration certificate generating means for generating a user IC card compatible area registration certificate (SPKC) based on (SID) and registration information (SI) including the area secret key / public key.

  In addition, the server generates a user IC card corresponding area in response to a request from the issuing / registration device, registration information (SI) including the area secret key / public key, and an address for accessing the user IC card corresponding area. A user IC card corresponding area generating unit that generates area information (SID) including a registration information verification unit that verifies the association between SPKC and SI, and various information to the user IC card corresponding area (for details A control means (not shown) for processing loading / unloading (to be described later) is provided, and the above-described user IC card correspondence area and control means constitute a user IC card correspondence area processing section. Further, the control means includes “IC card and external system communication processing means” and “encryption processing means”. As will be described later, the user IC card corresponding area processing unit is connected to the IC card through a one-to-one secure channel.

FIG. 2 is a diagram for explaining a mechanism for setting a user IC card corresponding area set for each IC card in the server and registering it, which is a feature of the IC card system according to the present invention. . FIG. 3 is a flowchart showing the procedure, which will be described with reference to the drawings.
[Process when registering user IC card compatible area]
From the IC card, UPKC is sent to the issuance / registration device, and a request is made to generate a user IC card compatible area (step S1). When the issuing / registration device receives the generation request for the user IC card compatible area, it uses the UPKC to authenticate the IC card (step S2). An IC card corresponding area generation is requested (step S4). The server generates a user IC card corresponding area in the user IC card corresponding area generation unit, generates registration information (SI) including the area secret key / public key, and accesses the user IC card corresponding area. The area information (SID) including the address and the like is transmitted to the issuing / registering apparatus (step S5). At this time, SI and SID are stored in a user IC card corresponding area.
The issuing / registration device generates a user IC card compatible area registration certificate (SPKC) and sends it to the server together with UPKC (step S6).
The server verifies the association between SPKC and SI in the registration certificate verification unit (step S7), and if correct, stores SPKC and UPKC in the user IC card corresponding area (step S8).
The user IC card compatible area processing unit of the server stores the IC card management means (program) in the user IC card using the card management function (conventional technology) of the multipurpose IC card (or in the case of a new IC card) May be installed at the time of manufacture.) SID and SPKC are sent to the IC card (step S9) and stored in the IC card management means (step S10).

  FIG. 4 is a diagram showing the configuration of the user IC card corresponding area processing unit, and each user IC card is provided with an area (secure operation unit, ie, user IC card corresponding area processing unit) connected by a secure channel. It shows that. The stored application in the secure operation unit is an application program that is permitted to be used in the IC card, and is set for each IC card. The stored data includes registration information (SI), area information (SID), user IC card compatible area registration certificate (SPKC), public key certificate (UPKC), server storage application information (SAID), and the like.

This user IC card compatible area processing unit manages key information safely, and installs / operates software components according to the user, and securely stores / operates user information.
In the case of an IC card or the like, if the internal operation or processing procedure leaks to the outside, it is generally difficult to ensure security, so that the contents of devices and circuits are often difficult to analyze from the outside. Such protection against internal analysis (reverse engineering) and modification is called tamper resistance, but since IC cards are required to ensure tamper resistance, this part has an individual CPU. A secure virtual machine (assigning a virtual CPU to each user) having safety equivalent to that of the secure machine is operated in the server and realized.
Furthermore, in order to ensure strong safety, a secure machine having a physically independent CPU (for example, use of a hardware security module (hereinafter referred to as “HSM”) can be considered). It may be prepared for each individual IC card, and the processing may be executed on it. The use of HSM will be described later.
As described above, the user IC card corresponding area processing unit is connected to the user IC card through a secure channel, and connection / commands from the outside are basically performed via the user IC card.

FIG. 5 shows a user from an AP providing apparatus owned and managed by a service provider (for example, a department store, a gas station, a membership sports club, etc.) that provides various services using an IC card application (AP). FIG. 6 is a system configuration diagram for registering AP data in an IC card corresponding area, and FIG. 6 is a flowchart showing a procedure of AP registration. This will be described in detail with reference to the drawings.
[Process during AP registration]
First, the user inserts the IC card into the reader / writer of the user device (step S11). The IC card management means in the IC card generates a challenge code (C1) and sends the challenge code (C1) to the user IC card corresponding area processing section (hereinafter referred to as the card corresponding area processing section) of the server to make a connection request ( Step S12).
The card corresponding area processing unit performs an encryption process on the C1 sent from the IC card using a secret key corresponding to SPKC, and generates a response code (R1) (step S13). At the same time, a challenge code (C2) is generated and sent together with R1 to the IC card management means in the IC card (step S14).

The IC card management means in the IC card verifies R1 using SPKC (step S15), and if it is correct, the electronic key authentication means (electronic authentication application) is used to make C2 a secret key corresponding to UPKC. A response code (R2) is generated by performing encryption processing using (UPKEY), and is sent to the card corresponding area processing unit of the server (step S17).
The card corresponding area processing unit verifies the sent R2 using UPKC (step S18), and if it is correct, establishes a secure channel with the IC card management means (step S20). The card corresponding area processing unit does not respond to application calls from other than the secure channel.
The server transmits SPKC and SAID to the AP providing apparatus (step S21). The AP providing apparatus verifies the SPKC in the certificate verification unit. At the same time, the area verification unit acquires the SAID from the server and verifies its validity (step S22). If both verification results are correct, the certificate creation unit creates a server storage data request certificate (DLR) including the SAID and transmits it to the issuing / registration device (step S24).

The issuing / registering apparatus verifies the DLR in the certificate verification unit. At the same time, the validity of the SAID is verified by the AP verification unit (step S25). If both verification results are correct, the certificate creation unit generates a storage permit (DLP) for the SAID, and transmits the DLP to the AP providing apparatus (step S27). At the same time, the certificate creation unit notifies the registration DB of SPKC and SAID in order to store the AP storage information for the server in the registration database for IC card management.
The AP providing apparatus verifies the DLP in the certificate verification unit (step S28), and sends the DLP to the server if the verification result is correct. At the same time, server storage AP data (SAPD) corresponding to the SAID is transmitted from the registration DB to the server (step S30).

The server verifies the DLP in the certificate verification unit, verifies the correspondence between the received SAPD and the SAID by some method using the data confirmation unit (step S31), and if the verification result is correct, the server supports the SAPD. Store in the area processing unit (step S33). In addition, instead of storing the SAPD in the server, it is possible to delete the SAPD already in the card corresponding area processing unit by the same processing. It is also possible to store the SAID in the IC card management means of the IC card.
By using such an AP registration method, the issuing / registering device does not need to acquire the substance of the SAPD installed in the server, and therefore issues / registers personal information that may be stored in the SAPD. It is possible to keep secret from the device.
Management of the card corresponding area processing unit in the server is performed by the issuing / registration device, but the organization that operates the AP providing device may be different from the organization that manages the issuing / registration device. At this time, the organization that manages the issue / registration device can request the usage fee of the server from the organization that operates the AP providing device based on the issue information of the DLP.

FIG. 7 is a diagram showing a system configuration (part 1) when an external system using an IC card calls AP data from a server, and FIG. 8 is a flowchart showing the processing flow. This will be described in detail with reference to the drawings.
First, the user inserts an IC card into the user device (step S41). The IC card management means in the IC card generates a challenge code (C1) and sends a connection and connection request to the card corresponding area processing unit of the server (step S42). The card corresponding area processing unit performs an encryption process on the C1 sent from the IC card using a secret key corresponding to SPKC, and generates a response code (R1). At the same time, a challenge code (C2) is generated and sent together to the IC card management means in the IC card (step S43).
The IC card management means in the IC card verifies R1 using SPKC (step S44), and if it is correct, uses the electronic authentication means and uses the secret key (UPKEY) corresponding to UPKC for C2. The encryption process is performed to generate a response code (R2), which is sent to the card corresponding area processing unit of the server (step S46).
The card corresponding area processing unit verifies the sent R2 using UPKC (step S47), and if it is correct, establishes a secure channel with the IC card management means (step S49). The card corresponding area processing unit does not respond to application calls from other than the secure channel.

  The external system using the IC card calls the card application (AP) from the server using the stored AP information (AID or SAID) through the IC card management means (step S50). If the SAID is not stored in the IC card management means, the SAID called from the external system is transferred to the card corresponding area processing unit using the secure channel. If the called SAID does not exist in the server, an error is returned (step S51). Since all communication between the card application operating on the server side and the external system using the IC card is relayed by the IC card through the secure channel, the external system using the IC card need only be aware of the IC card.

FIG. 9 is a diagram showing a system configuration (part 2) when an external system using an IC card calls AP data from a server, and FIG. 10 is a flowchart showing the processing flow. This will be described in detail with reference to the drawings.
First, the user inserts an IC card into the user device (step S61). Next, the IC card management means in the IC card generates a challenge code (C1), and sends a connection and connection request to the card corresponding area processing unit of the server (step S62). The card corresponding area processing unit performs an encryption process on the C1 sent from the IC card using a secret key corresponding to SPKC, and generates a response code (R1). At the same time, a challenge code (C2) is generated and sent together to the IC card management means in the IC card (step S63). The IC card management means in the IC card verifies R1 using SPKC (step S64), and if it is correct, uses the electronic authentication means to encrypt C2 using a secret key (UPKEY) corresponding to UPKC. Processing is performed to generate a response code (R2), which is sent to the card corresponding area processing unit of the server (step S66).
The card corresponding area processing unit verifies the sent R2 using UPKC (step S67), and if it is correct, establishes a secure channel with the IC card management means (step S69). While the secure channel is established, the card corresponding area processing unit responds to a call to the server storage application from the outside.

  The external system using the IC card calls the card application (AP) using the stored AP information (AID or SAID) through the IC card management means (step S70). When the SAID is called, the IC card management means uses a secure channel to request a temporary connection permit (TK) for the external system to call the SAID directly from the card corresponding area processing unit ( Step S71). The card corresponding area processing unit creates a TK and returns it to the IC card management means using the secure channel (step S72). The IC card management means transmits the SID and TK to the external system (step S73). The external system directly transmits the TK to the card corresponding area processing unit and calls the AP using the SAID (step S74). The card corresponding area processing unit verifies the TK, and permits the use of the AP if the TK is issued by itself (step S75). Thereafter, the external system uses the AP by directly communicating with the card corresponding area processing unit.

FIG. 11 is a diagram showing a system configuration when a server is used as an IC card without using an IC card, and FIG. 12 is a flowchart showing the processing flow. This will be described in detail with reference to the drawings.
First, the user inputs an ID and password to the user device, and the user device transmits the information to the card corresponding area processing unit of the server (step S81). The card corresponding area processing unit verifies the received ID and password (step S82), and if it is correct, the card corresponding area processing unit responds to a call to server storage AP data from the outside (step S84). The external system using IC card calls the card application (AP) using the SAID to the user device (step S85). The user device requests a TK for the external system to call the SAID from the card corresponding area processing unit (step S86). The card corresponding area processing unit creates TK and returns it to the user device (step S87). The user device transmits SID and TK to the external system (step S88). The external system directly transmits the TK to the card corresponding area processing unit of the server and calls the AP data using the SAID (step S89). The card corresponding area processing unit verifies the TK, and permits the use of the AP if the TK is issued by itself (step S90).
Thereafter, the external system can use the AP by directly communicating with the card corresponding area processing unit.

  Next, an embodiment using the above-described HSM will be described with reference to the drawings. HSM is not as versatile as software because all processing is done in hardware, but it is difficult to solve with the key generation using true random numbers and the problem of key storage in a physically secure place. Since the encryption processing function is provided instead of the server, it is possible to improve the security and performance of the entire system, such as improving the safety of computation using the key and reducing the load on the server.

FIG. 13 shows a case where the user IC card corresponding area processing unit is mounted in a single server device, and the encryption processing means and the user IC card corresponding area (data holding means) are mounted in the HSM. It is.
On the other hand, what is shown in FIG. 14 shows a case where the user IC card corresponding area processing unit is divided and mounted on a plurality of devices. Among the control means, “IC card and external system communication processing” The “means” is in the server device, and the “encryption processing means” and the “data holding means” are mounted in an HSM housed in another casing (HSM built-in device). Since the HSM is housed in a separate housing from the server device, there is an advantage that management such as replacement and expansion becomes easy.

When a server-linked multi-purpose IC card system is operated continuously, it is necessary to prepare a standby server in advance in preparation for failure of a tamper-resistant server. However, since it reduces security, it is stored in the HSM of the active server. The authentication key cannot be copied to the HSM of the standby server. Therefore, when a failure occurs in the HSM of the active server, there arises a problem that a user whose authentication key is stored in the HSM cannot use the service unless a new authentication key is reissued.
In order to avoid this problem, two authentication keys, active and spare, are issued to a single user in advance, and the two authentication keys are stored in the two active and spare HSMs, respectively. If a failure occurs in the HSM that stores the current authentication key, the user can continue to use the authentication key stored in the standby HSM without being aware of the failure of the HSM. Can be used.
In the following, a description will be given of an implementation form of two HSMs each storing the current and spare authentication keys with reference to the drawings.

  FIG. 15 shows that two server devices with a built-in HSM as shown in FIG. 13 are installed in parallel, the server device monitoring device monitors the operation of the active server (for example, server device A), and a failure occurs in the active server. When this is detected, a mode of switching to a standby server (for example, server apparatus B) is shown. It can be determined that a failure has occurred in the server device A by, for example, monitoring the data flow in the secure channel between the user IC card and the server IC card corresponding area processing unit of the server. For example, if no data is flowing, it is determined that the server apparatus A has failed, and the connection destination of the secure channel is switched to the server apparatus B. The HSM-B in the server apparatus B stores registration information SIB including a spare authentication key and a registration certificate SPKCB associated with the spare authentication key, and is integrated with the server in the user IC card. Since the SPKCB is stored in the IC card management means, the IC card can be used as soon as the server device B is switched. That is, from the viewpoint of the user, it becomes possible to continuously receive the service without noticing that the server device has been switched.

  FIG. 16 shows a mode in which two HSMs are mounted on a single server device. The server device monitoring device shown in FIG. 15 serves as a user IC card corresponding area processing unit in the server device. HSM operation monitoring function included in “IC card and external system communication processing means” in FIG. Although the operation is almost the same as in FIG. 15, the space occupied by the device is reduced as a whole, but there is a demerit that the IC card cannot be used if the server device itself is down. is there.

FIG. 17 shows an extended version of an aspect in which the HSM is housed in a housing (HSM device) separate from the server as shown in FIG. That is, two server devices and two HSM devices are respectively installed to make a multi-connection. Since each server device is connected to two HSMs, even if the current server device goes down, the authentication key can be changed by switching to the spare server device and connecting to the current HSM. You can continue to receive services without any problems. On the other hand, when the current HSM (HSM-A) fails, the service can be continued by switching the connection to the standby HSM (HSM-B).
When the server device monitoring device detects that secure channel data communication has been stopped, it cannot be distinguished whether the failure is on the server device side or on the HSM side. For example, switching is performed in the following sequence: You may do it.
Assume that server device A and HSM-A are connected by default. When the server apparatus monitoring apparatus detects an abnormality, the connection is switched between the server apparatus A and HSM-B. If communication is restored, it can be determined that the HSM-A has failed. If the secure channel communication is not restored due to this, it is determined that the server apparatus A is out of order (it is determined that the server apparatus B is normal because HSM-B is not used), and the server apparatus B is switched. That is, the server apparatus B and the HSM-B are connected. The communication should be restored by this, but if it does not return, it can be restored by switching to the connection between the server device B and the HSM-A (the reason for the abnormality detected first is the failure of the server device A). This is because HSM-A is considered normal.) In other words, if one of the two server devices is normal and one of the two HSMs is normal, there is at least one combination of normal ones. Will not be interrupted.

Claims (9)

A user device comprising an IC card and a means for reading and writing the IC card;
An issuance / registration device and a server device possessed by an IC card issuance / management organization that issues and manages the IC card are server-integrated IC card systems that are communicably connected to each other,
The IC card is
An electronic authentication means comprising an electronic authentication public key certificate (UPKC) and a corresponding private key (UPKEY);
IC card management means for managing data transmission / reception with external devices such as the issuing / registration device and the server device, and managing data in the IC card,
The issuing / registering device is:
Receiving the user IC card corresponding area generation request information and the electronic authentication public key certificate sent from the IC card, authenticating the user based on the electronic authentication public key certificate, and the server Requests the device to generate a user IC card corresponding area, the registration information (SI) of the user IC card corresponding area returned from the server device, and an address for accessing the user IC card corresponding area Including a server registration certificate generating means for generating a registration certificate (SPKC) based on area information (SID) including, etc., and transmitting it to the server device together with the electronic authentication public key certificate,
The server device
A user IC card corresponding area generation unit that generates the user IC card corresponding area, the registration information, and area information based on the user IC card corresponding area generation request information sent from the issuing / registration device;
A user IC card corresponding area processing unit for performing processing for storing the registration information and area information sent from the user IC card corresponding area generating unit in the user IC card corresponding area;
Receiving the registration certificate and electronic authentication public key certificate sent from the server registration certificate generating means, verifying the correspondence between the registration information and the registration certificate, and if the verification result is correct, A certificate verification unit that sends a public key certificate for electronic authentication to the user IC card corresponding region processing unit and stores the electronic certificate public key certificate in the IC card corresponding region;
The user IC card corresponding area processing unit sends the area information and the registration certificate to the IC card managing means, and stores the information in the IC card managing means, whereby the user IC card corresponding area processing section is changed to the IC card. A server integrated IC card system characterized in that it can be used in an integrated manner.   The mutual authentication is performed by communication between the IC card management unit and the user IC card corresponding area processing unit, and a secure channel is opened when the authentication is correctly performed. Server integrated IC card system.   3. The server integrated IC card system according to claim 2, wherein the mutual authentication is challenge-response authentication using a one-time password. In the case where server storage application information (SAID) and corresponding server storage application data (SAPD) are stored in the user IC card compatible area,
When the external system using the server stored application data calls the server stored application data using the server stored application information to the IC card management means of the IC card,
After the IC card management means establishes a secure channel with the user IC card corresponding area processing section, the external system sends the user IC card corresponding area processing section to the user IC card corresponding area processing section. Requesting a temporary connection permit (TK) for directly calling the server-stored application data from the processing unit;
When the user IC card corresponding area processing unit creates the temporary connection permit and returns it to the IC card management means via the secure channel,
The IC card management means sends the area information and the temporary connection permit to the external system,
The external system directly sends the received temporary connection permit and the server storage application information to the user IC card corresponding area processing unit to call the server storage application data,
The user IC card corresponding area processing unit verifies the received temporary connection permit, and permits the external system to use the server-stored application data if the permit is issued by itself. The server-integrated IC card system according to claim 2 or 3. The user IC card corresponding area processing unit includes a user IC card corresponding area having a data holding function, and a control means having an IC card, an external system communication processing means, and an encryption processing means,
5. The user IC card corresponding area and the encryption processing means are mounted on a hardware security module (HSM) built in the server device. Server integrated IC card system. The user IC card corresponding area processing unit includes a user IC card corresponding area having a data holding function, and a control means having an IC card and an external system communication processing means and an encryption processing means,
5. The user IC card corresponding area and the encryption processing means are mounted on an HSM built in an HSM built-in device provided separately from the server device. Server integrated IC card system. Two server devices are arranged and connected in parallel, one of the two server devices is used as a working server device for normal use, and the remaining server devices are used as spare server devices,
The user IC card corresponding area of the spare server device includes registration information (SI) including a spare area secret key, and a registration certificate (SPKC) associated with the spare area secret key, Is also stored in the server integrated IC card management means in the user IC card,
When a server device monitoring device is inserted between each of the server devices and the user device, and the communication abnormality between the active server device and the user device is detected, the server device monitoring device detects the active server device. 6. The server integrated IC card system according to claim 5, wherein the server is switched to the spare server device. Two HSMs on which the user IC card corresponding area and the cryptographic processing means are mounted are arranged in the server device and connected to the user device via the IC card and external system communication processing means, respectively. With
Of the two HSMs, one is an active HSM (HSM-A) and the other is a spare HSM (HSM-B). The user IC card corresponding area in the spare HSM is a spare area secret key. And a registration certificate (SPKCB) associated with the spare area secret key, and the spare registration certificate (SPKCB) is integrated with the server in the user IC card. It is also stored in the IC card management means,
When the HSM operation monitoring function included in the IC card and the external system communication processing means detects a communication abnormality between the active HSM and the user device, the HSM operation monitoring function detects the active HSM (HSM-A). 6. The server integrated IC card system according to claim 5, wherein the server integrated IC card system is switched to the spare HSM (HSM-B). Two server devices are installed, one is assigned for current use and the other is assigned for backup,
The two HSM built-in devices are arranged, one is assigned for current use and the other is assigned for backup,
The active server device (A) is connected to the active HSM internal device (A) and the spare HSM internal device (B),
Connecting the spare server device (B) to the current HSM built-in device (A) and the spare HSM built-in device (B);
The active server device (A) and the spare server device (B) are connected to the user device via a server device monitoring device;
The user IC card corresponding area in the HSM (HSM-B) in the spare HSM built-in device (B) is associated with the registration information (SIB) including the spare area secret key and the spare area secret key. And the spare registration certificate (SPKCB) is also stored in the server integrated IC card management means in the user IC card,
When the server device monitoring device detects a communication error between the active server device (A) or the spare server device (B) and the user device, the active server device (A) or the spare server 7. The server integrated IC card according to claim 6, wherein the connection between the device (B) and the active HSM built-in device (A) or the spare HSM built-in device (B) is switched according to a predetermined sequence. system.

Images