JP4986926B2 - Encrypted communication system - Google Patents

Description

  The present invention relates to an encrypted communication system in which one central terminal receives information including card information of an individual identification card transmitted secretly from one or more base terminals.

  Currently, a communication system that inputs card information of an individual identification card such as an IC card or a magnetic card from a base terminal and transmits the card information to a central terminal is a cash card communication system issued by a bank, a credit card payment system Widely applied. As a method of ensuring the secrecy of card information transmitted / received in a communication system for transmitting / receiving the card information of these general individual identification cards, there are protection measures by multilayering of magnetic recording parts and optical measures of the magnetic card. At present, physical measures such as methods for measuring security are at the center.

  On the other hand, in view of the high technical level of wiretapping devices in recent years, it is necessary to take measures against information leakage using a physical communication network, for example, a wireless device from a telephone line (dedicated line). The above-described physical measures are effective in preventing impersonation due to card forgery due to skimming or the like, but cannot cope with such information leakage due to wiretapping of communication. Therefore, there is a need for information leakage countermeasure technology that can be easily introduced into a communication system that has already taken physical measures.

  As a communication system that combines physical countermeasures and information leakage countermeasures, the n-th card number Cn updated for each transaction and the identification number Tn of the base terminal are recorded in the individual identification card. Patent Document 1 discloses a technique in which Cn and Tn are encrypted together with card information and transmitted to the central terminal, and the central terminal collates the history of recording Cn and Tn to confirm the validity of the individual identification card. ing.

  In addition, as a technique for preventing information leakage due to eavesdropping of the communication system, the data transfer destination transmits transfer key information for encrypting data to the data transfer source, and the data transfer source uses the transfer key information as an encryption key. Patent Document 2 discloses a technique for encrypting transfer data and transmitting it to a data transfer destination.

JP 2003-108903 A JP 2004-260367 A

  However, according to the technique of the above-mentioned patent document 1, since it is necessary to change hardware such as a base terminal and an individual identification card, there is a problem that it takes too much cost and labor when introduced into a conventional communication system. . Further, according to the technique of Patent Document 2, since the random number generated by the random number generator is used as it is for the key for data encryption, there is a problem that the degree of freedom is low and it cannot be said that the encryption method is robust. there were.

  The present invention has been made in view of the above, and can be easily introduced into an existing communication system for transmitting and receiving information including card information of an individual identification card, and can be used for information transmitted and received by a highly flexible encryption method. An object is to obtain an encrypted communication system that improves confidentiality.

  In order to solve the above-described problems and achieve the object, the present invention provides an encrypted communication system that transmits information data in a secret manner from at least one base terminal to one central terminal, wherein the central terminal And each of the base terminals outputs the same output value from the same input value, and inputs the input value to a pseudo-random number generation algorithm that is the same for all terminals, and calculates an output random number sequence. A random number sequence for a predetermined number of digits is cut out from the generating means and the calculated output random number sequence based on the same rule for all terminals, and each element of the random number sequence is binarized to be binary A parameter corresponding to the created binarization number sequence based on a management table that is created in the same manner in all terminals showing a correspondence relationship between the binarization number sequence stored in the terminal and the parameter value in advance. The value Each having a pseudo-random number management means to be output, and when the base terminal receives information data to be transmitted to the central terminal and a first storage means for holding one input value different for each base terminal in advance And encrypting the information data using an encryption key as a parameter value calculated by using the pseudo-random number generator and the pseudo-random number manager provided in the terminal from an input value held in the first storage unit, Data encryption means for transmitting encrypted information data to the central terminal together with identification information of the terminal itself, and the central terminal corresponds to all the input values different for each base terminal with the identification information of the base terminal When the encrypted information data is received together with the second storage means to be stored and the identification information of the base terminal, the received identification information is stored in the second storage means. As a decryption key, a parameter value that is the same as the parameter value used as the encryption key calculated by using the pseudorandom number generator and the pseudorandom number manager provided in the terminal from the input value associated with Data decrypting means for decrypting the received encrypted information data.

  According to the present invention, there is provided an encrypted communication system that can be easily introduced into an existing communication system that transmits / receives information including card information of an individual identification card and enhances confidentiality of information transmitted / received by a highly flexible encryption method. There is an effect that it can be obtained.

  Embodiments of an encrypted communication system according to the present invention will be described below in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

Embodiment.
FIG. 1 is a diagram showing a configuration of an encrypted communication system according to an embodiment of the present invention. In FIG. 1, an encrypted communication system 100 includes a plurality of (in this case, two) base terminals 2a and 2b installed in a remote place and the destination central terminal 1 to which the base terminals 2a and 2b transmit data. Are connected via the network 3.

  The base terminals 2a and 2b are terminals for a user to input and transmit information including card information of an individual identification card, and the central terminal 1 is a terminal that receives and centrally manages information including the card information. is there. For example, when the encryption communication system 100 according to the present embodiment is applied to a payment system for a credit card, the central terminal 1 is a credit card company host computer, and the base terminals 1a and 1b are buyer credit cards at each store. Corresponds to a computer terminal to which is input.

  The central terminal 1, the base terminal 2a, and the base terminal 2b may have any hardware configuration as long as each of the functional units described below is realized. For example, the central terminal 1 and the base terminals 2a and 2b each include a central processing unit (CPU), a storage device composed of a ROM, a RAM, and a hard disk, and a communication interface for connecting to the network 3. Each computer may be configured to realize the respective functional units of the central terminal 1 and the base terminals 2a and 2b by causing the CPU to execute predetermined programs stored in the storage devices. The network 3 is a network for transmitting and receiving data to and from the central terminal 1 and the base terminals 1a and 1b installed at remote locations. A telephone line network, a dedicated telephone line network, an Internet line, an intranet line There are no particular limitations on the type of network such as wireless networks of various standards.

  The central terminal 1 includes functional units such as a base terminal-specific input value generation unit 11, a pseudo random number generation unit 12, a pseudo random number management unit 13, a data decryption unit 14, a storage unit 15, and a communication unit 16. The base-terminal-specific input value generation unit 11 obtains an input value as a base for calculating a parameter value that is an encryption key for encrypting data transmitted from the base terminals 1 a and 1 b to the central terminal 1. 1a and 1b are generated and transmitted to the base terminals 1a and 1b via the communication unit 16, and stored in the storage unit 15 in association with identification information for identifying the base terminals 1a and 1b.

  The pseudo random number generation unit 12 calculates a parameter value from the output random number sequence, which is a pseudo random number, using the pseudo random number generation algorithm from the created input values of the respective base terminals 1a and 1b. A cutout start layer that is a start digit for cutting out a portion to be used and a cutout digit that is the number of digits to be cut out are calculated. Here, the pseudo random number is a number sequence such as a random number sequence having a uniform distribution and the next number being unpredictable from the past number, and is obtained by deterministic calculation. That is, according to this calculation, the same pseudo-random number can be obtained from the same input value. The pseudo-random number generator 12 calculates the same output random number sequence, cut-out start layer, and cut-out digit from the same input value using a pseudo-random number generation algorithm that performs such calculation.

  Note that the type of pseudorandom number generation algorithm used by the pseudorandom number generator 12 in the embodiment of the present invention is not particularly limited, but as described above, the same output random number sequence from the same input value. Any cutout start layer and cutout digit can be calculated. That is, the pseudo random number generation unit 12 may use one pseudo random number generation algorithm that outputs three values of an output random number sequence, a cutout start layer, and a cutout digit, or one pseudorandom number generation algorithm from one input value. Random numbers may be output, and different portions of the output pseudo-random numbers may be used as an output random number sequence, a cut-out start layer, and a cut-out digit, or separate pseudo-random number generation algorithms from one input value The output random number sequence, the cutout start layer, and the cutout digit may be calculated respectively.

  The pseudo-random number management unit 13 cuts out a random number sequence having the number of digits indicated by the cut-out digit from the digits of the output random number sequence indicated by the cut-out start layer, and binarizes each element of the cut-out random number sequence to create a binary number sequence. Here, the binarization method is not particularly limited, but in this embodiment, it is set to 1 when the element is an odd number and 0 when the element is an even number. Then, the pseudo-random number management unit 13 refers to a management table that associates a binarized number sequence and a parameter value, which is stored in advance in the storage unit 15, and obtains a parameter value. The obtained parameter value is stored in the storage unit 15 in association with the identification information of the corresponding base terminal 1a, 1b.

  Here, details of the management table stored in advance in the storage unit 15 of the central terminal 1 of the present embodiment will be described. FIG. 2 is a diagram illustrating an example of the management table. The management table shown in FIG. 2 is a management table that is referred to when the cut-out digit is m. In this management table, the correspondence between the value from the first digit to the m-th digit of the created binary number sequence and the parameter value is managed. It is assumed that the management table is stored in the storage unit 15 by the number of variations of values that can be taken out by the cut-out digits, and a management table corresponding to the value of the cut-out digits is used.

  Returning to FIG. 1, when the data decryption unit 14 receives encrypted data together with the identification information of the terminal from any one of the base terminals 1a and 1b via the communication unit 16, the identification information of the terminal Is read from the storage unit 15, the read parameter value is used as a decryption key, the encrypted data is decrypted using a decryption algorithm, and the decrypted data is stored in the storage unit 15.

  The storage unit 15 is a storage device that stores the input values, management tables, parameter values, decrypted data, and the like described above. The communication unit 16 is a functional unit that controls communication with the base terminals 1 a and 1 b via the network 3.

  The base terminals 1a and 1b each have the same function unit. That is, the base terminals 1a and 1b include a pseudo random number generation unit 21, a pseudo random number management unit 22, a data input unit 23, a data encryption unit 24, a storage unit 25, and a communication unit 26.

  The storage unit 25 is created and transmitted by the base terminal-specific input value generation unit 11 of the central terminal 1, the same management table as the management table stored in the storage unit 15 of the central terminal 1, Stores the parameter value created in the terminal itself.

  The pseudo-random number generation unit 21 uses the same pseudo-random number generation algorithm as the pseudo-random number generation unit 12 included in the central terminal 1, and outputs an output random number sequence based on the input value stored in the storage unit 25 of its own terminal. The layer and the cutout digit are calculated. Similarly, the pseudo-random number management unit 22 is based on the same binarization method as the pseudo-random number generation unit 12 included in the central terminal 1, and the output random number sequence calculated by the pseudo-random number generation unit 21, the cut-out start layer, and the cut-out digit The parameter value is calculated using the management table stored in the storage unit 25 of the own terminal, and the calculated parameter value is stored in the storage unit 25 of the own terminal.

  The data input unit 23 is a functional unit that receives information including card information of the individual identification card input to the terminal. The information is not limited to card information. For example, when the encrypted communication system 100 of the present embodiment is applied to a credit card payment system, a transaction amount such as a purchase amount or a password entered separately by the user is used. Data transmitted every time may be included.

  The data encryption unit 24 encrypts the data of the received card information using an encryption algorithm using the parameter value stored in the storage unit 25 of the terminal as an encryption key, and the encrypted data The communication unit 26 is instructed to transmit to the central terminal 1. Here, the type of the encryption algorithm used by the data encryption unit 24 and the type of the decryption algorithm used by the data decryption unit 14 of the central terminal 1 are not particularly limited, but the decryption algorithm is used when the encrypted data is created. It must be able to decrypt the encrypted data using the same key as the encryption key used by the encryption algorithm as the decryption key.

  The communication unit 26 is a functional unit that performs control to transmit and receive data between the own terminal and the central terminal 1 via the network 3.

  As described above, in the encrypted communication system 100 according to the present embodiment, the central terminal 1 generates and transmits an input value to each of the base terminals 1a and 1b, and calculates a parameter value from the generated input value. . Each base terminal 1a, 1b calculates a parameter value from the input value transmitted. Since each terminal calculates the parameter value using the same algorithm, the parameter value calculated from the input value stored in the storage unit 15 in the central terminal 1 and the base terminal 1a or 1b that has received the input value are The parameter value calculated from the input value is the same value. The central terminal 1 decrypts the encrypted data by using the same parameter value as the parameter value used as the encryption key when the base terminal 1a or 1b encrypts.

  Next, the operation of the encrypted communication system 100 of the present embodiment configured as described above will be described. First, an operation in which the central terminal 1 generates an input value and transmits it to each base terminal 1a, 1b, and each terminal stores the input value will be described. FIG. 3 is a flowchart for explaining the operation.

  In FIG. 3, the base terminal-specific input value generation unit 11 of the central terminal 1 generates different input values to be transmitted to the base terminals 1a and 1b (step S1). Then, the base terminal specific input value generation unit 11 stores the generated input values in the storage unit 15 in association with the identification information of the base terminals 1a and 1b, respectively (step S2). Then, the base terminal-specific input value generation unit 11 transmits the generated input values to the corresponding base terminals 1a and 1b (step S3). And base terminal 1a, 1b stores the received input value in the memory | storage part 25 of an own terminal (step S4). Thereby, the same input value as the input value for each base terminal generated and held by the central terminal 1 is also held in each corresponding base terminal 1a, 1b.

  Subsequently, an operation in which each terminal calculates a parameter value from an input value will be described. Here, since the operation of calculating the parameter values of the central terminal 1 and the base terminals 1a and 1b is the same, the base terminal 1a will be described as an example. In the following description of the operation, the pseudo random number generation unit 21, the pseudo random number management unit 22, and the storage unit 25 of the base terminal 1a are respectively connected to the pseudo random number generation unit 12, the pseudo random number management unit 13, and the storage unit 15 of the central terminal 1. It goes without saying that it corresponds. FIG. 4 is a flowchart for explaining the operation of calculating the parameter value.

  First, the pseudorandom number generator 21 calculates an output random number sequence, a cutout start layer, and a cutout digit based on the input values stored in the storage unit 25 (step S11). Then, the pseudo-random number management unit 22 cuts out a random number sequence for the cut-out digits from the cut-out start layer of the output column number sequence (step S12). Then, the pseudo random number management unit 22 binarizes each element of the extracted random number sequence (step S13). That is, 1 is used when the number of elements is odd, and 0 when the number of elements is even. Then, the pseudo-random number management unit 22 calculates a parameter value from the binarized random number sequence and the management table stored in the storage unit 15, and stores the parameter value in the storage unit 15 (step S14).

  For example, assume that “13248”, “1”, and “5” are calculated as the output random number sequence, the cutout start layer, and the cutout digit, respectively, in step S11. In this case, “13248” is obtained as a random number sequence calculated by cutting out in step S12. In step S13, the random number sequence is binarized to obtain “11000”. In step S14, the management table shown in FIG. 2 is referred to. For example, when “11000” corresponds to the entry on the third line from the top of the management table in FIG. 2, “03” is obtained as the parameter value.

  The central terminal 1 calculates parameter values for all input values stored in the storage unit 15 and stores them in the storage unit 15 in association with the identification information of the base terminals 1a and 1b, respectively.

  In this way, the parameter values used as the encryption key and the decryption key are calculated in each terminal. The parameter values that are the same as the parameter values calculated by the base terminals 1a and 1b and stored in the storage unit 25 of the own terminal are also calculated in the central terminal 1 and stored in the storage unit 25 of the central terminal 1. By performing this operation, more robust secrecy can be obtained compared to a communication system that uses pseudo-random numbers as encryption / decryption keys as they are.

  Next, an operation in which information including the card information of the individual identification card input to the base terminals 1a and 1b is encrypted and transmitted to the central terminal 1 and decrypted in the central terminal 1 will be described. Here, description will be made assuming that information is transmitted from the base terminal 1a to the central terminal 1. FIG. 5 is a flowchart for explaining the operation.

  In FIG. 5, when the data including the card information of the individual identification card is input to the data input unit 23 of the base terminal 1a (step S21), the data encryption unit 24 of the base terminal 1a stores the data in the storage unit 25 of its own terminal. The data is encrypted using the stored parameter value as an encryption key (step S22). Then, the communication unit 26 of the base terminal 1a transmits the encrypted data to the central terminal 1 together with the identification information of the own terminal (step S23). When the communication unit 16 of the central terminal 1 receives the encrypted data together with the identification information (step S24), the data decryption unit 14 of the central terminal 1 determines the parameter value associated with the received identification information. Is decrypted using the read parameter value as a decryption key and stored in the storage unit 15 (step S25).

  In this way, the data input by the user using the individual identification card at the base terminals 1a and 1b is transmitted after being encrypted and stored in the storage unit 15 of the central terminal 1.

  In the above description, the management table is stored in advance in each storage unit. However, the management table may be changed periodically at the same time. That is, it can be said that the encrypted communication system 100 according to the present embodiment is a method with a higher degree of freedom than the conventional technique disclosed in Patent Document 2.

  Each terminal has been described as calculating parameter values from input values in advance and storing them in the storage unit. However, the base terminals 1a and 1b calculate parameter values each time data is encrypted. May be. Similarly, the central terminal 1 may calculate the parameter value every time the encrypted data is received.

  Further, the operations shown in steps S1 to S4 in FIG. 3 may be performed at predetermined time intervals, for example, every day. In this way, parameter values used for encryption / decryption are periodically updated, so that more robust secrecy can be obtained.

  Further, in the above description, an example that is frequently applied to a credit card payment system has been described. However, the encrypted communication system according to the present embodiment includes encrypted data transmitted and received in addition to the card information of the individual identification card. Any security-related information input as a countermeasure from the physical aspect can be included, so that at least one base terminal conceals the contents from one central terminal and transmits information data including an individual identification card If it is a system, it can be easily introduced into a communication system other than a credit card payment system without changing hardware.

  As described above, according to the present embodiment, a pseudo random number can be obtained from an original input value for a key used for an encryption and decryption algorithm that can be introduced only by a software change, and the pseudo random number is further obtained. Since it is configured to binarize, obtain a parameter value from the binarized pseudorandom number based on a preset management table, and use the parameter value, information including card information of the individual identification card is transmitted / received It is possible to obtain an encrypted communication system that can be easily introduced into an existing communication system and enhances the confidentiality of information transmitted and received by a highly flexible encryption method.

  As described above, the encryption communication system according to the present invention is an encryption communication system in which one central terminal receives information including card information of an individual identification card that is transmitted in a secret manner from one or more base terminals. It is suitable to apply.

It is a figure which shows the structure of the encryption communication system of this Embodiment. It is a figure which shows an example of a management table. It is a flowchart explaining the operation | movement which produces | generates an input value. It is a flowchart explaining the operation | movement which calculates a parameter value. It is a flowchart explaining the operation | movement which transmits / receives data.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Central terminal 2a, 2b Base terminal 3 Network 11 Base terminal input value generation part 12 Pseudo random number generation part 13 Pseudo random number management part 14 Data decoding part 15 Storage part 16 Communication part 21 Pseudo random number generation part 22 Pseudo random number management part 23 Data input unit 24 Data encryption unit 25 Storage unit 26 Communication unit 100 Encrypted communication system

Claims (3)

An encryption communication system for transmitting information data in a secret manner from at least one base terminal to one central terminal,
The central terminal and each of the base terminals are
A pseudo-random number generating means for outputting the same output value from the same input value, inputting the input value to a pseudo-random number generation algorithm that is uniformly unified in all terminals, and calculating an output random number sequence;
A random number sequence corresponding to a predetermined number of digits is cut out from the calculated output random number sequence based on the same unified rule for all terminals, and each element of the random number sequence is binarized to create a binary number sequence Then, the parameter value corresponding to the created binary number sequence is calculated based on the management table which is uniformly unified in all terminals showing the correspondence relationship between the binarized number sequence held in advance in the terminal and the parameter value. Pseudo-random number management means;
With each
The base terminal is
A first storage means for holding one input value different for each base terminal in advance;
When the information data to be transmitted to the central terminal is input, the parameter value calculated by using the pseudo-random number generator and the pseudo-random number manager provided in the terminal from the input value held in the first storage unit Data encryption means for encrypting the information data using the encryption key and transmitting the encrypted information data together with the identification information of the terminal to the central terminal;
With
The central terminal is
Second storage means for storing all input values different for each base terminal in association with the identification information of the base terminal;
When the encrypted information data is received together with the identification information of the base terminal, the pseudo random number generation means provided in the own terminal from the input value stored in the second storage means and associated with the received identification information And a data decryption means for decrypting the received encrypted information data, using the same parameter value as the encryption key calculated as the encryption key calculated using the pseudo-random number management means as a decryption key;
An encryption communication system comprising: The pseudo random number generating means includes
Input an input value to the pseudo-random number generation algorithm to calculate an output random number sequence, a cutout start layer, and a cutout digit,
The pseudo random number management means
From the calculated output random number sequence, a random number sequence corresponding to the number of digits indicated by the value of the extraction digit is extracted from the digit indicated by the value of the extraction start layer of the output random number sequence.
The encrypted communication system according to claim 1. The central terminal generates a different input value for each base terminal at a predetermined time interval, stores the generated input value in association with identification information of the base terminal in the second storage unit, and A base terminal-specific input value generation means for transmitting the generated input values to the corresponding base terminals, respectively.
When the base terminal receives an input value from the central terminal, the base terminal stores the transmitted input value in the first storage means of its own terminal.
The encrypted communication system according to claim 1 or 2, characterized in that

Images