JP2008090424A - Management system, management method, electronic appliance and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To more certainly prevent tracing to certainly protect privacy. <P>SOLUTION: An RFID (Radio Frequency Identification) tag 13-1 holds identification information m for identifying the RFID tag 13-1 as cipher identification information C in an encrypted state, and a proxy 12-1 having ownership of the RFID tag 13-1 holds the identification information m of the RFID tag 13-1 and a private key x necessary to decrypt the cipher identification information C. When the ownership of the RFID tag 13-1 moves to a proxy 12-3 from the proxy 12-1, the proxy 12-3 acquires the identification information m and a private key x' different from the private key x from a server 11, encrypts the acquired identification information m such that the encrypted identification information m can be decrypted by the private key x', generates cipher identification information C' different from the cipher identification information C already held by the RFID tag 13-1, and makes the RFID tag 13-1 hold the cipher identification information C'in place of the cipher identification information C. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a management system, a management method, an electronic device, and a program, and more particularly, to a management system, a management method, an electronic device, and a program that can prevent tracking.

  Various types of product information can be stored in RFID (Radio Frequency Identification) tags. Therefore, if this RFID tag is attached to the product, the information can be quickly and easily read out wirelessly by a reader placed in the store, which facilitates the management of product sales, inventory, etc. .

  The RFID tag stores identification information for identifying it. Therefore, when the consumer who purchased the product moves while holding the product with the tag attached, the identification information is read by a reader arranged everywhere, and the consumer's behavior is There is a risk of being traced, which is a problem from the viewpoint of privacy protection.

  Therefore, it has been proposed that when a clerk hands over a purchased product to a consumer, the reply function of the RFID tag attached to the product is disabled (for example, Patent Document 1). According to this proposal, when the RFID tag receives an invalid instruction, the built-in timer performs a time counting operation so that it does not respond to a call from the reader when a predetermined period has elapsed. Become. Therefore, by matching the period with the period that can be returned, when the product is returned, it is allowed to read the information in the RFID tag, the return processing is possible, and after the period, Since the information in the RFID tag cannot be read, it cannot be tracked.

JP 2006-178770 A Philippe Golle, Markus Jakobsson, Ari Juels and Paul Syverson, “Universal Re-encryption for Mixnets”, The Cryptographers' Track at the RSA Conference CT-RSA, LNCS 2964, Feb. 2004, San Francisco, California, USA.

  However, the method of Patent Document 1 can be traced within a period. Therefore, it is desirable to protect the privacy more sufficiently.

  The present invention has been made in view of such a situation, and prevents tracking more reliably, thereby ensuring privacy protection.

  According to a first aspect of the present invention, in the management system or management method for managing an object, the identification information for identifying the object is encrypted identification information for identifying the object. And the electronic device having ownership of the object holds the identification information of the object having ownership and the object key necessary for decrypting the encryption identification information, and the owner When the ship is transferred from the first electronic device to the second electronic device, the second electronic device has the identification information and the first object key held in the first electronic device. A different second object key is acquired from the management device, the acquired identification information is encrypted so that it can be decrypted with the second object key, and the first cipher already held by the object Generate second cryptographic identification information that is different from the identification information Then, the management system or the management method causes the object to hold the second cryptographic identification information instead of the first cryptographic identification information.

  The electronic device can further hold position information for accessing the management device.

  The object further holds extraction information used to extract the encryption identification information from the reception data acquired wirelessly from the electronic device, and the second electronic device includes the extraction information When transmitting the cryptographic identification information wirelessly to the object, the object is further transmitted with second extraction information different from the first extraction information used by the first electronic device. Can update the first extraction information with the second extraction information.

  The electronic device can generate the encryption identification information by encrypting the identification information by a general re-encryption method.

  According to a second aspect of the present invention, in an electronic device that is used in the vicinity of an object and wirelessly communicates with the object, the ownership of the object is transferred from another electronic device, The identification information of the object is acquired from the management apparatus, and the first encryption identification information that is held by the other electronic device and is encrypted identification information obtained by encrypting the identification information is decrypted. Acquisition means for acquiring a second object key different from the one object key from the management device, holding means for holding the acquired identification information and the second object key, and the acquired The second encryption identification information is generated by encrypting the identification information so that it can be decrypted by the second object key, and the first object held by the object is generated by the second encryption identification information. An electronic apparatus comprising: encryption means for updating encryption identification information It is.

  According to a second aspect of the present invention, in the electronic device management method or program used in the vicinity of an object and wirelessly communicating with the object, the ownership of the object is another electronic device. The identification information of the object is acquired from the management device, and the first cryptographic identification information that is the cryptographic identification information obtained by encrypting the identification information is held by the other electronic device. A second object key different from the first object key required for decryption is acquired from the management device, the acquired identification information and the second object key are held, and acquired. The identification information is encrypted so that it can be decrypted with the second object key, thereby generating second encryption identification information, and the first object held by the object by the second encryption identification information. A tube comprising the step of updating the encryption identification information of It is a method or a program.

  In the first aspect of the present invention, when the ownership is transferred from the first electronic device to the second electronic device, the second electronic device is held in the identification information and the first electronic device. A second object key that is different from the first object key is acquired from the management device, and the acquired identification information is encrypted so that it can be decrypted by the second object key. Second encryption identification information different from the first encryption identification information is generated, and the second encryption identification information is held in the object instead of the first encryption identification information.

  In the second aspect of the present invention, when the ownership of an object is transferred from another electronic device, the identification information of the object is acquired from the management apparatus and held by the other electronic device. Then, a second object key different from the first object key necessary for decrypting the first encryption identification information that is the encryption identification information obtained by encrypting the identification information is acquired from the management apparatus. The second identification information is generated by encrypting the acquired identification information so that it can be decrypted with the second object key, and the first encryption held by the object is generated by the second encryption identification information. The identification information is updated.

  As described above, according to the aspects of the present invention, it is possible to more reliably prevent tracking and thus protect privacy.

  Embodiments of the present invention will be described below. Correspondences between constituent elements of the present invention and the embodiments described in the specification or the drawings are exemplified as follows. This description is intended to confirm that the embodiments supporting the present invention are described in the specification or the drawings. Therefore, even if there is an embodiment which is described in the specification or the drawings but is not described here as an embodiment corresponding to the constituent elements of the present invention, that is not the case. It does not mean that the form does not correspond to the constituent requirements. Conversely, even if an embodiment is described here as corresponding to a configuration requirement, that means that the embodiment does not correspond to a configuration requirement other than the configuration requirement. It's not something to do.

A first aspect of the present invention relates to a management system (for example, tag management system 1 in FIG. 1) or a management method for managing an object.
The object (for example, the RFID tag 13 in FIG. 1) is used to identify identification information (for example, identification information m) for identifying the object. 4 as cryptographic identification information C),
An electronic device having ownership of the object (for example, proxy 12 in FIG. 1) decrypts the identification information (for example, identification information m in FIG. 3) of the object having ownership and the encryption identification information. Holding an object key (for example, secret key x in FIG. 3) necessary for
When the ownership is transferred from the first electronic device (for example, the proxy 12A in FIG. 25) to the second electronic device (for example, the proxy 12B in FIG. 25), the second electronic device has the identification information and A second object key (for example, the secret key x ′ in step S309 of FIG. 26) different from the first object key (for example, the secret key x of FIG. 3) held in the first electronic device. ) Is encrypted from the management device (for example, the server 11 in FIG. 25), and the obtained identification information is encrypted so that it can be decrypted with the second object key. Generating second cryptographic identification information (for example, cryptographic identification information C ′ in step S314 of FIG. 26) different from the first cryptographic identification information, and replacing the first cryptographic identification information with the second cryptographic identification information Is a management system or a management method for holding the object on the object.

  The electronic apparatus can further hold position information (for example, position information SL in FIG. 3) for accessing the management apparatus.

The object further holds extraction information (for example, the extraction information PIN in FIG. 4) used to extract the encryption identification information from the reception data acquired wirelessly from the electronic device,
The second electronic device has a second extraction information different from the first extraction information used by the first electronic device when the cryptographic identification information is wirelessly transmitted to the object. Information (for example, extraction information PIN ′ in step S315 of FIG. 26) is further transmitted,
The object can update the first extraction information with the second extraction information.

  The electronic device can generate the encryption identification information by encrypting the identification information by a general-purpose re-encryption method (for example, Universal Re-encryption).

The second aspect of the present invention is an electronic device (for example, the proxy 12 in FIG. 3) used in the vicinity of an object (for example, the RFID tag 13 in FIG. 1) and wirelessly communicating with the object.
When the ownership of the object is transferred from another electronic device (for example, the proxy 12A in FIG. 25), the identification information of the object (for example, the identification information m in step S309 in FIG. For example, first cipher identification information (for example, cipher identification of FIG. 4) obtained from the server 11) of FIG. 25 and held by the other electronic device, which is cipher identification information obtained by encrypting the identification information. A second object key (for example, the secret key x ′ in step S309 in FIG. 26) different from the first object key (for example, the secret key x in FIG. 3) necessary for decrypting the information C). Acquisition means (for example, the communication unit 201 in FIG. 3) to acquire from the management device;
Holding means for holding the acquired identification information and the second object key (for example, the storage unit 208 in FIG. 3);
The obtained identification information is encrypted so that it can be decrypted with the second object key to generate second encryption identification information, and the object is held by the second encryption identification information. An electronic device comprising: encryption means for updating the first encryption identification information (for example, the encryption unit 202 in FIG. 3).

The second aspect of the present invention is also a management method or program for an electronic device used by wirelessly communicating with the object in the vicinity of the object.
When the ownership of the object is transferred from another electronic device, the identification information of the object is acquired from a management device, and the identification information held by the other electronic device is encrypted. A second object key different from the first object key necessary for decrypting the first encryption identification information that is the encryption identification information is acquired from the management device (for example, step S309 in FIG. 26),
Holding the acquired identification information and the second object key (for example, step S310 of FIG. 26),
The obtained identification information is encrypted so that it can be decrypted with the second object key to generate second encryption identification information, and the object is held by the second encryption identification information. Update the first encryption identification information (for example, step S315 of FIG. 26)
A management method or program comprising steps.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 shows the configuration of a tag management system as an embodiment of the management system of the present invention. The tag management system 1 includes a server 11, a proxy 12-0, RFID tags 13-1 to 13-n, a network 14, and stores 15-1 and 15-2.

  The server 11 as a management device manages the RFID tags 13-1 to 13-n as objects. The proxy 12-0 is controlled by the server 11, and stores the cryptographic identification information as an initial state in the RFID tags 13-1 to 13-n.

  The network 14 is a network including a LAN (Local Area Network), a WAN (Wide Area Network), a telephone line, the Internet, and the like. The server 11, the reader / writer 31-1 of the store 15-1, the proxy 12-1, the store 15 -2 reader / writer 31-2, proxy 12-2, etc. are connected to each other.

  Here, the network refers to a mechanism in which at least two devices are connected and information can be transmitted from one device to another device. The devices that communicate via the network may be independent devices, or may be internal blocks that constitute one device.

  The store 15-1 includes a reader / writer 31-1, a proxy 12-1, a product 32-1, and an RFID tag 13-1. The RFID tag 13-1 stores the encrypted identification information obtained by encrypting the unique identification information (tag ID) by the server 11 through the proxy 12-0, and then the administrator of the server 11 It was provided to the administrator. The RFID tag 13-1 is attached to the product 32-1. The administrator of the product 32-1 can store various information related to the product 32-1 wirelessly in the RFID tag 13-1 via the reader / writer 31-1.

  The reader / writer 31-1 periodically emits radio waves, and transmits a command to an RFID tag arranged in the vicinity (range where radio waves can reach), and has a function of reading information stored therein. . The proxy 12-1 can wirelessly communicate with the RFID tag 13-1 and the reader / writer 31-1. Further, the proxy 12-1 can communicate with the server 11 or the proxy 12-0 managed by the server 11 via the network 14.

  The store 15-2 has a reader / writer 31-2, a proxy 12-2, a product 32-2, and an RFID tag 13-2. The RFID tag 13-2 stores encrypted identification information obtained by encrypting unique identification information through the proxy 12-0 by the server 11, and is provided from the administrator of the server 11 to the administrator of the product 32-2. It is a thing. The RFID tag 13-2 is attached to the product 32-2. The administrator of the product 32-2 can store various information regarding the product 32-2 wirelessly in the RFID tag 13-2 via the reader / writer 31-2.

  The reader / writer 31-2 has a function of periodically emitting radio waves, transmitting a command to an RFID tag arranged in the vicinity, and reading information stored therein. The proxy 12-2 can wirelessly communicate with the RFID tag 13-2 and the reader / writer 31-2. Further, the proxy 12-2 can communicate with the server 11 or the proxy 12-0 managed by the server 11 via the network 14.

  The user 16 has a proxy 12-3. For example, when the user 16 purchases the product 32-1 at the store 15-1, the product 32-1 is delivered to the user 16 with the RFID tag 13-1 attached. At this time, the proxy 12-3 can communicate with the RFID tag 13-1 attached to the nearby product 32-1.

  The proxies 12-1 to 12-3 include, for example, a mobile phone, a PDA (Personal Digital Assistants) that is a portable electronic notebook, a wristwatch, and the like. Hereinafter, the proxies 12-1 to 12-3 are simply referred to as proxies 12 when it is not necessary to distinguish them individually. The same applies to other devices.

  FIG. 2 shows the configuration of an embodiment of the server 11 that manages the RFID tag 13. The server 11 includes a database 101, a communication unit 102, a storage unit 103, a key generation unit 104, a control unit 105, a decryption unit 106, and an encryption unit 107.

The database 101 holds a secret key, a public key, an EPC (Electronic Product Code), a tag ID (m), a tag owner, and data for each RFID tag. The secret key SK (Secret Key) _T and the corresponding public key PK (Public Key) _T are generated by the key generation unit 104. EPC is the original identification information, and the tag ID is identification information generated based on the EPC. As the tag owner, the identification information of the proxy having the ownership at that time is registered. The data is provided when the RFID tag is accessed from the reader / writer, and is classified for each authorization level. The authorization level A is a level at which only the data Data A can be provided, and the authorization level B is a level at which not only the data Data A but also the data Data B can be provided.

In this embodiment, for the RFID tag 13-1, as a secret key, public key, EPC, tag ID, tag owner, and data (Data A and Data B), SK _T1 , PK _T1 , EPC respectively _T1 , _mT1 , P1, Data 1A, and Data 1B are registered. Similarly, for the RFID tag 13-2, SK _T2 , PK _T2 , EPC _T2 , m _T2 , P 2, Data 2A, Data as the secret key, public key, EPC, tag ID, tag owner, and data, respectively. 2B for the RFID tag 13-3, SK _T3 , PK _T3 , EPC _T3 , m _T3 , P3, Data 3A, Data as the private key, public key, EPC, tag ID, tag owner, and data, respectively. 3B is registered.

In addition to communicating with the proxy 12-0, the communication unit 102 communicates with the reader / writers 31-1 and 31-2 and the proxies 12-1 to 12-3 via the network 14. The storage unit 103 stores the server 11's own private key SK _S and certificate Cert _S , respectively. These are issued from a predetermined certificate authority (not shown). In addition, the storage unit 103 acquires and stores in advance the public key PK _P of the proxy 12-0 and a default value g which is a default value. The key generation unit 104 generates a public key PK _T and secret key SK _T for each RFID tag 13. The control unit 105 controls the operation of each unit of the server 11. The decryption unit 106 decrypts the encryption. The encryption unit 107 encrypts plain text.

  FIG. 3 shows the configuration of an embodiment of the proxy 12. The proxy 12 includes a communication unit 201, an encryption unit 202, a decryption unit 203, a control unit 204, a time variable generation unit 205, a calculation unit 206, a signature creation unit 207, and a storage unit 208.

  The communication unit 201 communicates with the server 11 and the proxy 12-0 via the network 14, and communicates with the reader / writer 31 and the RFID tag 13 in addition to the nearest other proxy 12.

  The longest communicable distance between the proxy 12 and the RFID tag 13 is 1 to 2 meters. Therefore, the proxy 12 can communicate only with the RFID tag 13 located at most within a radius of 2 meters. Increasing this distance is convenient, but as will be described later, if the extraction information PIN is stolen, the cryptographic identification information C transmitted from the proxy 12 to the RFID tag 13 may be read out. However, if this distance is shortened, the encryption identification information C cannot be substantially read unless it is located within the range of this distance, so that confidentiality can be maintained.

  The encryption unit 202 uses the public key of the RFID tag 13 to re-encrypt the encryption identification information C read from the RFID tag 13 using a universal re-encryption method to create a new encryption Identification information C ′ is generated. The general-purpose re-encryption method is an encryption method proposed in Non-Patent Document 1, and it is possible to easily convert (re-encrypt) a ciphertext for one plaintext into another ciphertext for the same plaintext. It is a simple encryption method.

The decryption unit 203 uses the secret key of the RFID tag 13 to decrypt the cryptographic identification information C read from the RFID tag 13 to obtain identification information (tag ID) m. The control unit 204 controls the operation of each unit of the proxy 12. When the variable generator 205 generates a variable N _P when a random number that changes each generation. The calculation unit 206 has various functions and functions as a pseudorandom number generator that generates pseudorandom numbers of the extracted information PIN. This pseudo-random number is a random number that is deterministically calculated based on the argument. If the argument is the same, the same random number can always be obtained. The signature creation unit 207 creates signatures of various information using the secret key of the proxy 12.

The storage unit 208 holds an access control list 209. In this access control list 209, the secret key x of the RFID tag 13 having the ownership, the identification information m, the extracted information PIN, the information for accessing the server 11, that is, the position information SL indicating the position of the server 11 It is remembered. In addition, the storage unit 208 stores the certificate Cert _P and the private key SK _P of the proxy 12 itself. The certificate Cert _P and the secret key SK _P are issued from a predetermined certificate authority. In addition, the storage unit 208, previously obtained the public key PK _S of the server 11 stores.

  FIG. 4 shows the configuration of an embodiment of the RFID tag 13. The RFID tag 13 includes a calculation unit 301, a storage unit 302, a communication unit 303, and a control unit 304.

  The calculation unit 301 has a function as a pseudo-random number generator that generates pseudo-random numbers of the extracted information PIN. This pseudo-random number is a random number that is deterministically calculated based on the argument. If the argument is the same, the same random number can always be obtained. The storage unit 302 stores the encryption identification information C and the extracted information PIN received from the proxy 12. The communication unit 303 performs communication with the proxy 12 or the reader / writer 31. The control unit 304 controls the operation of each unit of the RFID tag 13.

  FIG. 5 shows the configuration of an embodiment of the reader / writer 31. The reader / writer 31 includes a communication unit 401, a storage unit 402, a time variable generation unit 403, a signature creation unit 404, a control unit 405, a decryption unit 406, and an encryption unit 407.

The communication unit 401 communicates with the server 11 via the network 14 and also communicates with the nearest proxy 12 or RFID tag 13. Storage unit 402 stores a certificate Cert _R and the secret key SK _R interrogator 31 itself. These are issued from a predetermined certificate authority. In addition, the storage unit 402, previously obtained the public key PK _S of the server 11, holds.

The time variable generator 403 generates a time variable N _R that is a random number that changes every time it is generated. Signature creation unit 404, using the secret key SK _R of the reader-writer 31, to create a signature of the various types of information. The control unit 405 controls the operation of each unit of the reader / writer 31. The decryption unit 406 decrypts the encryption. The encryption unit 407 encrypts plain text.

  6A shows communication paths between the server 11 and the proxy 12, the server 11 and the reader / writer 31, the proxy 12 and the reader / writer 31, the proxy 12 and the RFID tag 13, and the reader / writer 31 and the RFID tag 13. This represents a communication path at the time of authorization described later. Similarly, FIG. 6B shows a proxy 12A that is the tag owner of the transfer source at the time of ownership transfer, which will be described later, and a proxy 12B that is the tag owner of the transfer destination at the time of ownership transfer and the server 11, and the proxy 12A and proxy 12B. Communication paths between 12A and the RFID tag 13, and between the proxy 12B and the RFID tag 13 are shown. This represents a communication path at the time of ownership transfer. Each of these communication channels is composed of an insecure channel. That is, no special measures are taken to maintain confidentiality.

  Next, a process for storing the cryptographic identification information C in the RFID tag 13 when the RFID tag 13 is manufactured will be described with reference to FIGS. 7 shows the processing of the server 11, FIG. 8 shows the processing of the proxy 12-0 as a tag owner, and FIG. 9 shows the processing of the RFID tag 13, respectively. FIG. The relationship between the processing of 12-0 and the RFID tag 13 is shown.

  At the start of this process, it is assumed that no information related to the RFID tags 13-1 to 13-n to be manufactured is registered in the access control list 209 of the storage unit 208 of the proxy 12-0.

  7 and 10, the control unit 105 of the server 11 determines identification information m for identifying one RFID tag 13. The identification information m is an arbitrary number that can be used to identify the product, but other than the EPC that represents the product to which the RFID tag 13 is attached, or the EPC itself obtained by encrypting the EPC, etc. There may be no pseudo-EPC. When pseudo EPC is used as the identification information m, it is difficult to obtain product information only from the pseudo EPC, so that leakage of information from the RFID tag can be prevented more reliably.

In step S2, the key generation unit 104 generates a secret key SK _T (x) and a public key PK _T (y = g ^x ) for the RFID tag 13, respectively. The default value g is a generation source of the group constituting the El Gamar encryption, and is shared in advance with the proxy 12-0. In step S3, the encryption unit 107 obtains a cipher E (PK _P , x‖m). That is, the encryption unit 107 uses the public key PK _P of the proxy 12-0 as a tag owner having the ownership of the RFID tag 13, and generates a concatenation of the secret key x of the RFID tag 13 and the identification information m Encrypt ‖m. A‖B represents the connection between A and B. Then, the communication unit 102 transmits the encryption E (PK _P , x‖m) to the proxy 12-0 as the tag owner.

8 and 10, the communication unit 201 of the proxy 12-0 receives the cipher E (PK _P , x‖m) transmitted from the server 11, and the decryption unit 203 stores in the storage unit 208. Using the stored secret key SK _P , the cipher E (PK _P , x‖m) is decrypted to obtain the secret key x of the RFID tag 13 and the identification information m. In step S32, the calculation unit 206 generates a factor r = (k ₀ , k ₁ ) described later. In step S33, the encryption unit 202 uses the general-purpose identification information m by using k ₀ and k ₁ constituting the factor r, the public key y, and the default value g as shown in the equation (1). Encryption is performed using the re-encryption method to generate encryption identification information C.

Note that, as expressed in Expression (2), the factor r = (k ₀ , k ₁ ) is a set of factors in which k ₀ and k _{1 as} components are integers of 0 or more and q−1 or less, respectively. It is an element of Z _q ² . Here, q represents the order of the group constituting the ElGamal Encryption.

In the general-purpose re-encryption method, the identification information m is obtained by performing a predetermined operation on α ₀ , β ₀ , α ₁ , and β ₁ constituting the encryption identification information C using the secret key x. Can do.
Even when the cryptographic identification information C ′ generated based on the cryptographic identification information C is decrypted, the same identification information m is obtained as in the case where the cryptographic identification information C is decrypted.

In addition, when decrypting the cryptographic identification information C = [(α ₀ , β ₀ ); (α ₁ , β ₁ )] in equation (1), for example, first, α ₀ , α ₁ , β ₀ , and β ₁ Confirm that they belong to the group that constitutes the Elgamamar cryptosystem. Then, when it is confirmed that all of α ₀ , α ₁ , β ₀ , and β ₁ belong to the group constituting the Elgamal encryption, m ₀ = α ₀ / (β ₀ ^x ) using the secret key x. , M ₁ = α ₁ / β ₁ ^x is calculated. According to equation (1), if m ₁ calculated is 1, m ₀ = α ₀ / (β ₀ ^x ) becomes the original plaintext (identification number m), and decryption is successful. In this way, the encryption identification information C can be decrypted to obtain the identification number m. Note that if any of α ₀ , α ₁ , β ₀ , and β ₁ does not belong to the group constituting the Elgamal cipher, or if the calculated m ₁ is not 1, decryption is unsuccessful.

  In step S34, the communication unit 201 transmits the cryptographic identification information C generated in step S33 to the RFID tag 13. In addition, the calculation unit 206 generates extraction information PIN, and the communication unit 201 also transmits the extraction information PIN to the RFID tag 13.

  9 and 10, the communication unit 303 of the RFID tag 13 receives the encryption identification information C transmitted from the proxy 12-0 as the tag owner. In step S62, the storage unit 302 stores the encryption identification information C received in step S61. At this time, the extracted information PIN transmitted from the proxy 12-0 is also stored in the storage unit 302.

  As described above, one RFID tag 13 holds the encryption identification information C and the extracted information PIN obtained by encrypting the identification information m. This process is performed for each RFID tag 13.

  In this way, the RFID tag 13 recorded as the encryption identification information C after each identification information m is encrypted is distributed to each product manager. Since the server 11 manages the ownership of the RFID tag 13, when the distribution of the RFID tag 13 is received, the merchandise manager of the stores 15-1 and 15-2 determines the ownership of the RFID tag 13, The proxy 12-0 representing the server administrator is transferred to the proxies 12-1 and 12-2 representing the product manager. As a result, the tag owner registered in the database 101 of the server 11 is changed from the proxy 12-0 to the proxy 12-1 or the proxy 12-2. Then, the product manager attaches the RFID tag 13 to the product 32.

  Further, the product manager operates the reader / writer 31 or a personal computer (not shown), etc., and information about the product such as price, producer, raw material, date of purchase, etc. of each product Data iA, Data iB, (I = 1, 2, 3,...) Are registered in the server 11 via the network 14. Thereby, in the database of the server 11, information related to the product to which the RFID tag 13 is attached is registered in correspondence with the identification information of each RFID tag 13. Therefore, the product manager manages the product by causing the reader / writer 31 to transmit radio waves periodically or at a necessary timing, accessing the RFID tag 13 and reading out information related to the product. Can do.

  Of course, if the product 32 to which the RFID tag 13 is affixed is determined in advance, the proxy of the manager of the product is registered as the tag owner from the beginning at the time of manufacture, and information about the product is also provided when the RFID tag 13 is manufactured. You can register.

  When the user 16 purchases a product at the store 15, the product is transferred to the user 16, and accordingly, the ownership of the RFID tag affixed to the product is also displayed by the product manager (the stores 15-1, 15 -2 proxy 12-1, 12-2) is transferred to user 16 (the proxy 12-3).

  Next, when accessing the RFID tag 13 from the reader / writer 31 and reading the information of the product to which the RFID tag 13 is attached, that is, the processing at the time of authorization and the transfer of ownership of the RFID tag 13 The process will be described. Description of the process of registering product information is omitted.

  First, processing at the time of authorization will be described with reference to FIG. 11 to FIG. This process is started periodically or when the execution of the process is instructed by the merchandise manager. 11 shows the processing of the reader / writer 31, FIG. 12 shows the processing of the RFID tag 13, FIGS. 13 and 14 show the processing of the proxy 12, and FIG. 15 shows the processing of the server 11, respectively. FIG. 19 shows the mutual processing relationship among the reader / writer 31, the RFID tag 13, the proxy 12, and the server 11.

  Hereinafter, a case will be described in which the reader / writer 31-1 reads information on the product 32-1 to which the RFID tag 13-1 is attached in the store 15-1.

In step S101 of FIGS. 11 and 16, the time variable generation unit 403 of the reader / writer 31 generates a time variable N _R. At this time, the variable N _R is a random number having a different value when the generation timing is different. The communication unit 401 generates a connection Q‖N _R between a query Q for calling a response to the RFID tag 13 and a time variable N _R by radio waves. This radio wave is received by the RFID tag 13 located in the vicinity of the reader / writer 31.

In step S131, the communication unit 303 of the RFID tag 13 receives the connection Q‖N _R transmitted from the reader / writer 31. In step S132, the control unit 304 reads the cipher identification information C stored in the storage unit 302, and generates a connection C‖N _R with the received time variable N _R. The communication unit 303 transmits the connected C‖N _R.
$
The connected C161N _R transmitted from the RFID tag 13 is the proxy 12 (in this case, the proxy 12) arranged in the vicinity of the RFID tag 13 (within a radius of 2 meters) in step S161 of FIG. 13 and FIG. -1) is received by the communication unit 201. In step S162, the decoding unit 203, an encryption identification information C of the connecting C‖N _R received at step S161, the RFID tag 13 stored in the access control list 209 stored in the storage unit 208 Using the secret key x (secret key SK _T ), decryption is performed as described above to obtain identification information m in an unencrypted state. As will be described later, the proxy 12 that has the ownership of the RFID tag 13, that is, the proxy 12 that is the tag owner of the RFID tag 13, has the secret key x of the RFID tag 13 that is the subject of the ownership. In other words, the information in the access control list 209 that holds the secret key x is registered when the ownership is transferred (the process in step S310 in FIGS. 20 and 26 described later). Now, since the proxy 12 is a tag owner of the RFID tag 13, it has the secret key x.

  In step S163, the control unit 204 searches for the identification information m registered in the access control list 209. In step S164, the control unit 204 determines whether or not the identification information m obtained in step S162 matches the identification information m retrieved from the access control list 209 in step S163. If the identification information m obtained in step S162 does not match the identification information m registered in the access control list 209, the proxy 12 is not the tag owner of the RFID tag 13. Therefore, in this case, in step S165, the time variable generation unit 205 generates a predetermined random number. This random number means that the reader / writer 31 does not have the authority to read. The communication unit 201 transmits this random number.

  In step S102, the communication unit 401 of the reader / writer 31 located in the vicinity of the proxy 12 receives this random number. When the control unit 405 receives the random number, the control unit 405 knows that the acquisition of information related to the product 32 to which the RFID tag 13 is attached has not been granted, and ends the process at the time of authorization.

On the other hand, if it does not receive the random number in step S103, the signature creating unit 404 of the reader-writer 31, by using the secret key SK _R in the storage unit 402 is stored, the variable N _R when generated in step S101 Create a signature Sig _R (N _R ) that contains it. The control unit 405 reads the certificate Cert _R that contains the public key PK _R of the reader-writer 31 stored in the storage unit 402, generates a connection _{Sig R (N R) ‖Cert R} . The communication unit 401 transmits the linked Sig _R (N _R ) ‖Cert _R to the proxy 12.

Signature Sig _X (M) is the digital signature of entity X for message M and includes both message M and its digital signature authenticator. Entities other than the entity X can verify the signature Sig _X (M) using the public key of the entity X and can acquire the message M from the signature Sig _X (M).

In step S166, the communication unit 201 of the proxy 12 receives the concatenated Sig _R (N _R ) RCert _R transmitted from the reader / writer 31. In step S167, the decoding unit 203, the public key of the certificate authority that has been previously acquired, connecting Sig _R (N _R) ‖Cert verifies the certificate Cert _R of _R, also a reader-writer from the certificate Cert _R 31 to obtain a public key PK _R of. Further, the decryption unit 203 verifies the signature Sig _R (N _R ) of the concatenated Sig _R (N _R ) ‖Cert _R with the public key PK _R of the reader / writer 31 and obtains a time variable N _R.

In step S168, the control unit 204 determines whether or not the time variable N _R obtained from the reader / writer 31 in step S161 matches the time variable N _R obtained in step S167. If the two do not match (including the case where the time variable N _R has been tampered with), the reader / writer 31 is not a legitimate reader / writer, and therefore it is not possible to permit the provision of product information. Therefore, in step S170, the time variable generation unit 205 generates a random number. This random number means that the reader / writer 31 does not have the authority to read. The communication unit 201 transmits this random number.

On the other hand, if it is determined in step S168 that the time variable N _R obtained from the reader / writer 31 in step S161 matches the time variable N _R obtained in step S167, in step S169, the control unit 204 executes step S167. It is determined whether both the certificate Cert _R and the signature Sig _R (N _R ) verification that have been performed are successful. If any of the verification of the certificate Cert _R and the signature Sig _R (N _R ) is determined to be unsuccessful, the reader / writer 31 is not a legitimate reader / writer. The offer cannot be permitted. Therefore, in step S170, the time variable generation unit 205 generates a random number. This random number means that the reader / writer 31 does not have the authority to read. The communication unit 201 transmits this random number.

  In step S104, the communication unit 401 of the reader / writer 31 receives the random number transmitted by the proxy 12. When the control unit 405 receives this random number, the control unit 405 knows that the acquisition of information regarding the product 32 to which the RFID tag 13 is attached has not been granted, and ends the authorization process.

On the other hand, if it is determined in step S169 that the verification of the certificate Cert _R and the signature Sig _R (N _R ) performed in step S167 is successful, the reader / writer 31 is an authorized reader / writer, that is, When the validity of the reader / writer 31 is confirmed, in step S171, the signature creation unit 207 of the proxy 12 uses the secret key SK _P stored in the storage unit 208 to connect the concatenated m‖N _P ‖cmd. Create a signature Sig _P (m‖N _P ‖cmd) containing. Here, the identification information m is stored in the access control list 209. The time variable N _P is generated by the time variable generation unit 205. The command cmd designates the authorization level of the reader / writer 31, and the authorization level for each reader / writer is assumed to be preset by the administrator of the proxy 12.

Encryption unit 202 uses the public key PK _S of the server 11 which is previously stored in the storage unit 208, it encrypts the concatenation of signature Sig _P (m‖N _P ‖cmd) and certificate Cert _P, encryption M _P = E (PK _S , Sig _P (m ‖ _{N P} ‖ cmd) ‖ Cert _P ) is generated. Here, the certificate Cert _P is issued from the certificate authority and is stored in the storage unit 208. Furthermore, the encryption unit 202, a connecting M _P ‖SL the location SL of the server 11 which is previously stored cipher M _P in the storage unit 208, encrypted with the public key PK _R obtained in step S167, the encryption E (PK _R , M _P ‖SL) is generated. Here, the position information SL is stored in advance in the access control list 209 at the time of ownership transfer. Then, the communication unit 201 transmits the encryption E (PK _R , M _P ‖SL) to the reader / writer 31.

In step S105, the communication unit 401 of the reader / writer 31 receives the encryption E (PK _R , M _P ‖SL) transmitted from the proxy 12. In step S106, the decoding unit 406, the encryption _{E (PK R, M P ‖SL} ) received in step S105, and decrypts the secret key SK _R stored in the storage unit 402 of the reader-writer 31, the cryptographic M _P And position information SL is obtained.

In step S107, the signature creating unit 404 uses the secret key SK _R stored in the storage unit 402, to create a signature Sig _R (M _P) containing cryptographic M _P obtained in step S106. Encryption section 407 uses the public key PK _S of the server 11 in the storage unit 402 is stored, the signature Sig _R (M _P) and the connecting Sig _R certificate Cert _R stored in the storage unit 402 (M _P ) ‖Cert _R is encrypted to generate a cipher E (PK _S , Sig _R (M _P ) ‖Cert _R ). This certificate Cert _R is obtained in advance by the reader / writer 31 from a predetermined certificate authority. The certificate Cert _R includes identification information of the reader / writer 31. The communication unit 401 identifies the server 11 based on the position information SL obtained in step S106, and transmits the cipher E (PK _S , Sig _R (M _P ) ‖Cert _R ) to the server 11.

In step S201 of FIG. 15 and FIG. 17, the communication unit 102 of the server 11 receives the cipher E (PK _S , Sig _R (M _P ) ‖Cert _R ) transmitted from the reader / writer 31. In step S202, the decoding unit 106, the encryption _{E (PK S, Sig R (} M P) ‖Cert R) and decrypted by the secret key SK _S stored in the storage unit 103, the signature Sig _R (M _P ) And get the certificate Cert _R. In step S203, the decoding unit 106 verifies the certificate Cert _R with the public key of the predetermined authentication station acquired in advance, also obtain the public key PK _R of the reader writer 31. In step S204, the decoding unit 106 further, the signature Sig _R a (M _P), verified by using the public key PK _R of the reader writer 31, the contents of the signature Sig _R (M _P) encryption M _P = E Check that the signature is correct for (PK _S , Sig _P (m‖N _P ‖cmd) ‖Cert _P ).

In step S205, the decoding unit 106, the cryptographic _{M P = E (PK S,} Sig P (m‖N P ‖cmd) ‖Cert P) and decrypted by the secret key SK _S, the signature Sig _P (m‖N _P ‖Cmd) and certificate Cert _P. The decryption unit 106 verifies the certificate Cert _P with the public key of a predetermined certificate authority acquired in advance, and obtains the public key PK _P of the proxy 12.

In step S206, the decryption unit 106 further verifies the signature Sig _P (m‖N _P ‖cmd) with the public key PK _P obtained in step S205, and uses the contents of the signature Sig _P (m‖N _P ‖cmd). The identification information m, the time variable N _P , and the command cmd that specifies the authorization level of the reader / writer 31 are confirmed to be a correct signature, and the identification information m, the time variable N _P , and the command cmd are obtained. In step S207, the decryption unit 106 verifies the certificate Cert _P with the public key of a predetermined certificate authority, and obtains the identification information (proxy ID) of the proxy 12.

  In step S208, the decryption unit 106 determines whether any of the signature or certificate verification performed in steps S203, S204, S206, and S207 has succeeded. When it is determined that any of the signature and certificate verification performed in steps S203, S204, S206, and S207 is unsuccessful, in step S210, the communication unit 102 reads the random number generated by the calculation unit 206. Send to writer 31.

  On the other hand, if it is determined in step S208 that all of the signature and certificate verification performed in steps S203, S204, S206, and S207 have been successful, in step S209, the control unit 105 obtains in step S205. It is determined whether the proxy ID of the proxy 12 is registered in the database 101 as a tag owner.

  If it is determined in step S209 that the proxy ID of the proxy 12 obtained in step S207 is not registered as a tag owner in the database 101, in step S210, the communication unit 102 uses the random number generated by the calculation unit 206 as a reader / writer. Send to 31.

  In step S108, the communication unit 401 of the reader / writer 31 receives this random number. When receiving the random number, the control unit 405 determines that reading of data is not permitted and ends the process.

On the other hand, if it is determined in step S209 that the proxy ID of the proxy 12 obtained in step S207 is registered as a tag owner in the database 101, the encryption unit 107 is specified by the command cmd of the proxy 12 in step S211. The data 101 of the database 101 that is allowed to be provided according to the authorization level, that is, for example, if the authorization level is A, the data Data A, and if the authorization level is B, the data Data A‖ Data B is encrypted with the public key PK _R obtained in step S203 to generate a cipher E (PK _R , Data). The communication unit 102 transmits the encryption E (PK _R , Data) to the reader / writer 31.

In step S109, the communication unit 401 of the reader writer 31 receives the encryption sent from the server _{11 E (PK R, Data)} . Then, in step S110, the decoding unit 406 decrypts the encrypted E (PK _R, Data) with the secret key SK _R in the storage unit 402 is stored, obtaining the data of the RFID tag 13.

  As a result, the reader / writer 31 is permitted to read the RFID tag 13 having the ownership of the proxy 12, so that the RFID tag 13 data permitted to be provided according to the authorization level of the reader / writer 31, that is, the RFID tag Information about the product 32 to which 13 is attached can be read.

On the other hand, in the proxy 12, after the encryption E (PK _R , M _P ‖SL) is transmitted to the reader / writer 31 in step S171, the arithmetic unit 206 stores the access control list 209 in the storage unit 208 in step S172. Then, a pseudo random number G (PIN) is generated with the extracted information PIN stored in advance at the time of ownership transfer as an argument. In step S173, the arithmetic unit 206 generates new extracted information PIN ′ other than the extracted information PIN stored in the access control list 209. In step S174, the calculation unit 206 further generates a new factor r ′ = (k ₀ ′, k ₁ ′) different from the factor r = (k ₀ , k ₁ ) generated in step S32 in FIG. In step S175, the arithmetic unit 206 re-encrypts the cipher identification information C by the general-purpose re-encryption method to generate the cipher identification information C ′, as expressed in Expression (3).

Note that, as expressed in Expression (4), k ₀ ′ and k ₁ ′ constituting the factor r ′ are the elements of Z _q ² described above.

  As described above, in the general-purpose re-encryption method, the new encryption identification information C ′ can be generated only from the current encryption identification information C and the factor r ′. Even when the new encryption identification information C ′ is decrypted, the same identification information m as when the current encryption identification information C is decrypted is obtained.

  In step S176, the calculation unit 206 combines the cipher identification information C ′ generated in step S175 and the concatenation C′‖PIN ′ of the extracted information PIN ′ generated in step S173, and the pseudo random number G ( Calculates an exclusive OR with (PIN). The communication unit 201 transmits the exclusive OR of the concatenated C′‖PIN ′ and the pseudo random number G (PIN) to the RFID tag 13. In step S177, the storage unit 208 updates the stored current encryption identification information C with the new encryption identification information C ′, and updates the stored current extraction information PIN with the new extraction information PIN ′.

On the other hand, in the RFID tag 13, in step S132, after the coupling C‖N _R is sent to the proxy 12, in step S133, the communication unit 303, a connecting C'‖PIN 'sent from the proxy 12 pseudo Receive exclusive OR with random number G (PIN). In step S134, the arithmetic unit 301 calculates a pseudo random number G (PIN) using the extracted information PIN stored in the storage unit 302 as an argument. As described above, the pseudo random number G (PIN) has the same value as the pseudo random number G (PIN) calculated by the proxy 12 in step S172. In step S135, the arithmetic unit 301 excludes the exclusive OR of the concatenated C′‖PIN ′ received in step S133 and the pseudo random number G (PIN) and the pseudo random number G (PIN) calculated in step S134. A concatenated C'‖PIN 'is obtained by calculating a logical OR.

  The encryption identification information C is transmitted from the proxy 12 to the RFID tag 13 not only at the time of authorization but also by simply generating noise using the extracted information PIN. That is, the extracted information PIN functions so as not to directly expose the encryption identification information C to the outside. However, since only exclusive logical operations are performed and complicated encryption and decryption processing combined with addition / subtraction, shift, table reference processing, and the like are not performed, an inexpensive RFID tag 13 can be used. .

  In step S136, the storage unit 302 of the RFID tag 13 updates the stored current encryption identification information C to the new encryption identification information C ′, and also stores the current extraction information PIN stored in the new extraction information PIN ′. Update to

  As described above, not only the reader / writer 31 but also every time an electronic device attempts to read data from the RFID tag, authorization (authentication) of the electronic device is performed. When the validity of the electronic device is confirmed by the authorization, the electronic device can read the data related to the RFID tag 13 held in the server 11. Further, when an unauthorized electronic device attempts to read, since the validity of the electronic device is not confirmed by the authorization, leakage of data to the unauthorized electronic device, that is, an attacker can be prevented.

  Next, with reference to FIGS. 20 to 26, processing at the time of ownership transfer of the RFID tag 13 will be described. In this process, for example, when buying and selling a product, the ownership of the RFID tag affixed to the product is changed from the current tag owner (hereinafter referred to as the current tag owner) to the new tag owner (hereinafter referred to as the new tag owner as appropriate). It is done when moving to. 20 and 21 are the processing of the proxy 12B as the new tag owner, FIG. 22 is the processing of the RFID tag 13, FIG. 23 is the processing of the proxy 12A as the current tag owner, and FIG. 24 is the processing of the server 11 individually. FIG. 25 and FIG. 26 show the mutual processing relationship among the proxy 12B, the RFID tag 13, the proxy 12A, and the server 11.

  In the following, at the store 15-1, the user 16 purchases the product 32-1, and the ownership of the RFID tag 13-1 attached to the product 32-1 is the proxy 12-1 as the current tag owner (proxy It shall be transferred from 12A) to proxy 12-3 (proxy 12B) as a new tag owner.

For example, when the user 16 instructs the proxy 12B as the new tag owner to start the ownership transfer process, in step S301 of FIGS. 20 and 25, the time variable generation unit 205 of the proxy 12B sets the time variable N _B Is generated. At this time the variable N _B is the case where the timing for generating different is a random number to be different values. The communication unit 201, a connection Q‖N _B query Q and the time variable N _B calling the response to RFID tag 13, generated by radio waves. This radio wave is received by the RFID tag 13 located in the vicinity of the proxy 12B.

In step S341 of FIG. 22 and FIG. 25, the communication unit 303 of the RFID tag 13 receives the connection Q‖N _B transmitted from the proxy 12B as new Taguona. In step S342, the control unit 304 reads the encrypted identification information C stored in the storage unit 302, generates a connection C‖N _B with variable N _B when received. The communication unit 303 transmits the connection C‖N _B to the proxy 12A as current Taguona.

In step S361 of FIG. 23 and FIG. 25, the connecting C‖N _B transmitted from the RFID tag 13 is received by the communication unit 201 of the proxy 12A as current Taguona disposed in the vicinity of the RFID tag 13.

In step S362, the decoding unit 203 of the proxy 12A is, RFID held the encryption identification information C of the received connected C‖N _B at step S361, the access control list 209 stored in the storage unit 208 Using the secret key x (SK _T ) of the tag 13, decryption is performed as described above to obtain identification information m in an unencrypted state. Note that the proxy 12 having the ownership of the RFID tag 13, that is, the proxy 12A that is the current tag owner has the secret key x of the RFID tag 13 that is the subject of the ownership.

  In step S363, the control unit 204 searches for the identification information m registered in the access control list 209. In step S364, the control unit 204 determines whether or not the identification information m obtained in step S362 matches the identification information m registered in the access control list 209. If the identification information m obtained in step S362 is not registered in the access control list 209, the proxy 12A is not the tag owner of the RFID tag 13. Therefore, in this case, in step S365, the time variable generation unit 205 generates a predetermined random number. This random number means that the proxy 12B as the new tag owner does not have the authority to retain the ownership of the RFID tag 13 possessed by the proxy 12A by transfer. The communication unit 201 transmits this random number.

  In step S302, the communication unit 201 of the proxy 12B as the new tag owner located in the vicinity of the proxy 12A as the current tag owner receives this random number. When the control unit 204 receives this random number, the control unit 204 knows that permission to transfer the ownership of the RFID tag 13 has not been granted, and ends the processing at the time of ownership transfer.

On the other hand, if the random number has not been received, in step S303, the signature creation unit 207 of the proxy 12B uses the proxy 12B's own private key SK _B (SK _P ) stored in the storage unit 208, and in step S301 Create a signature Sig _B (N _B ) that includes the variable N _B when it occurs. The control unit 204 reads the certificate Cert _B that contains the public key PK _B of proxy 12B itself in the storage unit 208 is stored, generates a connection _{Sig B (N B) ‖Cert B} . The communication unit 401 transmits this linked Sig _B (N _B ) ‖Cert _B to the proxy 12A as the current tag owner.

In step S366, the communication unit 201 of the proxy 12A as the current tag owner receives the concatenated Sig _B (N _B ) ‖Cert _B transmitted from the proxy 12B as the new tag owner. Decoding unit 203, the public key of the certificate authority that has been previously acquired, to verify the certificate Cert _B of the coupling _{Sig B (N B) ‖Cert B} , also to obtain the public key PK _B of proxy 12B.

Using the proxy 12A's own private key SK _A (SK _P ) stored in the storage unit 208, the signature creation unit 207 uses the identification information m of the RFID tag 13, the command cmd indicating ownership transfer, and the proxy 12A _A signature Sig _A (m‖cmd‖Cert _A ) including a concatenated m‖cmd‖Cert _A of a certificate Cert _A including its own public key PK _A is generated. The encryption unit 202 encrypts the signature Sig _A (m‖cmd‖Cert _A ) with the public key PK _S of the server 11 stored in advance in the storage unit 208, and the encryption M _A = E (PK _S , Sig _A (m‖cmd‖Cert _A )). Furthermore, the encryption unit 202, encryption M _A, the position information SL of the server 11, and the coupling M _A ‖SL‖PIN extraction information PIN, encrypted with the public key PK _B of proxy 12B obtained in the step S366. The communication unit 201 in step S367, and transmits the encryption _{E (PK B, M A ‖SL‖PIN} ) to the proxy 12B as new Taguona.

  In step S368, the proxy 12A deletes the record of the RFID tag 13 registered in the access control list 209, that is, the secret key x, the identification information m, the extraction information PIN, and the position information SL.

  As a result, the proxy 12A as the current tag owner releases the ownership of the RFID tag 13.

In step S304, the communication unit 201 of the proxy 12B as the new tag owner receives the encryption E (PK _B , M _A ‖SL‖PIN) transmitted from the proxy 12A as the current tag owner. In step S305, the decryption unit 203 decrypts the cipher E (PK _B , M _A ‖ SL ‖ PIN) with the secret key SK _B (SK _P ) stored in the storage unit 208, and the cipher M _A , the server 11 Position information SL and extraction information PIN of the RFID tag 13 are obtained.

In step S306, the signature creating unit 207, a secret key SK _B of proxy 12B in the storage unit 208 is stored (SK _P) using a signature Sig _B containing cryptographic M _A obtained in step S305 (M _A) Is generated. Encryption unit 202 uses the public key PK _S of the server 11 which is previously stored in the storage unit 208, the signature Sig _B (M _A) and stored in the storage unit 208 the proxy 12B own certificate Cert _The connection Sig _B (M _A ) ‖Cert _B , which is the connection with _B, is encrypted to generate a cipher E (PK _S, Sig _B (M _A ) ‖Cert _B ). Then, the communication unit 201 transmits the encryption E (PK _S, Sig _B (M _A ) ‖Cert _B ) to the server 11.

24 and FIG. 25, the communication unit 102 of the server 11 receives the cipher E (PK _S, Sig _B (M _A ) BCert _B ) transmitted from the proxy 12B as the new tag owner. In step S402, the decoding unit 106, the encryption _{E (PK S, Sig B (} M A) ‖Cert B) and decrypted by the secret key SK _S stored in the storage unit 103, the signature Sig _B (M _A ) And get a certificate Cert _B. In step S403, the decryption unit 106 verifies the signature Sig _B (M _A ) with the public key PK _B of the proxy 12B obtained from the certificate Cert _B, and obtains the cipher M _A. Further, the decryption unit 106 verifies the certificate Cert _B with the public key acquired in advance from the certificate authority, and further obtains identification information (proxy ID) of the proxy 12B.

In step S404, the decoding unit 106, the cryptographic M _A = E obtained in step _{S403 (PK S, Sig A (} m‖cmd) ‖Cert A) and decrypted with the secret key SK _S stored in the storage unit 103 And obtain a signature Sig _A (m‖cmd) and a certificate Cert _A. In step S405, the decryption unit 106 verifies the certificate Cert _A obtained in step S404 with the public key of the certificate authority, and obtains the public key PK _A and identification information (proxy ID) of the proxy 12A as the current tag owner. In step S406, the decryption unit 106 verifies the signature Sig _A (m‖cmd) obtained in step S404 with the public key PK _A obtained in step S405, and also uses the RFID tag 13 (in this case, the RFID tag 13 -1) The identification information m and the command cmd indicating ownership transfer are obtained.

  In step S407, the control unit 105 determines whether the proxy ID of the proxy 12A as the current tag owner obtained in step S405 is registered as a tag owner in the database 101. When it is determined that the proxy ID of the proxy 12A as the current tag owner obtained in step S405 is not registered as a tag owner in the database 101, in step S409, the communication unit 102 transmits a random number to the proxy 12B as the new tag owner. . This random number means that the proxy 12B as the new tag owner is not authorized to receive ownership transfer of the RFID tag 13 held by the proxy 12A.

  On the other hand, if it is determined in step S407 that the proxy ID of the proxy 12A as the current tag owner obtained in step S405 is registered as a tag owner in the database 101, in step S408, the decryption unit 106 performs steps S401 to S406. It is determined whether both the performed signature and certificate verification are successful. If it is determined that either the signature or certificate verification performed in steps S401 to S406 is unsuccessful, in step S409, the communication unit 102 transmits a random number to the proxy 12B as the new tag owner. This random number means that the proxy 12B as the new tag owner is not authorized to receive ownership transfer of the RFID tag 13 held by the proxy 12A.

  In step S307, the communication unit 201 of the proxy 12B as the new tag owner determines whether a random number from the server 11 has been received. When it is determined that the random number from the server 11 has been received, the control unit 204 knows that permission to transfer the ownership of the RFID tag 13 has not been granted, and ends the processing at the time of ownership transfer.

On the other hand, if it is determined in step S408 that both the signature and certificate verification performed in steps S401 to S406 are successful, the key generation unit 104 of the server 11 in FIG. As in step S2, a new secret key SK _T '(x') and a new public key PK _T '(y') for the RFID tag 13 are generated. The control unit 105 converts the secret key SK _T (x) and the public key PK _T (y) for the RFID tag 13 stored in the database 101 into the secret key SK _T ′ (x ′) and the public key PK _T ′ ( Update to y '). Note that the secret key SK _T '(x') is a secret key different from the secret key SK _T (x). The public key PK _T '(y') is a public key different from the public key PK _T (y).

In step S411, the control unit 105 updates the tag owner for the RFID tag 13 in the database 101 from the proxy ID of the proxy 12A as the current tag owner to the proxy ID of the proxy 12B as the new tag owner obtained in step S403. Encryption unit 107, at step S412, the connection x'‖m the identification information m of the new private key SK _T '(x') and RFID tag 13, and encrypted with the public key PK _B of proxy 12B, the encryption E (PK _B , x'‖m) is generated. The communication unit 102 transmits the encryption E (PK _B , x′‖m) to the proxy 12B as a new tag owner.

In step S308, the communication unit 201 of the proxy 12B as a new tag owner receives the encryption E (PK _B , x′‖m) transmitted from the server 11. In step S309, the decryption unit 203 decrypts the cipher E (PK _B , x′‖m) with the secret key SK _B (SK _P ), and obtains the ownership by ownership transfer. 'And the identification information m of the RFID tag 13 are obtained. In step S310, the storage unit 208 records in the access control list 209 the RFID tag 13 that has received ownership transfer, that is, the secret key x ′, the identification information m, the extraction information PIN, and the location information of the server 11. Insert each SL.

  As a result, the proxy 12B as the new tag owner obtains the ownership of the RFID tag 13.

In step S311, the calculation unit 206 of the proxy 12B generates a pseudo random number G (PIN) using the extracted information PIN stored in the storage unit 208 as an argument. In step S312, the calculation unit 206 generates new extraction information PIN ′ other than the current extraction information PIN. In step S313, the calculation unit 206 further generates a new factor r ′ = (k ₀ ′, k ₁ ′). In step S314, the arithmetic unit 206 generates new cipher identification information C ′ using the general-purpose re-encryption method, as expressed in Expression (5).

Note that, as expressed in Expression (6), k ₀ ′ and k ₁ ′ constituting the factor r ′ are elements of Z _q ² described above.

  In the general-purpose re-encryption method, when the new encryption identification information C ′ is decrypted, the same identification information m as when the current encryption identification information C is decrypted is obtained.

  In step S315, the calculation unit 206 generates a concatenation C′‖PIN ′ between the cryptographic identification information C ′ generated in step S314 and the extracted information PIN ′ generated in step S312 and the pseudo random number G generated in step S311. Calculates an exclusive OR with (PIN). The communication unit 201 transmits an exclusive OR of the concatenated C′‖PIN ′ and the pseudo random number G (PIN) to the RFID tag 13 having ownership. In step S316, the storage unit 208 updates the stored current encryption identification information C to the new encryption identification information C ′, and updates the stored current extraction information PIN to the new extraction information PIN ′.

  In step S343, the ownership 303 is transferred to the proxy 12B as the new tag owner by the ownership transfer, and the communication unit 303 of the RFID tag 13 simulates the connection C'‖PIN 'transmitted from the proxy 12B as the new tag owner. Receive exclusive OR with random number G (PIN). In step S344, the arithmetic unit 301 calculates a pseudo random number G (PIN) using the extracted information PIN stored in the storage unit 302. As described above, the pseudo random number G (PIN) has the same value as the pseudo random number G (PIN) calculated by the proxy 12B as the new tag owner. In step S345, the arithmetic unit 301 excludes the exclusive OR of the concatenated C′‖PIN ′ received in step S343 and the pseudorandom number G (PIN) and the pseudorandom number G (PIN) calculated in step S344. A concatenated C'‖PIN 'is obtained by calculating a logical OR.

  In step S346, the storage unit 302 of the RFID tag 13 updates the stored current encryption identification information C to the new encryption identification information C ′, and also stores the current extraction information PIN stored in the new extraction information PIN ′. Update to

  As described above, according to the embodiment of the present invention, when the ownership is transferred, the encryption identification information in the RFID tag 13 can be decrypted only with the private key of the new tag owner, that is, the current tag owner. Therefore, when the ownership is transferred, the original tag owner cannot immediately follow the consumer having the RFID tag 13 when the ownership is transferred. Therefore, privacy can be more reliably protected.

  Furthermore, according to the embodiment of the present invention, since the RFID tag is not encrypted or decrypted, it is possible to prevent the RFID tag from becoming expensive and to spread the RFID tag. It becomes. Further, since portable electronic devices such as mobile phones, PDAs (Personal Digital Assistants), and wristwatches can be used as proxies, a low-cost system can be realized as a whole system.

  Next, with reference to FIG. 27, the state of the proxy managing the RFID tag and the transition of the state of the proxy will be described.

  As shown in FIG. 27, the proxy state is composed of six states: tag acquisition, key management, authentication, access control, relabeling, and tag release.

  The tag acquisition is, for example, a proxy state corresponding to the processing of steps S301 to S309 in FIG. 20 and steps S311 to S315 in FIG. 21 by the proxy 12B as a new tag owner. In tag acquisition, the proxy obtains a record of an RFID tag for which ownership is to be obtained by ownership transfer, that is, a secret key, identification information, encryption identification information, and extraction information, and also stores the current tag owner in the RFID tag. The new encryption identification information and the extracted information that are different from those held by the client are transmitted and stored. When the above-described processing ends, the proxy state transitions from tag acquisition to key management.

  Key management is, for example, the process of deleting or updating the record of the RFID tag 13 having ownership by the proxy 12, that is, the state holding the secret key, identification information, encryption identification information, or extraction information For example, step S177 of FIG. 14, processing of step S310 of FIG. 20 by proxy 12B as a new tag owner and step S316 of FIG. 21, or step of FIG. 23 by proxy 12A as the current tag owner There is a proxy status corresponding to the processing of S368. In the key management, the proxy updates the record of the RFID tag having the ownership by the authorization, and inserts or deletes the record by the ownership transfer. After the above-described processing ends, the proxy state transitions from key management to authentication as necessary.

  The authentication is, for example, a proxy state corresponding to the processing of steps S166 to S169 in FIG. In the authentication, at the time of authorization, the proxy authenticates (confirms) whether the reader / writer that has transmitted the query to the RFID tag having the ownership is a reader / writer having the authority to read data. After the above-described processing is completed, the proxy state transitions from authentication to access control.

  The access control is, for example, the state of the proxy corresponding to the processing of step S171 in FIG. 13 by the proxy 12. In the access control, the proxy confirms the authorization level of the reader / writer that has transmitted the query at the time of authorization, Appropriate data corresponding to the authorization level is provided to the reader / writer. If the reader / writer does not have access authority, the proxy does not provide data. After the above-described processing ends, the proxy state transitions from access control to relabeling.

  Relabeling is, for example, the state of the proxy corresponding to the processing of steps S172 to S175 of FIG. In the relabeling, the proxy updates the cryptographic identification information stored in the RFID tag by authorization or ownership transfer. After the above-described processing ends, the proxy state returns from relabeling to key management.

  The tag release is, for example, a proxy state corresponding to the processing in steps S361 to S367 in FIG. 23 by the proxy 12A as the current tag owner. In the tag release, the proxy deletes the record of the RFID tag having the ownership at the time of ownership transfer, and releases the ownership of the RFID tag.

  In this embodiment, the proxy 12 holds the position information SL of the server and provides the position information SL to a legitimate reader / writer, so that the reader / writer manages RFID tags from among many servers. Can access the server directly.

  Further, in the tag management system 1, since the communication with the server 11 is performed after authenticating the validity of the reader / writer with the proxy at the time of authorization, the calculation amount of the server 11 can be reduced.

  As shown in step S135 in FIG. 12, step S176 in FIG. 14, step S315 in FIG. 21, or step S345 in FIG. 22, on the transmission side, new encryption identification information etc. transmitted from the proxy 12 to the RFID tag 13 etc. The information is encrypted by performing an exclusive OR operation with information (extraction information) shared with the receiving side. For the encryption of such information, other general encryption methods such as AES (Advanced Encryption Standard) and DES (Data Encryption Standard) can also be used. However, when such other encryption methods are used, a large-scale arithmetic circuit, for example, a circuit of several thousand to several tens of thousands of gates, is required for performing various operations complicatedly combined for encryption. become.

  The series of processes described above can be executed by hardware, or can be executed by software.

  Furthermore, communication is communication in which wireless communication and wired communication are mixed as well as wireless communication and wired communication, that is, wireless communication is performed in one section and wired communication is performed in another section. May be. Further, communication from one device to another device may be performed by wired communication, and communication from another device to one device may be performed by wireless communication.

  In the present specification, the step of describing the program stored in the program recording medium is not limited to the processing performed in time series in the described order, but is not necessarily performed in time series. Or the process performed separately is also included.

  Further, in this specification, the system represents the entire apparatus constituted by a plurality of apparatuses.

  The present invention can be applied to an electronic device having ownership of an object such as an RFID tag, such as a mobile phone, a portable electronic notebook, and a wristwatch. The present invention can also be applied to managing ID cards that hold identification information other than RFID tags and other objects as objects. The transfer of ownership includes not only the transfer of ownership but also the transfer of ownership.

  The embodiment of the present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the gist of the present invention.

It is a block diagram showing the structure of the tag management system as one Embodiment of the management system of this invention. It is a block diagram showing the structure of one Embodiment of a server. It is a block diagram showing the structure of one Embodiment of a proxy. It is a block diagram showing the structure of one Embodiment of a RFID tag. It is a block diagram showing the structure of one Embodiment of a reader / writer. It is a figure showing the communication path at the time of authorization and ownership transfer. It is a flowchart explaining the process of the server at the time of manufacture of a RFID tag. It is a flowchart explaining the process of the proxy as a tag owner at the time of manufacture of an RFID tag. It is a flowchart explaining the process of the RFID tag at the time of manufacture of an RFID tag. It is a flowchart explaining the relationship of the mutual process of the server at the time of manufacture of a RFID tag, the proxy as a tag owner, and a RFID tag. It is a flowchart explaining the process of the reader / writer at the time of authorization. It is a flowchart explaining the process of the RFID tag at the time of authorization. It is a flowchart explaining the process of the proxy at the time of authorization. It is a flowchart explaining the process of the proxy at the time of authorization. It is a flowchart explaining the process of the server at the time of authorization. It is a flowchart explaining the relationship of the mutual processing of the reader / writer, RFID tag, proxy, and server at the time of authorization. It is a flowchart explaining the relationship of the mutual processing of the reader / writer, RFID tag, proxy, and server at the time of authorization. It is a flowchart explaining the relationship of the mutual processing of the reader / writer, RFID tag, proxy, and server at the time of authorization. It is a flowchart explaining the relationship of the mutual processing of the reader / writer, RFID tag, proxy, and server at the time of authorization. It is a flowchart explaining the process of the proxy as a new tag owner at the time of ownership transfer of an RFID tag. It is a flowchart explaining the process of the proxy as a new tag owner at the time of ownership transfer of an RFID tag. 6 is a flowchart for explaining processing of an RFID tag at the time of transfer of ownership of the RFID tag. It is a flowchart explaining the process of the proxy as a current tag owner at the time of ownership transfer of an RFID tag. It is a flowchart explaining the process of the server at the time of ownership transfer of an RFID tag. 6 is a flowchart for explaining a relationship among processing of a proxy, an RFID tag, a proxy, and a server when transferring ownership of an RFID tag. 6 is a flowchart for explaining a relationship among processing of a proxy, an RFID tag, a proxy, and a server when transferring ownership of an RFID tag. It is a figure for demonstrating the state of the proxy which manages an RFID tag, and the transition of the state of the proxy.

Explanation of symbols

  1 Tag management system, 11 servers, 12, 12A, 12B, and 12-1 to 12-3 proxy, 13, and 13-1 to 13-n RFID tags, 14 networks, 15-1 and 15-2 stores, 31 , 31-1, and 31-2 reader / writer, 101 database, 102 communication unit, 103 storage unit, 104 key generation unit, 105 control unit, 106 decryption unit, 107 encryption unit, 201 communication unit, 202 encryption unit, 203 Decryption unit, 204 Control unit, 205 Time variable generation unit, 206 Calculation unit, 207 Signature generation unit, 208 Storage unit, 209 Access control list, 301 Calculation unit, 302 Storage unit, 303 Communication unit, 304 Control unit, 401 communication Part, 402 storage part, 403 time variable generation part, 404 signature creation part, 405 control part, 406 decryption part, 407 encryption part

Claims (17)

In a management system that manages objects,
The object holds identification information for identifying the object as encryption identification information which is identification information in an encrypted state,
An electronic device having ownership of the object holds the identification information of the object having ownership and an object key necessary for decrypting the encryption identification information;
When the ownership is transferred from the first electronic device to the second electronic device, the second electronic device has the identification information and a first object key held in the first electronic device. A second object key different from the first object key is obtained from the management device, and the obtained identification information is encrypted so that it can be decrypted with the second object key, and the object already holds the first object key. A management system that generates second cryptographic identification information different from the cryptographic identification information of the first, and holds the second cryptographic identification information in the object instead of the first cryptographic identification information. The management system according to claim 1, wherein the object is an RFID tag. The management system according to claim 2, wherein the electronic device is a mobile phone, a portable electronic notebook, or a wristwatch. The management system according to claim 2, wherein the electronic device is an electronic device used at a position within 2 m away from the RFID tag. The management system according to claim 2, wherein the electronic device further holds position information for accessing the management device. The object further holds extraction information used to extract the cryptographic identification information from reception data acquired wirelessly from the electronic device,
The second electronic device has second extraction information different from the first extraction information used by the first electronic device when the cryptographic identification information is wirelessly transmitted to the object. Also send further,
The management system according to claim 5, wherein the object updates the first extraction information with the second extraction information. The management system according to claim 2, wherein the electronic device generates the encryption identification information by encrypting the identification information using a general-purpose re-encryption method. In a management method for managing objects,
The object holds identification information for identifying the object as encryption identification information which is identification information in an encrypted state,
An electronic device having ownership of the object holds the identification information of the object having ownership and an object key necessary for decrypting the encryption identification information;
When the ownership is transferred from the first electronic device to the second electronic device, the second electronic device has the identification information and a first object key held in the first electronic device. A second object key different from the first object key is obtained from the management device, and the obtained identification information is encrypted so that it can be decrypted with the second object key, and the object already holds the first object key. The second encryption identification information different from the encryption identification information is generated, and the second encryption identification information is held in the object instead of the first encryption identification information. In an electronic device used in the vicinity of an object and wirelessly communicating with the object,
When the ownership of the object is transferred from another electronic device, the identification information of the object is acquired from a management device, and the identification information held by the other electronic device is encrypted. Obtaining means for obtaining, from the management device, a second object key different from the first object key necessary for decrypting the first encryption identification information that is the encryption identification information;
Holding means for holding the acquired identification information and the second object key;
The obtained identification information is encrypted so that it can be decrypted with the second object key to generate second encryption identification information, and the object is held by the second encryption identification information. An electronic device comprising: encryption means for updating the first encryption identification information. The electronic device according to claim 9, wherein the object is an RFID tag. The electronic device according to claim 9, wherein the electronic device is a mobile phone, a portable electronic notebook, or a wristwatch. The electronic device according to claim 9, wherein the electronic device is an electronic device used at a position within 2 m from the object. The electronic device according to claim 9, wherein the electronic device further holds position information for accessing the management device. The object further holds extraction information used to extract the second encryption identification information from reception data acquired wirelessly from the electronic device,
When the electronic device transmits the second encryption identification information wirelessly to the object, second extraction information that is different from the first extraction information used by the other electronic device is also included. Send more,
The electronic device according to claim 9, wherein the object updates the first extraction information with the second extraction information. The electronic device according to claim 9, wherein the electronic device generates the encryption identification information by encrypting the identification information using a general-purpose re-encryption method. In the management method of the electronic device used in the vicinity of the target object and wirelessly communicating with the target object,
When the ownership of the object is transferred from another electronic device, the identification information of the object is acquired from a management device, and the identification information held by the other electronic device is encrypted. Obtaining a second object key different from the first object key necessary for decrypting the first encryption identification information that is the encryption identification information from the management device,
Holding the acquired identification information and the second object key;
The obtained identification information is encrypted so that it can be decrypted with the second object key to generate second encryption identification information, and the object is held by the second encryption identification information. A management method comprising a step of updating the first encryption identification information. In the program of the electronic device used in the vicinity of the target object and wirelessly communicating with the target object,
When the ownership of the object is transferred from another electronic device, the identification information of the object is acquired from a management device, and the identification information held by the other electronic device is encrypted. Obtaining a second object key different from the first object key necessary for decrypting the first encryption identification information that is the encryption identification information from the management device,
Holding the acquired identification information and the second object key;
The obtained identification information is encrypted so that it can be decrypted with the second object key to generate second encryption identification information, and the object is held by the second encryption identification information. A program for causing a computer to execute the step of updating the first encryption identification information.

Images