_
`
`United States Patent [19]
`Ishiguro et al.
`
`US005396558A
`
`[11] Patent Number:
`[45] Date of Patent:
`
`5,396,558
`Mar. 7, 1995
`
`[54] METHOD AND APPARATUS FOR
`SE'ITLEMENT OF ACCOUNTS BY 1C CARDS
`
`[75] Inventors: Ginya Ishiguro; Toshiyasu Muta;
`Kazutaka Sakita, all of Yokosuka;
`Shoji Miyaguchi, Yokohama;
`Tatsuaki Okamoto, Yokosuka;
`Atsushi Fujioka, Yokohama, all of
`Japan
`[73] Assignee: Nippon Telegraph and Telephone
`Corporation, Tokyo, Japan
`[21] App]. No.: 119,850
`[22] Filed:
`Sep. 13, 1993
`[30]
`Foreign Application Priority Data
`Sep. 18, 1992 [JP]
`Japan ................................ .. 4249293
`Sep. 18, 1992 [JP]
`Japan
`4-249294
`Sep. 18, 1992 [JP]
`.. 4-308688
`Japan
`.
`Nov- 26, 1992 [JP]
`.
`Japan
`.. 4-317254
`Nov. 26, 1992 [JP]
`Japan
`4-317255
`
`51
`Int. Cl.6 ............................................. .. H04L 9/30
`iszi us. 01. . . . . . . . . . . . .
`. . . .. 380/25; 380/30
`[58] Field of Search
`380/24 25 30
`"""""""""""""" "
`’
`’
`References Cited
`U_S_ PATENT DOCUMENTS
`4,438,824 3/1984 Muellur-Schloer ................. .. 380/ 30
`
`[56]
`
`5,016,276 5/1991 Matumoto et a1. ................. .. 380/25
`5,018,196 5/1991 Takaragi et a1. ...... .
`, .... .. 380/30
`5,046,094 9/1991 Kawamura et a1. ............ .. 380/30
`5,199,070 3/1993 Matsuzaki et a1. .............. .. 380/30
`Primary Examiner-Sa1vatore Cangialosi
`Attorney, Agent, or Firm—Pol1ock, Vande Sande and
`Priddy
`ABSTRACI
`[57]
`An IC card has a card information memory area
`wherein there are written a master public key nA, card
`secret keys pU and qU, a card public key nU, a card
`identi?cation number IDU, and a ?rst master digital
`signature SAl for information including the card identi
`?cation number. An IC card terminal has terminal in
`formation memory area wherein there are written a
`master public key nA, terminal secret keys pT and qT,
`a terminal public key nT, a terminal identi?cation num
`ber IDT, and a second master digital signature SA2 for
`information including the terminal identi?cation num
`ber IDT. When inserted into the IC card terminal, the
`IC card sends thereto the data nU IDU and SAl. The
`.
`.
`.
`.’
`.
`’
`1C card tam?‘ ven?es ‘116915191 515mm” S91 by
`the master public key nA and, 1f1t 1s val1d, transmits the
`data nT, IDT and SA2 to the IC card. The IC card
`veri?es the digital signature SA2 by the master public
`key
`aI11:d,tl11;1t 1S valitd, transrgits 1I1ll‘O1'm$tltOnt;Of§f(§-;
`o e
`s on m o e curren remam er va ue
`cgrd tel-gninal The IC card terminal makes a check to
`
`the received information comes ondin to the
`MllIlCk Ct 8.1. . . . . . . . . . . .
`. . . . ..
`. d
`4,807,288 2/1989 Ugon et al. ............. .. 380/30
`a1 V .
`. t
`dPIf
`%
`4,862,501 8/1989 Kamitake et a1. ..
`380/25 “mm er ‘’ “"1 . ‘S aPPmPna e’ an 1 5°’ ecomes
`4,885,777 12/1989 Takaragi et a1.
`.... .. 380/30
`enabled for Pmvldmg a 86m“
`4,885,788 12/1989 Takaragi et a1.
`.... .. 380/25
`,
`4,969,189 11/1990 Ohta et a1. .................. .. 380/25
`12 Claims, 16 Drawing Sheets
`
`See
`
`r- — — — — - — — -1V
`
`6M1/: nA,pU, W, nU {;
`' IDU SA( nU=l<|DU)l
`L-L ---- --J 00, lDU,SA(nT*IDU)
`
`1- ------- " ":
`
`;nA,PT. qT, nT, M2,,1
`IIDT, 5A(nT*|DT)'
`L ----- ----|
`
`[Ir-'- - - - :4
`
`nT, |DT,SA(nT*lDT)
`
`1'
`.:v,
`| <
`l SA( V * IDU) |
`l ,mc
`
`V, SUlV), SA(V*IDU),IDC ; D|AL THE NUMBER
`L
`DIA
`
`,
`(END OF SERVICE)
`
`_
`
`7
`
`1C CARD TERM
`
`l L. _ _ _ _ _ _ _
`
`W ,_
`2
`
`I
`-,. ______ __, < v, snv *mu)
`: V, nT, IDT,
`:
`,. ST(V*|DU) |_
`1.519112‘ LDI )_.J
`|
`l
`[(3 CARD
`
`I
`
`I
`
`OK
`
`PNC-JP MORGAN EXHIBIT 1015
`
`Page 1 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 1 of 16
`
`5,396,558
`
`FIG. 1
`
`/2b
`
`3
`
`IC CARD
`
`/2a
`
`IC CARD
`TERM
`
`;
`,
`l
`I
`:
`I
`
`MANAGEMENT
`CENT
`
`5
`/
`
`1c CARD
`DISPENSER
`/'°‘
`IC CARD
`
`Page 2 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 2 of 16
`
`5,396,558
`
`FIG. 2
`
`,13
`DISPLAY
`/12
`
`2
`J
`,16
`HANDSE'I;
`
`,17
`SPEECH CKT
`[14
`
`/11
`
`‘ IC CARD
`READER/WRITER
`
`/15
`
`NETWORK
`INTERFACE
`
`,
`
`FIG. 3
`)61
`ROM
`
`,62
`RAM
`
`I5
`
`CONTACTS
`66
`
`I
`
`65
`
`/
`
`CPU
`
`EEPROM
`
`/6"
`
`/I'
`I 0
`INTERFACE
`
`Page 3 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 3 of 16
`
`5,396,558
`
`FIG. 4A
`
`1c CARDTERMZ
`
`MANAG CENM
`
`
`
`nA,pT, qT,nT,
`T
`A T
`IDES nT>HD'T
`n .P,q,
`. him—3....
`um, nT,
`SA(nT*IDT)
`
`PA,QA
`
`FIG. AB
`
`[C CARD 6
`
`:c CARD DEF;
`
`SA(nU*lDU)
`
`nA, pU,qU,
`IDU, nU,
`
`IDU,
`nA,pU,qU,
`nU,SA(nU*lDU)
`
`FIG. 4C
`
`
`
`nU,lDU, SA(nU *IDU)
`———-————-——————>
`
`nA,pU, qU,
`IDU, nU,
`SA(nU * IDU)
`V,SA(V*IDU),W IV,SA(V*|DU)I
`IDC
`L- ----- J
`
`:-
`
`Page 4 0f 33
`
`Page 4 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 4 of 16
`
`5,396,558
`
`Pl | I I I I l ‘ I..|..
`
`
`
`
`
`maria vl<w .5.“
`
`52*.E2m52 5:
`
`wmméz ME .25
`
`32>; “a 2m:
`
`N/
`2%; E5 2
`
`Alilwal
`
`
`
`A ueéeizm .53 .>
`
`£556.51?!
`
`VS
`
`252x35 \_> v
`
`._ _ _ _ r.
`
`I | | I i I IIIIL
`
`
`_.l I l i l I IIIL
`2 .36 2.2 x
`
`_. ||||| IA IJ
`
`
`
`zgizczm :2.
`
`Page 5 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 5 of 16
`
`5,396,558
`
`<N
`
`UN
`
`:aisé.5.Ea.£2:
`
`seéczqse
`
`2:5a.2.<=
`
`zooz<m
`
`2mm
`
`mm55EE
`
`
`ozEEmo$25.me
`
`2m95e5En
`
`ON
`
`.EEoz:.<onS
`
`«3222mm
`
`.._2_mam:
`
`<mm<2w:
`
`
`
`mm.oE5<m.07..
`
`Page 6 0f 33
`
`Page 6 of 33
`
`
`
`
`
`
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 6 0f 16
`
`5,396,558
`
`.1 _ L _ _l
`
`
`
`“PU Maia“
`
`m zoczé
`
`.25 :55
`
`525mm “5 czm:
`
`21.“; E5 2
`N,
`
`mggmamlg
`59 $53.59.?
`
`‘Illllllll
`
`m dais/age .2 v
`
`llullallllllll
`
`_ _
`
`_ _
`
`u 59;? “ £3
`
`v5
`
`_" 5e jznxaze.
`“I [A gamma
`_ 2 .E_.E..>L“
`
`Fllllllllll-llll
`
`w,
`25 2
`
`w .oE
`
`a
`
`r
`
`Page 7 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 7 of 16
`
`5,396,558
`
`5m 95
`
`?ll-Ill. _ v9.2.
`Fllll-L
`
`N. .oI
`
`32.2.
`
`
`
`_.. llllll IIJ
`
`_ 213.241
`rlllll IIIL
`
`"592C225
`
`'llllullllllll'
`llnllllllllullllllllllll'
`
`‘II
`
`‘
`
`x zoozé
`
`> Eoazé
`
`lllll'llll'
`
`‘lllllllllllllllll
`52255
`
`.)
`
`
`
`Pzmo 35.2
`
`m/
`H55 920 2
`
`m;
`26 2
`
`uscziizq
`
`
`
`.l llll IIJ _ 0E.
`
`Page 8 of 33
`
`

`

`U.S. Patent
`
`Mar. 7, 1995
`
`Sheet 8 of 16
`
`5,396,558
`
`QEBx
`
`ox
`
`6v. 6: 9.2x w
`
`Puma E6 2
`
`6x .9; 9:5 w
`
`
`
`A . . . . ifzw
`
`hvoxm
`
`
`
`w SEEP Qm<u u_
`
`952
`
`Ox
`.E
`
`w, 86 u.
`
`Ox
`3x
`
`aEwQ
`
`Page 9 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 9 of 16
`
`5,396,558
`
`MANAG CENT :IDUMIH,
`| \DU2,hz1,h22
`4M E
`
`I'- - _ _ — _ -—1
`
`|
`I
`:
`i
`
`:
`
`l_ ____ __.__J
`|
`AL”: DUwo
`
`Page 10 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 10 of 16
`
`5,396,558
`
`!C CARD 6
`
`IC CARD TERM 2b
`
`FIG. 10
`
`mu SAHDU)
`
`LpnTASA(nTb*IDTb)I
`
`v,nT°,mT°,t°
`ST°(TS°t),SA(nT°*lDT°) L—
`
`—————————_—-’
`
` I
`
`
`L__._._.__._._..J
`
`
`.
`
`MANAG CENT
`
`ST,b(TSbt)
`
`4
`
`,I ST(TSbt)
`l
`b
`L_SA(nT *IDT
`
`b
`
`Page 11 0f 33
`
`Page 11 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 11 of 16
`
`5,396,558
`
`IC CARD 6
`______ ___I
`
`IC CARD TERM 2b
`_________
`2M1
`5M1
`{bHASA(nTb*IDTb)'
`nU,lDU,SA(nU*lDU)
`———--—--- TpT, qT", nT", 10sz
`nTb, IDT,SA(nTb*lDTb)
`—————
`IV
`'
`‘—-—'—'————
`'R°,X,°,IDT nT° t“ '
`':ST“(R°*X*V*IDU) : M
`2M‘
`F SCl
`'
`R,X,V, nT‘i IDT‘: t“
`' ST“(R°*X*V*IDU)=S°
`5T“(Ts“t *5“)
`
`SA(nT“*|DT°) :STb(RbfltX*V*lDU)|
`
`DIAL
`
`v’tb
`STb(Rb*X*V*|DU)=sb
`
`MANAG CENT
`
`I= Sb
`.ISTb(TSb:*Sb)
`LSA(nTb*IDTb)
`
`Page 12 0f 33
`
`Page 12 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 12 of 16
`
`5,396,558
`
`
`
`L <=.,E.G_E"
`
`“1.11.1.3”
`
`.. l l I | l IIL
`
`3?: as 2
`
`2 .QE
`
`
`
`
`
`17am @0521 55mm
`
`
`
`.- ?zzfaim255
`
`
`wmvmw “ ?zz? Dev/5r
`“I 1 I ..
`_ m a a _ r - I 121%.?
`
`
`
`‘203% 5%..
`
`
`22mg $5..
`E52 2 55..
`
`‘ .Emiaz @zFEm
`
`
`b9
`
`~mz
`
`Ea ow‘...
`
`v6
`
`2.25.02!
`Fill...
`.lltlJ _
`
`Page 13 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 13 of 16
`
`5,396,558
`
`FIG. 14
`
`IC CARD/6
`F'WsTnT'E-'6M*
`
`IC CARD TERM;
`2141-1511511]
`
`: SQELDUSSNNS»: mu, SA(Ns),SA(lDU*SA(Ns)) “““ "
`s
`“"1
`‘- ————— ———’
`N5
`ENTER PASSWORD"
`
`.-----.
`L35”!
`
`Nc
`‘
`
`OK
`
`»
`START SERVICE
`END SERVICE
`2M5"{IDU,D,V
`IDU1, D12,V12
`|DU2,Dz2,V22
`
`}
`
`4 n/Fl 5613/51 (D513?
`:IDUZ,V11(D11) |
`| IDU3,V21(D21) :
`I
`I
`L__;__.__J
`|
`MANAG CENT
`
`I
`
`Page 14 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`5,396,558
`
`
`
`s.EmzazozEmmAllmal
`
` mm.80353%AAIIIIIwIIFIIIImvs
`w.j‘.
`
`
`
`
`
`325%E5».11...!!!
`
`=§§ze3%.,If:258a
`
`‘llllllllllll'lllllll
`
`
`
`0mmomogmmé53mm
`
`‘llllllllllllllllll
`
`£138.2;
`
`aziézmiaz
`
`___
`
`.ul
`
`
`
`N2%:as.o.m..2...
`
`‘llllullllll'lllllllllll'lllllll
`AGE/ageV<mxmzv<mje
`szzméezm._m2.
`
`Page 15 0f 33
`
`Page 15 of 33
`
`
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 15 0f 16
`
`5,396,558
`
`PEN)
`
`m 25 a3 2
`
`3 .oE
`
`‘WAGE/age232222
`
`
`
`‘265mg 5%.,
`
`PlulllnlL
`‘Ill-ll
`
`.52
`
`.2 .1 v
`
`PIIIIIL
`
`FIIlI-L
`
`2%855
`#IIIJ
`
`Page 16 of 33
`
`

`

`US. Patent
`
`Mar. 7, 1995
`
`Sheet 16 of 16
`
`5,396,558
`
`IC CARD ,6
`
`FIG. 17
`
`IC CARD TERM 2
`
`/
`
`[1E1
`RENEW“:
`2M,
`LEADER“?! nU,IDU,SA(nU*lDU)’
`“ENTER PASSWORD"
`6M
`NC,
`Ir---'---—-|
`;——_"' F“"""""'-I
`L__r‘_l_c__ll
`_ R’ NC
`L-_R---:
`[15:]
`X,nU,SU(R*X*NC)_
`
`l-"—"'"'“l
`I
`M |
`
`|__.__...J
`
`M
`
`4
`
`SU(M*|DU)
`
`START SERVICE
`END SERVICE
`
`,_ _ _ _ _ .._.L_,
`
`2M5
`-_ : ‘DU’ nu’ M
`i
`l SU(M*IDU) '
`
`L_ _ _ _ _ _ _-J
`
`IDU,M
`
`v
`4"“ FIDUL M1 ‘5
`l IDUZ, M2 I
`.l
`I
`l
`l
`'
`I
`L__.__'___._..|
`MANAG CENT
`
`Page 17 of 33
`
`

`

`1
`
`5,396,558
`
`METHOD AND APPARATUS FOR SETTLEMENT
`OF ACCOUNTS BY IC CARDS
`
`5
`
`15
`
`25
`
`BACKGROUND OF THE INVENTION
`The present invention relates to a method and appara
`tus for settlement of accounts by IC cards which are
`used as prepaid cards or credit cards.
`For instance, in an IC card which is used as a prepaid
`card, there is written the amount of money paid for its
`purchase, and before or after receiving a service the
`card user inserts the IC card into an IC card terminal,
`wherein the remaining value after subtracting the
`charge for the service from the initial value is transmit
`ted to and written into the IC card.
`In a conventional system of this kind, the IC card and
`the IC card terminal use the same cipher system and
`have the same secret key and communicate to each
`other the balance information enciphered by the com
`mon secret key. The IC card and IC card terminal are
`designed so that such a secret key cannot be found nor
`can it be altered even if the IC card terminal should be
`revealed to an outsider.
`On the other hand, in the case of an IC card for use as
`a credit card, its identi?cation number and other neces
`sary information are preregistered and the user is al
`lowed to receive his desired service when inserting the
`IC card into an IC card terminal and is charged for the
`service afterward. In a conventional IC credit card
`system, upon insertion of the IC card into the IC card
`30
`terminal, the latter is connected online to a management
`center where IC card identi?cation numbers and other
`user information are registered, then the user inputs his
`registration number and other required information by
`dialing, the thus input information is sent to the manage
`35
`ment center, wherein the user information registered in
`advance is used to verify the validity of the user. After
`the user’s validity is thus proved, the user is allowed to
`receive his or her desired service at the IC card termi
`nal.
`Such an 10 credit card system similarly adopts, with
`a view to providing increased security, a method in
`which: the IC card and the IC card terminal use the
`same cryptographic scheme and have the same secret
`key and they each authenticate the other’s validity; a
`password input into the IC terminal is checked with its
`counterpart prestored in the IC card; the IC card identi
`?cation number read out of the IC card is sent from the
`IC card terminal to the management center which has a
`data base of identi?cation numbers and other informa
`tion of IC cards; the IC card identi?cation number is
`veri?ed in the management center; the result of the
`veri?cation is transmitted to the IC card terminal; and
`when the IC card identi?cation thus checked in the
`management center is valid, the service speci?ed by the
`card user starts through the IC card terminal. In some
`cases, the IC card and the management center each
`authenticate the other’s validity directly through use of
`the same secret key.
`The conventional methods mentioned above all call
`for communication between the management center
`and the IC card terminal and online processing for veri
`?cation before or after the service is provided, and
`hence they have shortcomings that the management
`center facility is inevitably large-scale and that the
`65
`charge for the service includes communication ex
`penses. Moreover, the history of service can be stored
`in the management center or IC card but difficulty is
`
`45
`
`55
`
`20
`
`2
`encountered in proving that the stored contents are not
`false. Although it is almost impossible to falsify the
`stored contents of the IC card unless the secret key is let
`out, the secret key information in the IC card or IC card
`terminal is not perfectly protected and may in some
`cases leak out over a long time. In the case where the
`cryptographic scheme used is broken by third parties
`and many IC terminals are used by them, particularly in
`the event that IC cards and IC terminals are abused by
`unauthorized persons over a wide range, it is very dif?
`cult to change all of the secret keys at the same time-
`this poses a serious social problem as well-intentioned
`users cannot use their IC cards for a long period of time,
`for instance.
`
`SUMMARY OF THE INVENTION
`It is therefore an object of the present invention to
`provide a method and apparatus for the payment of
`charges by IC cards which eliminate the need for com
`munication between the management center and the IC
`card terminal each time the card user inserts his IC card
`into the latter to get his desired service and which per
`mit detection of abuse of a forged IC card or intention
`ally altered IC card terminal.
`In the method for the payment of charges by IC cards
`according to a ?rst aspect of the present invention, the
`respective IC card has prestored in its memory means a
`master public key nA for verifying a master digital
`signature SA, a card identi?cation number IDU for
`specifying the IC card and a ?rst master digital signa
`ture SAl for information containing at least the card
`identi?cation number IDU, and the IC card terminal
`has prestored in its terminal memory the above-men
`tioned master public key nA, a terminal identi?cation
`number IDT for specifying the IC card terminal and a
`second master digital signature SA2 for information
`including at least the above-mentioned terminal identi?
`cation number IDT. This method includes:
`a step wherein the IC card transmits at least the card
`identi?cation number IDU and the ?rst master
`digital signature SAl to the IC card terminal;
`a step wherein the IC card terminal verti?es the va
`lidity of the ?rst master digital signature SAl
`through use of the master public key nA and the
`card identi?cation number IDU received from the
`IC card;
`a step wherein when the ?rst master digital signature
`SAl is valid, the IC card terminal transmits at least
`the terminal identi?cation number IDT and the
`second master digital signature SA2 to the IC card;
`a step wherein the IC card veri?es the validity of the
`second master digital signature SA2 through use of
`the master public key nA and the terminal identi?
`cation number IDT received from the IC card
`terminal; and
`a step wherein when the second master digital signa
`ture SA2 is valid, the IC card terminal generates a
`value V corresponding to the charge for a service
`speci?ed by the IC card after the service is pro
`vided.
`In the method for the payment of charges by IC cards
`according to a second aspect of the present invention,
`the respective IC card has card information memory
`means wherein there are written, as card information,
`from a management center a card identi?cation number
`IDU, a predetermined password setting number Ns, a
`second master digital signature SA2 for the password
`
`Page 18 of 33
`
`

`

`5,396,558
`4
`3
`card terminal, terminal secret keys pT and qT for
`setting number Ns, a ?rst master digital signature SA1
`creating a terminal digital signature, a terminal
`for information containing the card identi?cation num
`public key nT for verifying the terminal digital
`ber IDU and the second master digital signature SA2
`signature and a second master digital signature SA2
`and an IC card terminal has terminal information mem
`for information including the terminal identi?ca
`ory means wherein there are written, as terminal infor
`tion number IDT and the terminal public key nT,
`mation, from the management center a master public
`the second master digital signature SA2 being cre
`key nA for verifying the master digital signatures, ter
`ated using the master secret keys pA and qA;
`minal secret keys pT and qT for creating a terminal
`means for transmitting the terminal public key nT,
`digital signature and a terminal public key nT for verify
`the terminal identi?cation number IDT and the
`ing the terminal digital signature. This method includes:
`second master digital signature SA2 to an IC card;
`a step wherein the IC card transmits the card identi?
`means which receives a card identi?cation number
`cation number IDU and the ?rst and second master
`IDU, a card public key nU and a ?rst master digital
`digital signatures SA1 and SA2 to the IC card
`signature SA1 from the IC card, veri?es the ?rst
`terminal;
`master digital signature through use of the master
`a step wherein the IC card terminal veri?es the valid
`public key recorded in the memory means and, if it
`ity of the ?rst master digital signature SA1 and, if it
`is valid, enables the IC card terminal for providing
`is valid, prompts the card user to input a password
`Nc’ and transmits it to the IC card after it is input;
`a service; and
`means which updates remaining value through use of
`a step wherein the IC card compares the password
`the charge for the service rendered and transmits .
`Nc’ received from the IC card terminal with the
`to the IC card usage information including the
`password Nc stored in the card information mem
`updated remaining value.
`ory and, if they match, transmits an authentication
`A digital signature scheme capable of proving that a
`signal to the IC card terminal; and
`person who transmitted digital information acknowl
`step wherein upon receiving the authentication
`edged it, just like he puts his seal to a document, is
`signal, the IC card terminal becomes enabled for
`25
`already established as disclosed in, for example,
`providing a service, and after the service, the IC
`“ESIGN: An Ef?cient Digital Signature Scheme,”
`card terminal records information including a
`NTT R & D Vol. 40, No. 5, 1991, pp687-686, or U.S.
`value V corresponding to the charge for the ser
`Pat. No. 4,625,076. According to the digital signature
`vice rendered and the card identi?cation number
`scheme, a document M and a secret key Q are used and
`IDU received from the IC card, as usage/manage
`a digital signature S(M) is created using a signature
`ment information, in usage/management informa
`creating function, then the signature S(M) and the docu
`tion memory means.
`ment M are transmitted to the other party. The other
`According to a third aspect of the present invention,
`party performs a computation by substituting the re
`the IC card includes:
`ceived document M and signature S(M) and a public
`card information memory means for recording a mas
`key U into a signature verifying function. If the com
`ter public key nA for verifying a master digital
`puted result satis?es predetermined conditions, then it is
`signature SA created using master secret keys pA
`veri?ed that the digital signature S(M) was attached to
`and qA, a card identi?cation number IDU for spec
`the document M by a person having the secret key Q,
`ifying or identifying the IC card, card secret keys
`and he cannot deny the fact. In this instance, the Q and
`pU and qU for creating a digital signature, a card
`U are different prime numbers of extremely large values
`public key nU for verifying the digital signature,
`(that is, Q¢U), and this scheme features a mathematical
`and a ?rst master digital signature SA1 for informa
`property that the value Q cannot be computed even if
`tion containing the card identi?cation number IDU
`the value of U is known. Furthermore, even if slightly
`and the card public key nU, the ?rst master digital
`altered, the document can be proved invalid. It is set
`signature SA1 being created using the master se
`forth in the above-noted literature that these digital
`cret keys pA and qA;
`signature functions could be executed within a practical
`means for transmitting the card identi?cation number
`IDU, the card public key nU and the ?rst master
`processing time on the scale of a program mountable on
`IC cards, through utilization of an algorithm called
`digital signature SA1 to the IC card terminal;
`ESIGN.
`means which receives a terminal identi?cation num
`Other digital signature schemes applicable to the
`ber IDT, a terminal public key nT and a second
`present invention are an ElGamal scheme (T. E. ElGa
`master digital signature SA2 from the IC card ter
`mal: A public key cryptosystem and a signature scheme
`minal, veri?es the second master digital signal SA2
`based on discrete algorithm, Proc. of Crypto ’84, 1984),
`through use of the master public key nA recorded
`a DSA (Digital Signature Algorithm, made public by
`in the card information memory means and, if it is
`the National Institute of Standards and Technology of
`valid, transmits to the IC card terminal an authenti
`the US. Department of Commerce) scheme, and a
`cation signal which enables it for providing a ser
`Micali-Shamir scheme (S. Micali and A. Shamir: An
`vice; and
`improvement of the Fiat-Shamir identi?cation and sig
`usage information memory means for recording
`nature scheme, Proc. of Crypto ’88, pp 244-247, 1988),
`usage information including the remaining value V’
`updated by subtracting the charge for the service
`for instance.
`rendered.
`According to a fourth aspect of the present invention,
`the IC card terminal includes:
`memory means for recording a master public key nA
`65
`for verifying a master digital signature SA created
`using master secret keys pA and qA, a terminal
`identi?cation number IDT for identifying the IC
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`FIG. 1 is a block diagram illustrating the system
`con?guration of an embodiment of the present inven
`tion;
`FIG. 2 is a block diagram showing an example of the
`con?guration of an IC card terminal;
`
`50
`
`55
`
`15
`
`35
`
`45
`
`Page 19 of 33
`
`

`

`5,396,558
`5
`FIG. 3 is a block diagram showing an example of the
`con?guration of an IC card;
`FIG. 4A is a diagram showing processing of a man
`agement center for setting the IC card terminal;
`FIG. 4B is a diagram showing processing of an IC
`card dispenser when dispensing the IC card;
`FIG. 4C is a diagram showing procedures between
`the IC card and the IC card dispenser for dispensing
`and recharging the latter;
`FIG. 5 is a diagram showing procedures between the
`IC card and the IC card terminal;
`FIG. 5A is a functional block diagram of the IC card
`in the embodiment of FIG. 5;
`FIG. 5B is a functional block diagram of the IC card
`terminal in the embodiment of FIGS. 5;
`FIG. 6 is a diagram showing another example of the
`procedure between the IC card and the IC card termi
`nal;
`FIG. 7 is a diagram showing, by _way of example,
`procedures between the IC card, the IC card terminal
`and the management center at the time of writing
`amount-of-money information into the IC card;
`FIG. 8 is a block diagram showing the distribution of
`encrypting keys for cipher communication between the
`IC card, the IC card terminal, the IC card dispenser and
`the management center;
`FIG. 9 is a diagram showing the payment of charges
`by the IC card according to another embodiment of the
`present invention;
`FIG. 10 is a diagram illustrating a modi?ed form of
`the FIG. 5 embodiment which utilizes a time stamp;
`FIG. 11 is a diagram showing a time stamp updating
`algorithm;
`FIG. 12 is a diagram illustrating a modi?cation of the
`FIG. 10 embodiment which employs random numbers;
`FIG. 13 is a diagram showing procedures for register
`ing a password in an IC card applied to a credit card, by
`use of the IC card terminal;
`FIG. 14 is a diagram showing procedures for receiv
`ing a service by use of the IC card with the password
`registered therein by the process depicted in FIG. 13;
`FIG. 15 is a diagram showing another example of the
`password registration procedure;
`FIG. 16 is a diagram showing procedures for receiv
`ing a service by use of an IC card with the password
`registered therein by the process depicted in FIG. 15;
`and
`FIG. 17 is a diagram illustrating another embodiment
`of procedures for receiving a service by use of an IC
`card applied to a credit card.
`
`40
`
`45
`
`55
`
`DESCRIPTION OF THE PREFERRED
`EMBODIMENTS
`In FIG. 1 there is illustrated in block form an example
`of the con?guration of a card system for making the
`payment of charges through use of an IC card accord
`ing to the present invention. IC card terminals 2a, 2b, .
`. . perform processing for the payment of charges for
`services rendered to an IC card 6. For example, when
`the IC card 6 is a prepaid telephone card, the IC card
`60
`terminals 20, 2b, . . . provide service by telephone. The
`IC card terminals 2a, 2b, . . . , when installed, are each
`connected via a communication network 3 to a manage
`ment center which sets and holds security information
`under its control. In the following description the IC
`65
`card terminals will be indicated generally by a numeral
`2 except when a particular one of them is intended. The
`IC card 6 has initial data written by the IC card dis
`
`5
`
`15
`
`25
`
`35
`
`6
`penser 5 when it is issued, and security information
`necessary for the IC card 6 is provided from the man
`agement center 4. Incidentally, in the case where some
`functions of the management center 4 are mounted on a
`portable telephone terminal or the like so that they are
`brought to the place where the IC card terminal 2 is
`located, the IC card terminal 2 need not always be
`connected via the communication network 3 to the
`management center 4 when it is installed.
`FIG. 2 illustrates an example of the internal con?gu
`ration of the IC card terminal 2 and FIG. 3 an example
`of the internal con?guration of the IC card 6. The IC
`card terminal 2 comprises an IC card reader/writer 11
`which reads and writes the IC card 6 inserted thereinto,
`function buttons 12 as of a keyboard, a display 13, a
`telephone controller 14, a network interface 15 for pro
`cessing communication via the communication network
`3, a handset 16 and a speech circuit
`In the IC card 6 there are stored in a ROM 61 pro
`grams for IC card procedures, digital signature creating
`and verifying algorithms and so forth, and a CPU 63
`controls the entire processing of the IC card while uti
`lizing a RAM 62 as a work area and communicates with
`the IC card reader/writer 11 of the IC card terminal 2
`via an I/O interface 65 and contacts 66.
`FIG. 4A shows the process that is performed when
`the IC card terminal 2 is installed. The IC card terminal
`2 receives from the management center 4 such pieces of
`terminal information as listed below when it is installed.
`(1) Master public key nA for verifying a master digi
`tal signature of the management center
`(2) Terminal secret keys pT and qT for the IC card
`terminal 2 to create a digital signature;
`(3) Terminal public key nT for verifying the digital
`signature of the 10 card terminal 2;
`(4) Terminal identi?cation number IDT for identify
`ing the IC card terminal 2; and
`(5) Master digital signature SA(nT:*IDT) by the
`management center for the terminal public key nT
`and the terminal identi?cation number IDT, where
`the symbol “*” represents concatenation~for ex
`ample, 001*O101=00l0101.
`After receiving these pieces of information, the IC
`card terminal 2 veri?es the validity of the master digital
`signature SA(nT*IDT) through use of the terminal
`public key nT, the terminal identi?cation number IDT
`and the master public key nA, and if the master digital
`signature SA(nT*IDT) is valid, then the IC card termi
`nal 2 records these pieces of information in a terminal
`information area 2M1 of a memory in the telephone
`controller 14. No description will be given of the
`method for verifying the digital signature, because it is
`disclosed in the afore-noted various digital signature
`schemes. As described previously, the veri?cation of
`the digital signature S(M) generally calls for an un
`signed full document M and a public key for veri?cation
`use, but in the following description there are cases
`where a simpli?ed description, “the digital signature is
`veri?ed using the public key” or “digital signature is
`veri?ed” is used.
`Incidentally, the management center 4 has set therein
`its master secret keys pA and 'qA and has functions of
`creating a different terminal identi?cation number IDT
`for each IC card terminal 2 and the terminal public key
`nT and the terminal secret keys pT and qT correspond
`ing to the terminal identi?cation number IDT.
`It is preferable that the terminal secret keys pT and
`qT be recorded in the terminal information area 2M1 in
`
`Page 20 of 33
`
`

`

`7
`the IC card terminal 2 which is not easily accessible
`from the outside, for example, in a RAM of a one-chip
`CPU or battery backup RAM of a construction wherein
`the power supply from the battery is cut off when the
`IC card terminal 2 is abused.
`In FIG. 4B there is shown the process that is per-
`formed by the IC card dispenser 5 when it issues the IC
`card 6. The IC card 6 receives from the IC card dis-
`
`penser 5 such pieces of card information listed below
`that need to be held in the IC card 6. These pieces of
`information are provided in advance from the manage-
`ment center 4 to the IC card dispenser 5.
`(1) Master public key nA for verifying the master
`digital signature of the management center 4;
`(2) Card secret keys pU and qU for the IC card 6 to
`create it digital signature;
`(3) Card public key nU for verifying the digital signa-
`ture of the IC card 6;
`(4) Card identification number IDU for identifying
`the IC card 6;
`(5) Master digital signature SA(nU*IDU) of the man-
`agement center 4 for the card public key nU and
`the card identification number IDU.
`
`After receiving these pieces of card information, the
`IC card 6 verifies the validity of the master digital signa-
`ture SA(nU*IDU) through use of the master public key
`nA and, if it is valid, the IC card 6 records these pieces
`of card information in a predetermined area (hereinafter
`referred to as a card information area) 6M1 in an EE-
`PROM 64. Since the EEPROM 64 in the IC card 6
`usually is not directly accessible from the outside, these
`pieces of card information cannot be read out to the
`outside of the IC card unless a predetermined procedure
`is executed. In particular, the card secret keys pU and
`qU need not be read out to the outside of the IC card 6
`after once recorded therein, and hence they may prefer-
`ably be held unreadable. In the process shown in FIG.
`4B an amount of money is not yet written into the IC
`card 6.
`
`The management center 4 has functions of creating a
`different card identification number IDU for each IC
`card and the card public key nU and the card secret
`keys pU and qU corresponding to the IC card identifi-
`cation number IDU.
`
`FIG. 4C shows processing for writing into the IC
`card 6 the amount of money prepaid therefor when it is
`a prepaid card. The procedure shown in FIG. 4C is
`used for initial issuing of the IC card 6 and recharging
`an amount of money into the IC card 6 when no money
`is left over.
`
`The IC card 6 transmits to the IC card dispenser 5 the
`public key nU, the identification number IDU and the
`master digital signature SA(nU*IDU) which it read out
`of the card information area 6M1. The IC card dispenser
`5 verifies the master digital signature SA(nU*IDU) by
`use of the master public key nA preset therein and, if
`valid, recognizes that the IC card is valid. In this in-
`stance, the IC card dispenser 5 transmits to the IC card
`6 a master digital signature SA(V*IDU) for a prepaid
`amount of money V (i.e. an initial value of the remain-
`der) and the card identification number IDU and the
`amount of money V, provided from the management
`center 4, and an IC card dispenser identification number
`IDC preset in the IC card dispenser 5. The IC card 6
`verifies the master digital signature SA(V*IDU) by use
`of the master public key nA and, if valid, records these
`pieces of information in a usage information area 6M2 of
`the EEPROM 64 in the IC card 6.
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`45
`
`50
`
`55
`
`65
`
`Page 21 0f 33
`
`5,396,558
`
`8
`It is also possible to employ a system configuration in
`