Europäisches Patentamt
European Patent Office
Office européen des brevets

Publication number: 0 588 339 A2

EUROPEAN PATENT APPLICATION

Application number: 93114917.3
Int. Cl.5: G07F 7/10, G06F 15/30
Date of filing: 16.09.93
Priority: 18.09.92 JP 249293/92, 18.09.92 JP 249294/92, 18.11.92 JP 308688/92, 26.11.92 JP 317254/92, 26.11.92 JP 317255/92
Date of publication of application: 23.03.94 Bulletin 94/12
Designated Contracting States: DE FR GB
Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION, 1-6 Uchisaiwai-cho 1-chome, Chiyoda-ku, Tokyo (JP)
Inventor: Ishiguro, Ginya, Gurin Haitsu 12-2-403, 580, Nagasawa, Yokosuka-shi, Kanagawa (JP)
Inventor: Muta, Toshiyasu, 1927, Nagasawa, Yokosuka-shi, Kanagawa (JP)
Inventor: Sakita, Kazutaka, 2-14-1-613, Kaneya, Yokosuka-shi, Kanagawa (JP)
Inventor: Miyaguchi, Shoji, 5-20-19, Bessho, Minami-ku, Yokohama-shi, Kanagawa (JP)
Inventor: Okamoto, Tatsuaki, 94-2-5-503, Nagasawa, Yokosuka-shi, Kanagawa (JP)
Inventor: Fujioka, Atsushi, B-305, 9-2-12, Sugita, Isogo-ku, Yokohama-shi, Kanagawa (JP)
Representative: Hoffmann, Eckart, Patentanwalt, Blumbach & Partner, Bahnhofstrasse 103, D-82166 Gräfelfing (DE)

Method and apparatus for settlement of accounts by IC cards.

An IC card (6) has a card information memory area wherein there are written a master public key nA, card secret keys pU and qU, a card public key nU, a card identification number IDU, and a first master digital signature SA1 for information including the card identification number. An IC card terminal (2a, 2b) has a terminal information memory area wherein there are written a master public key nA, terminal secret keys pT and qT, a terminal public key nT, a terminal identification number IDT, and a second master digital signature SA2 for information including the terminal identification number IDT. When inserted into the IC card terminal, the IC card sends thereto the data nU, IDU, and SA1. The IC card terminal verifies the digital signature SA1 by the master public key nA and, if it is valid, transmits the data nT, IDT and SA2 to the IC card. The IC card verifies the digital signature SA2 by the master public key nA and, if it is valid, transmits information corresponding to the current remainder value V to the IC card terminal. The IC card terminal makes a check to see if the received information corresponding to the remainder value V is appropriate, and if so, becomes enabled for providing a service.

UNITED SERVICES AUTOMOBILE ASSOCIATION
Exhibit 1004
Page 1 of 41

BACKGROUND OF THE INVENTION

The present invention relates to a method and apparatus for settlement of accounts by IC cards which are used as prepaid cards or credit cards. For instance, in an IC card which is used as a prepaid card, there is written the amount of money paid for its purchase, and before or after receiving a service the card user inserts the IC card into an IC card terminal, wherein the remaining value after subtracting the charge for the service from the initial value is transmitted to and written into the IC card.
In a conventional system of this kind, the IC card and the IC card terminal use the same cipher system and have the same secret key and communicate to each other the balance information enciphered by the common secret key. IC card and IC card terminal are designed so that such a secret key cannot be found nor can it be altered even if IC card terminal should be revealed to an outsider.
On the other hand, in the case of an IC card for use as a credit card, its identification number and other necessary information are preregistered and the user is allowed to receive his desired service when inserting the IC card into an IC card terminal and is charged for the service afterward. In a conventional IC credit card system, upon insertion of the IC card into the IC card terminal, the latter is connected online to a management center where IC card identification numbers and other user information are registered, then the user inputs his registration number and other required information by dialing, the thus input information is sent to the management center, wherein the user information registered in advance is used to verify the validity of the user. After the user's validity is thus proved, the user is allowed to receive his or her desired service at the IC card terminal.
Such an IC credit card system similarly adopts, with a view to providing increased security, a method in which: the IC card and the IC card terminal use the same cryptographic scheme and have the same secret key and they each authenticate the other's validity; a password input into the IC terminal is checked with its counterpart prestored in the IC card; the IC card identification number read out of the IC card is sent from the IC card terminal to the management center which has a data base of identification numbers and other information of IC cards; the IC card identification number is verified in the management center; the result of the verification is transmitted to the IC card terminal; and when the IC card identification thus checked in the management center is valid, the service specified by the card user starts through the IC card terminal. In some cases, the IC card and the management center each authenticate the other's validity directly through use of the same secret key.
The conventional methods mentioned above all call for communication between the management center and the IC card terminal and online processing for verification before or after the service is provided, and hence they have shortcomings that the management center facility is inevitably large-scale and that the charge for the service includes communication expenses. Moreover, the history of service can be stored in the management center or IC card but difficulty is encountered in proving that the stored contents are not false. Although it is almost impossible to falsify the stored contents of the IC card unless the secret key is let out, the secret key information in the IC card or IC card terminal is not perfectly protected and may in some cases leak out in a long time. In the case where the cryptographic scheme used is broken by third parties and many IC terminals are used by them, particularly in the event that IC cards and IC terminals are abused by unauthorized persons over a wide range, it is very difficult to change all of the secret keys at the same time--this poses a serious social problem as well-intentioned users cannot use their IC cards for a long period of time, for instance.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a method and apparatus for the payment of charges by IC cards which eliminate the need for communication between the management center and the IC card terminal each time the card user inserts his IC card into the latter to receive his desired service and which permit detection of abuse of a forged IC card or intentionally altered IC card terminal.
In the method for the payment of charges by IC cards according to a first aspect of the present invention, the respective IC card has prestored in its memory means a master public key nA for verifying a master digital signature SA, a card identification number IDU for specifying the IC card and a first master digital signature SA1 for information containing at least the card identification number IDU, and the IC card terminal has prestored in its terminal memory the above-mentioned master public key nA, a terminal identification number IDT for specifying the IC card terminal and a second master digital signature SA2 for information including at least the above-mentioned terminal identification number IDT. This method includes:
a step wherein the IC card transmits at least the card identification number IDU and the first master digital signature SA1 to the IC card terminal;
a step wherein the IC card terminal verifies the validity of the first master digital signature SA1 through use of the master public key nA and the card identification number IDU received from the IC card;
a step wherein when the first master digital signature SA1 is valid, the IC card terminal transmits at least the terminal identification number IDT and the second master digital signature SA2 to the IC card;
a step wherein the IC card verifies the validity of the second master digital signature SA2 through use of the master public key nA and the terminal identification number IDT received from the IC card terminal; and
a step wherein when the second master digital signature SA2 is valid, the IC card terminal generates a value V corresponding to the charge for a service specified by the IC card after the service is provided.
In the method for the payment of charges by IC cards according to a second aspect of the present invention, the respective IC card has card information memory means wherein there are written, as card information, from a management center a card identification number IDU, a predetermined password setting number Ns, a second master digital signature SA2 for the password setting number Ns, a first master digital signature SA1 for information containing the card identification number IDU and the second master digital signature SA2 and an IC card terminal has terminal information memory means wherein there are written, as terminal information, from the management center a master public key nA for verifying the master digital signatures, terminal secret keys pT and qT for creating a terminal digital signature and a terminal public key nT for verifying the terminal digital signature. This method includes:
a step wherein the IC card transmits the card identification number IDU and the first and second master digital signatures SA1 and SA2 to the IC card terminal;
a step wherein the IC card terminal verifies the validity of the first master digital signature SA1 and, if it is valid, prompts the card user to input a password Nc' and transmits it to the IC card after it is input;
a step wherein the IC card matches the password Nc' received from the IC card terminal with the password Nc stored in the card information memory and, if they match, transmits an authentication signal to the IC card terminal; and
a step wherein upon receiving the authentication signal, the IC card terminal becomes enabled for providing a service, and after the service, the IC card terminal records information including a value V corresponding to the charge for the service rendered and the card identification number IDU received from the IC card, as usage/management information, in usage/management information memory means.
According to a third aspect of the present invention, the IC card includes:
card information memory means for recording a master public key nA for verifying a master digital signature SA created using master secret keys pA and qA, a card identification number IDU for specifying or identifying the IC card, card secret keys pU and qU for creating a digital signature, a card public key nU for verifying the digital signature, and a first master digital signature SA1 for information containing the card identification number IDU and the card public key nU, the first master digital signature SA1 being created using the master secret keys pA and qA;
means for transmitting the card identification number IDU, the card public key nU and the first master digital signature SA1 to the IC card terminal;
means which receives a terminal identification number IDT, a terminal public key nT and a second master digital signature SA2 from the IC card terminal, verifies the second master digital signature SA2 through use of the master public key nA recorded in the card information memory means and, if it is valid, transmits to the IC card terminal an authentication signal which enables it for providing a service; and
usage information memory means for recording usage information including the remaining value V' updated by subtracting the charge for the service rendered.
According to a fourth aspect of the present invention, the IC card terminal includes:
memory means for recording a master public key nA for verifying a master digital signature SA created using master secret keys pA and qA, a terminal identification number IDT for identifying the IC card terminal, terminal secret keys pT and qT for creating a terminal digital signature, a terminal public key nT for verifying the terminal digital signature and a second master digital signature SA2 for information including the terminal identification number IDT and the terminal public key nT, the second master digital signature SA2 being created using the master secret keys pA and qA;
means for transmitting the terminal public key nT, the terminal identification number IDT and the second master digital signature SA2 to an IC card;
means which receives a card identification number IDU, a card public key nU and a first master digital signature SA1 from the IC card, verifies the first master digital signature through use of the master public key recorded in the memory means and, if it is valid, enables the IC card terminal for providing a service; and
means which updates remaining value through use of the charge for the service rendered and transmits to the IC card usage information including the updated remaining value.
A digital signature scheme capable of proving that a person who transmitted digital information acknowledged it, just like he puts his seal to a document, is already established as disclosed in, for example, "ESIGN: An Efficient Digital Signature Scheme," NTT R & D Vol. 40, No. 5, 1991, pp687-686, or U.S. Patent No. 4,625,076. According to the digital signature scheme, a document M and a secret key Q are used and a digital signature S(M) is created using a signature creating function, then the signature S(M) and the document M are transmitted to the other party. The other party performs a computation by substituting the received document M and signature S(M) and a public key U into a signature verifying function. If the computed result satisfies predetermined conditions, then it is verified that the digital signature S(M) was attached to the document M by a person having the secret key Q, and he cannot deny the fact. In this instance, the Q and U are different prime numbers of extremely large values (that is, Q ≠ U), and this scheme features a mathematical property that the value Q cannot be computed even if the value of U is known. Furthermore, even if slightly altered, the document can be proved invalid. It is set forth in the above-noted literature that these digital signature functions could be executed within a practical processing time on the scale of a program mountable on IC cards, through utilization of an algorithm called ESIGN.
Other digital signature schemes applicable to the present invention are an ElGamal scheme (T. E. ElGamal: A public key cryptosystem and a signature scheme based on discrete logarithms, Proc. of Crypto'84, 1984), a DSA (Digital Signature Algorithm, made public by the National Institute of Standards and Technology of the U.S. Department of Commerce) scheme, and a Micali-Shamir scheme (S. Micali and A. Shamir: An improvement of the Fiat-Shamir identification and signature scheme, Proc. of Crypto '88, pp244-247, 1988), for instance.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a block diagram illustrating the system configuration of an embodiment of the present invention;
Fig. 2 is a block diagram showing an example of the configuration of an IC card terminal;
Fig. 3 is a block diagram showing an example of the configuration of an IC card;
Fig. 4A is a diagram showing processing of a management center for setting the IC card terminal;
Fig. 4B is a diagram showing processing of an IC card dispenser when dispensing the IC card;
Fig. 4C is a diagram showing procedures between the IC card and the IC card dispenser for dispensing and recharging the latter;
Fig. 5 is a diagram showing procedures between the IC card and the IC card terminal;
Fig. 5A is a functional block diagram of the IC card in the embodiment of Fig. 5;
Fig. 5B is a functional block diagram of the IC card terminal in the embodiment of Fig. 5;
Fig. 6 is a diagram showing another example of the procedure between the IC card and the IC card terminal;
Fig. 7 is a diagram showing, by way of example, procedures between the IC card, the IC card terminal and the management center at the time of writing amount-of-money information into the IC card;
Fig. 8 is a block diagram showing the distribution of encrypting keys for cipher communication between the IC card, the IC card terminal, the IC card dispenser and the management center;
Fig. 9 is a diagram showing the payment of charges by the IC card according to another embodiment of the present invention;
Fig. 10 is a diagram illustrating a modified form of the Fig. 5 embodiment which utilizes a time stamp;
Fig. 11 is a diagram showing a time stamp updating algorithm;
Fig. 12 is a diagram illustrating a modification of the Fig. 10 embodiment which employs random numbers;
Fig. 13 is a diagram showing procedures for registering a password in an IC card applied to a credit card, by use of the IC card terminal;
Fig. 14 is a diagram showing procedures for receiving a service by use of the IC card with the password registered therein by the process depicted in Fig. 13;
Fig. 15 is a diagram showing another example of the password registration procedure;
Fig. 16 is a diagram showing procedures for receiving a service by use of an IC card with the password registered therein by the process depicted in Fig. 15; and
Fig. 17 is a diagram illustrating another embodiment of procedures for receiving a service by use of an IC card applied to a credit card.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

In Fig. 1 there is illustrated in block form an example of the configuration of a card system for making the payment of charges through use of an IC card according to the present invention. IC card terminals 2a, 2b, ... perform processing for the payment of charges for services rendered to an IC card 6. For example, when the IC card 6 is a prepaid telephone card, the IC card terminals 2a, 2b, ... provide service by telephone. The IC card terminals 2a, 2b, ..., when installed, are each connected via a communication network 3 to a management center 4 which sets and holds security information under its control. In the following description the IC card terminals will be indicated generally by a numeral 2 except when a particular one of them is intended. The IC card 6 has initial data written by the IC card dispenser 5 when it is issued, and security information necessary for the IC card 6 is provided from the management center 4. Incidentally, in the case where some functions of the management center 4 are mounted on a portable telephone terminal or the like so that they are brought to the place where the IC card terminal 2 is located, the IC card terminal 2 need not always be connected via the communication network 3 to the management center 4 when it is installed.
Fig. 2 illustrates an example of the internal configuration of the IC card terminal 2 and Fig. 3 an example of the internal configuration of the IC card 6. The IC card terminal 2 comprises an IC card reader/writer 11 which reads and writes the IC card 6 inserted thereinto, function buttons 12 as of a keyboard, a display 13, a telephone controller 14, a network interface 15 for processing communication via the communication network 3, a handset 16 and a speech circuit 17.
In the IC card 6 there are stored in a ROM 61 programs for IC card procedures, digital signature creating and verifying algorithms and so forth, and a CPU 63 controls the entire processing of the IC card while utilizing a RAM 62 as a work area and communicates with the IC card reader/writer 11 of the IC card terminal 2 via an I/O interface 65 and contacts 66.
Fig. 4A shows the process that is performed when the IC card terminal 2 is installed. The IC card terminal 2 receives from the management center 4 such pieces of terminal information as listed below when it is installed.
(1) Master public key nA for verifying a master digital signature of the management center 4;
(2) Terminal secret keys pT and qT for the IC card terminal 2 to create a digital signature;
(3) Terminal public key nT for verifying the digital signature of the IC card terminal 2;
(4) Terminal identification number IDT for identifying the IC card terminal 2; and
(5) Master digital signature SA(nT*IDT) by the management center for the terminal public key nT and the terminal identification number IDT, where the symbol "*" represents concatenation--for example, 001*0101 = 0010101.
After receiving these pieces of information, the IC card terminal 2 verifies the validity of the master digital signature SA(nT*IDT) through use of the terminal public key nT, the terminal identification number IDT and the master public key nA, and if the master digital signature SA(nT*IDT) is valid, then the IC card terminal 2 records these pieces of information in a terminal information area 2M1 of a memory in the telephone controller 14. No description will be given of the method for verifying the digital signature, because it is disclosed in the afore-noted various digital signature schemes. As described previously, the verification of the digital signature S(M) generally calls for an unsigned full document M and a public key for verification use, but in the following description there are cases where a simplified description, "the digital signature is verified using the public key" or "digital signature is verified" is used.
Incidentally, the management center 4 has set therein its master secret keys pA and qA and has functions of creating a different terminal identification number IDT for each IC card terminal 2 and the terminal public key nT and the terminal secret keys pT and qT corresponding to the terminal identification number IDT.
It is preferable that the terminal secret keys pT and qT be recorded in the terminal information area 2M1 in the IC card terminal 2 which is not easily accessible from the outside, for example, in a RAM of a one-chip CPU or battery backup RAM of a construction wherein the power supply from the battery is cut off when the IC card terminal 2 is abused.
In Fig. 4B there is shown the process that is performed by the IC card dispenser 5 when it issues the IC card 6. The IC card 6 receives from the IC card dispenser 5 such pieces of card information listed below that need to be held in the IC card 6. These pieces of information are provided in advance from the management center 4 to the IC card dispenser 5.
(1) Master public key nA for verifying the master digital signature of the management center 4;
(2) Card secret keys pU and qU for the IC card 6 to create its digital signature;
(3) Card public key nU for verifying the digital signature of the IC card 6;
(4) Card identification number IDU for identifying the IC card 6;
(5) Master digital signature SA(nU*IDU) of the management center 4 for the card public key nU and the card identification number IDU.
After receiving these pieces of card information, the IC card 6 verifies the validity of the master digital signature SA(nU*IDU) through use of the master public key nA and, if it is valid, the IC card 6 records these pieces of card information in a predetermined area (hereinafter referred to as a card information area) 6M1 in an EEPROM 64. Since the EEPROM 64 in the IC card 6 usually is not directly accessible from the outside, these pieces of card information cannot be read out to the outside of the IC card unless a predetermined procedure is executed. In particular, the card secret keys pU and qU need not be read out to the outside of the IC card 6 after once recorded therein, and hence they may preferably be held unreadable. In the process shown in Fig. 4B an amount of money is not yet written into the IC card 6.
The management center 4 has functions of creating a different card identification number IDU for each IC card and the card public key nU and the card secret keys pU and qU corresponding to the IC card identification number IDU.
Fig. 4C shows processing for writing into the IC card 6 the amount of money prepaid therefor when it is a prepaid card. The procedure shown in Fig. 4C is used for initial issuing of the IC card 6 and recharging an amount of money into the IC card 6 when no money is left over.
The IC card 6 transmits to the IC card dispenser 5 the public key nU, the identification number IDU and the master digital signature SA(nU*IDU) which it read out of the card information area 6M1. The IC card dispenser 5 verifies the master digital signature SA(nU*IDU) by the master public key nA preset therein and, if valid, recognizes that the IC card is valid. In this instance, the IC card dispenser 5 transmits to the IC card 6 a master digital signature SA(V*IDU) for a prepaid amount of money V (i.e. an initial value of the remainder) and the card identification number IDU and the amount of money V, provided from the management center 4, and an IC card dispenser identification number IDG preset in the IC card dispenser 5. The IC card 6 verifies the master digital signature SA(V*IDU) by the master public key nA and, if valid, records these pieces of information in a usage information area 6M2 of the EEPROM 64 in the IC card 6.
It is also possible to employ a system configuration in which, for each IC card issuing process, the IC card dispenser 5 is connected online to the management center 4 to transmit thereto the IC card identification number IDU and the value V received from the IC card 6 and the IC card dispenser 5 receives, in turn, the master digital signature SA(V*IDU) of the management center 4. Alternatively, these pieces of information may be prestored in the IC card dispenser 5.
Fig. 5 shows processing for the card user to receive a service from the IC card terminal 2 by use of the IC card 6 which is a prepaid card. Figs. 5A and 5B show functional blocks of the IC card 6 and the IC card terminal 2. In this case, however, random generating parts 6C and 2C are shown corresponding to an embodiment described later in respect of Fig. 6. In the usage information area 6M2 of the EEPROM 64 in the IC card 6 there are recorded, as card usage information, the initial value V, master digital signature SA(V*IDU) and card dispenser identification number IDG. When the user inserts the IC card 6 into the IC card reader/writer 11 of the IC card terminal 2, the card public key nU, the card identification number IDU and the master digital signature SA(nU*IDU) are sent from the IC card 6 to the IC card terminal 2.
The IC card terminal 2 verifies the master digital signature SA(nU*IDU) by the master public key nA in a verifying part 2A (Fig. 5B) and, if valid, sends via a transmitting/receiving part 2E to the IC card 6 the pieces of terminal information nT, IDT and SA(nT*IDT) read out of the terminal information area 2M1. The IC card 6 receives these pieces of terminal information via a transmitting/receiving part 6D and verifies the validity of the master digital signature SA(nT*IDT). If it is valid, then the remaining value V, the identification number IDG and the master digital signature SA(V*IDU), which are pieces of card usage information read out of the usage information area 6M2 of the memory 64 in the IC card 6, and a digital signature SU(V) of the IC card, which is generated for the value V in a digital signature creating part 6B through use of the card secret keys pU and qU, are sent to the IC terminal 2.
The IC card terminal 2 verifies the received digital signature SU(V) by the card public key nU and the value V in the verifying part 2B. If it is valid, then the IC terminal 2 further checks the master digital signature SA(V*IDU) by the pieces of information nA, V and IDU to ensure that the value V has not been falsified, after which the IC terminal 2 displays the remaining value V of the IC card 6 on a display 13. While referring to the guidance provided on the display 13, the user specifies his desired service by pressing the function buttons 12. The IC card terminal 2 reads out the charge for the thus specified service from a list prestored in a memory of the telephone controller 14 or accesses the communication network 3 and receives the necessary service charge information via the network interface 15 from the communication network 3 or a service center (not shown). The IC card terminal 2 compares the charge for the service (hereinafter referred to as a service charge) v and the remaining value V and, when the latter is larger than the former, the IC card terminal 2 begins to provide the specified service. For example, in the case of a telephone service, when the value V is 10 yen or more, the IC card terminal 2 provides a prompt on the display 13 for input of the telephone number of a subscriber to be called and originates a call as the user dials the number.
In the above, when any one of the digital signatures is found invalid through verification, the IC card terminal 2 stops processing at that point and ejects or returns the IC card 6 to the user.
After completion of the service or call, the telephone controller 14 of the IC card terminal 2 (a remaining value updating part 2D in Fig. 5B) subtracts the service charge v--prestored in the memory of the telephone controller 14 or transmitted from the communication network 3 or service center--from the remaining value V to obtain a new remaining value V', after which the telephone controller 14 creates, in its digital signature creating part 2B, a terminal digital signature ST(V'*IDU) for the value V' and the card identification number IDU through use of the terminal private keys pT and qT. Then the IC card terminal 2 sends the value V' and the digital signature ST(V'*IDU) to the IC card 6.
The IC card 6 verifies the received digital signature ST(V'*IDU) by the public key nT in the verifying part 6A and, if it is valid, records the remaining value V' and the other pieces of information nT, IDT, SA(nT*IDT) and ST(V'*IDU) received from the IC card terminal 2, as card usage information, in the usage information area 6M2 of the EEPROM 64, erasing the previous card usage information. That is, the card usage information in the usage information area 6M2 is updated as indicated by the arrow in Fig. 5.
It is also possible to employ a configuration in which in the case of upda
