Europaisches Patentamt
`European Patent Office
`Office europeen des brevets
`
`@ Publication
`
`number:
`
`0 1 94 839
`A2
`
`@
`@ Application
`@ Date of filing: 10.03.86
`
`number: 86301704.2
`
`EUROPEAN PATENT APPLICATION
`@ lnt.CI.": G 07 F 7/10
`
`08.03.85 JP 46012/85
`
`@) Priority:
`@) Date of publication
`of application:
`17.09.86 Bulletin 86/38
`@ Designated Contracting
`DE FR GB
`
`States:
`
`72, Horikawa-cho Saiwai-ku
`
`
`Kawasaki-shi Kanagawa-ken 210(JP)
`
`@ Applicant: Kabushikl Kaisha Toshiba
`@ Inventor: Kamitake, Takashl clo Patent Division
`@ Inventor: Mizutani, Hiroyukl clo Patent Division
`@ Inventor: Kawamura, Shln-ichl
`@ Representative:
`Freed, Arthur Woolf et al,
`MARKS & CLERK 57-60 Lincoln's
`Inn Fields
`London WC2A 3LSIGB)
`
`Kabushiki Kaisha Toshiba 1-1 Shlbaura 1-chome
`Minato-ku Tokyo 105(JP)
`
`Kabushlki Kalsha Toshiba 1·1 Shlbaura 1-chome
`Minato-ku Tokyo 105IJP)
`
`clo Patent Division
`Kabushiki Kaisha Toshiba 1·1 Shibaura1-c:home
`Minato-ku Tokyo 105{JP)
`
`F I G. l
`
`CUSTOMERS
`
`@ Communications network using
`IC cards.
`@ A communication network has a plurality
`
`of customer
`terminals {111 � 11nl and a single center terminal (12) which
`
`are coupled through communication lines (131 • 13nl· A large
`
`scale integrated circuit (IC card 141 • 14n; 15) is operatively
`
`coupled to each terminal. The integrated circuit device has
`
`
`enciphering and deciphering functions and has a recording
`device (33). When a transaction
`request message is sent
`from one customer terminal to the center, the transaction
`request message is enciphered by the integrated circuit
`
`device, and the enciphered message is sent to the center. In
`
`
`
`order to increase the transaction verification capability, the
`transmission message is recorded, in association with
`
`encryption of the transmission message, in an area of the
`recording device which can be accessed from outside only
`for readout. In order to further improve the transaction
`
`
`
`verification capability, the response message is enciphered
`
`
`by the integrated circuit device in the center. The enciphered
`
`response message is deciphered by the integrated circuit
`
`device in the customer terminal. The response message is
`recorded in the area of the recording device such that the
`
`encrypted message and decrypted message can be distin­
`guished from each other.
`
`Croydon Prinllng Company ltd
`
`0
`D.
`w
`
`Page 376 of 544
`
`UNITED SERVICES AUTOMOBILE ASSOCIATION
`Exhibit 1008
`
`

`
`01 94839
`
`- 1 -
`
`Communications network using IC cards
`
`The present invention relates to a communications
`network and, more particularly , to a communications
`network that enables transactions based on encrypted
`messages between terminals.
`Recently , with developments i n electronic technol -
`ogy , there have been innovations i n communications
`network systems such as home banking and home shopping ,
`and office banking systems . A vital concern regarding
`communications networ k systems for handling f i nancial
`t r ansactions i s guaranteeing secrecy and security for
`It i s necessary to increase the
`these transactions.
`verifiability of a transactor ' s identity or a message
`which is transmitted and received between transactors
`through the communications network.
`The classical types of irregularities that can
`occur in the transmission of transactions or messages
`
`are as follows:
`( 1 ) False reports: A sender reports not sending
`to the receiver a lthough a transmission was i n fact
`made , o r the sender reports sending although n o trans­
`mission was made .
`( 2 ) Forgery of documents : A receiver rewrites
`a communication message that has been recorded on the
`�eceiving side , or forges a communication message.
`These irregularities make embez z lement possible.
`
`5
`
`1 0
`
`15
`
`2 0
`
`25
`
`Page 377 of 544
`
`

`
`- 2 -
`
`01 9 48 39
`
`I n a prior art system, in order to prevent such
`irregularities , an enciphering program such as DES ( Data
`Encryption Standard) is stored in each network terminal
`to prevent the forging of communication messages. This
`
`means that a n enciphering/dec iphering circuit i s provid­
`ed i n each terminal and that a sender, using h i s own
`key, enciphers a message according to this enciphering
`program. The enciphered message is transmitted to a
`receiver terminal through a communications network . On
`
`the receiver side, the received enc iphered message i s
`deciphered in the deciphering circuit using a key word
`which i s stored i n a key memory and i s peculiar to the
`sender and then recorded . Accordingly, assuming that
`
`the key word stored i n the key memory on the receiver
`s i de h a s not been leaked to the outside, and that the
`receiver has not forged the message, there i s no one
`other than the sender who knows the key word who can
`make the enciphered message. Accordingly, the verifi­
`abi l ity of the enciphered message stored on the receiver
`side i s very high. Therefore, a digital signature can
`be made on the communication document . However , when
`the receiver changes his terminal operat ion mode from
`the decryption mode to the encryption mode, he can make
`
`an enciphered message using the sender ' s key word.
`Therefore, i n a communciation network system based on an
`
`encryption/decryption scheme, irregularities between the
`sender and the receiver cannot be perfectly prevented,
`thus f a i l i ng to guarantee the security of transactions .
`European Patent Appl ication Serial N o . 8 5 30 3817 , 2
`f iled o n May 3 0 , 1 9 8 5 ; entitled " COMMUNICATIONS NETWORK
`USING AN ENCIPHERING AND DECIPHERING DEVICE" ; and
`assigned to the same assignee as this application dis­
`closes a communication network with LSI devices, such as
`
`IC cards, for enciphering/deciphering messages using a
`plurality of key words.
`It i s a n object of the present invention to provide
`a communications network for performing commu nications
`
`5
`
`10
`
`1 5
`
`2 0
`
`2 5
`
`3 0
`
`3 5
`
`Page 378 of 544
`
`

`
`- 3 -
`
`01 9 4 8 3 9
`between terminals using enciphered messages, which
`guarantees transaction secur ity.
`It i s another object of the present invention to
`provide a communications network system for performing
`communications between terminals u s ing enciphered
`messages which enables a safe digital signature .
`In a communications network system according to the
`present invention, f irst and second communication termi­
`nals are coupled via a commu� ications network . First
`and second integrated circuit devices having a semicon­
`ductor large scale integrated circuit sealed therein are
`operatively coupled to the f i rst and second termina l s ,
`resp�ctively. The f i rst IC dev i c e has at least a func­
`tion for enciphering a_ f i rst kind of messages input from
`the f i rst terminal . The second IC device has a t least a
`function for deciphering an enciphered message input
`from the second terminal . The f i r s t k i nd of messages
`enciphered by the f i rst IC device i s sent from the f irst
`terminal to the second terminal via the communi cations
`network.
`According to the present invention, the f i rst IC
`device has recording means . Together with encryption of
`the f i rst kind of messages input from the fi rst termi­
`nal , the f i rst IC device i s arranged to automatically
`( to be sent to the
`record the f i rst ki.nd o f messag�s
`second terminal ) in an area of the recording means, the
`area being accessible from outside of the IC device only
`for readout .
`Furthermore , according to the present invention,
`
`the second IC device has a function for enciphering a
`second kind of messages ( to be sent to the f i rst
`termina l ) i nput from the second term�nal in response to
`the f i rst k i nd of message s . The f i rst IC device has a
`function for deciphering the second kind of messages
`sent from the second terminal to the f i rst terminal and
`then i nput to the IC devic e . Together with decryption
`of the enci phered message the f i rst IC device i s
`
`5
`
`10
`
`1 5
`
`20
`
`2 5
`
`30
`
`35
`
`Page 379 of 544
`
`

`
`- 4 -
`
`01 9 4 8 39
`
`arranged to automatically record the second kind of
`
`messages in the area of the recording means that is
`
`accessible from outside only for readout .
`
`I n the first IC devi c e , the first and second kinds
`
`5
`
`o f messages are recorded i n the area of the recording
`
`means i n such a way that the distinction between the
`
`f irst kind of messages to be enciphered and the second
`
`kind of messages which has been deciphered can be made .
`
`This invention can be more fully understood from
`
`10
`
`the following detailed description when taken in
`
`conj unction wi�h the accompanying drawings , in which:
`
`Fig . 1 is a schematic diagram o f a communication
`
`system to which the present invention is applied;
`
`Fig. 2 is a block diagram of terminals in Fig. 1 ;
`Fig . 3 i s a block diagram of IC cards used i n the
`system in Fig . 1 ;
`Fig . 4 is a diagram for explaining memory areas of
`a data memory in the IC card o f Fig . 3 ;
`Fig. 5 is a table for explaining access enable
`conditions o f the memory areas;
`Fig . 6 shows an access enable condition table of
`
`the data memory;
`Fig. 7 i s a format of a message applied to the IC
`
`card from the terminal;
`
`Fig . 8 is a flow chart for explaining a communica-
`
`tion transaction according to a first embodiment of the
`
`present invention ;
`Fig. 9 is a flow chart for explaining a communica­
`
`tion transaction according to a second embodiment of the
`
`present invention;
`Fig. 10 is a block diagram of a terminal suitable
`f o r detecting communications network failures;
`Figs . 11 and 12 are diagrams for explaining
`recording methods for recording a transaction requesc
`
`message which is t o b e enciphered and a response message
`
`which has been deciphered in a data memory area i n a
`
`distinguishable manner ;
`
`1 5
`
`20
`
`25
`
`30
`
`35
`
`Page 380 of 544
`
`

`
`- 5 -
`
`01 94839
`
`F i g . 13 i s a flow chart for explaining a communica­
`tion transaction according ·to another embodiment oi the
`present invention;
`Fig s . 1 4A to 14E are diagrams for explaining de-
`tecting methods of communications network failur e s ; ana
`Fig . 1 5 i s a flow chart for explaining a communica­
`tion transaction according to s t i l l another embodiment
`of the present invention.
`Fig . 1 schematically shows a communications net-
`wor k , which is used for home banking and shoppi ng , and
`office banking systems , and uses IC ( i ntegrated circui t >
`cards having an encryption/decryption function. This
`communications networ� is an n
`: 1 system. A plurality
`, . . . l l
`, 112
`of customer terminals 11 1
`n ' installed i n
`homes or office s , are connected to a s ingle center ter­
`min�l 1 2 , installed i n a bank or department store , via
`communication l i nes 131 , 132 , . . • l 3
`In this embodi­
`.
`n
`ment , a transaction request message M i s sent from
`customer terminal 1 1 to center terminal 1 2 . Terminals
`111 t o l l
`n a r e equipped with insertable IC cards 14
`1
`to 14 which are enciphering devi ces , respectively.
`n
`Central terminal 12 i s equfpped with an insertable IC
`card 15 which is a deciphering device .
`Fig . 2 shows an arrangement of a customer or center
`terminal . The terminal is basically consti tuted by
`an information processing device such as a personal
`computer . To a central proces sing unit
`C CPU ) 2 1 are
`coupled a memory 22 for storing a control program, a
`keyboard 23 as an input device , CRT display 24 and
`printer 2 5 which constitute a n output device , and f loppy
`d i s k drive 26 a s i n existing personal computer s . A card
`reader/writer 27 i s coupled to CPU 2 1 . The IC card i s
`loaded i nto reader/writer 2 7 . Reader/writer 27 suppl ies
`information from CPU 21 to card 14
`( 1 5 ) or from card 14
`{ 1 5 ) t o CPU 2 1 . CPU 21 i s coupled t o a communication
`l ine through a modem 2 8 . A random . number generator 2 9
`i s equipped i n central terminal 1 2 , which sends to CPU
`
`S
`
`1 0
`
`15
`
`20
`
`2 5
`
`3 0
`
`3 5
`
`Page 381 of 544
`
`

`
`- 6 -
`
`01 94839
`
`2 1 random data R specifying a sending time of a trans­
`action message or a transaction number, or authentica­
`tion random number RN.
`
`A semiconductor LSI circuit � s sealed in IC card,
`which i s arranged such that only specific information
`can be read out from the IC card. The IC card used in
`the system of the present invention has the same basic
`arrangement as a conventional IC card. As shown in
`F i g . 3 , the IC card comprises a microprocessor unit
`<MPU: one-chip microprocessor > 3 1 , a program memory 3 2
`< preferably a mask ROM o r EPROM > for storing a n encryp­
`
`tion (decryptio n > program and an operation program, a
`data memory 3 3 < preferably permanent memory type PROM) ,
`an I/O interface 3 4 and contacts 3 5 . When the IC card
`is loaded into reader/writer 2 7 , an operat ion power
`source voltage, operation clock pulses , various function
`command codes and data are supplied to the IC card
`�hrough contacts 3 5 . MPU 3 1 i ncorporates a RAM
`( random
`access memory> 3 l a .
`Program memory 3 2 stores various programs for
`executing basic functions of the IC card. The basic
`functions of the IC card include a function for reading
`from or writing into memory 3 3 , an encipheri ng/decipher­
`ing function for enciphering a message, to prevent
`leakage o r forgery thereof, when sending the message
`from one terminal t o another terminal through a communi­
`cation line, and deciphering an enciphered message
`received from another termina l , and a password setting/
`verification function for storing a password set by a
`user in the data memory and verifying a n i nput password
`with the stored password. MPU 3 1 translates a function
`command, with or without data, input from CPU 21 through
`reader/writer 27 and performs a necessary one of the
`basic function s .
`Memory 3 3 i s divided into a plurality o f areas,
`e . g . , an area accessible for external readout only, an
`area accessible for writing only, an area accessible for
`
`5
`
`1 0
`
`15
`
`2 0
`
`2 5
`
`3 0
`
`3 5
`
`Page 382 of 544
`
`

`
`- 7 -
`
`01 94839
`
`reading and writing , an area which permits no reading
`
`and writing and an area accessible for wr iting and
`reading only after password verification. These memory
`
`areas are assigned with area numbers . The designation
`of memory addresses i s performed by specifying an area
`number . The access permit conditions for the data
`memory are determined in units of areas . The access
`permit conditions depend on accessor ' s qualif ication
`levels and access types ( i . e . , the writing and reading ) .
`
`The qualification levels include an IC card manufac­
`turer, an IC card i ssuer and an IC card use r . The
`
`qua l i f i cation level of the IC card is detected by a
`signal input by an IC card holder. Memory access is
`inhibited or permitted in accordance with subsequent
`command s .
`Reader/writer 2 7 l i nks card 14 < 15 ) with CPU 21
`for communication of functional command codes and data
`therebetween, and translates macroinstructions from CPU
`2 1 into commands for the IC card.
`Fig . 4 shows an arrangement of memory 33 in card
`1 4 . Memory 33 has five areas I , I I , I I I , IV and v. An
`access control table for determining access permit con-
`.
`ditions for other areas II
`to V is stored in area I .
`The secret key word S , personal key word ( account number )
`I and passwords of user and issuer are respectively
`stored in areas I I , III and IV at the i s suance stage of
`the IC card. A user ' s transaction message M to be sent
`to the center and a center response message M ' are
`stored in area V such that the discrimination between
`the transaction request message M from the user and the
`response message M ' from the center i s made possible.
`Fig . 5 is a table showing access permit conditions
`for areas II to v. The area II can be accessed only by
`the issuer for reading and writing . Thi s access permit
`condition i s defined a s type 1 . The area I I I can be
`accessed by users for readout only, but can be accessed
`by the issuer for reading and writing both. This access
`
`5
`
`10
`
`1 5
`
`2 0
`
`2 5
`
`30
`
`3 5
`
`Page 383 of 544
`
`

`
`- 8 -
`
`01 94839
`
`permit condition is defined as type 2 . The area I V has,
`l ike area II, the access permit condition of type 1.
`The area V has access permit condition of type 3 , in
`which the users and issuer can gain access for reading
`only .
`Fig. 6 shows the access permit condition table
`.stor·ed in area I . Area number s , the access permit
`condition types, and the respective start addresses of
`areas are registered i n this tabl e .
`A function command and data are supplied t o the IC
`card in such a format as shown in Fig. 7 . Only the
`function command may be supplied to the IC card. The
`function command includes a command code for sepcifying
`writing or reading and area number data specifying an
`area of memory 3 3 . Upon reception of a message shown in
`Fig . 7 , the I C card separates the message into the
`command code and the area number data. The IC card then
`references the access control table in the data memory
`area to read out the access-permit condition type infor-
`mation for a designated memory area. At the same time,
`the .command code is translated to distinguish between
`writing and reading . After the IC card is loaded into
`the card reader/writer, password identification is per­
`formed at the f i rst stage of processing . When an input
`password coincides with the user or issuer pa-ssword
`registered in area IV in memory 3 3 , a person using the
`IC card is determined to be the user or issuer. The
`user/issuer distinction data is then stored in RAM 3 la
`in MPU 3L A determination is made as to whether a
`command is executed or not for a specified memory area
`in accordance with the user/issuer distinction data
`and the access permit condition data for the specified
`memory area. As _a result, for example, even i f the user
`wants to write a message in area V in memory 33 without
`sending t o the center, the corresponding command i s not
`executed and thus the message is not written in area V ,
`as shown in Fig . 5 .
`
`5
`
`1 0
`
`is
`
`20
`
`25
`
`30
`
`3 5
`
`Page 384 of 544
`
`

`
`- 9 -
`
`01 94839
`In order to perform a transaction, a transaction
`request message M to be sent from a customer terminal to
`the center must be enciphered in the terminal , and an
`enciphered message C must be sent onto a communication
`line. As keys for enciphering the transaction message
`are used a key word such as an account number I set by
`the card user or issuer, a number ( secret key word) S
`common to the communication network, and random number
`data R representing a transaction number and generated
`at the center side. MPU 31 performs an exclusive OR
`operation, i . e . , I (? S (± R to produce an enciphering key
`word K . The key word may be obtained by any other
`method than the exclusive OR operation . By way of
`example, the key word may be obtained by concatenating I
`and R, and then enciphering the concatenated I and R
`with the key word S . MPU 31 enciphers message M using
`the enciphering key word K and in accordance with an
`encryption algorithm such as the DES. When the
`encryption algorithm i s defined as f, message C is
`defined as follows:
`C = fK(M) = f s , I , R(M)
`As described above, K = S (?: I (±:, R. The key word I
`inherent to a card user is stored in the predetermined
`area III which can be accessed by the user for reading
`only. The common key word S is stored in area II of
`data memory 33 such that it cannot be read out to the
`outside. The key word S is public only to a minority
`such as the card issuer . The key word R representing
`a transaction number is sent from a center terminal when
`a transaction is requested by the user and is stored in
`RAM 3la in MPU 31.
`The enciphered message C and personal key word I
`are sent from a customer terminal to the center termi­
`nal . According to the present invention, whenever MPU
`31 enciphers a message M, MPU 31 automatically records
`the message M in the predetermined area V i n memory 33
`such that the message M can be externally read out but
`
`5
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`Page 385 of 544
`
`

`
`- 10 -
`
`01 9 4 8 3 9
`
`cannot be externally rewritten or erased .
`The center terminal 12 deciphers the enciphered
`message C sent from the customer terminal i n accordance
`with a decryption algorithm to recover the original
`transaction message M. Terminal 12 sends the key word
`I sent from the customer terminal together with the
`message C to IC card 15 . The center IC card 15 uses key
`words I , R and S to produce a decrypting key word K.
`The MPU deciphers the enciphered message C i n accordance
`with the decryption algorithm using the key word K.
`If the decryption algorithm is defined as f-1, the
`deciphered message M i s given by:
`-1
`-1
`M = f K C C ) = f S , I , R( C )
`where K = S '2 I 3 R.
`The deciphered message M is output from card 15 to
`be printed out by printer 2 5 . In center terminal 1 2 ,
`key words I and S are stored i n the predetermined areas
`in memory 33 in the same manner as in customer terminal
`11 . Key word R is stored in RAM 3la in MPU 31.
`In the center terminal the enciphered message C
`is deciphered, and then a responding message M ' i s
`produced, which is input t o card 1 5 . The message M ' i s
`enciphered t o produce enciphered message c • i n accord­
`ance with the same encryption algorithm as in card 14.
`Enciphered response message M' is sent back to the
`customer terminal which transmitted original message M .
`The general description of transactions using the
`communications network of the present invention will be
`described with reference to a flow chart of Fig . 8 .
`When a customer possessing card ·14 sends message M
`to the center , he f irst loads his IC card into reader/
`writer 27 in his terminal ( step 8 1 ) . The customer is
`instructed to i nput his password . When the customer
`enters h i s password through keyboard 2 3 , an input
`message with a format shown in Fig. 7 i s sent from CPU
`21 to card 14 through reader/writer 27. MPU 31 i n card
`14 translates the message and accesses memory 33 to read
`
`5
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`Page 386 of 544
`
`

`
`- 11 -
`
`01 94839
`
`out a password from area IV. MPU 31 then compares the
`input password with the password read out from memory 3 3
`( step 8 2 ) . A comparison result t o sent t o CPU 2 1 . When
`ident i f i cation of the customer i s confirmed, CPU 2 1
`sends a transaction request signal to terminal 12
`through line 1 3 . Terminal 12 receives random number
`data R from generator 2 9 in response to the transaction
`request signal and sends data R to the customer terminal
`( step 8 3 ) . The customer terminal supplies random number
`data R to IC card 1 4 . Data R is stored i n RAM 3 la in
`MPU 3 1 in card 1 4 , as previously described. Random
`number data R is also stored in card 15 on the center
`side.
`Upon reception of data R, CPU 2 1 instructs entry of
`an input message to the customer. The customer types
`message M on keyboard 2 3 ( step 8 4 ) . CPU 2 1 suppl ies
`message M with a function command code in a format as
`shown in F i g . 7 to IC card 14 through reader/writer 2 7 .
`MPU 3 1 i n card 1 4 enciphers message M i n accordance with
`the encryption algorithm of C = f K ( M ) . MPU 31 writes
`message M i n area V in memory 3 3 . Message c , and key
`word I stored in area I I I in memory 3 3 are read out
`under the control of MPU 3 1 . CpU 2 1 in terminal 1 1
`sends t o terminal 1 2 through l i ne 1 3 the enciphered
`message C and key word I
`( account number > output from
`card 14 ( step 8 5 ) .
`Upon receiving message C and key word I , terminal
`12 suppl ies them to card 15 . Card 15 deciphers message
`C in accordance with the . decryption algorithm of
`M = f-lK ( C ) as described above . Deciphered message M
`i s thus output from card 15
`( step 8 6 ) . CPU 2 1 causes
`printer 2 5 to print out message M supplied from card
`15
`( step 87 > . Subsequently, message M' responding to
`message M is typed on keyboard 2 3 i n the center ( step
`8 8 ) . The responding message M' may be produced by a
`computer according to a constant rout i n e . Center
`terminal 12 sends message M' to customer terminal 11
`
`5
`
`10
`
`15
`
`20
`
`2 5
`
`30
`
`3 5
`
`Page 387 of 544
`
`

`
`- 12 -
`
`01 94839
`
`t�rough line 1 3 . Message M ' from terminal 1 1 is
`visually output by printer 25 or CRT d i s play 2 4 ( step
`89 ) . The customer con f i rms whether message M ' i s
`If acceptable, the transaction is
`acceptable o r not.
`completed < step 90 ) .
`According to the way o f transactions, t�e irregu­
`larities can be prevented as described later .
`As described above, the encryption o f message M at
`each customer terminal i s performed i n association with
`the recording of the message i n the data memory . As
`previously described, message M i s recorded in area V in
`memory 33 so as to permit external readout but prohibit
`external rewr iting.
`In other words , the transaction
`If the center can confirm
`message M cannot be forged .
`that the received enciphered message C has been properly
`enciphered, that i s , a meaningful message has been
`obtained by the decryption of message C, then it can be
`confirmed that the message M has been r ecorded i n non­
`rewritable manner on the customer side .
`Since message M
`i s recorded and preserved at the customer side, the
`transaction cannot be denied afterwards and therefore,
`the customer cannot report a false transaction .
`The possibility o f forging of message M at the
`center will be considered.
`In this case, a commqnica-
`t i o n of message M i s not performed i n practice. There­
`for e , message M representing a transaction content i s
`not recorded i n the I C card o f a custome r . Therefore,
`a false report of the center can be denied by the fact
`that message M i s not recorded in the customer IC card.
`However, the transaction way described above
`involves a sl ight problem i n transaction security. When
`a customer interrupts transmission o f message M to the
`center after message M i s recorded i n h i s IC card, or
`when transmi ssion i s not performed due. to a communica-
`tion l i ne failure, a false report can be made using
`message M recorded i n card 14 . Thi s problem can be
`solved by enciphering response message M ' at the center
`
`5
`
`10
`
`1 5
`
`2 0
`
`2 5
`
`30
`
`35
`
`Page 388 of 544
`
`

`
`- 13 -
`
`01 94839
`
`and recording the enciphered response message C ' or
`deciphered response message M ' in data memory 33 in
`customer ' s IC card 1 4 .
`
`A sequence for preventing such inconvenience i s
`shown i n Fig . 9 . Message M ' i s typed and then input into
`card 15 . Message C ' is enciphered in accordance with
`the encryption algor ithm of C ' = f K ( M ) and enciphered
`message C ' is output from the IC card ( step 9 1 ) . Message
`C ' is sent to the customer termina l . Message C ' is
`input into card 14 and deciphered in accordance with the
`-1
`decryption algori thm of M ' = f K < C ' ) , thereby reproduc-
`ing message M ' . Message M ' is recorded in memory 33 and
`output from the IC card ( step 92 > . Message M ' from the
`IC card i s printed out by printer 2 5 ( step 9 3 ) . The
`customer confirms message M ' and, i f acceptable, causes
`CPU 2 1 to send back message M ' to center terminal 12.
`However, when the response message i s not acceptable,
`CPU 21 sends a response message retransmission request
`instruction to center termi nal 12 ( step 9 4 ) .
`The center terminal determines whether o r not the
`response from th� customer terminal is the retrans­
`mission request for message M ' ( step 95 ) . When message
`M ' i s sent back, a determinat i on i s made as to whether
`or not the received message M ' coincides with the
`( step 9 6 ) . This can be done by
`transmitted message M '
`vi sually di splaying the recieved message M ' at printer
`2 5 or CRT display 2 4 . When the coincidence i s confi rm-
`ed, the transaction i s executed ( step 97 ) . However,
`when the retransmission of the response message is
`requested in step 95 or when the coincidence has not
`been established i n step 9 6 , the center terminal re­
`transmits message M ' to the customer terminal without
`executing the transaction.
`As stated above, the recording of the response
`message from the center terminal at the customer termi­
`na l di sables a false report of the customer .
`Another embodiment of the present invention will be
`
`5
`
`10
`
`15
`
`2 0
`
`2 5
`
`30
`
`3 5
`
`Page 389 of 544
`
`

`
`- 14 -
`
`01 94839
`
`described.
`Referring to Fig . �0, the arrangement of custome�
`terminal 11 and center terminal 12 used in this embodi­
`ment is shown which is basically the same as that in
`Fig. 2 . A timer C or counter) 101 is coupled to CPO 21
`to detect an abnormal state, such as a failure in the
`communication line between the customer and center
`terminals . In this embodiment , message M from the
`customer to the center and response message M ' from the
`center to the customer are stored in data memory 33 in
`IC card 14 in such a way that the distinguishment
`bet�een encryption and decription of messages is made.
`For this purpose , as shown in Fig. 11, area V of memory
`33 may be divided into subareas Vl and V2 . Message M
`from the customer to the center is automatically record­
`ed in subarea Vl in association with its enccyption.
`Message M' from the center to the customer is automati-
`cally recorded in subarea V2 in association with decryp­
`tion of message C ' . Otherwise , as shown in Fig. 12,
`di scinction information such as "1" or "0" may be added
`ahead of messages M and M ' so as to distinguish message
`M from message M' . With such a distinguishable record­
`ing of messages M and M ' , the customer cannot make a
`false report that a transmitted message is a received
`one.
`
`With reference to the flow chart shown in Fig . 1 3 ,
`the portions different from Fig . 8 will be described.
`Steps 81 to 88 up to production of message M' at the
`center are the same as those in Fig . 8 .
`In this embodiment, message M ' i s produced and at
`the same time a random number RN used for an authentica­
`tion of the transaction is supplied to CPU 21 in the
`center ( step 130 > . Message M ' and authentication random
`number RN are input to card 15. Authentication infor-
`mation RN is stored in RAM 3la in MPU 31 of card 15 . A
`concatenation M' //RN of message M' and number RN is
`enciphered in card 15 in accordance with the encryption
`
`5
`
`10
`
`15
`
`20
`
`2 5
`
`30
`
`35
`
`Page 390 of 544
`
`

`
`- 15 -
`
`01 94839
`
`algorithm of C ' K f K < M ' //RN ) , and enciphered message C '
`i s output from card 1 5 ( step 13 1 > . Thus, M ' //RN repre­
`sents a message in which M ' i s di sposed on the side of
`upper signif icant bits and RN on the side of lower sig-
`n i f i cant bits . Message C ' i s sent to the customer ter­
`minal through the communication line. At the c�stomer
`termi nal , message C ' is input to card 1 4 , M ' //RN i s
`deciphered in accordance with the decryption algorithm
`of M ' //RN = f- 1K < C > , and M' and RN are automat ically
`recorded in memory 3 3 . Message M ' and number RN are
`then output from card 14 ( step 13 2 ) . Message M ' i s
`printed out i n step 1 3 3 .
`In the subsequent step 1 3 4 ,
`authentication data RN i s sent back to the ce�ter termi­
`na l . The transmitted authent ication data RN i s compared
`in the center terminal with the received authenticacion
`data ( step 135 ) . The confirmation as to whet�er or not
`the coincidence i s found between the transmitted and
`received authent ication data may be made by displaying
`them on the CRT display or printing at the printer.
`Alternatively, the confirmation may be made in the
`routine in the CPU. Upon conf i rmation of the coinci­
`dence, the content of the transaction request is execut­
`ed with the result that the transaction communication i s
`completed ( step 136 ) .
`When all procedures are completed normally, as
`described above, the transaction and response messages
`are always stored in a pair in memory 33 of card 1 4 .
`S i nce the content of these messages coincides with the
`actual transaction content, a transaction ver i f i cation
`is realized. However, an unexpected interruption of