The present invention relates to a smart card managing system. More particularly, the invention relates to a managing method and an issuance processing method for the card initializing information used in issuing a smart card on which a plurality of application programs can be dynamically loaded or removed (hereinafter sometimes referred to as a “multi-application smart card”) and for the application information to be loaded on the smart card when it is issued, and in particular to a managing method of application personalizing information based on the applicant (user) for a card.
As has been discussed in Technical Report of IEICE (The Institute of Electronics, Information and Communication Engineers), Vol. 100, No. 541, Knowledge-Based Software, KBSE2000-54 to 65 (Jan. 11, 2001), pages 25 to 32, the managing system architecture for issuing and operating a multi-application smart card can conventionally be configured flexibly enough to match various business forms if it adopts a system model in which a card issuer (often abbreviated as CI) and a service provider (often abbreviated as SP) are separated from each other.
Concretely, a service provider who provides a service through the use of a card application may be a managing entity independent of the card issuer, based on the characteristic of the multi-application smart card that a plurality of applications may be loaded on a single smart card. Under this managing entity model, the card issuer takes responsibility for the operation and management service of a smart card, owns a smart card issuance managing system that executes the service, and operates that system. The service provider, on the other hand, takes responsibility for the operation and management of the applications, owns an application managing system that executes the service, and operates that system. In executing the actual smart card operating and managing service, the two systems cooperate with each other in processing the service.
The foregoing prior art involves the problem that insufficient consideration is given to the card issuance service, a typical operating and managing service involved in smart cards: the content of the service to be executed by the card issuer and the service provider through their own card issuance managing system and application managing system, the method of coordinating the operating and managing processes executed by the two managing systems, the method of protecting the information owned by each managing entity, and so forth. Hereafter, this problem will be discussed in detail.
FIG. 1 illustrates the configuration of a conventional smart card system composed of several entities such as a smart card issuer, a service provider for a smart card, a smart card issuance bureau (often abbreviated as a bureau), and a smart card, as well as the data flow in a card issuing service.
At first, the summary of a component of the system will be discussed below.
A numeral 101 denotes a smart card issuance managing system. A numeral 104 denotes an application managing system. A numeral 107 denotes a smart card issuance bureau system (often abbreviated as a bureau system). The “smart card issuer” is a managing entity who runs a service of issuing and managing a smart card through the use of the smart card issuance managing system 101. The “smart card issuer” also takes responsibility for the smart card. The smart card issuance managing system includes, as minimum components, a database 103 related to smart cards and a smart card issuing unit 102. The smart card issuer holds smart card management information in the database 103 related to smart cards and, based on the data in that database, issues a smart card and delivers it to a user 111. The smart card management information includes application information given by the user and the basic information required for issuing a smart card.
The “service provider” is a managing entity who runs a service of issuing and managing an application to be loaded on the smart card through the use of an application managing system 104. The service provider loads the application on the smart card. The application to be loaded may be created by the application managing system, or it may be obtained or purchased from a third-party system called an application developer 112. The application managing system includes, as minimum components, a database 106 related to applications and an application load processing unit 105. The database 106 related to applications stores application data.
The “bureau” is a managing entity who runs a deputizing agency business of issuing smart cards through the use of the bureau managing system 107. The bureau acts on behalf of a smart card issuer at the issuer's request, for example when a massive number of smart cards is to be issued. The bureau managing system 107 holds a smart card issuance system 108 for issuing a massive number of smart cards. The smart card issuance system 108 may have an HSM (Hardware Security Module) built into it. The HSM is an information processing apparatus that encrypts or decrypts data input to it through the use of a key held inside it. The HSM is characterized in that its internal information and internal processing cannot be accessed from outside the HSM itself.
The smart card issuance managing system, the application managing system, and the bureau managing system transfer information among themselves through a network 113, by delivery of an information recording medium such as a floppy disk by mail or by hand, or by delivery of a form by mail or by hand.
Further, the above-described smart card issuance managing system 101 of the card issuer and the application managing system 104 of the service provider include an issuing function of a smart card, a smart card issuance deputizing request processing function, and a personalizing function of an application (to be discussed below) in the processing units 102 and 105, respectively. Each processing function is realized as a computer program and is operated.
In turn, the description will be oriented to the problem of the conventional system by referring to the operating routine of the smart card issuing service in the foregoing system as an example.
Before receiving an issue application 121 from a user 111, the smart card issuance managing system 101 and the bureau managing system 107 exchange a bureau key 109 that serves as a key for protecting the card issuance information transferred between the card issuer and the card provider. The use of this key makes it possible to guarantee that the card issuance information created by the card issuer is hidden from any other managing entity, including the bureau, and is entered into the smart card issuance system 108 without being tampered with or altered.
At first, the user 111 files an application of issuing a smart card to the smart card issuer (process 121). The user 111 enters requisite matters in an application form 114 for card issuer and an application form 115 for service provider, the form 115 being for an application to be intended to be loaded initially when the smart card is issued. The former application form is sent to the smart card issuer (process 122), while the latter is sent to the service provider (process 123). The matters to be entered on the applications include a user name and a password (PIN) to be set to the card or the application and personal information like an annual income. It is to be noted that the personal information items to be described on the application forms may be different according to each of the application forms. It means that one form for an application needs the name and the birth date of the user, while another form for an application needs the name and the password of the user. Further, it is to be noted that the personal information to be required to be described by a certain managing entity is basically not allowed to be disclosed to another managing entity from a viewpoint of security and privacy protection. Hence, the submitted application forms are independently stored in the systems. Concretely, the application form for card issuer is stored in the smart card issuance managing system, while the application form for service provider is stored in the application managing system.
Then, the smart card issuance managing system makes a request to the application managing system for personalizing and sending the application to be loaded when the card is issued (called the initial load application) (process 125). Personalizing an application means setting the personal information of each user, such as the user's name and PIN, in the application.
Herein, the first problem involved in the conventional system is that the application managing system that accepts the request for sending the personalized initial load application is unable to determine which of the applications should be selected and for which user the selected application is to be personalized. This problem results from the fact that the smart card issuer and the service provider are independent managing entities, and since each managing entity stores its own application information, the two systems cannot cooperate with each other because there is no link information between the two sets of application information.
Hereafter, in order to address the second problem involved in the conventional system, the description will be expanded on the assumption that the initial load application and its object for personalizing can be specified or identified.
The application managing system operates to personalize the specified application on the application information of the object for personalizing and then send it to the application managing system as the personalized application (process 126).
Herein, the second problem involved in the conventional system is that the service provider cannot hide the content of the personalized application data from the card issuer. This results from the fact that no independent secret key information exists between the service provider and the bureau.
This is the end of the description of the two problems involved in the conventional system.
The remaining steps of the card issuing process in the conventional system will be briefly described. The smart card issuance managing system encrypts the accepted data, that is, the personalized application data and the card issuance information required for issuing the card, through the use of the bureau key exchanged with the bureau system, and then sends it to the bureau system (process 128). The bureau system enters the accepted data into the smart card issuance system. The smart card issuance system decrypts the data through the use of the bureau key held inside it and then sends it to the smart card. This completes the smart card issuing process 129 and the initial application loading process 130.
If the smart card issuance system has the foregoing HSM built into it, the data sent along the path denoted by 128 is decrypted only inside the smart card issuance system itself, so that it can be hidden from anyone outside the card issuance system, such as an operator of the bureau.
In order to solve the foregoing problems, it is an object of the present invention to provide a smart card issuance managing method and system which allow a card issuer and a service provider to cooperate through link information between the application information owned by the card issuer and that owned by the service provider, and which encrypt the personalized application data sent from the service provider to the card issuer.
Hereafter, the invention will be described in detail.
An embodiment of the invention solves the first problem, that is, the problem that no link information exists between the application information owned by the card issuer and that owned by the service provider, by adding a unique number to the smart card issue application filed by a user. When filing an application for issuing a smart card, the user fills in the smart card issue application information, that is, the matters required for issuing the smart card, before submitting it. The smart card issue application information includes the user's name, phone number, age, and so forth. Likewise, the user fills in the required application information for an initial load application before submitting it. The required application information for the initial load application includes a user name that is common to the smart card issue application information, PIN information that is unique to the initial load application, and so forth. Further, there may be two or more initial load applications rather than only one, so that application information for a plurality of initial load applications may be filed. When the user files a smart card issue application with this application information, apply codes are added to the application information. The application managing system manages the smart card issue application information with the apply codes as the key information. The application load processing system manages the application information for the initial load applications with the apply codes as the key information. This management allows smart card issuance to be executed with the data of both systems cooperating with each other.
The smart card issuing process of the smart card issuance managing system using the apply codes will now be concretely described. The smart card issuance managing system receives the smart card issue application from the user and thereby accepts the smart card issuance application information. The smart card issuance managing system adds the apply codes to the smart card issuance application information and then stores that information, with the apply codes as the key, in the database related to applications owned by the managing system itself. Further, the smart card issuance managing system sends the application information for the initial load applications, in association with the corresponding added apply codes, to the application managing system. As the sending means, when the application form is written on paper it is mailed, and when it is written as electronic data it is sent as electronic data. The destination application managing system is the system that handles the operation and management of the initial load applications. The applications to be initially loaded on the smart card to be issued may be predefined, so that the user cannot select them, or they may be freely selectable, depending on the policy of the smart card issuer.
In addition, a “peculiar sign” or a “correspondence peculiarity sign”, for example, may be used as the apply code.
A “sign” means “a code that is created on a certain system for representing an object”. For example, it may be a combination of figures only, one of a series of serial numbers, or a combination of characters, figures and symbols.
A “peculiar sign” means a sign that is uniquely created for distinguishing one object from another. For example, one of the apply codes (106, for example) with the serial numbers (1, 2, 3, . . . for example) added corresponds to the “peculiar sign”. The serial numbers are included in the sign.
A “correspondence peculiarity sign” means the sign corresponding to the “peculiar sign”. For example, the “correspondence peculiarity sign” has a one-to-one correspondence with the peculiar sign: when the peculiar sign is “Merry01ab”, the correspondence peculiarity sign that corresponds one-to-one to that peculiar sign is “1258”. The correspondence peculiarity sign is used, for example, when the database can store only a restricted class of signs (for example, only combinations of figures). The peculiar sign has no such restriction.
The signs to be stored in the database or the like may be numbered according to a rule other than that of the peculiar signs (for example, a combination of figures only).
Then, the description will be oriented to the smart card issuing process. The initial load applications are required to be personalized. Since the personalizing information of the application is held in the application managing system, the smart card issuance managing system requests the application managing system that personalization be made. In order to distinguish an object for personalizing from another, the card ID may be used after the smart card is issued. At this time, however, the card is not issued yet. Hence, the numbered apply codes are specified. Then, the smart card issuance managing system receives the personalized application sent from the application managing system in response to the specified personalizing request.
Likewise, the smart card issuing process included in the application managing system using the apply codes will be concretely described. The application managing system stores application accepting information, which corresponds to the application filing information, in the database related to applications. Then, the smart card issuance managing system requests the application managing system to personalize the application to be initially loaded when the smart card is issued. The application managing system retrieves the database with the specified apply codes as the key, personalizes the application using the retrieved data, and sends the personalized application to the card issuer.
The apply codes may be numbered dynamically by the smart card issuance managing system when the user files an application for issuing the smart card. Alternatively, a numbering organization may assign the allocated numbers to the apply codes in advance. In a case where numbers written commonly on the smart card issue application form and on the application form for an application are used as the apply codes, these numbers are stored in each database in association with the corresponding application information. This allows these numbers to be used as the apply codes in the system. That is, the card issuer stores the apply codes written on the application form and the corresponding smart card issuance information written on the application form in association with each other in the database related to smart cards, so that they can be used in the subsequent smart card issuance management. Likewise, the service provider associates the apply codes written on the application form with the corresponding application information for an application and then stores the apply codes and the corresponding application information in the database related to applications, so that they can be used in the subsequent smart card management.
Further, in the case of dynamically numbering the apply codes, the correspondence between the numbers written on the application form and the apply codes is stored in each database so that the apply codes can be matched with the application information. That is, the card issuer stores the numbered apply codes, the corresponding numbers written on the application form, and the corresponding smart card issuance application information in association with each other in the database related to smart cards. The correspondence is notified to the service provider so that data cooperation between the two systems can be realized. The service provider associates the apply codes with the corresponding application information for an application according to the notified correspondence between the apply codes and the numbers written on the application form, and stores them in the database related to applications. This information is used in the subsequent smart card management.
The application form, termed herein, may be paper or an electronic medium to be entered from the Web screen. In either case, the present invention provides, as the solving method for the first problem, the method of assigning the apply codes collectively to the application form for smart card issuance and the application form for an initial load application with respect to the smart card issue application and cooperating the data of the smart card issuance managing system with the data of the application managing system as link information.
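The following is an added example, written for this description and not code from the patent, showing the apply code used as the only link between the card issuer's database and the service provider's database. The class names, the "AC000001" serial-number format and the sample applicants are constructed for the example. Two applicants share a name, so the service provider cannot select the personalizing object from form contents alone (the first problem), while a lookup by apply code resolves it; neither system holds the other's form data.

```python
import itertools
from dataclasses import dataclass, field


class ApplyCodeNumbering:
    """Dynamic numbering of apply codes (peculiar signs): a serial number
    behind a constructed "AC" prefix. A numbering organization could
    pre-assign them instead; the linking logic below does not change."""

    def __init__(self, start: int = 1) -> None:
        self._serial = itertools.count(start)

    def next_code(self) -> str:
        return f"AC{next(self._serial):06d}"


@dataclass
class CardIssuerSystem:
    """Smart card issuance managing system. It keeps only the card-issue
    application form, keyed by apply code, and never sees the application PIN."""

    numbering: ApplyCodeNumbering
    card_db: dict = field(default_factory=dict)

    def file_application(self, card_form: dict, app_forms: list) -> tuple:
        code = self.numbering.next_code()
        self.card_db[code] = dict(card_form)
        # Forms for the initial load applications are forwarded to the service
        # provider tagged with the same apply code; the tag is the only link.
        forwarded = [{"apply_code": code, **form} for form in app_forms]
        return code, forwarded

    def request_personalization(self, sp: "ServiceProviderSystem", code: str) -> list:
        # The card is not issued yet, so no card ID exists; the apply code is specified.
        return sp.personalize(code)


@dataclass
class ServiceProviderSystem:
    """Application managing system. It keeps the application forms keyed by
    apply code and never sees the card-issue form (e.g. annual income)."""

    app_db: dict = field(default_factory=dict)

    def accept_forms(self, forms: list) -> None:
        for form in forms:
            data = {k: v for k, v in form.items() if k != "apply_code"}
            self.app_db.setdefault(form["apply_code"], []).append(data)

    def personalize(self, code: str) -> list:
        """Resolve the personalizing object by apply code and set the user's data."""
        try:
            forms = self.app_db[code]
        except KeyError:
            raise KeyError(f"no application filed under apply code {code}") from None
        return [{"app_id": f["app_id"], "holder": f["name"], "pin": f["pin"]} for f in forms]

    def personalize_by_name(self, name: str) -> list:
        """The conventional situation: with no link information the service provider
        can only guess from form contents, which is ambiguous once two applicants share a name."""
        matches = [forms for forms in self.app_db.values()
                   if any(f["name"] == name for f in forms)]
        if len(matches) != 1:
            raise LookupError(f"{len(matches)} applicants match name {name!r}; cannot select")
        return matches[0]


def demo() -> dict:
    """Files two constructed applications from applicants with the same name."""
    issuer = CardIssuerSystem(ApplyCodeNumbering())
    sp = ServiceProviderSystem()
    code1, fwd = issuer.file_application(
        {"name": "Taro Yamada", "birth_date": "1970-01-01", "annual_income": 5_000_000},
        [{"app_id": "transit", "name": "Taro Yamada", "pin": "1234"}])
    sp.accept_forms(fwd)
    code2, fwd = issuer.file_application(
        {"name": "Taro Yamada", "birth_date": "1985-06-30", "annual_income": 3_200_000},
        [{"app_id": "transit", "name": "Taro Yamada", "pin": "9876"},
         {"app_id": "loyalty", "name": "Taro Yamada", "pin": "0000"}])
    sp.accept_forms(fwd)
    return {"issuer": issuer, "sp": sp, "codes": (code1, code2)}


if __name__ == "__main__":
    state = demo()
    _, second = state["codes"]
    print(state["issuer"].request_personalization(state["sp"], second))
```

The personalization request carries only the apply code, so the card issuer learns the result of personalization but never stores the PIN, and the service provider never receives the income field from the card-issue form.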
Next, an embodiment of the invention provides the solving method for the second problem, namely that the service provider cannot hide the data of the personalized application from the card issuer. This solving method is executed by exchanging a key between the bureau and the service provider in advance and encrypting the personalized application data with that key. As mentioned above, the second problem results from the fact that no independent key information exists between the service provider and the bureau. Hence, before the smart card is issued, a key is exchanged in advance between the service provider and the bureau that acts for the smart card issuer, and the data is encrypted with this key. This allows the privacy of the data to be kept from every managing entity other than the bureau, including the card issuer.
The number of keys to be exchanged may be one or more. In a case where a single key common to the bureau and the service provider does not satisfy the security requirement, a plurality of keys are exchanged, and the encrypted data is sent to the bureau together with an index indicating which key was used for encryption, so that the bureau can decrypt the data. Further, the exchanged key may be specified as a master key from which a derivation key is created with a random number each time data is encrypted. After the data is encrypted with this derivation key, the encrypted data may be sent to the bureau together with the random number used for the derivation. Of course, a combination of these two methods is also possible. That is, a derivation key created from one of the master keys is used for encrypting the data, and the encrypted data is sent to the bureau together with the index specifying the master key and the random number used for the derivation.
In turn, the smart card issuing process included in the application managing system that uses the foregoing encrypting method will now be concretely described. The application managing system operates to exchange one or more keys with the bureau that acts for the smart card issuer. Then, when the card issuer requests to personalize the initial load application, the personalized application data is encrypted with the exchanged key. If necessary, the necessary information for specifying the key such as the foregoing index for keys and the random number is added to the encrypted data before sending the data to the card issuer.
Likewise, the smart card issuing process included in the smart card issuance managing system that uses the foregoing encryption will be described below. The smart card issuance managing system requests the service provider to personalize an application to be initially loaded on the smart card. The data returned as the response is encrypted and thus cannot be analyzed by the card issuer. The smart card issuance managing system sends this data, together with the information required for issuing the smart card, to the bureau and requests the bureau to act for the smart card issuer. In a case where the card issuer has exchanged a key with the bureau as the service provider has, the card issuer encrypts the smart card issuance information with this key and then sends the encrypted data, together with the data returned by the service provider, to the bureau. The encrypting method may be either the method of appending the smart card issuance information to the encrypted data sent from the service provider and then encrypting the whole with the key of the card issuer, or the method of encrypting the smart card issuance information with the key of the card issuer and then appending the result to the encrypted application data. After the request to act for the smart card issuer has been given to the bureau, the card issuer accepts the issuing result from the bureau and then terminates the smart card issuing process.
Likewise, the smart card issuing process included in the bureau system that uses the foregoing encryption will now be described. The bureau system exchanges one or more keys with the service provider in advance. Then, in response to the request of acting for the smart card issuer given from the card issuer, the bureau enters the data into the smart card issuance system. The smart card issuance system has the key set therein, by which the data is decrypted with the key for the purpose of extracting the smart card issuance information and the personalized initial load application. The use of this information allows the smart card issuing process and the loading process of the initial load application to be executed and then the result to be sent to the card issuer. If the smart card issuance system includes the foregoing HSM built therein, the data of the request of acting for the smart card issuer sent from the card issuer is allowed to be decrypted only inside of the smart card issuance system. This makes it possible to guarantee that the data is hidden from the outside of the card issuance system such as an operator of the bureau.
As set forth above, the present invention provides the solving method for the second problem in which the personal information of the application is hidden from the card issuer by encrypting the personalized initial load application data with the key which is exchanged between the bureau and the service provider.
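The exchange described in the preceding paragraphs, as an added example that is not part of the patent text: the service provider holds master keys exchanged with the bureau, picks one by index, derives a per-message key from a random number, and encrypts the personalized application; the card issuer, which holds only its own bureau key, encrypts the issuance information with that key and appends it to the opaque service provider package (the second of the two methods above); the bureau's issuance system is the only party holding both keys. The cipher is a constructed encrypt-then-MAC scheme built from HMAC-SHA256 in counter mode (standing in for a standard authenticated cipher such as AES-GCM), the derivation `HMAC(master, random)` and the packet layout are assumptions, and all keys and messages are generated inside the example.

```python
import hashlib
import hmac
import os
import secrets
import struct

NONCE_LEN, TAG_LEN, RND_LEN = 16, 32, 16


def derive_key(master_key: bytes, random_number: bytes) -> bytes:
    """Derivation key from a master key and a per-message random number.
    Constructed as HMAC-SHA256(master, random); the text does not fix a KDF."""
    return hmac.new(master_key, random_number, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode as a PRF keystream (stand-in for a block cipher).
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag over (nonce, ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or altered data is rejected before decryption."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ServiceProvider:
    """Holds the master keys exchanged with the bureau; the card issuer never has them."""

    def __init__(self, master_keys: list) -> None:
        self.master_keys = master_keys

    def package_personalized_app(self, personalized: bytes) -> bytes:
        index = secrets.randbelow(len(self.master_keys))  # which master key was used
        rnd = os.urandom(RND_LEN)                         # random number for derivation
        dk = derive_key(self.master_keys[index], rnd)
        # index || random number || encrypted data: the bureau needs both to re-derive.
        return struct.pack(">B", index) + rnd + encrypt(dk, personalized)


class CardIssuer:
    """Holds only its own bureau key and forwards the SP package as an opaque blob."""

    def __init__(self, bureau_key: bytes) -> None:
        self.bureau_key = bureau_key

    def deputize_request(self, sp_package: bytes, issuance_info: bytes) -> bytes:
        # Issuance information encrypted with the issuer's key, appended to the
        # already-encrypted application data (length-prefixed so the bureau can split).
        return struct.pack(">I", len(sp_package)) + sp_package + encrypt(self.bureau_key, issuance_info)


class BureauIssuanceSystem:
    """Stands in for the smart card issuance system (HSM): the only place both keys meet."""

    def __init__(self, sp_master_keys: list, issuer_key: bytes) -> None:
        self.sp_master_keys = sp_master_keys
        self.issuer_key = issuer_key

    def process(self, request: bytes) -> tuple:
        (n,) = struct.unpack(">I", request[:4])
        sp_pkg, issuer_part = request[4:4 + n], request[4 + n:]
        index, rnd, blob = sp_pkg[0], sp_pkg[1:1 + RND_LEN], sp_pkg[1 + RND_LEN:]
        app = decrypt(derive_key(self.sp_master_keys[index], rnd), blob)
        info = decrypt(self.issuer_key, issuer_part)
        return info, app


def run_issuance(personalized: bytes, issuance_info: bytes) -> dict:
    """Full exchange with freshly generated keys; reports what each party could read."""
    sp_keys = [os.urandom(32) for _ in range(3)]
    issuer_key = os.urandom(32)
    sp, issuer = ServiceProvider(sp_keys), CardIssuer(issuer_key)
    hsm = BureauIssuanceSystem(sp_keys, issuer_key)
    pkg = sp.package_personalized_app(personalized)
    request = issuer.deputize_request(pkg, issuance_info)
    info, app = hsm.process(request)
    try:  # the card issuer cannot open the SP package with its own bureau key
        decrypt(issuer_key, pkg[1 + RND_LEN:])
        issuer_can_read = True
    except ValueError:
        issuer_can_read = False
    tampered = bytearray(request)
    tampered[-1] ^= 0x01  # one byte altered in transit
    try:
        hsm.process(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"info": info, "app": app,
            "issuer_can_read_app": issuer_can_read, "tamper_detected": tamper_detected}
```

The index and random number travel in the clear, as the text allows, because they carry no secret on their own: without the master key they do not help recover the derivation key, and the tag check rejects any modification of them before decryption is attempted.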
The aforementioned smart card managing method provided by the invention makes it possible to provide link information between the application information held by the card issuer and that held by the service provider, so that the card issuer and the service provider can cooperate with each other, and to secure the privacy of the personalized application data sent from the service provider to the card issuer.