1. Field of the Invention
The present invention generally relates to information recording media, information processing apparatuses and methods, program recording media, and information processing systems. More particularly, the invention relates to an information recording medium, an information processing apparatus and method, a program recording medium, and an information processing system, all of which implement, for example, highly convenient electronic tickets.
2. Description of the Related Art
Transportation tickets, entrance tickets, reserved tickets, membership cards, license cards, service tickets, etc. are used to prove that owners of these cards and tickets possess the rights described therein.
Such cards and tickets are hereinafter simply referred to as “tickets”. Tickets made of paper (including plastics similar to paper) are implemented by printing predetermined items on paper, which is convenient to be carried, and thus have “portability”.
If paper tickets are implemented simply by printing, it is difficult to prevent forgery. Accordingly, hitherto, as a measure to prevent forgery, special printing is performed on paper, or a stamp or a watermark is added to the paper. Thus, paper tickets can be issued only by legal issuers, and cannot be easily forged. In this sense, paper tickets have a “right copy-preventing function”.
Paper tickets also have a “right-validating function” for validating the rights possessed by the owners of the paper tickets, or an “assignment function” for easily assigning the rights described in the tickets to a third party.
Tickets can be reserved via a telephone line or a computer network. However, those who have reserved tickets have to receive the tickets by mail or collect them at the corresponding agents.
Along with the progress of computer network techniques, research and development is being made on electronic ticketing systems in which tickets are digitized and are directly sent and received via a communication network. Such digitized tickets are referred to as “electronic tickets”. With electronic tickets, users do not have to collect tickets at the corresponding agents, and the ticket distribution and management costs can also be reduced.
As methods for implementing an electronic ticketing system, for example, a first method disclosed in Japanese Unexamined Patent Application Publication No. 8-147500 and a second method disclosed in Japanese Unexamined Patent Application Publication No. 11-31204 have been proposed.
In the first method, electronic ticket information is stored in tamper-proof hardware so as to prevent multiple use (exercise) of the rights associated with electronic tickets by copying the electronic ticket information.
Then, when receiving the services provided by electronic tickets, authentication is performed between a storage device for storing the electronic ticket information and a checking device for checking the electronic ticket information so as to authenticate both the storage device and the checking device as authorized devices in the electronic ticketing system. This authentication operation is performed by, for example, sending a special command from the checking device to the storage device according to an encryption technique. If both the storage device and the checking device are authenticated, the electronic ticket information stored in the storage device is transmitted from the storage device to the checking device.
As described above, according to the first method, by authenticating the storage unit and the checking unit for sending and receiving the electronic ticket information as authorized devices, it is possible to prevent the electronic ticket information from being illegally leaked to unauthorized devices.
Thus, in the first method, in order to validate the rights of electronic tickets, it is necessary to check whether a device to communicate with is authorized. Accordingly, electronic tickets according to the first method are not as convenient as paper tickets.
That is, with paper tickets, the rights of the tickets can be easily and safely validated by presenting the tickets to receivers without checking who is to receive the tickets or without being anxious about the illegal use of the rights. In the first method, however, the rights cannot be validated until a receiving device is authenticated and electronic ticket information for validating the rights is sent to the receiver.
Accordingly, in the second method, instead of sending and receiving electronic ticket information, predetermined processing is performed by using the electronic ticket information, and a processing result is sent and received. Then, the rights can be validated.
That is, in the second method, by employing a so-called “challenge and response technique”, which is frequently used as an authentication method, the rights can be validated.
More specifically, a checking device for checking electronic tickets generates random numbers, and sends them to a storage device for storing electronic ticket information. Upon receiving the random numbers from the checking device, the storage device processes the random numbers by using private information contained in the electronic ticket information, and sends a processing result back to the checking device. The checking device then processes the processing result sent from the storage device by using public information, and checks whether the electronic ticket is authorized based on the processing result and the random numbers sent to the storage device.
The above-described challenge and response technique is performed by using, for example, a so-called “digital signature”. The private information contained in the electronic ticket information serves as a secret key in a public key cryptosystem, while the public information used by the checking device serves as a public key corresponding to the secret key. The storage device processes the random numbers (challenge) sent from the checking device by using the secret key so as to generate a digital signature, and then, the checking device processes the digital signature (response) by using the public key, thereby verifying the digital signature against the original random numbers.
According to the above-described second method, the secret key, which is the private information contained in the electronic ticket information, cannot be identified from the public key, which is information publicly known. Additionally, during the challenge and response process, the secret key is not leaked outside the storage device. Thus, the rights associated with the electronic tickets can be easily and safely validated for a third party, as in paper tickets.
In the above-described Japanese Unexamined Patent Application Publication No. 11-31204, the following three points are described as the essential functions for electronic tickets.
The first point is a “right copy-preventing function” for preventing the use of tickets copied by illegal users. The second point is a “right-validating function” for proving the validity of the rights associated with electronic tickets to a third party including anonymous users. The third point is an “anonymity function” for guaranteeing the anonymity of the users when utilizing electronic tickets (when receiving the services for the electronic tickets by exercising the rights associated with the electronic tickets).
All of the above-described first through third functions are implemented by known paper tickets, and must also be maintained by electronic tickets without sacrificing the convenience of paper tickets.
In electronic tickets, however, in order to maintain convenience comparable to that of paper tickets, the above-described three features are not sufficient, and the following fourth and fifth functions are required.
A fourth point is an “assignment function” for assigning the rights concerning electronic tickets to the others. A fifth point is a “completeness function” for validating the rights of electronic tickets, i.e., for performing a “right-validating function”, without the need to access a ticket management center or a management database.
The rights of paper tickets can be assigned to others. Thus, the “assignment function” is essential for electronic tickets to maintain a convenience comparable to that of paper tickets.
At a railway station or at an event entrance gate of a venue, the rights of paper tickets can be immediately checked by presenting or giving the tickets, thereby enabling the users to smoothly pass through the corresponding ticket gate. If it is necessary at a ticket gate to perform on-line checking on, for example, credit cards, or searching a database for checking a ticket number against the corresponding information in the database, the users cannot smoothly pass through the ticket gate. In this respect, the “completeness function” for validating the rights of electronic tickets only by using the electronic tickets is essential for the practical use of the electronic tickets.
However, the above-described second method does not satisfy the requirements for the “assignment function” and the “completeness function”.
That is, in the second method, electronic tickets (or information acting as the electronic tickets) are issued by encrypting feature information (for example, secret keys in the public key cryptosystem) unique to the individual electronic tickets with different encryption keys unique to individual storage devices. Additionally, the encrypted feature information stored in the storage device can be decrypted only with the encryption key possessed by the corresponding storage device, thereby implementing the “right copy-preventing function”. In the second method, the “right-validating function” of the electronic tickets is implemented by decrypting the encrypted feature information stored in the storage device with the encryption key stored in the same storage device and by using the decrypted feature information.
Accordingly, in the second method, the feature information of an electronic ticket can be decrypted only in the storage device which has issued the electronic ticket. Thus, the rights associated with the electronic ticket cannot be validated in storage devices other than the storage device which has issued the electronic ticket. This means that an electronic ticket issued in a certain storage device cannot be assigned to another storage device, i.e., the “assignment function” cannot be achieved.
Paper tickets possess two items, such as the “right articles” indicating the content written on paper tickets and the “validity” of the paper tickets which is difficult to forge or copy by the printing technique, the material, the stamp, or the watermark. The “right articles” and the “validity” are closely linked to each other by means of printing. That is, the “right articles” themselves are merely information, and can serve as a ticket when they are provided with the “validity” of electronic tickets represented by paper which is difficult to forge or copy on which the “right articles” are printed.
Thus, paper tickets are formed of the two closely linked items, such as “validity” and “right articles”. With these two items, the five functions, i.e., “right copy-preventing function”, “right-validating function”, “anonymity function”, “assignment function”, and “completeness function”, are fulfilled.
Between the “validity” and the “right articles” unique to paper tickets, the “validity” is particularly difficult to digitize while maintaining the features of paper tickets. Accordingly, in the second method, the “right copy-preventing function” is fulfilled at the expense of portability, which is a feature of paper tickets. That is, in the second method, the “validity” of electronic tickets is linked to a specific storage device, and the “right copy-preventing function” is fulfilled at the expense of the “assignment function”.
Additionally, in the second method, the above-described challenge and response authentication technique is employed for validating the rights of electronic tickets. In this technique, a checking device sends an ID number for identifying a secret key to a storage device. By using the ID number, the storage device generates a digital signature from random numbers generated by the checking device. In the storage device, as discussed above, a secret key, which is feature information unique to each electronic ticket, is encrypted with an encryption key unique to the storage device. Upon receiving the ID number from the checking device, the storage device searches for the secret key corresponding to the ID number. The storage device then decrypts the secret key with the encryption key unique to the storage device, and processes the random numbers sent from the checking device by using the secret key, thereby generating a digital signature. The digital signature is then sent to the checking device, and the checking device processes the digital signature with the public key corresponding to the secret key specified by the ID number sent to the storage device. Then, the checking device verifies the digital signature based on a processing result, and validates (checks) the rights associated with the electronic ticket.
In the second method, therefore, by using the challenge and response authentication technique, as in paper tickets, the rights can be safely verified (validated) without exposing the secret key, which indicates the rights associated with the electronic ticket, outside the storage device.
However, in the second method, information for verifying (validating) the rights of an electronic ticket, i.e., in this case, information required for verifying the rights of an electronic ticket by the challenge and response authentication technique, is separately provided from the electronic ticket information, and such information must be identified by the checking device.
More specifically, in the second method, the public key corresponding to a secret key indicating the rights of an electronic ticket, and the ID number for identifying the secret key are publicized and registered in a ticket management center. Thus, in order to validate the rights associated with the electronic ticket, the checking device must access the ticket management center to obtain the ID number and the corresponding public key.
If the content of the rights validated by the checking device is always the same, the checking device has to access the ticket management center only once to obtain the ID number and the corresponding public key. However, considering the widespread use of electronic tickets, it is not practical to assume that the content of the rights validated by the checking device is always the same.
More specifically, assuming that railway tickets are implemented by electronic tickets, a ticket gate, which serves as a checking device, has to check electronic tickets, which are issued daily at different stations and which have different right contents depending on whether the ticket is for a local train or an express. Accordingly, the checking device is required to access the ticket management center to obtain an ID number, which differs according to the station, the day, and the type of train, and the corresponding public key. Thus, the time required for checking the electronic ticket is increased, thereby impeding the smooth passage of users through the ticket gates. This problem originates from the lack of the “completeness function” for validating the rights only by using electronic tickets.
The lack of the “completeness function” adversely influences the “assignment function”. That is, without the “completeness function”, to assign an electronic ticket, the checking device is required to access the ticket management center to verify whether the electronic ticket is valid, as discussed above. Accordingly, even if the “assignment function” is simply added to the electronic ticket, checking for the validity of the electronic tickets becomes complicated unless the electronic ticket has the “completeness function”, thereby hampering the assignment of electronic tickets.
That is, generally, the validity of a paper ticket can be checked by examining the paper ticket. In other words, the validity of a paper ticket can be checked and be assigned from any user.
However, as discussed above, the validity of electronic tickets without the “completeness function” cannot be checked immediately. Thus, the electronic tickets cannot be assigned in a practical sense even if they are provided with the “assignment function”. In other words, electronic tickets can be assigned only from the issuer of the tickets to users.