Information processing apparatus, information processing method, and program
阅读说明:本技术 信息处理设备、信息处理方法和程序 (Information processing apparatus, information processing method, and program ) 是由 中津留勉 下地克弥 于 2019-01-11 设计创作,主要内容包括:提供一种信息处理设备,包括:处理单元,所述处理单元被配置成使用分配给记录介质的多个区域的密钥进行计算,并生成认证密钥。所述处理单元通过使用对应于密钥的转换值进行计算来生成认证密钥,所述转换值是通过使用与在计算中所使用的密钥相关联的转换方法,转换特定于设备的信息而获得的。(There is provided an information processing apparatus including: a processing unit configured to perform calculation using keys assigned to a plurality of areas of the recording medium, and generate an authentication key. The processing unit generates an authentication key by performing calculation using a conversion value corresponding to a key, the conversion value being obtained by converting device-specific information using a conversion method associated with the key used in the calculation.)
1. An information processing apparatus comprising:
a processing unit configured to perform calculation using keys assigned to a plurality of areas of a recording medium and generate an authentication key,
wherein the processing unit generates an authentication key by performing calculation using a conversion value corresponding to the key, the conversion value being obtained by converting device-specific information using a conversion method associated with the key used in the calculation.
2. The information processing apparatus according to claim 1, wherein the processing unit performs the calculation using a conversion value corresponding to a key used in the calculation, each time the calculation using the key is performed.
3. The information processing apparatus according to claim 1, wherein after performing the calculation using the key, the processing unit performs the calculation using a conversion value corresponding to the key.
4. The information processing apparatus according to claim 1, wherein the processing unit performs calculation using a synthesized value obtained by synthesizing a converted value corresponding to the key, after performing calculation using the key.
5. The information processing apparatus according to claim 1, wherein the processing unit specifies a conversion method associated with each key based on setting information associated with the area.
6. The information processing apparatus according to claim 1,
wherein the conversion method includes not converting the device-specific information, an
In a case where the conversion method associated with one key indicates that the device-specific information is not converted, the processing unit does not perform calculation using the conversion value corresponding to the one key.
7. An information processing apparatus comprising:
a processing unit configured to generate an authentication key used in an authentication process and perform the authentication process using the generated authentication key,
wherein the processing unit
A plurality of first degenerate keys obtained by synthesizing a plurality of keys assigned to areas of the recording medium are generated,
generating a second degenerate key obtained by synthesizing the generated plurality of first degenerate keys, and
the authentication process is performed using the second degenerate key as an authentication key.
8. The information processing apparatus according to claim 7, wherein in the processing unit, encryption schemes supported by the plurality of first degenerate keys are identical to each other.
9. The information processing apparatus according to claim 7, wherein in said processing unit, the encryption schemes supported by the plurality of first degenerate keys include a plurality of encryption schemes.
10. An information processing apparatus comprising:
a processing unit configured to perform an authentication process using, as an authentication key, a degenerate key obtained by synthesizing a plurality of keys assigned to areas of a recording medium, and to control execution of a process related to a service authenticated in the authentication process,
wherein, in a case where the authentication processing is performed a plurality of times, the processing unit makes executable a process related to a service authenticated in any one authentication processing.
11. The information processing apparatus according to claim 10, wherein in a case where the authentication process is performed a plurality of times, the processing unit changes the service-related process to be made executable based on a parameter of a command acquired from the external apparatus before the authentication process is performed.
12. The information processing apparatus according to claim 11, wherein the processing unit changes the service-related process to be made executable into a process related to the service authenticated in any one of the authentication processes, or a process related to the service authenticated in the authentication process performed most recently, based on a parameter of the command.
13. An information processing method performed by an information processing apparatus, comprising:
performing calculation using keys assigned to a plurality of areas of the recording medium, and generating an authentication key,
wherein in the generation of the authentication key, the authentication key is generated by performing calculation using a conversion value corresponding to the key, the conversion value being obtained by converting device-specific information using a conversion method associated with the key used in the calculation.
14. An information processing method performed by an information processing apparatus, comprising:
generating an authentication key used in the authentication process; and
the authentication process is performed using the generated authentication key,
wherein, in the generation of the authentication key,
generating a plurality of first degenerate keys obtained by synthesizing a plurality of keys assigned to areas of the recording medium, and
generating a second degenerate key obtained by synthesizing the generated plurality of first degenerate keys, and
in performing the authentication process, the authentication process is performed using the second degenerate key as an authentication key.
15. An information processing method performed by an information processing apparatus, comprising:
performing authentication processing using, as an authentication key, a degenerate key obtained by synthesizing a plurality of keys assigned to areas of the recording medium; and
controls execution of processes related to the service authenticated in the authentication process,
when the authentication process is performed a plurality of times, the execution control makes executable a process related to a service authenticated in any one authentication process.
16. A program that causes a computer to implement:
a function of performing calculation using keys assigned to a plurality of areas of the recording medium, and generating an authentication key,
wherein the function of generating an authentication key includes generating an authentication key by performing calculation using a conversion value corresponding to the key, the conversion value being obtained by converting device-specific information using a conversion method associated with the key used in the calculation.
17. A program that causes a computer to implement:
a function of generating an authentication key used in the authentication process; and
a function of performing an authentication process using the generated authentication key,
wherein the generating function comprises
Generating a plurality of first degenerate keys obtained by synthesizing a plurality of keys assigned to areas of the recording medium, and
generating a second degenerate key obtained by synthesizing the generated plurality of first degenerate keys, and
the function of performing the authentication process includes performing the authentication process using the second degenerate key as an authentication key.
18. A program that causes a computer to implement:
a function of performing authentication processing using, as an authentication key, a degenerate key obtained by synthesizing a plurality of keys assigned to areas of the recording medium; and
a function of controlling execution of a process related to a service authenticated in the authentication process,
wherein, in the case where the authentication process is performed a plurality of times, the function of controlling the execution includes making executable a process related to a service authenticated in any one of the authentication processes.
Technical Field
The present disclosure relates to an information processing apparatus, an information processing method, and a program.
Background
A technique for managing resources of a data storage device such as an IC card has been developed. As the above-described technique, for example, there is a technique described in the following patent document 1.
CITATION LIST
Patent document
PTL 1:JP 2000-36021A
Disclosure of Invention
Technical problem
For example, there is a device that needs to perform authentication using an authentication key in order to access an area, data, or the like of a recording medium.
The present disclosure proposes an information processing apparatus, an information processing method, and a program that are novel and improved and that are capable of improving the convenience of authentication using an authentication key.
Solution to the problem
According to an embodiment of the present disclosure, there is provided an information processing apparatus including: a processing unit configured to perform calculation using keys assigned to a plurality of areas of the recording medium, and generate an authentication key. The processing unit generates an authentication key by performing calculation using a conversion value corresponding to a key, the conversion value being obtained by converting device-specific information using a conversion method associated with the key used in the calculation.
In addition, according to an embodiment of the present disclosure, there is provided an information processing apparatus including: a processing unit configured to generate an authentication key used in an authentication process and perform the authentication process using the generated authentication key. The processing unit generates a plurality of first degenerate keys obtained by synthesizing a plurality of keys assigned to areas of the recording medium, generates a second degenerate key obtained by synthesizing the generated plurality of first degenerate keys, and performs authentication processing using the second degenerate key as an authentication key.
In addition, according to an embodiment of the present disclosure, there is provided an information processing apparatus including: a processing unit configured to perform an authentication process using, as an authentication key, a degenerate key obtained by synthesizing a plurality of keys assigned to areas of a recording medium, and to control execution of a process related to a service authenticated in the authentication process. In the case where the authentication process is performed a plurality of times, the processing unit makes a process related to a service authenticated in any one authentication process executable.
In addition, according to an embodiment of the present disclosure, there is provided an information processing method performed by an information processing apparatus, including: a key assigned to a plurality of areas of the recording medium is used for calculation, and an authentication key is generated. In the generation of the authentication key, the authentication key is generated by performing calculation using a conversion value corresponding to the key, the conversion value being obtained by converting device-specific information using a conversion method associated with the key used in the calculation.
In addition, according to an embodiment of the present disclosure, there is provided an information processing method performed by an information processing apparatus, including: generating an authentication key used in the authentication process; and performing an authentication process using the generated authentication key. In the generation of the authentication key, a plurality of first degenerate keys obtained by synthesizing a plurality of keys assigned to the areas of the recording medium are generated, and a second degenerate key obtained by synthesizing the generated plurality of first degenerate keys is generated, and in performing the authentication process, the authentication process is performed using the second degenerate key as the authentication key.
In addition, according to an embodiment of the present disclosure, there is provided an information processing method performed by an information processing apparatus, including: performing authentication processing using, as an authentication key, a degenerate key obtained by synthesizing a plurality of keys assigned to areas of the recording medium; and controlling execution of a process related to the service authenticated in the authentication process. In the case where the authentication process is performed a plurality of times, in the control of execution, the process related to the service authenticated in any one authentication process is made executable.
Further, according to an embodiment of the present disclosure, there is provided a program that causes a computer to realize: a function of performing calculation using keys assigned to a plurality of areas of the recording medium, and generating an authentication key. The function of generating the authentication key includes generating the authentication key by performing calculation using a conversion value corresponding to the key, the conversion value being obtained by converting the device-specific information using a conversion method associated with the key used in the calculation.
Further, according to an embodiment of the present disclosure, there is provided a program that causes a computer to realize: a function of generating an authentication key used in the authentication process; and a function of performing authentication processing using the generated authentication key. The generating function includes generating a plurality of first degenerate keys obtained by synthesizing a plurality of keys assigned to the areas of the recording medium, and generating a second degenerate key obtained by synthesizing the plurality of generated first degenerate keys, and the performing the authentication process includes performing the authentication process using the second degenerate key as the authentication key.
Further, according to an embodiment of the present disclosure, there is provided a program that causes a computer to realize: a function of performing authentication processing using, as an authentication key, a degenerate key obtained by synthesizing a plurality of keys assigned to areas of the recording medium; and a function of controlling execution of a process related to the service authenticated in the authentication process. In the case where the authentication process is performed a plurality of times, the function of controlling execution includes making executable a process related to a service authenticated in any one authentication process.
The invention has the advantages of
According to the embodiments of the present disclosure, the convenience of authentication using an authentication key can be improved.
Note that the above effects are not necessarily restrictive. Any one of the effects described in the present specification or other effects that can be understood from the present specification can be achieved in addition to or instead of the above-described effects.
Drawings
Fig. 1 is an explanatory diagram illustrating an example of the configuration of an information processing system according to the present embodiment.
Fig. 2 is a functional block diagram illustrating an example of the configuration of an information processing apparatus according to the present embodiment.
Fig. 3 is an explanatory diagram illustrating an example of the hardware configuration of the information processing apparatus according to the present embodiment.
Fig. 4 is an explanatory diagram illustrating an example of the configuration of the IC chip and the antenna illustrated in fig. 3.
Fig. 5 is an explanatory diagram illustrating an example of a hardware configuration of a reader/writer (relay device) according to the present embodiment.
Fig. 6 is an explanatory diagram illustrating an example of the hardware configuration of the server according to the present embodiment.
Fig. 7 is an explanatory diagram for describing the information processing method according to the present embodiment.
Fig. 8 is an explanatory diagram illustrating a first generation example of the authentication key relating to the information processing method according to the first embodiment.
Fig. 9 is an explanatory diagram illustrating a second generation example of the authentication key related to the information processing method according to the first embodiment.
Fig. 10 is an explanatory diagram illustrating a third generation example of the authentication key relating to the information processing method according to the first embodiment.
Fig. 11 is an explanatory diagram illustrating an example of generation of an authentication key related to the information processing method according to the second embodiment.
Fig. 12 is an explanatory diagram for describing processing corresponding to the information processing method according to the third embodiment.
Detailed Description
Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. Note that in the present specification and the drawings, structural elements having substantially the same functions and structures are denoted by the same reference numerals, and repeated descriptions of these structural elements are omitted.
Further, the following description will be made in the following order.
1. Information processing system according to the present embodiment and information processing method according to the present embodiment
(1) Configuration of information processing system according to the present embodiment
(1-1)
(1-2) reader/writer 200 (Relay device)
(1-3) Server 300
(1-4) application examples of respective devices constituting the information processing system according to the present embodiment
(2) Processing corresponding to the information processing method according to the present embodiment
(2-1) information processing method according to the first embodiment
(2-2) information processing method according to the second embodiment
(2-3) information processing method according to the third embodiment
(2-4) information processing method according to other embodiment
2. The procedure according to the present embodiment
(information processing system according to the present embodiment and information processing method according to the present embodiment)
Next, an example of the information processing system according to the present embodiment will be described first, and then the information processing method according to the present embodiment will be described by taking as an example a case applied to the information processing system according to the present embodiment.
(1) Configuration of information processing system according to the present embodiment
Fig. 1 is an explanatory diagram illustrating an example of the configuration of an information processing system 1000 according to the present embodiment. The information processing system 1000 includes, for example, the
Further, the configuration of the information processing system according to the present embodiment is not limited to the example illustrated in fig. 1. For example, the information processing system according to the present embodiment may include a plurality of
The
Further, in the information processing system according to the present embodiment, for example, the
The server 300 and the reader/
Further, in the information processing system according to the present embodiment, the server 300 and the reader/
The server 300 and the
Further, in the information processing system according to the present embodiment, the server 300 and the
Next, a case where "the
(1-1)
Fig. 2 is a functional block diagram illustrating an example of the configuration of the
The
In addition, the
The ROM (not shown) stores programs used by the
An operation input device illustrated in a hardware configuration example of the
(example of hardware configuration of information processing apparatus 100)
Fig. 3 is an explanatory diagram illustrating an example of the hardware configuration of the
The
The MPU 150 is configured by one or more processors configured by a Microprocessor (MPU) or the like, various processing circuits, and the like, and functions as the
The ROM 152 stores programs used by the MPU 150, control data such as calculation parameters, and the like. The RAM 154 temporarily stores, for example, programs executed by the MPU 150, and the like.
The recording medium 156 is a single recording medium that functions as a storage unit (not shown). The recording medium 156 stores, for example, various types of data such as various types of applications. Here, examples of the recording medium 156 include a magnetic recording medium such as a hard disk and a nonvolatile memory such as a flash memory. Further, the recording medium 156 may be removable from the
The input/output interface 158 is connected to, for example, an operation input device 160 or a display device 162. The operation input device 160 functions as an operation unit (not shown), and the display device 162 functions as a display unit (not shown). Here, examples of the input/output interface 158 include a Universal Serial Bus (USB) terminal, a Digital Visual Interface (DVI) terminal, a high-definition multimedia interface (HDMI) (registered trademark) terminal, and various processing circuits.
Further, for example, an operation input device 160 is mounted on the
Further, for example, the display device 162 is mounted on the
Further, it is to be understood that the input/output interface 158 may be connected to an external device such as an external operation input device (e.g., a keyboard or a mouse) or an external display device serving as an external device of the
The communication interface 164 is a communication device for performing communication of one communication scheme supported by the
The
The
Fig. 4 is an explanatory diagram illustrating an example of the configuration of the
The
The
Further, the
The
The
Here, examples of the
For example, the
The
The
The
The MPU180 is driven using the driving voltage output from the
Further, the MPU180 generates a control signal for controlling load modulation associated with a response to an external device such as the reader/
The
With the above configuration, the
The
The
For example, in the case where communication with an external apparatus is performed via an external communication apparatus having a function and configuration similar to those of the communication interface 164, or in the case where communication of one of the communication schemes described above is not performed, the
Further, for example, in the case where communication with an external apparatus is performed via an external communication apparatus similar in function and configuration to the
Further, in the case where communication with an external device is performed in a communication scheme other than NFC (such as wireless communication using IEEE 802.15.1), the
Further, the
Further, for example, the
Further, for example, the configuration illustrated in fig. 3 (or the configuration according to the modification) may be realized by one or two or more Integrated Circuits (ICs).
Referring back to fig. 2, an example of the configuration of the
Here, for example, a communication antenna and an RF circuit (wireless communication), an IEEE802.15.1 port and a transceiver circuit (wireless communication), an IEEE 802.11 port and a transceiver circuit (wireless communication), a LAN terminal and a transceiver circuit (wired communication), and the like may be used as the
The
Here, for example, an NFC-enabled communication device such as the
The
The
Further, the configuration of the information processing apparatus according to the present embodiment is not limited to the configuration illustrated in fig. 2.
For example, the information processing apparatus according to the present embodiment may include the
Further, the configuration of the information processing apparatus according to the present embodiment is not limited to the configuration illustrated in fig. 2, and a configuration corresponding to a manner of separating processing according to an information processing method in the
Further, for example, in the case where communication with an external apparatus is performed via an external communication apparatus similar in function and configuration to the
Further, for example, in the case where communication with an external apparatus is performed via an external communication apparatus having a function and constitution similar to the
(1-2) reader/writer 200 (Relay device)
The reader/writer 200 (relay device) is a device that functions as a relay device that relays communication between the server 300 and the
(hardware configuration example of the reader/writer 200)
Fig. 5 is an explanatory diagram illustrating an example of the hardware configuration of the reader/writer 200 (relay apparatus) according to the present embodiment.
The reader/
The
The
The
The
The carrier
The
The
Since the
The reader/
For example, in the case where communication with an external device is performed via an external communication device having a function similar to that of the
Further, in the case where communication with an external apparatus is performed via an external communication apparatus having a function similar to that of the
Further, in the case where communication with an external device is performed in accordance with a communication scheme other than NFC (such as wireless communication using IEEE 802.15.1), the reader/
Further, the reader/
Further, for example, the reader/
Further, for example, the configuration illustrated in fig. 5 (or the configuration according to the modification) may be realized by one or two or more Integrated Circuits (ICs).
(1-3) Server 300
The server 300 is a device that communicates with the
(hardware configuration example of the Server 300)
Fig. 6 is an explanatory diagram illustrating an example of the hardware configuration of the server 300 according to the present embodiment. The server 300 includes, for example, an MPU 350, ROM 352, RAM 354, a recording medium 356, an input/output interface 358, an operation input device 360, a display device 362, and a communication interface 364. Further, for example, the respective components of the server 300 are connected to each other via a bus 366 serving as a data transmission path. Further, the server 300 is driven by, for example, power supplied from an internal power source such as a battery included in the server 300, power supplied from a connected external power source, or the like.
The MPU 350 is configured by one or more processors configured by a calculation circuit such as, for example, an MPU, various processing circuits, and the like, and functions as a control unit (not shown) that controls the server 300 as a whole.
The ROM 352 stores programs used by the MPU 350, control data such as calculation parameters, and the like. The RAM 354 temporarily stores programs executed by the MPU 350, for example.
The recording medium 356 functions as a storage unit (not illustrated), and stores various types of data such as, for example, data related to an information processing method in the server 300 or various types of applications. Here, examples of the recording medium 356 include a magnetic recording medium such as a hard disk and a nonvolatile memory such as a flash memory. Further, the recording medium 356 may be removed from the server 300.
The input/output interface 358 connects, for example, an operation input device 360 or a display device 362. The operation input device 360 functions as an operation unit (not shown), and the display device 362 functions as a display unit (not shown). Here, examples of the input/output interface 358 include a USB terminal, a DVI terminal, an HDMI (registered trademark) terminal, and various processing circuits.
Further, for example, an operation input device 360 is mounted on the server 300, and is connected to the input/output interface 358 in the server 300. For example, a button, a direction key, a rotary selector such as a dial, a combination thereof, or the like may be used as the operation input device 360.
Further, for example, a display device 362 is mounted on the server 300, and is connected to the input/output interface 358 in the server 300. For example, a liquid crystal display or an organic EL display may be used as the display device 362.
Further, it is to be appreciated that the input/output interface 358 can be connected to an external device, such as an operational input device (e.g., keyboard, mouse, etc.) external to the server 300 or an external display device. Further, the display device 362 may be a device on which display and user operation may occur, such as a touch screen.
The communication interface 364 is a communication device for performing communication of one communication scheme supported by the server 300, and functions as a communication unit (not shown) for performing wireless or wired communication with an external device such as the reader/
The server 300 performs various processes such as a settlement process, for example, by a hardware configuration illustrated in fig. 6. Further, the hardware configuration of the server 300 according to the present embodiment is not limited to the configuration illustrated in fig. 6.
For example, in the case where communication with an external device or the like is performed via a connected external communication device, the server 300 may not include the communication interface 364. Further, the communication interface 364 may have a configuration capable of performing communication with one or more external devices or the like in accordance with various communication schemes.
Further, the server 300 may have a configuration in which some or all of the recording medium 356, the operation input device 360, and the display device 362 are not included, for example.
Further, for example, the server 300 may have a hardware configuration according to an application example of the server 300 to be described later.
Further, for example, part or all of the hardware configuration illustrated in fig. 6 (or a configuration according to a modification) may be realized by one or two or more ICs.
(1-4) application examples of respective devices constituting the information processing system according to the present embodiment
Although the
Further, although the reader/writer 200 (relay apparatus) has been described as a component of the information processing system according to the present embodiment, the present embodiment is not limited to such a form. For example, the present embodiment can be applied to any device having a function of relaying communication between devices such as "reader/writer", "device having a reader/writer function", and "communication device communicating in accordance with wireless communication using IEEE802.15.1 such as BLE". Furthermore, the present embodiment can also be applied to a processing IC that can be incorporated into, for example, the above-described apparatus.
Further, although the server 300 has been described as a component of the information processing system according to the present embodiment, the present embodiment is not limited to such a form. The present embodiment is applicable to various devices such as "a computer such as a Personal Computer (PC) or a server", "a tablet device", "a communication device such as a smartphone", "a game machine", and the like. Furthermore, the present embodiment can also be applied to a processing IC that can be incorporated into, for example, the above-described apparatus.
(2) Information processing method according to the present embodiment
Next, processing corresponding to the information processing method according to the present embodiment will be described using the information processing system 1000 illustrated in fig. 1 as an example.
(2-1) information processing method according to the first embodiment
(2-1-1) overview of information processing System 1000 to which information processing method according to the first embodiment is applied
For example, patent document 1 describes the following:
-generating an authentication key using a plurality of hierarchical keys or storage area keys; and
-transforming the authentication key based on the device specific information and using the transformation result for authentication.
Fig. 7 is an explanatory diagram for explaining an information processing method according to the present embodiment, and schematically illustrates an authentication key described in patent document 1.
For example, as illustrated in steps S10, S12, S14, … illustrated in fig. 7, in the technique disclosed in patent document 1, for example, a degenerate key that can function as an authentication key is generated by performing calculation using a plurality of hierarchical keys or storage area keys on a value serving as a base (such as a random number). For example, a degenerate key is generated by sequentially encrypting each key with a value serving as a basis.
Further, as illustrated in step S16 of fig. 7, in the technique disclosed in patent document 1, a degenerate key is converted based on device-specific information (i.e., device-specific data such as a manufacturing ID), and the conversion result is used as an authentication key. In the technique disclosed in patent document 1, the degenerate key is converted, for example, by performing exclusive or between the degenerate key and device-specific information, or by encrypting the degenerate key using device-specific information as a key.
For example, as illustrated in fig. 7, since the degenerate key is converted using the device-specific information, the authentication key is different for each device, so that security can be improved.
Here, when the authentication key is converted using device-specific information as in the technique disclosed in patent document 1, the conversion method is generally kept secret. One of the reasons why the conversion method is kept secret is, for example, because in the case of conversion according to a public key encryption scheme, if the conversion method is known, reverse conversion can be performed.
In the case where the recording medium installed in one apparatus includes areas of a plurality of business operators, or in the case where the secret of the conversion method is leaked from one business operator, it affects all the other business operators. Thus, it is technically possible, but in practice difficult, to share the secrets of the conversion method between a plurality of business operators.
In this regard, the
Since the authentication key is generated based on the device-specific information, the authentication key is different for each device, and thus security can be improved. Further, since the authentication key is generated based on the device-specific information without sharing the secret of the conversion method between the business operators, the influence when the secret of the conversion method is leaked can be reduced, so that "convenience of authentication using the authentication key" in "each business operator and each user of the
Thus, the
(2-1-2) processing corresponding to the information processing method in the
Next, an example of processing corresponding to the information processing method in the
The
As the key related to the present embodiment, for example, an area key for allowing access to a specific area of the recording medium and/or a service key for allowing access to specific data stored in the area of the recording medium may be used. Further, the key according to the present embodiment is not limited to the above-described example, but may be, for example, a hierarchical key described in patent document 1.
In this specification, there is a case where "region" indicates "region" in a file system such as FeliCa (registered trademark) OS. In this case, the "area" corresponds to a directory (or folder).
Further, in this specification, there is a case where "service" indicates "service" in a file system such as FeliCa (registered trademark) OS. In this case, the "service" corresponds to data (or a file) for providing a predetermined service.
As the calculation using the key according to the present embodiment, for example, encryption according to an arbitrary encryption scheme may be used.
Further, when generating the authentication key, the
Encryption according to an arbitrary encryption scheme can be used as the calculation using the conversion value according to the present embodiment.
The conversion value corresponding to the key according to the present embodiment is a value obtained by converting device-specific information using a conversion method associated with each key used in calculation. As the device-specific information in the present embodiment, for example, data specific to the
The
The setting information according to the present embodiment is data indicating a setting related to an area of the recording medium.
As the setting information, for example, "a table (or a database) in which an address indicating an area of the recording medium, a key, and data indicating a conversion method are recorded in association with each area" may be used. As the data indicating the conversion method, for example, data indicating a conversion algorithm using at least device-specific information as an input may be used. The conversion method associated with each key may be the same or may include multiple conversion methods.
For example, as a conversion method stored in the setting information, for example, any algorithm capable of converting a value indicated by the device-specific information into another value may be used.
Further, the conversion method according to the present embodiment is not limited to the above example. For example, the conversion method according to the present embodiment may include not converting the device-specific information into another value.
For example, in the case where the conversion method associated with one key indicates that the device-specific information is not converted, the
Next, an example of generation of an authentication key corresponding to the information processing method according to the first embodiment will be described.
(A) First generation example of authentication key according to first embodiment
Fig. 8 is an explanatory diagram illustrating a first generation example of an authentication key corresponding to the information processing method according to the first embodiment.
The "area/service key a" illustrated in fig. 8 indicates an area key or service key assigned to the area a in the recording medium such as the
Further, the "random number" illustrated in fig. 8 is an example of a value serving as a basis of the authentication key. Further, it is to be understood that according to the present embodiment, the value serving as the basis of the authentication key including the examples illustrated in fig. 9 to 12 to be described later is not limited to the random number. The following description will be continued with a case in which the value serving as the basis of the authentication key is a random number.
The
The
The
The
The
The
The
The
The
For example, as illustrated in fig. 8, each time calculation using a key is performed, the
Further, the first generation example of the authentication key according to the first embodiment is not limited to the example illustrated in fig. 8.
For example, in the example illustrated in fig. 8, an example is illustrated in which the calculation using the key is sequentially performed three times, but the number of times of the calculation using the key may be any number of times, which is two or more times.
Further, as described above, the conversion method according to the present embodiment may include not converting the device-specific information into another value. Further, in the case where the conversion method associated with one key indicates that the device-specific information is not converted, the
(B) Second generation example of authentication key according to first embodiment
Fig. 9 is an explanatory diagram illustrating a second generation example of the authentication key corresponding to the information processing method according to the first embodiment.
The
The
The
The
The
The
The
The
The
For example, as illustrated in fig. 9, the
Further, the second generation example of the authentication key according to the first embodiment is not limited to the example illustrated in fig. 9.
In the second generation example of the authentication key, for example, similarly to the first generation example of the authentication key, the calculation using the key may be performed any number of times, which is two or more times. Further, in the second generation example of the authentication key, similarly to the first generation example of the authentication key, for example, in a case where the conversion method associated with one key indicates that the device-specific information is not converted, calculation using the conversion value corresponding to one key may not be performed.
(C) Third example of generation of authentication key according to the first embodiment
Fig. 10 is an explanatory diagram illustrating a third generation example of an authentication key corresponding to the information processing method according to the first embodiment.
The
The
The
The
The
The
The
The
For example, as illustrated in fig. 10, the
Further, the third generation example of the authentication key according to the first embodiment is not limited to the example illustrated in fig. 10.
In the third generation example of the authentication key, for example, similarly to the first generation example of the authentication key, the calculation using the key may be performed any number of times, which is two or more times. Further, in the third generation example of the authentication key, similarly to the first generation example of the authentication key, for example, in a case where the conversion method associated with one key indicates that the device-specific information is not converted, calculation using the conversion value corresponding to one key may not be performed.
(2-2) information processing method according to the second embodiment
(2-2-1) overview of information processing System 1000 to which information processing method according to the second embodiment is applied
For example, patent document 1 describes the following:
-generating a degenerate key using the plurality of region keys or service keys and authenticating using the degenerate key
Here, in the case where a degenerate key different from the area key and the service key is used in authentication like the technique disclosed in patent document 1, since it is sufficient to store only the degenerate key in the reader/writer, the security of the entire system is improved.
However, in the case of authentication using a degenerate key in accordance with the technique disclosed in patent document 1, services accessible in a device are limited to services corresponding to a service key used to generate the degenerate key. Further, in the case where authentication using a degenerate key according to the technique disclosed in patent document 1 is performed two or more times, only a service corresponding to the degenerate key used in the last authentication is accessible.
Further, in general, a service operator (reader/writer service operator) who develops and installs the reader/writer receives disclosure of the degenerate key from a manager (service provider) of the region key and the service key. Then, in the case where the reader/writer writes a plurality of services managed by a plurality of service providers, respectively, since the number of degenerate keys is two or more, authentication is performed two or more times.
Here, among NFC-enabled devices such as IC cards, there are devices that can write a plurality of services simultaneously in response to a single write command and have a feature that can guarantee atomicity of processing. However, in the conventional technique, when a plurality of degenerate keys are generated and authentication is performed a plurality of times, writing having atomicity cannot be performed.
In this regard, the
Since the re-degenerate key is a key in which a plurality of degenerate keys are synthesized, authentication using the re-degenerate key corresponds to "authentication using a degenerate key of a synthesis source is performed a plurality of times".
Then, when authentication using the re-degenerate key corresponding to the information processing method according to the second embodiment is performed, all services corresponding to the degenerate key of the synthetic source become accessible.
Further, since authentication using the re-degenerate key corresponds to "authentication using the degenerate key of the synthetic source is performed a plurality of times", writing having atomicity can be realized by a single authentication using the re-degenerate key.
Thus, according to the
(2-2-2) processing corresponding to the information processing method in the
Next, an example of processing corresponding to the information processing method in the
The
More specifically, the
Here, the encryption schemes supported by the plurality of first degenerate keys may be the same as or different from each other. In other words, the plurality of encryption schemes supported by the plurality of first degenerate keys may include a plurality of encryption schemes.
Then, the
Fig. 11 is an explanatory diagram illustrating an example of generation of an authentication key corresponding to the information processing method according to the second embodiment.
The
The
The
For example, as illustrated in fig. 11, the
Further, the generation example of the authentication key according to the second embodiment is not limited to the example illustrated in fig. 11.
For example, the example illustrated in fig. 11 illustrates an example in which two first degenerate keys are generated, but the
If a re-degenerate key (second degenerate key) is generated as the authentication key, the
Further, it is to be understood that the
(2-3) information processing method according to the third embodiment
(2-3-1) overview of information processing System 1000 to which information processing method according to the third embodiment is applied
As described in the information processing method according to the second embodiment, in the case where authentication using a degenerate key related to the technique disclosed in patent document 1 is performed a plurality of times, only a service corresponding to the degenerate key used in the last authentication is accessible. Further, as described in the information processing method according to the second embodiment, in the case where authentication using a plurality of degenerate keys is performed a plurality of times in the related art, writing having atomicity cannot be performed.
In this regard, the
More specifically, for example, in the case where the authentication process is performed a plurality of times, the
Thus, in the case where authentication according to the information processing method according to the third embodiment is performed, even if authentication using a degenerate key is performed a plurality of times, all services corresponding to the degenerate key used in the plurality of times of authentication are accessible.
Further, since all services corresponding to the degenerate key used in the plurality of authentications are accessible, writing with atomicity can be realized.
Thus, the
(2-3-2) processing corresponding to the information processing method in the
Next, an example of processing corresponding to the information processing method in the
Further, the
For example, in the case where the authentication process is performed a plurality of times, the
Here, the encryption schemes supported by the degenerate key used in the authentication process performed a plurality of times may be the same as or different from each other. In other words, similar to the plurality of first degenerate keys according to the second embodiment, a plurality of encryption schemes may be included in the encryption scheme supported by the plurality of degenerate keys according to the third embodiment.
Fig. 12 is an explanatory diagram for describing processing corresponding to the information processing method according to the third embodiment.
The
Subsequently, the
The
Subsequently, the
Here, since the degenerate key 2 is a degenerate key based on the service key 5 corresponding to the service 5 and the service key 6 corresponding to the service 6, the service 5 and the service 6 are services that become accessible by the authentication using the degenerate key 2 in step S506. Further, the service 2 and the service 3 become accessible by the authentication using the degenerate key 1 in step S502.
Then, in the example illustrated in fig. 12, in the case where authentication using the degenerate key 2 is performed in step S506, all services (service 2, service 3, service 5, and service 6) that become accessible by authentication using the degenerate key 1 and authentication using the degenerate key 2 become services accessible in the
For example, as illustrated in fig. 12, in the case where the authentication process is performed a plurality of times, the process related to the service authenticated in any one authentication process is executable in the
Further, the processing corresponding to the information processing method according to the third embodiment is not limited to the above-described example.
For example, in the case where the authentication process is performed a plurality of times, the
Specifically, the
In other words, in the information processing system 1000 to which the information processing method according to the third embodiment is applied, at the time of authentication, whether to add or replace an accessible service can be specified by a command parameter.
(2-4) information processing method according to other embodiment
The processing corresponding to the information processing method according to the present embodiment is not limited to the processing corresponding to the information processing method according to the first to third embodiments.
For example, the process corresponding to the information processing method according to the present embodiment may be a process obtained by combining two or more processes from among the processes according to the information processing methods of the first to third embodiments.
(procedure according to the present example)
When a program that causes a computer system to function as the information processing apparatus according to the present embodiment (for example, a program that can realize some or all of the functions of the
Further, when a program that causes the computer system to function as the information processing apparatus according to the present embodiment is executed by a processor or the like in the computer system, the effects obtained by the processing corresponding to the information processing method according to the above-described respective embodiments can be obtained.
It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations, and variations may occur depending on design requirements and other factors insofar as they are within the scope of the appended claims or the equivalents thereof.
For example, an example (computer program) in which a program that causes a computer system to function as the information processing apparatus according to the present embodiment is provided has been described above, but in the present embodiment, a recording medium in which the program is stored may be provided together.
The above-described configuration indicates an example of the present embodiment, and it naturally belongs to the technical scope of the present disclosure.
Further, the effects described in the present specification are merely illustrative or exemplary effects, and are not restrictive. That is, other effects that are obvious to those skilled in the art from the description of the present specification may be achieved according to the technology of the present disclosure in addition to or instead of the above-described effects.
In addition, the present technology may also be configured as follows.
(1) An information processing apparatus comprising:
a processing unit configured to perform calculation using keys assigned to a plurality of areas of a recording medium and generate an authentication key,
wherein the processing unit generates the authentication key by performing calculation using a conversion value corresponding to the key, the conversion value being obtained by converting the device-specific information using a conversion method associated with the key used in the calculation.
(2) The information processing apparatus according to (1), wherein the processing unit performs the calculation using the conversion value corresponding to the key used in the calculation, each time the calculation using the key is performed.
(3) The information processing apparatus according to (1), wherein the processing unit performs calculation using a conversion value corresponding to the key after performing calculation using the key.
(4) The information processing apparatus according to (1), wherein the processing unit performs calculation using a synthesized value obtained by synthesizing a converted value corresponding to the key, after performing calculation using the key.
(5) The information processing apparatus according to any one of (1) to (4), wherein the processing unit specifies a conversion method associated with each key based on the setting information associated with the area.
(6) The information processing apparatus according to any one of (1) to (5),
wherein the conversion method includes not converting device-specific information, an
In a case where the conversion method associated with one key indicates that the device-specific information is not converted, the processing unit does not perform calculation using the conversion value corresponding to the one key.
(7) An information processing apparatus comprising:
a processing unit configured to generate an authentication key used in an authentication process and perform the authentication process using the generated authentication key,
wherein the processing unit
A plurality of first degenerate keys obtained by synthesizing a plurality of keys assigned to areas of the recording medium are generated,
generating a second degenerate key obtained by synthesizing the generated plurality of first degenerate keys, and
the authentication process is performed using the second degenerate key as an authentication key.
(8) The information processing apparatus according to (7), wherein in the processing unit, encryption schemes supported by the plurality of first degenerate keys are identical to each other.
(9) The information processing apparatus according to (7), wherein in the processing unit, the encryption schemes supported by the plurality of first degenerate keys include a plurality of encryption schemes.
(10) An information processing apparatus comprising:
a processing unit configured to perform an authentication process using, as an authentication key, a degenerate key obtained by synthesizing a plurality of keys assigned to areas of a recording medium, and to control execution of a process related to a service authenticated in the authentication process,
wherein, in a case where the authentication processing is performed a plurality of times, the processing unit makes executable a process related to a service authenticated in any one authentication processing.
(11) The information processing apparatus according to (10), wherein, in a case where the authentication process is performed a plurality of times, the processing unit changes the service-related process to be made executable based on a parameter of a command acquired from the external apparatus before the authentication process is performed.
(12) The information processing apparatus according to (11), wherein the processing unit changes the service-related process to be made executable to a process related to the service authenticated in any one of the authentication processes, or a process related to the service authenticated in the authentication process performed most recently, based on the parameter of the command.
(13) An information processing method performed by an information processing apparatus, comprising:
performing calculation using keys assigned to a plurality of areas of the recording medium, and generating an authentication key,
wherein in the generation of the authentication key, the authentication key is generated by performing calculation using a conversion value corresponding to the key, the conversion value being obtained by converting the device-specific information using a conversion method associated with the key used in the calculation.
(14) An information processing method performed by an information processing apparatus, comprising:
generating an authentication key used in the authentication process; and
the authentication process is performed using the generated authentication key,
wherein, in the generation of the authentication key,
generating a plurality of first degenerate keys obtained by synthesizing a plurality of keys assigned to areas of the recording medium, and
generating a second degenerate key obtained by synthesizing the generated plurality of first degenerate keys, and
when performing the authentication process, the authentication process is performed using the second degenerate key as the authentication key.
(15) An information processing method performed by an information processing apparatus, comprising:
performing authentication processing using, as an authentication key, a degenerate key obtained by synthesizing a plurality of keys assigned to areas of the recording medium; and
controls execution of processes related to the service authenticated in the authentication process,
when the authentication process is performed a plurality of times, the execution control makes executable a process related to a service authenticated in any one authentication process.
(16) A program that causes a computer to implement:
a function of performing calculation using keys assigned to a plurality of areas of the recording medium, and generating an authentication key,
wherein the function of generating the authentication key includes generating the authentication key by performing calculation using a conversion value corresponding to the key, the conversion value being obtained by converting the device-specific information using a conversion method associated with the key used in the calculation.
(17) A program that causes a computer to implement:
a function of generating an authentication key used in the authentication process; and
a function of performing an authentication process using the generated authentication key,
wherein the generating function comprises
Generating a plurality of first degenerate keys obtained by synthesizing a plurality of keys assigned to areas of the recording medium, and
generating a second degenerate key obtained by synthesizing the generated plurality of first degenerate keys, and,
the function of performing the authentication process includes performing the authentication process using the second degenerate key as an authentication key.
(18) A program that causes a computer to implement:
a function of performing authentication processing using, as an authentication key, a degenerate key obtained by synthesizing a plurality of keys assigned to areas of the recording medium; and
a function of controlling execution of a process related to a service authenticated in the authentication process,
wherein, in the case where the authentication process is performed a plurality of times, the function of controlling the execution includes making executable a process related to a service authenticated in any one of the authentication processes.
List of reference numerals
100 information processing apparatus
200 reader/writer
300 server
102 first communication unit
104 second communication unit
106 control unit
110 processing unit
1000 information processing system
- 上一篇:一种医用注射器针头装配设备
- 下一篇:使用一次性密码本的安全内容路由