How to use information related to user identification cards
A quantum key distribution network secures My Number card authentication by encrypting user information and using shared quantum keys for secure device authentication, addressing security vulnerabilities and information leakage risks.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- NAT INST OF INFORMATION & COMM TECH
- Filing Date
- 2024-12-09
- Publication Date
- 2026-06-19
AI Technical Summary
Current methods for using My Number cards via smartphones face security vulnerabilities due to reliance on smartphone security, require model-specific operations, and risk information leakage through backdoors or device disposal.
Implement a quantum key distribution network for secure device authentication, encrypt user information on a smartphone, and perform authentication using a shared quantum key to enhance confidentiality.
Ensures secure personal authentication without data leaks by using quantum keys for device authentication and encrypted user information transmission.
Smart Images

Figure 2026100469000001_ABST
Abstract
Description
Technical Field
[0007]
[0001] This invention relates to a method of using information related to a user-specific card. More specifically, this invention relates to an authentication method for a My Number card that enhances confidentiality by performing device authentication and personal authentication.
Background Art
[0002] When currently using a My Number card via the Internet, the My Number card is read with a smartphone, and an electronic certificate for the smartphone is used.
[0003] In the above method, there is a problem that the security during communication depends on the security of communication with the smartphone. Also, there is a problem that the same operation is required when changing the smartphone model. Furthermore, when authentication is performed with a smartphone, there is a risk of information leakage due to backdoors or device disposal.
[0004] On the other hand, Japanese Patent Application Laid-Open No. 2024-064581 describes an authentication system that performs mutual authentication and message authentication in a quantum key distribution network.
Prior Art Documents
Patent Documents
[0005]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0008] The method of using the user identification card information described in this specification includes a quantum key sharing step, a device authentication step, a post-encryption user information acquisition step, a post-encryption user information transmission step, a decryption step, and an authentication step. The quantum key sharing process is the process by which the user terminal and the management terminal share a quantum key (cryptographic key). The device authentication process is the process in which the management terminal authenticates the user terminal using a quantum key. The process of obtaining encrypted user information involves the user terminal encrypting information related to the user identification card using a quantum key, and obtaining the encrypted user information. The process of transmitting encrypted user information is the process in which the user terminal transmits encrypted user information to the management terminal. The decryption process involves the management terminal using a quantum key to decrypt encrypted user information and obtain information related to the user identification card. The authentication process is the process in which the management terminal uses information related to the user identification card to authenticate the user's identity. [Effects of the Invention]
[0009] By using quantum keys for device authentication and then performing authentication based on user information using the authenticated device, personal authentication can be performed securely and without risk of data leaks. [Brief explanation of the drawing]
[0010] [Figure 1] Figure 1 is a block diagram illustrating an example configuration of a user identification card usage system. [Figure 2] Figure 2 is a conceptual diagram illustrating an example of symmetric key storage using a quantum key distribution (QKD) network. [Modes for carrying out the invention]
[0011] Figure 1 is a block diagram illustrating an example configuration of a user identification card usage system. This example includes a QKD network control unit 21 in a quantum key distribution (QKD) network 23, a first trusted node 25 (trusted node A) which is one of several network nodes in the QKD network 23, and a second trusted node 27 (trusted node B) which is one of several network nodes in the QKD network 23. In the example in Figure 1, a user terminal 3 (e.g., a smartphone) is connected to the first trusted node 25 so that it can exchange information. However, if the user moves, for example, the user's smartphone will be connected to a network node corresponding to the location of their movement.
[0012] User terminal 3 is a portable device owned by the user. Examples of user terminal 3 include smartphones, mobile phones, personal computers, smartwatches, and tablets. User terminal 3 has a computer or processor. User terminal 3 usually has a camera or other imaging unit. User terminal 3 also usually has a temporary (volatile) memory unit such as RAM. User terminal 3 can photograph user identification card 5. When user terminal 3 photographs user identification card 5, the image of user identification card 5 is appropriately stored in user terminal 3. User identification card 5 analyzes the stored image of user identification card 5 and reads the user identification information (user information) that is written on or associated with user identification card 5. Then, user terminal 3 appropriately stores the user information. Examples of user identification card 5 include My Number cards, driver's licenses, health insurance cards, passports, and employee ID cards. Examples of user information include one or more of the following: image of user identification card 5, My Number, name, identification number, driver's license number, insurance number, passport number, employee number, telephone number, and date of birth.
[0013] Quantum key distribution (QKD) is publicly known. The QKD network used in this specification may utilize publicly known networks as appropriate. Examples of QKD are described, for example, in Japanese Patent Publication No. 2023-149074, Japanese Patent Publication No. 2023-93938, and Japanese Patent Publication No. 2024-64581. QKD is based on a configuration in which a single-photon transmitter and receiver are directly connected by an optical fiber link consisting of a quantum channel and a classical channel. For example, in a QKD scheme called BB84, the transmitter sends a single-photon encoding 1 bit of information onto the quantum channel, and after the receiver detects it, it is shared as random number information after exchanging control information on the classical channel. In other words, QKD performs cryptographic key sharing at the lower QKD layer and uses that cryptographic key to perform encrypted communication at the upper application layer.
[0014] The first trusted node 25 (Trusted Node A) includes a first QKD device 31, a first key manager 33, and a first communication confidentiality proxy server 35. These may be controlled by a computer (or processor). The QKD device is an element for performing quantum key distribution. The key manager is an element for managing cryptography. For example, the key manager may issue cryptographic keys (e.g., one-time pads) to be used on classical channels in accordance with instructions from the QKD device. The communication confidentiality proxy server is an element for performing secure communication. For example, the communication confidentiality proxy server confidentializes information using cryptographic keys (e.g., one-time pads) issued by the key manager, and then communicates the confidentialized information on classical channels. The term "includes" does not require physical inclusion; it is sufficient that the elements are connected in a way that allows for the exchange of information.
[0015] The second trusted node 27 (trusted node B) includes a second QKD device 41, a second key manager 43, a second communication privacy proxy server 45, and an authentication server 47. The authentication server 47 is an element for performing authentication related to the user identification card 5. The authentication server 47 may be, for example, a terminal of a public institution or a terminal of a commercial facility.
[0016] Next, we will explain an example of how information related to User Identification Card 5 can be used. The following is an example of a user performing personal authentication using their My Number Card with a smartphone. The user launches a personal authentication application (app) on their smartphone. The smartphone has a program for personal authentication applications installed. Then, following the instructions of the app, the user takes a picture of their My Number Card. The image of the My Number Card is stored and analyzed on the smartphone as appropriate, and the My Number is (temporarily) stored. The My Number may be temporarily stored in the smartphone's volatile memory.
[0017] The application transmits the information a user is attempting to authenticate to a management terminal. An example of a management terminal is the authentication server 47. The authentication server 47 instructs the second QKD device 41 of the second trusted node 27 (trusted node B) to issue a quantum key. The second QKD device 41 then issues a quantum key. The issued quantum key is transmitted to the authentication server 47 via the second key manager 43. The second trusted node 27 functions as a QKD transmitter. As a result, the second communication privacy proxy server 45 and the first communication privacy proxy server 35 of the first trusted node 25 (trusted node A) can exchange information using a classical channel. Meanwhile, the second QKD device 41, the second key manager 43, the first QKD device 31, and the first key manager 33 distribute QKD keys.
[0018] The user's smartphone receives a symmetric key (quantum key) from the first trusted node 25 (trusted node A), which is a trusted node of the QKD network. In this way, the user's smartphone obtains the symmetric key of the encryption key issued by the second QKD device 41 and stores it in its memory as appropriate. Note that the symmetric key may be acquired by the smartphone by other means. The authentication server 47 shares the symmetric key with the user's smartphone. The smartphone may temporarily store the encryption key and one-time password in its volatile memory. In this way, the user terminal 3 and the management terminal can share the quantum key (encryption key). Note that the smartphone may encrypt the My Number in advance according to a protocol stored in the application, and then encrypt the encrypted My Number using the symmetric key and one-time password. An example of a protocol is to increment the number of each digit of the My Number by one, so that 9 becomes 0. The authentication server 47 also obtains this encryption protocol and, during decryption, performs a process symmetric to the encryption (decrementing the number of each digit by one, setting 0 to 9). The My Number Card has the My Number written in the numerical part, and the QR code part is linked to the My Number. Therefore, this system may encrypt each part, and the authentication server 47 may decrypt each part and authenticate the My Number if the My Number derived from the numerical part matches the My Number derived from the QR code part. For the QR code part, for example, the QR code part may be divided into multiple parts (e.g., 4 divisions, 8 divisions, 9 divisions, 16 divisions), and each part may be encrypted and decrypted. In addition, multiple types of division shapes (division by wavy lines, diagonal division, division with different areas, etc.) may be stored, and the QR code part may be divided based on the shape of the division read randomly.
[0019] The user's smartphone and the authentication server 47 perform device authentication using a shared symmetric key. Since device authentication using a symmetric key is well-known, a well-known method may be appropriately used. An example of a device authentication method is Wegman-Carter authentication. Wegman-Carter authentication records the content communicated between two parties and creates a digest using a pre-shared key. Next, when starting communication, the digests of each other are exchanged, and mutual authentication is performed by confirming that they are correct. A new key is used for each authentication. In this way, the management terminal can authenticate the user terminal 3 using a quantum key.
[0020] The user's smartphone encrypts the My Number using a symmetric key, such as a one-time password (OTP). The encrypted My Number may be temporarily stored in the volatile memory of the smartphone. Note that the encryption method may be not only OTP but also a well-known method. Another example of encryption is the Advanced Encryption Standard (AES) method. In this way, the user terminal 3 can encrypt information related to the user identification card 5 using a quantum key and obtain the encrypted user information. It may be associated with an ID that can identify the user (such as the manufacturing number of the smartphone, the card ID, etc.). In this case, the ID that can identify the user (such as the manufacturing number of the smartphone, the card ID, etc.) may be encrypted and transmitted to the authentication server 47.
[0021] Next, the smartphone transmits the encrypted My Number to the authentication server 47. Information regarding encryption is shared between the user terminal 3 such as the smartphone and the management terminal such as the authentication server 47. Therefore, the My Number information encrypted using the shared encryption key is transmitted toward the authentication server 47. In this way, the user terminal 3 can transmit the encrypted user information to the management terminal. This communication may be performed, for example, via the second communication anonymization proxy server 45 of the second trusted node 27 (Trusted Node B).
[0022] Since the authentication server 47 has received an encryption key such as a one-time password from the second key manager 43, it can decrypt the encrypted My Number. In this way, the management terminal can use the quantum key to decrypt the encrypted user information and obtain information about the user identification card 5.
[0023] The authentication server 47 stores various information related to the My Number Card. For example, the authentication server 47 uses the decrypted My Number Card to authenticate the user. In this way, the management terminal can authenticate the user using information related to the user identification card 5. The authentication server 47 can read information about the authenticated individual from the server and perform various services. Alternatively, the authentication server 47 may perform personal authentication using an ID that can identify the user (such as the smartphone's serial number or card ID). In this case, since identification information unrelated to the My Number, such as the smartphone's serial number, is used for personal authentication using the My Number, the confidentiality and accuracy of the authentication can be improved.
[0024] This specification also discloses a program for causing a computer to perform a method of using information related to a user identification card 5, which includes a quantum key sharing step, a device authentication step, a post-encryption user information acquisition step, a post-encryption user information transmission step, a decryption step, and an authentication step, as well as a non-temporary information recording medium storing such a program. [Examples]
[0025] Figure 2 is a conceptual diagram illustrating an example of storing symmetric keys using a quantum key distribution (QKD) network. Symmetric keys are stored on a smartphone, either through the quantum key distribution network or manually. The key sharing is between two parties: a public institution such as a ward office, city hall, or My Number Portal server, and the smartphone. Next, multi-factor authentication is performed when using the My Number Card. The user receives the symmetric key at a trusted node of the QKD network. For subsequent authentication, the authentication server needs to be able to determine which user possesses which symmetric key. Therefore, the authentication server links the supplied symmetric key with an ID that can identify the user (such as the smartphone's serial number or card ID). By using a symmetric key stored in a communication device such as a smartphone, Wegman-Carter authentication is employed to perform information-theoretically secure device authentication between two parties possessing the symmetric key. Furthermore, to transmit personal authentication data stored on the My Number Card to public institutions via encrypted communication from the authenticated smartphone, the data is temporarily stored in volatile memory, and encrypted communication is performed using either one-time pad (OTP) encryption or AES encryption with the aforementioned symmetric key. [Industrial applicability]
[0026] This invention can be used in fields such as the information utilization industry. [Explanation of Symbols]
[0027] 1 System 3. User terminals 5. User Identification Card 21 QKD Network Control Unit 23 QKD Network 25 Trusted Nodes 27 Trusted Nodes 31 QKD equipment 33 Key Manager 35. Proxy server for concealing communications 41 QKD equipment 43 Key Manager 45. Proxy server for concealing communications 47 Authentication Server
Claims
1. The process involves the user terminal and the management terminal sharing a quantum key, and The management terminal performs a device authentication step, which is a step of authenticating the user terminal using the quantum key, The user terminal performs an encrypted user information acquisition step, which is the step of encrypting information related to the user identification card using the quantum key and obtaining encrypted user information, The user terminal transmits encrypted user information to the management terminal in an encrypted user information transmission step, The management terminal performs a decryption step, which is the step of decrypting the encrypted user information using the quantum key and obtaining information about the user identification card, The management terminal includes an authentication step, which is a step of performing personal authentication of the user using information related to the user identification card, How information related to user identification cards is used.
2. The method according to claim 1, The method includes, in the quantum key sharing step, receiving the quantum key from a trusted node of the quantum key distribution network to which the management terminal is connected.
3. The method according to claim 1, The method includes a step of temporarily storing the quantum key in the user terminal during the quantum key sharing process.
4. The method according to claim 1, The aforementioned user identification card is a My Number Card. The information regarding the aforementioned user identification card includes the My Number (Social Security Number).