Security systems and methods for managing information within security systems

The security system uses biometric authentication to securely generate and recover master keys in HSMs, addressing the issue of key loss due to accidents or user errors, thereby maintaining data integrity.

JP2026104291A · Pending · Publication Date: 2026-06-25 · KK TOSHIBA

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
KK TOSHIBA
Filing Date
2024-12-13
Publication Date
2026-06-25

AI Technical Summary

Technical Problem

Conventional Hardware Security Modules (HSMs) face issues with the unrecoverable deletion of master keys due to unforeseen accidents or user errors, leading to the loss of encrypted authentication information and user keys.

Method used

A security system comprising a first and second security device, where the first device generates and registers a master key upon successful biometric authentication, and the second device retrieves and decrypts the encrypted master key using a biometric authentication card, enabling secure and recoverable key management.

Benefits of technology

Ensures secure and recoverable management of master keys by integrating biometric authentication, preventing data loss and ensuring the integrity of encrypted information.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention provides a method for managing information in security systems and security devices that securely manage information for protecting data. [Solution] The security system 1 includes a manufacturer's HSM (hardware security module) and a user's HSM. The manufacturer's HSM includes a communication unit 35, a secure ROM 33, and a CPU 31. The secure ROM stores key information registered in the user's HSM used by a specific user. The CPU outputs the key information stored in the secure ROM via the communication unit 35 when the biometric authentication of the specific user by the biometric authentication device is successful. The user's HSM includes a communication unit 45, a ROM 42, and a CPU 41. The ROM 42 has a predetermined memory area for storing key information. The CPU 41 obtains the key information output by the manufacturer's HSM via the communication unit 45 when the biometric authentication of the specific user by the biometric authentication device is successful, and registers the key information in the predetermined memory area.

Description

Technical Field

[0001] Embodiments of the present invention relate to an information management method in a security system and a security device.

Background Art

[0002] As a security device, a Hardware Security Module (HSM) generates a master key as information for securely protecting data inside the HSM during initial setup, and stores the generated master key in a predetermined memory area. The HSM encrypts data such as authentication information and user keys using the master key stored in the predetermined memory area, and stores the encrypted data such as authentication information and user keys (encrypted data) in a secure memory (secure ROM). When using authentication information, the HSM decrypts the encrypted authentication information stored in the secure memory with the master key and expands it into the RAM, and deletes the authentication information expanded in the RAM after use.

[0003] On the other hand, when a tamper event (reset signal, out of temperature range, out of voltage range) occurs, the HSM has a function of clearing the memory area including the predetermined memory area where the master key is stored in order to ensure data security. When the master key is deleted by the response to the tamper event in such an HSM, the data encrypted with the master key stored in the secure memory cannot be restored.

[0004] In addition, some HSMs store the master key in a predetermined memory area provided in the RAM, and maintain the master key even when there is no power supply from an external power source by holding the stored content of the RAM with power from a battery. When the power supplied to the RAM runs out in such an HSM, the master key is deleted. For example, when the battery is replaced, the HSM can maintain the stored content of the RAM by supplying power from a spare battery, but the stored content of the RAM may still be deleted due to an error in the operation procedure or the like.

[0005] As mentioned above, conventional HSMs have a problem in that if the master key is deleted due to an unforeseen accident, encrypted authentication information and user keys stored in secure memory cannot be recovered. In addition, some conventional HSMs have a function to back up the master key to storage media such as IC cards or backup HSMs by the user themselves, but there is a problem that the master key may not be recoverable due to user error or forgetting to configure it.

[Prior Art Documents]

[Patent Documents]

[0006] [Patent Document 1] Japanese Patent Publication No. 2009-135721

[Summary of the Invention]

[Problems to be Solved by the Invention]

[0007] The problem that this invention aims to solve is to provide an information management method in a security system and security device that can securely manage information for protecting data.

[Means for Solving the Problem]

[0008] According to the embodiment, the security system includes a first security device and a second security device. The first security device comprises a first communication unit, a first memory, and a first processor. The first memory stores key information registered to the second security device used by a specific user. When the biometric authentication of the specific user by the biometric authentication device is successful, the first processor outputs the key information stored in the first memory to the second security device via the first communication unit. The second security device comprises a second communication unit, a second memory, and a second processor. The second memory has a predetermined memory area for storing key information. The second processor obtains the key information output by the first security device when the biometric authentication of the specific user by the biometric authentication device is successful via the second communication unit, and registers the key information in the predetermined memory area.

[Brief Description of the Drawings]

[0009] [Figure 1] Figure 1 shows an example configuration of a security system according to an embodiment.
[Figure 2] Figure 2 is a block diagram showing an example configuration of a biometric authentication card in a security system according to an embodiment.
[Figure 3] Figure 3 is a sequence diagram illustrating an example of the operation of the initial setup process for a user HSM in a security system according to the embodiment.
[Figure 4] Figure 4 is a sequence diagram illustrating an example of the operation of a first recovery process for recovering the master key of a user HSM in a security system according to the embodiment.
[Figure 5] Figure 5 shows a second configuration example of the security system according to the embodiment.
[Figure 6] Figure 6 is a sequence diagram illustrating an example of the operation of a second recovery process for recovering the master key of a user HSM in a security system according to the embodiment.

[Modes for Carrying Out the Invention]

[0010] The embodiments will be described below with reference to the drawings. First, the configuration of the security system 1 according to the embodiment will be described.

[0011] Figure 1 is a schematic diagram showing a first configuration example of the security system 1 according to the embodiment. As shown in Figure 1, the security system 1 according to this embodiment includes a manufacturer PC (information processing device, first information processing device) 12, a manufacturer HSM (first security device) 13, a user HSM (second security device) 14, a card reader / writer (R / W) RW, and a biometric authentication card (biometric authentication device) 15. The manufacturer PC 12 connects to the biometric authentication card 15 as a biometric authentication device via the card reader / writer (reader / writer) RW.

[0012] The manufacturer's PC 12 is an information processing device such as a personal computer (PC). The manufacturer's PC 12 is a computer used by the person (hereinafter referred to as the manufacturer) who manufactures, sells, or manages the HSM (user HSM) 14 provided to the user. In the security system 1 of the first configuration example shown in Figure 1, the manufacturer's PC 12 is a control device for executing the processes described later. The manufacturer's PC 12 is equipped with an interface for connecting to the manufacturer's HSM 13, an interface for connecting to the card reader / writer RW, and an interface for connecting to the user HSM 14. The manufacturer's PC 12 is also equipped with interfaces such as an operation unit that receives operation instructions from the manufacturer and a display unit that displays operation guidance, etc.

[0013] HSMs, such as manufacturer HSM13 and user HSM14, are examples of security devices. In the security system 1 according to this embodiment, the security devices exemplified by HSM13 and 14 can be any hardware that has the function of ensuring the security of data held by the device or data whose access is controlled using key information.

[0014] HSM13 and 14, examples of security devices, are devices that generate and securely store cryptographic keys used for encryption and digital signatures using registered key information, and perform cryptographic processing using the securely stored cryptographic keys. HSM13 and 14 support encryption processing using strong encryption methods, including public-key cryptography. HSM13 and 14 achieve advanced information security by performing encryption processing and other operations without outputting key information stored in a secure memory area to the outside.

[0015] Furthermore, HSM13 and 14 are equipped with sensors to detect external attacks and have a self-destruct function that erases (zeros out) data stored in the device, such as encryption keys, in the event of an external attack. HSM13 and 14 reliably prevent the leakage of confidential information, including key information, through their self-destruct function.

[0016] The card reader / writer (reader / writer) RW is a communication device (communication interface) for communicating with the biometric authentication card 15, which is a biometric authentication device. The card reader / writer RW only needs to be equipped with a communication device that supports the communication method compatible with the biometric authentication card 15. The card reader / writer RW only needs to communicate with the biometric authentication card 15 under control from the connected information processing device.

[0017] The biometric authentication card (biometric authentication device) 15 is a device that performs biometric authentication. As an example of a biometric authentication device, the biometric authentication card 15 acquires a person's biometric information and verifies the person's identity by determining whether the acquired biometric information matches pre-registered biometric information (for example, the registrant's biometric information registered in the issuance process described later). Furthermore, the biometric authentication card 15 can perform biometric authentication (personal authentication) using biometric information such as fingerprints, facial images, voiceprints, vein patterns, or iris scans. In this embodiment, the biometric authentication card 15 will be described assuming that it is an IC card that performs biometric authentication using fingerprints.

[0018] Next, the configuration of the manufacturer PC 12 in the security system 1 according to the embodiment will be described. As shown in FIG. 1, in the security system 1 according to the embodiment, the manufacturer PC 12 includes a CPU (processor) 21, a ROM 22, a RAM 23, a communication unit 24, a display unit 25, an operation unit 26, and the like. The CPU (Central Processing Unit) 21 executes processes such as control of each unit and various data processes by executing a program. The CPU 21 is an example of a processor that executes a program.

[0019] The ROM 22 is a non-volatile memory. The ROM 22 stores programs, control data, and the like. The RAM 23 is a memory that temporarily holds data. The CPU 21 executes various processes by using the RAM 23 as a working memory and executing the program stored in the ROM 22. Further, the manufacturer PC 12 may be provided with an interface for connecting an external memory for storing data. In this case, the CPU 21 executes a program stored in the external memory or stores data in the external memory.

[0020] The communication unit 24 is composed of various interfaces and the like. The communication unit 24 includes a network interface for communicating with an external device via a network. The CPU 21 receives data from an external device or transmits data to an external device by using the communication unit 24. Further, the communication unit 24 includes an interface (card reader / writer interface) for connecting a card reader / writer RW. The card reader interface may correspond to the card reader / writer RW.

[0021] The communication unit 24 includes an interface (HSM interface) for connecting HSM13 and 14. The HSM interface can be any interface that is compatible with HSM13 and 14. For example, if HSM13 or 14 is a plug-in type device, the HSM interface consists of a PCI slot for inserting HSM13 or 14. If HSM13 or 14 is a network type device, the HSM interface consists of a network interface for connecting HSM13 or 14 via a network (e.g., LAN). If HSM13 or 14 is a USB (Universal Serial Bus) type device, the HSM interface consists of a USB interface for connecting HSM13 or 14 via USB.

[0022] The display unit 25 is composed of a display device. The display unit 25 displays operation instructions and the like to the operator (user). The operation unit 26 is composed of operating devices such as a keyboard, mouse, and touch panel. The operation unit 26 accepts information input from the operator.

[0023] Next, the configuration of the HSM13 as the first security device in the security system 1 according to the embodiment will be described. As shown in Figure 1, the HSM13 in the security system 1 according to this embodiment includes a CPU (processor, first processor) 31, ROM 32, secure ROM 33, RAM 34, communication unit 35, and coprocessor 36.

[0024] The CPU 31 executes various processes, such as controlling each component and processing various data, by running programs. The CPU 31 is an example of a processor that executes programs. ROM32 is a non-volatile memory. ROM32 stores programs and control data executed by the CPU21. ROM32 may also include memory that can be written to in response to specific commands.

[0025] Secure ROM 33 is memory that securely stores data. For example, Secure ROM 33 stores authentication information and user keys generated using the master key (key information) for the HSM. RAM34 holds data related to processing such as encryption performed by CPU31. RAM34 is powered by a power supply and holds stored data while power is supplied. RAM34 has a predetermined memory area reserved to hold a master key, which is key information for securely protecting the data.

[0026] The communication unit 35 is an interface for connecting to an information processing device such as the manufacturer's PC 12. For example, if the HSM 13 is a plug-in type device, the communication unit 35 consists of an interface that is inserted into a slot on the manufacturer's PC 12. If the HSM 13 is a network type device, the communication unit 35 consists of a network interface for connecting to the manufacturer's PC 12 via a network (e.g., LAN). If the HSM 13 is a USB type device, the communication unit 35 consists of an interface that is set into the USB interface of the manufacturer's PC 12.

[0027] The coprocessor 36 is a processor that performs cryptographic processing. For example, the coprocessor 36 uses a user key stored in the secure ROM 33 to perform data encryption or decryption.

[0028] Furthermore, the HSM13 has a detection unit (not shown) that detects security attacks being performed on the HSM13. The detection unit can be anything that detects security attacks. For example, the detection unit may include a sensor that detects when the HSM13 is subjected to an attack that would physically destroy it. The detection unit may also include sensors that detect temperature anomalies, sensors that detect voltage anomalies, and so on.

[0029] Next, the configuration of the HSM14 as a second security device in the security system 1 according to the embodiment will be described. As shown in Figure 1, the HSM14 in the security system 1 according to this embodiment includes a CPU (processor, second processor) 41, ROM 42, secure ROM 43, RAM 44, communication unit 45, coprocessor 46, biometric authentication unit 47, and biometric sensor 48.

[0030] The CPU 41 executes programs to control various components and perform various data processing tasks. The CPU 41 is, for example, a CPU (Central Processing Unit).

[0031] ROM42 is a non-volatile memory that stores programs and control data executed by the CPU21. ROM42 includes memory that can be written to in response to specific commands, and a predetermined memory area (memory area for master key) is provided in the writable memory to store a master key, which is key information for securely protecting the data stored in secure ROM33.

[0032] The secure ROM 43 is a memory that securely stores data. For example, the secure ROM 43 stores data such as authentication information and user keys generated using the master key for the user's HSM 14.

[0033] RAM44 stores data related to processing such as encryption processing performed by CPU41. RAM44 is powered by a power supply and stores data while power is supplied. The RAM44 of the user HSM14 may have a predetermined memory area for storing a master key, which is key information for securely protecting data stored in secure ROM33.

[0034] The communication unit 45 is an interface for connecting to an information processing device such as the manufacturer's PC 12. For example, if the HSM 14 is a plug-in type device, the communication unit 45 consists of an interface that is inserted into a slot on the manufacturer's PC 12. If the HSM 14 is a network type device, the communication unit 45 consists of a network interface for connecting to the manufacturer's PC 12 via a network (e.g., LAN). If the HSM 14 is a USB type device, the communication unit 45 consists of an interface that is set into the USB interface of the manufacturer's PC 12.

[0035] The coprocessor 46 is a processor that performs cryptographic processing. For example, the coprocessor 46 performs data encryption or decryption using a user key stored in the secure ROM 43.

[0036] The biosensor 48 is an example of a biosensor that acquires biological information. The biosensor 48 is, for example, a fingerprint sensor that acquires fingerprint information, which is an example of biological information. The fingerprint sensor serving as the biosensor 48 consists of a sensor that reads a fingerprint image as a person's fingerprint information, and reads the fingerprint of the finger that the person holds over the reading unit.

[0037] The biometric authentication unit 47 is an example of a biometric authentication device that performs person authentication (biometric authentication) using biometric information (e.g., fingerprints). The biometric authentication unit 47 includes, for example, a processor and memory, and the processor performs biometric authentication by matching fingerprints as biometric information. For example, the biometric authentication unit 47 stores the biometric information of a specific user who is the user of the user HSM 14 in memory, and performs biometric authentication of a specific user by performing biometric matching between the biometric information acquired by the biometric sensor 48 and the biometric information of the specific user stored in memory.

[0038] In this embodiment, the operation examples of each process described later will explain the case in which biometric authentication of a specific user is performed using the biometric authentication card 15. However, the biometric authentication by the biometric authentication card 15 in the operation examples described later may be replaced with biometric authentication performed by the biometric authentication unit 47 and biosensor 48 in the user HSM 14.

[0039] Furthermore, the HSM14 has a detection unit (not shown) that detects security attacks being performed on the HSM14. The detection unit can be anything that detects security attacks. For example, the detection unit may include a sensor that detects when the HSM14 is subjected to an attack that would physically destroy it. The detection unit may also include sensors that detect temperature anomalies, sensors that detect voltage anomalies, and so on.

[0040] Next, the configuration of the biometric authentication card 15, which serves as an authentication device (biometric authentication device) in the security system 1 according to this embodiment, will be described. Figure 2 is a block diagram showing an example configuration of the biometric authentication card 15 in the security system 1 according to the embodiment. The biometric authentication card 15 shown in Figure 2 is an example of an authentication device (biometric authentication device). In this embodiment, the biometric authentication card 15, which is an example of a biometric authentication device, is described as an IC card that performs biometric authentication using a fingerprint, which is an example of biometric information.

[0041] However, in the security system 1 according to this embodiment, the authentication device (biometric authentication device) only needs to be capable of confirming that the user is a specific user (identity verification), and is not limited to the biometric authentication card 15. In other words, the security system 1 can be implemented by replacing the biometric authentication card 15 with a device capable of identity verification. For example, the biometric authentication card 15 may be replaced with a biometric authentication device that performs biometric authentication using biometric information other than fingerprints, and the external shape, etc., may also be replaced with a biometric authentication device other than a card.

[0042] In the configuration example shown in Figure 2, the biometric authentication card 15 has a main body C formed in the shape of a card, such as plastic. The biometric authentication card 15 includes a control module and a biometric verification unit within the main body C. For example, the control module is integrally formed with one or more IC chips connected to a communication interface and is provided in the main body C connected to the biometric verification unit.

[0043] As shown in Figure 2, the biometric authentication card 15 includes a processor 51, ROM 52, RAM 53, data memory 54, communication interface 55, and biometric verification unit 56. In the configuration example shown in Figure 2, the biometric authentication card 15 has a control module equipped with a processor 51, ROM 52, RAM 53, data memory 54, and communication interface 55, which is connected to the biometric verification unit 56.

[0044] The processor 51 includes circuits that perform various processes. The processor 51 is, for example, a CPU. The processor 51 controls the entire IC card, which is a biometric authentication card 15. The processor 51 realizes various processing functions by executing programs stored in the ROM 52 or data memory 54. Some or all of the various functions performed by the processor 51, as described later, may be realized by hardware circuits.

[0045] ROM52 is a non-volatile memory that functions as program memory. ROM52 stores control programs and control data in advance. ROM52 is incorporated into the biometric authentication card 15 during the manufacturing stage, with the control programs and control data already stored within it. For example, ROM52 stores a program that allows the processor 51 to execute processing in response to commands received from an external device (card reader / writer).

[0046] RAM 53 is a volatile memory that functions as working memory. RAM 53 also functions as a buffer for temporarily storing data being processed by the processor 51. For example, RAM 53 also functions as a communication buffer for temporarily storing data transmitted to and from external devices via the communication interface 55.

[0047] The data memory 54 is a non-volatile memory that allows data to be written to and rewritten. The data memory 54 is composed of, for example, EEPROM (Electrically Erasable Programmable Read Only Memory). Programs and various data corresponding to the processing to be performed according to the specifications of the biometric authentication card 15 are written to the data memory 54. In addition, program files and data files are defined in the data memory 54, and control programs and various data are written to these files.

[0048] Furthermore, the data memory 54 has a storage area in which some or all of its area is tamper-resistant and data can be stored securely. For example, the secure storage area of the data memory 54 stores the biometric information of a legitimate user (registered user), a key pair (private key, public key) that it generates, and the public key of the HSM12. For example, the biometric information of a registered user stored in the data memory 54 is a fingerprint image or fingerprint feature data for matching with the fingerprint information acquired by the fingerprint sensor as a biosensor 56a.

[0049] The communication interface 55 comprises a communication circuit and an interface unit. The communication interface 55 is an interface for communicating with a higher-level device that supplies power and commands to the IC card, which is the biometric authentication card 15. The communication interface 55 implements a communication function using a communication method corresponding to the interface of the card reader / writer RW. The communication interface 55 may support multiple communication methods.

[0050] For example, the communication interface 55 may be a contact communication interface that communicates by contact with an external device, or it may be a contactless communication interface that communicates wirelessly. If the communication interface 55 is a contact communication interface, it includes a contact part that physically and electrically contacts the reader / writer contact part provided on the card reader / writer RW, and a communication control circuit that controls the transmission and reception of signals through this contact part. If the communication interface 55 is a contactless communication interface, it includes an antenna that transmits and receives radio waves and a communication circuit that modulates and demodulates the radio waves transmitted and received from the antenna.

[0051] The biometric matching unit 56 has a biosensor 56a. The biosensor 56a is a fingerprint sensor that reads the user's fingerprint information (fingerprint image), which is an example of biometric information. The fingerprint sensor as biosensor 56a is provided so that the sensor that reads the fingerprint is exposed on the surface of the main body C of the biometric authentication card 15, and reads the fingerprint of the person's finger held over the exposed sensor part. Note that the biosensor 56a is not limited to a fingerprint sensor, and may acquire biometric information other than fingerprints.

[0052] The biometric authentication unit 56 has a processor and memory for performing biometric authentication. In the biometric authentication unit 56, the processor executes a biometric authentication program stored in memory to perform biometric authentication using fingerprint information as biometric information acquired by the biosensor 56a. For example, the processor extracts a fingerprint image from the image read by the fingerprint sensor, which is the biosensor 56a, and performs fingerprint authentication by comparing the fingerprint image extracted from the image read by the fingerprint sensor with the registered person's fingerprint image (or fingerprint characteristic data) registered in the data memory 54.

[0053] In the configuration example shown in Figure 2, a biometric matching unit 56, separate from the processor 51, performs biometric authentication. However, the processor 51 may also perform biometric authentication. When the processor 51 performs biometric authentication, it acquires the biometric information read by the biometric sensor 56a. The processor 51 then extracts fingerprint information from the image supplied by the fingerprint sensor (which acts as the biometric sensor 56a) and compares the extracted fingerprint information with the registered user's fingerprint information registered in the data memory 54.

[0054] Next, the process of storing the master key of the user HSM14 in the manufacturer HSM13 in the security system 1 according to the embodiment will be described. Figure 3 is a sequence diagram illustrating an example of the operation of an initial setup process in the security system 1 according to the embodiment, which includes the process of storing the master key of the user HSM 14 in the manufacturer HSM 13. Here, it is assumed that the initial setup process is performed in a state where the user HSM14 can be connected to the manufacturer PC12, which is connected to the manufacturer HSM13 and card reader / writer RW, and furthermore, where the user who will be the owner (user) of the user HSM14 can perform biometric authentication using the biometric authentication card 15 connected to the card reader / writer RW.

[0055] The CPU 21 of the manufacturer's PC 12 receives operation instructions from the manufacturer to the operation unit 26. When initializing a user HSM 14, the manufacturer inputs the initial setup instructions via the operation unit 26. When the CPU 21 receives the initial setup instructions (step ST11), it establishes a communication connection with the user HSM 14 that is the target of the initial setup (step ST12). For example, the CPU 21 establishes a communication connection with the user HSM 14 that the manufacturer or the user themselves connects to the interface of the communication unit 24.

[0056] When the user HSM14, which is the target of the initial setup, is connected to the communication unit 24, the CPU 21 of the manufacturer PC 12 supplies an initial setup request to the user HSM14 via the communication unit 24 (step ST13). Here, the initial setup performed in response to the initial setup request includes the generation and registration of a master key within the user HSM14.

[0057] The user HSM14, while connected to the manufacturer PC12 via the communication unit 45, receives an initial setup request from the manufacturer PC12. When the CPU 41 of the user HSM14 receives the initial setup request from the manufacturer PC12 via the communication unit 45, it performs the initial setup, including the generation of a master key (step ST14). For example, the CPU 41 generates a new master key using the coprocessor 46. Once the CPU 41 has generated the master key, it registers the generated master key (key information) in a predetermined memory area (step ST15). For example, the CPU 41 of the user HSM14 stores the master key in a predetermined memory area for master keys provided in the ROM 42. Alternatively, the CPU 41 of the user HSM14 may store the generated master key (key information) in the RAM 44.

[0058] Once the initial setup process, including the generation and registration of the master key, is complete, the CPU 41 of the user HSM 14 sends a notification to the manufacturer PC 12 via the communication unit 45 indicating that the initial setup is complete (step ST16).

[0059] When the CPU 21 of the manufacturer's PC 12 receives notification from the user's HSM 14 that the initial setup is complete, it connects to the biometric authentication card 15 of the user (specific user) who will be the owner (user) of the user's HSM 14 via the card reader / writer RW (step ST17). The biometric authentication card 15 is a biometric authentication device that holds the registered biometric information of the specific user and authenticates, based on that biometric information, that the person presenting it is the specific user. The biometric authentication card 15 is an example of an authentication device for authenticating that the user is the specific user who will be the owner of the user's HSM 14. For example, the biometric authentication card 15 is created by the manufacturer's system at the manufacturer's facility.

[0060] When the biometric authentication card 15 is connected to the card reader / writer RW, the CPU 21 of the manufacturer PC 12 performs biometric authentication using the biometric authentication card 15 (step ST18). For example, the CPU 21 of the manufacturer PC 12 requests biometric authentication from the biometric authentication card 15 connected to the card reader / writer RW. The biometric authentication card 15 receives the biometric authentication request from the manufacturer PC 12 via the card reader / writer RW through the communication interface 55. When the processor 51 of the biometric authentication card 15 receives the biometric authentication request, it performs biometric authentication to determine whether or not the person presenting the card is the specific user.

[0061] For example, when the processor 51 of the biometric authentication card 15 receives a biometric authentication request, it instructs the biometric verification unit 56 to perform biometric verification against the registered biometric information of the specific user. The biometric verification unit 56 compares the biometric information acquired by the biosensor 56a with the registered biometric information of the specific user and returns the result (biometric verification result) to the processor 51. The processor 51 determines whether or not biometric authentication was successful based on the biometric verification result from the biometric verification unit 56: authentication succeeds if the biometric information acquired by the biosensor 56a matches the registered biometric information of the specific user. The processor 51 notifies the manufacturer PC 12 of the biometric authentication result via the communication interface 55.

[0062] The manufacturer's PC 12 receives the biometric authentication result from the biometric authentication card 15 connected to the card reader / writer RW via the communication unit 24. The CPU 21 of the manufacturer's PC 12 determines whether or not biometric authentication by the biometric authentication card 15 was successful based on the biometric authentication result received by the communication unit 24. If biometric authentication by the biometric authentication card 15 is successful, the CPU 21 of the manufacturer's PC 12 executes a process to encrypt the master key of the user HSM 14 using the biometric authentication card 15 (step ST19). For example, the CPU 21 of the manufacturer's PC 12 obtains the master key from the user HSM 14 connected to the communication unit 24 and has the obtained master key (the master key of the user HSM) encrypted by the biometric authentication card 15. Here, any method of encrypting the master key will do, provided that the result can be decrypted only with the biometric authentication card 15 after it has successfully authenticated the specific user.

[0063] The CPU 21 of the manufacturer's PC 12 temporarily stores the master key encrypted using the biometric authentication card 15 (the encrypted master key) in RAM 23 (step ST20). Here, the CPU 21 stores the encrypted master key in association with identification information. The identification information associated with the encrypted master key may be the identification information of the biometric authentication card 15, or it may be the identification information of the specific user.

[0064] After temporarily storing the master key encrypted by the biometric authentication card 15 in RAM 23, the CPU 21 of the manufacturer's PC 12 instructs the manufacturer's HSM 13 to save the encrypted master key. That is, the CPU 21 of the manufacturer's PC 12 connects to the manufacturer's HSM 13 via the communication unit 24 and sends a request to the manufacturer's HSM 13 to save the encrypted master key temporarily stored in RAM 23 (step ST21). For example, the CPU 21 sends a save request to the manufacturer's HSM 13 that includes the encrypted master key and the identification information.

[0065] The manufacturer's HSM 13 receives the request from the manufacturer's PC 12 to save the encrypted master key via the communication unit 35. The CPU 31 of the manufacturer's HSM 13 saves the encrypted master key to the ROM 32 in response to the received save request (step ST22). Specifically, the CPU 31 of the manufacturer's HSM 13 saves the encrypted master key included in the save request received from the manufacturer's PC 12 to the ROM 32, associating it with the identification information.

[0066] Through the initial setup process described above, in the security system 1 according to the embodiment, the master key (key information) is registered in the second security device, the user HSM 14, and the master key registered in the user HSM 14 is stored in the first security device, the manufacturer HSM 13, in a state encrypted using the user's biometric authentication card 15.

[0067] Next, a recovery process (first recovery process) for recovering the master key of the user HSM 14 in the security system 1 according to the embodiment will be described. Figure 4 is a sequence diagram illustrating an example of the operation of a first recovery process for recovering the master key of a user HSM 14 in the security system 1 according to the embodiment. Here, we assume that the master key, which has been lost from the memory of the user HSM 14 due to some factor, is to be recovered into the user HSM 14. Furthermore, the first recovery process shown in Figure 4 is assumed to be performed when the user HSM 14 can be connected to the manufacturer PC 12, which is connected to the manufacturer HSM 13 and the card reader / writer RW, and when the user who is the owner (user) of the user HSM 14 can perform biometric authentication using the biometric authentication card 15 connected to the card reader / writer RW. As a specific example, an operational model is assumed in which the user takes the user HSM 14 to the manufacturer, where the manufacturer PC 12 is located, and the first recovery process is performed there.

[0068] When the master key of a user HSM 14 needs to be recovered, the manufacturer inputs a master key recovery instruction for the user HSM 14 via the operation unit 26 of the manufacturer's PC 12. When the CPU 21 of the manufacturer's PC 12 receives the master key recovery instruction (step ST31), it establishes a communication connection with the user HSM 14 whose master key is to be recovered (step ST32). For example, the CPU 21 of the manufacturer's PC 12 establishes a communication connection with the user HSM 14 that the manufacturer or the user themselves connects to the interface of the communication unit 24.

[0069] When the user HSM 14 to be restored is connected to the manufacturer's PC 12, the CPU 21 connects to the biometric authentication card 15 of the user (specific user) who is the owner (user) of the user HSM 14 via the card reader / writer RW (step ST33). The CPU 21 of the manufacturer's PC 12 connects to the biometric authentication card 15 through communication between the biometric authentication card 15 presented by the user and the card reader / writer RW. The biometric authentication card 15 is a biometric authentication device that authenticates, using biometric information, that the user is the specific user. Here, the biometric authentication card 15 connected to the card reader / writer RW is assumed to be the one used for biometric authentication when the master key of the user HSM 14 was stored in the manufacturer's HSM 13 during the initial setup process described above.

[0070] When the CPU 21 of the manufacturer's PC 12 connects to the biometric authentication card 15 via the card reader / writer RW, it performs biometric authentication using the biometric authentication card 15 (step ST34). For example, the CPU 21 of the manufacturer's PC 12 requests biometric authentication from the biometric authentication card 15 connected to the card reader / writer RW. Upon receiving the biometric authentication request from the manufacturer's PC 12, the biometric authentication card 15 performs biometric authentication to determine whether or not the person presenting it is the specific user, in the same way as in step ST18 above.

[0071] The CPU 21 of the manufacturer's PC 12 determines whether biometric authentication by the biometric authentication card 15 was successful based on the biometric authentication result received from the biometric authentication card 15. If biometric authentication by the biometric authentication card 15 is successful, the CPU 21 of the manufacturer's PC 12 sends a request to the manufacturer's HSM 13 to transfer the encrypted master key (step ST35). In order to identify the master key (encrypted master key) of the user HSM 14, the CPU 21 specifies in the transfer request the identification information corresponding to the encrypted master key (the identification information of the biometric authentication card 15 or of the specific user).

[0072] The manufacturer's HSM 13 receives the request from the manufacturer's PC 12 to transfer the encrypted master key via the communication unit 35. The CPU 31 of the manufacturer's HSM 13 reads from the ROM 32 the encrypted master key corresponding to the identification information specified in the transfer request received from the manufacturer's PC 12, and transmits the read encrypted master key to the manufacturer's PC 12 via the communication unit 35 (step ST36).

[0073] The manufacturer PC 12 receives, via the communication unit 24, the encrypted master key transferred from the manufacturer HSM 13 in response to the transfer request. When the CPU 21 of the manufacturer PC 12 receives the encrypted master key from the manufacturer HSM 13, it temporarily stores the received encrypted master key in RAM 23 (step ST37). The CPU 21 of the manufacturer's PC 12 then decrypts the encrypted master key held in RAM 23 using the biometric authentication card 15 (step ST38).

[0074] When the CPU 21 of the manufacturer's PC 12 has decrypted the encrypted master key using the biometric authentication card 15, it requests the user HSM 14 to re-register (recover) the decrypted master key (step ST39). That is, the CPU 21 of the manufacturer's PC 12 connects to the user HSM 14 via the communication unit 24 and sends the user HSM 14 a request to register the master key that was decrypted using the biometric authentication card 15.

[0075] The user HSM 14 receives the master key registration request from the manufacturer PC 12 via the communication unit 45. In response to the registration request received from the manufacturer PC 12, the CPU 41 of the user HSM 14 stores (registers) in a predetermined memory area the master key that was read from the manufacturer HSM 13 and decrypted (step ST40). For example, the CPU 41 stores (registers) the master key in a predetermined memory area for master keys provided in the ROM 42. Alternatively, the CPU 41 may store the master key (key information) specified in the registration request from the manufacturer PC 12 in the RAM 44.

[0076] According to the first recovery process described above, the security system 1 according to the embodiment can recover the master key in the user HSM 14 from the encrypted master key stored in the manufacturer HSM 13 when biometric authentication of the specific user who is the owner of the user HSM 14 succeeds using the biometric authentication card 15.

[0077] Next, a second recovery process for recovering the master key of the user HSM 14 in the security system 1 according to the embodiment will be described. The second recovery process recovers the master key of the user HSM 14 online. The first recovery process described above requires the user, who is the owner (user) of the user HSM 14, to present the biometric authentication card 15 to the card reader / writer RW connected to the manufacturer's PC 12 and perform biometric authentication there. In contrast, the second recovery process recovers the master key of the user HSM 14 by presenting the biometric authentication card 15 to a card reader / writer RW connected to the user's PC, an information processing device operated by the user, and performing biometric authentication there.

[0078] Figure 5 shows an example configuration of security system 1 for performing the second recovery process (second configuration example). The security system 1 in the second configuration example shown in Figure 5 includes a user PC 16 in addition to the configuration shown in Figure 1. Here, in the configuration example shown in Figure 5, the manufacturer PC 12, manufacturer HSM 13, user HSM 14, card reader / writer RW, and biometric authentication card 15 can be implemented with the same configuration as those shown in Figure 1 above, so a detailed explanation is omitted.

[0079] The user PC 16 is an information processing device (second information processing device) operated by the user, and communicates with the manufacturer PC 12 via a network or the like (online connection). The user PC 16 is also connected to the user HSM 14 and a card reader / writer RW capable of communicating with the biometric authentication card 15.

[0080] As shown in Figure 5, the user PC 16 includes a CPU (processor) 61, ROM 62, RAM 63, communication unit 64, display unit 65, and operation unit 66, among others. The CPU 61 executes programs to control various components and perform various data processing tasks. The CPU 61 is an example of a processor that executes programs.

[0081] ROM 62 is non-volatile memory. ROM 62 stores programs, control data, and the like. RAM 63 is memory that temporarily holds data. The CPU 61 uses RAM 63 as working memory to execute programs stored in ROM 62, thereby performing various processes. The user PC 16 may also have an interface for connecting external memory for storing data. In this case, the CPU 61 executes programs stored in the external memory and saves data to the external memory.

[0082] The communication unit 64 is composed of various interfaces. The communication unit 64 includes a communication interface for communicating with the manufacturer's PC 12. The communication interface for communicating with the manufacturer's PC 12 is, for example, a network interface for communicating with external devices via a network. The CPU 61 connects online with the manufacturer's PC 12 using the communication unit 64.

[0083] Furthermore, the communication unit 64 includes an interface (card reader / writer interface) for connecting a card reader / writer RW. The card reader interface included in the communication unit 64 only needs to be compatible with a card reader / writer RW.

[0084] The communication unit 64 includes an interface (HSM interface) for connecting the user HSM14. The HSM interface included in the communication unit 64 only needs to be compatible with the user HSM14. For example, if the user HSM14 is a plug-in type device, the HSM interface consists of a PCI slot for inserting the user HSM14. If the user HSM14 is a network type device, the HSM interface consists of a network interface for connecting the user HSM14 via a network (e.g., LAN). If the user HSM14 is a USB (Universal Serial Bus) type device, the HSM interface consists of a USB interface for connecting the user HSM14 via USB.

[0085] The display unit 65 is composed of a display device. The display unit 65 displays operation instructions and the like to the operator (user). The operation unit 66 is composed of an operating device such as a keyboard, mouse, or touch panel. The operation unit 66 accepts information input from the operator.

[0086] Next, the process for recovering the master key of the user HSM 14 in the security system 1 according to the embodiment (second recovery process) will be described. Figure 6 is a sequence diagram illustrating an example of the operation of a second recovery process for recovering the master key of the user HSM 14 in the security system 1 according to the embodiment. Here, as shown in Figure 5, it is assumed that the user PC 16 is connected to the user HSM 14 whose master key is to be recovered and to the card reader / writer RW. In the configuration shown in Figure 5, when the user who owns the user HSM 14 recovers its master key, they operate the user PC 16 to instruct it to establish an online connection with the manufacturer PC 12.

[0087] The user PC 16 connects online with the manufacturer PC 12 in response to the user's instruction (step ST51). For example, the CPU 61 of the user PC 16 accesses the manufacturer PC 12 via the communication unit 64 in response to the user's instruction and requests an online connection. The CPU 21 of the manufacturer PC 12 receives the online connection request from the user PC 16 via the communication unit 24 and establishes an online connection with the user PC 16. Here, the manufacturer PC 12 may also maintain account information for the specific user who is the owner of the user HSM 14, and establish the online connection for that specific user's account in response to a login request from the user PC 16.

[0088] Once an online connection is established between the user's PC 16 and the manufacturer's PC 12, the CPU 61 of the user's PC 16 requests the manufacturer's PC 12 to recover the master key on the user's HSM 14, in accordance with the user's instructions (step ST52). When the CPU 21 of the manufacturer PC 12 receives a request from the user PC 16 to recover the master key of the user HSM 14, it requests biometric authentication from the user PC 16 using the biometric authentication card 15 (step ST53). Here, the manufacturer PC 12 requests the user PC 16 to perform biometric authentication using the biometric authentication card 15 that was used for biometric authentication when the master key of the user HSM 14 was stored in the manufacturer HSM 13 during the initial setup process described above.

[0089] The CPU 61 of the user PC 16 communicates with the biometric authentication card 15 via the card reader / writer RW connected to the communication unit 64 in response to the biometric authentication request from the manufacturer PC 12 (step ST54). For example, the CPU 61 of the user PC 16 displays a message on the display unit 65 indicating that biometric authentication will be performed using the biometric authentication card 15, prompting the user to present the biometric authentication card 15 to the card reader / writer RW. When the user presents the biometric authentication card 15 to the card reader / writer RW, the card reader / writer RW communicates with the presented biometric authentication card 15.

[0090] When the CPU 61 of the user PC 16 communicates with the biometric authentication card 15 presented by the user via the card reader / writer RW connected to the communication unit 64, it performs biometric authentication of the user using the biometric authentication card 15 (step ST55). For example, the CPU 61 of the user PC 16 requests biometric authentication from the biometric authentication card 15 connected to the card reader / writer RW. When the biometric authentication card 15 receives the biometric authentication request from the user PC 16, it performs biometric authentication in the same way as in step ST18 above, determining whether or not the person presenting it is the specific user based on the biometric information acquired by the biosensor 56a.

[0091] If biometric authentication using the biometric authentication card 15 is successful, the CPU 61 of the user PC 16 notifies the manufacturer PC 12 that biometric authentication using the biometric authentication card 15 has succeeded (step ST56). In this case, the CPU 61 of the user PC 16 sends the notification of successful biometric authentication to the manufacturer PC 12 together with the identification information corresponding to the master key (encrypted master key) stored by the manufacturer HSM 13 (the identification information of the biometric authentication card 15, or identification information indicating the specific user whose biometric authentication succeeded).

[0092] When the CPU 21 of the manufacturer PC 12 receives the notification of successful biometric authentication from the user PC 16, it sends a request to the manufacturer HSM 13 to transfer the encrypted master key of the user HSM 14 owned by the specific user whose biometric authentication succeeded (step ST57). In order to identify the master key (encrypted master key) of the user HSM 14, the CPU 21 of the manufacturer PC 12 specifies in the transfer request the identification information received together with the notification of successful biometric authentication.

[0093] The manufacturer's HSM 13 receives the request from the manufacturer's PC 12 to transfer the encrypted master key via the communication unit 35. The CPU 31 of the manufacturer's HSM 13 reads from the ROM 32 the encrypted master key corresponding to the identification information specified in the transfer request received from the manufacturer's PC 12, and transmits the read encrypted master key to the manufacturer's PC 12 via the communication unit 35 (step ST58).

[0094] The manufacturer's PC 12 receives, via the communication unit 24, the encrypted master key transferred from the manufacturer's HSM 13 in response to the transfer request. When the CPU 21 of the manufacturer's PC 12 receives the encrypted master key from the manufacturer's HSM 13, it forwards the received encrypted master key to the user's PC 16 (step ST59).

[0095] When the CPU 61 of the user PC 16 receives from the manufacturer's PC 12 the encrypted master key that was stored in the manufacturer's HSM 13, it temporarily stores the received encrypted master key in RAM 63 (step ST60).

[0096] After temporarily storing the encrypted master key in RAM 63, the CPU 61 of the user PC 16 decrypts the encrypted master key using the biometric authentication card 15 (step ST61). After decrypting the encrypted master key using the biometric authentication card 15, the CPU 61 of the user PC 16 requests the user HSM 14 to re-register (recover) the decrypted master key (step ST62).

[0097] The user HSM 14 receives the master key registration request from the user PC 16 via the communication unit 45. In response to the registration request received from the user PC 16, the CPU 41 of the user HSM 14 stores in a predetermined memory area the master key that was read from the manufacturer HSM 13 and decrypted (step ST62). For example, the CPU 41 of the user HSM 14 stores (registers) the master key (key information) specified in the registration request from the user PC 16 in a predetermined memory area for master keys provided in the ROM 42. Alternatively, the CPU 41 of the user HSM 14 may store the master key (key information) specified in the registration request from the user PC 16 in the RAM 44.

[0098] Through the second recovery process described above, the security system 1 according to the embodiment can recover the master key of the user HSM 14 from the encrypted master key (key information) stored in the manufacturer's HSM 13 while the user PC 16 connected to the user HSM 14 and the manufacturer's PC 12 are connected online.
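The three sequences above (initial setup in Figure 3, recovery at the manufacturer in Figure 4, and online recovery in Figure 6) reduce to one computation: the card wraps the master key after a successful biometric match, the manufacturer HSM escrows the wrapped key under identification information, and recovery is a lookup by that identification information followed by an unwrap on whichever PC holds the card. The following Python model is an added illustration and is not code from the patent or from Toshiba. Everything in it is an assumption: the class and function names, the use of the card identifier as the identification information, the exact-compare matcher, the 32-byte master key, and the HMAC-SHA256 encrypt-then-MAC scheme standing in for whatever the card actually uses, which the text leaves unspecified (it only requires that the result be decryptable by the same card after authentication). The biometric sample values are constructed byte strings.

```python
"""Toy model of the Figure 3, 4 and 6 flows: the user HSM master key is wrapped by the
biometric card, escrowed in the manufacturer HSM under identification information, and
re-registered after loss. The wrapping scheme and matcher are stand-ins, not the patent's."""
import hashlib
import hmac
import secrets


class BiometricCard:
    """Card 15. The wrapping key never leaves the card; wrap/unwrap refuse to run
    until a live sample has matched the enrolled template (ST18, ST34, ST55)."""

    def __init__(self, card_id, enrolled_template):
        self.card_id = card_id                    # identification information (ST20)
        self._template = enrolled_template        # constructed stand-in for a template
        self._wrap_key = secrets.token_bytes(32)  # assumed per-card secret
        self._authenticated = False

    def authenticate(self, live_sample):          # toy matcher: exact compare
        self._authenticated = hmac.compare_digest(self._template, live_sample)
        return self._authenticated

    def _prf(self, label, data):
        return hmac.new(self._wrap_key, label + data, hashlib.sha256).digest()

    def _xor_keystream(self, nonce, data):
        stream = b"".join(self._prf(b"enc", nonce + i.to_bytes(4, "big"))
                          for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, stream))

    def wrap(self, master_key):                   # ST19
        if not self._authenticated:
            raise PermissionError("card: biometric authentication required")
        nonce = secrets.token_bytes(16)
        ct = self._xor_keystream(nonce, master_key)
        return nonce + ct + self._prf(b"tag", nonce + ct)   # encrypt-then-MAC

    def unwrap(self, blob):                       # ST38 / ST61
        if not self._authenticated:
            raise PermissionError("card: biometric authentication required")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._prf(b"tag", nonce + ct)):
            raise ValueError("card: wrapped master key failed integrity check")
        return self._xor_keystream(nonce, ct)


class ManufacturerHSM:   # HSM 13: encrypted master keys keyed by identification information
    def __init__(self):
        self._store = {}

    def save(self, ident, encrypted_master_key):  # ST22
        self._store[ident] = encrypted_master_key

    def transfer(self, ident):                    # ST36 / ST58; KeyError if nothing escrowed
        return self._store[ident]


class UserHSM:           # HSM 14: the predetermined memory area for the master key
    master_key = None


def initial_setup(mfr_hsm, user_hsm, card, live_sample):
    """Figure 3 on manufacturer PC 12; the plaintext key crosses the PC at ST19, as in [0062]."""
    user_hsm.master_key = secrets.token_bytes(32)                # ST14, ST15
    if not card.authenticate(live_sample):                       # ST18
        raise PermissionError("ST18: biometric authentication failed")
    mfr_hsm.save(card.card_id, card.wrap(user_hsm.master_key))   # ST19 to ST22


def recover(mfr_hsm, user_hsm, card, live_sample):
    """Figures 4 and 6 share this logic and differ only in which PC runs it; in Figure 6
    the manufacturer PC releases the blob on the user PC's notification and never decrypts."""
    if not card.authenticate(live_sample):                       # ST34 / ST55
        raise PermissionError("biometric authentication failed")
    encrypted = mfr_hsm.transfer(card.card_id)                   # ST36 / ST58
    user_hsm.master_key = card.unwrap(encrypted)                 # ST38 to ST40 / ST61, ST62
    return user_hsm.master_key


def _outcome(action):
    try:
        action()
        return "released"
    except (PermissionError, KeyError, ValueError) as err:
        return type(err).__name__


def run_scenarios():
    """Recovery after a tamper clear, plus the refusals a practitioner should see."""
    owner_sample = b"constructed-fingerprint-sample-of-owner"
    card = BiometricCard("card-0001", owner_sample)
    mfr_hsm, user_hsm = ManufacturerHSM(), UserHSM()
    initial_setup(mfr_hsm, user_hsm, card, owner_sample)
    original = user_hsm.master_key
    user_hsm.master_key = None                                   # tamper event clears the key
    recovered = recover(mfr_hsm, user_hsm, card, owner_sample)
    other = BiometricCard("card-0002", b"other-template")        # a different, valid user
    altered = bytearray(mfr_hsm.transfer(card.card_id))
    altered[20] ^= 1                                             # escrow blob modified in transit
    return {
        "recovered_matches": recovered == original,
        "wrong_biometric": _outcome(lambda: recover(mfr_hsm, UserHSM(), card, b"wrong finger")),
        "other_card": _outcome(lambda: recover(mfr_hsm, UserHSM(), other, b"other-template")),
        "altered_blob": _outcome(lambda: card.authenticate(owner_sample) and card.unwrap(bytes(altered))),
    }
```

run_scenarios() exercises the happy path (a tamper clear followed by recovery yields the original key) and three refusals: a wrong finger on the owner's card (no match, so the card will not unwrap), a different user's validly authenticated card (nothing is escrowed under its identification information), and a wrapped blob altered in transit (MAC failure). Two points the model makes visible: at step ST19 the plaintext master key passes through the manufacturer PC between the user HSM and the card, and in the online variant the manufacturer HSM releases the blob on the strength of the user PC's notification, so the card's wrapping is the only thing standing between the released blob and the key.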

[0099] In the embodiments described above, biometric authentication of a user (specific user) using the user HSM 14 is performed using the biometric authentication card 15. However, such biometric authentication of a specific user may also be performed using a biometric authentication unit 47 and a biosensor 48 provided on the user HSM 14. In this case, the user HSM 14 should perform biometric authentication of the specific user in response to a biometric authentication request from the manufacturer PC 12 or user PC 16, similar to the biometric authentication using the biometric authentication card 15 described above.

[0100] As detailed above, the security system according to this embodiment allows for the recovery of the user's HSM's master key without the user having to back up the master key, by having the manufacturer's HSM hold the master key of the user's HSM. This means that even if the master key is deleted due to an unforeseen accident, various data encrypted with the master key can be recovered, allowing the user to use the user's HSM safely.

[0101] Furthermore, according to the security system of this embodiment, when the manufacturer performs the initial setup of the user HSM, the master key of the user HSM is stored in the manufacturer's HSM, which is managed by the manufacturer. The manufacturer can provide a service of storing the master key of the user HSM by having the manufacturer's HSM manage the master key of the user HSM. As a result, the master key of the user HSM can be stored in the manufacturer's HSM during the initial setup process by the manufacturer, so the user does not need to back up the master key themselves, and it is possible to prevent the master key from becoming unrecoverable due to user error or forgetting to set it.

[0102] Furthermore, according to the security system of this embodiment, the master key of the user HSM stored by the manufacturer can be retrieved only after successful biometric authentication using the user's biometric information, enabling strict management by the manufacturer and secure storage of the user HSM's master key. In addition, since writing of the master key to the predetermined memory area of the user HSM can be restricted unless biometric authentication using the user's biometric authentication card succeeds, the security of the data within the user HSM can be ensured even if the copy of the master key held by the manufacturer, which is stored only in encrypted form, is leaked. Moreover, if the HSM is attacked and the master key is cleared in response to a tamper event, the user can not only recover the master key stored by the manufacturer but also perform the initial setup again and generate a new master key.

[0103] The program according to this embodiment may be distributed while stored in an electronic device such as the devices described, or it may be distributed without being stored in an electronic device. In the latter case, the program may be distributed via a network, or it may be distributed while stored in a storage medium. The storage medium is a non-transitory tangible medium. The storage medium is a computer-readable medium. The storage medium may be any medium that can store a program and be read by a computer, such as an optical disc or memory card, and its form is not limited. The electronic device downloads the program distributed (provided) via a network and installs it in memory, or reads the program from the storage medium and installs it in memory.

[0104] While several embodiments of the present invention have been described, these embodiments are presented as examples only and are not intended to limit the scope of the invention. These novel embodiments can be carried out in a variety of other forms, and various omissions, substitutions, and modifications can be made without departing from the spirit of the invention. These embodiments and their variations are included in the scope and spirit of the invention, as well as in the claims of the invention and its equivalents. [Explanation of Symbols]

[0105] 1…Security system 12…Manufacturer PC (information processing device, first information processing device) 13…HSM (first security device) 14…HSM (second security device) RW…Card reader / writer 15…Biometric authentication card (biometric authentication device, authentication device) 16…User PC (second information processing device) 21…CPU 22…ROM 23…RAM 24…Communication unit 25…Display unit 26…Operation unit 31…Processor (first processor) 32…ROM 33…Secure ROM 34…RAM 35…Communication unit (first communication unit) 36…Coprocessor 41…Processor (second processor) 42…ROM 43…Secure ROM 44…RAM 45…Communication unit (second communication unit) 46…Coprocessor 47…Biometric authentication unit 48…Biosensor C…Main body 51…Processor (first processor) 54…Data memory 55…Communication interface (second interface) 56…Biometric verification unit 56a…Biosensor 61…CPU (second processor) 62…ROM 63…RAM 64…Communication unit 65…Display unit 66…Operation unit.

Claims

1. A security system including a first security device and a second security device, wherein the first security device includes: a first communication unit; a first memory that stores key information registered in the second security device used by a specific user; and a first processor that, when biometric authentication of the specific user by a biometric authentication device is successful, outputs the key information registered in the second security device and stored in the first memory via the first communication unit; and the second security device includes: a second communication unit that acquires the key information output by the first security device when the biometric authentication of the specific user by the biometric authentication device is successful; a second memory having a predetermined memory area for storing key information; and a second processor that registers the acquired key information in the predetermined memory area.

2. The first processor stores the key information encrypted using the biometric authentication device in the first memory. The second processor registers the key information decrypted using the biometric authentication device into the second memory. The security system according to claim 1.

3. The first communication unit includes an interface for communicating with the information processing device to which the biometric authentication device is connected. The first processor, upon successful biometric authentication of the specific user by the biometric authentication device, outputs the key information registered in the second security device stored in the first memory to the information processing device. The second communication unit includes an interface for communicating with the information processing device, The second processor acquires the key information transmitted from the information processing device by the second communication unit. The security system according to claim 1.

4. The first communication unit includes an interface for communicating with the first information processing device, The second communication unit includes an interface for communicating with the second information processing device to which the biometric authentication device is connected. When the first information processing device and the second information processing device are in a state where they can communicate, the first processor outputs the key information registered in the second security device stored in the first memory to the first information processing device if the biometric authentication of the specific user by the biometric authentication device connected to the second information processing device is successful. The second processor acquires the key information transmitted from the first information processing device via the second information processing device by the second communication unit. The security system according to claim 1.

5. The biometric authentication device is a biometric authentication card that has a biometric sensor to acquire biometric information and performs biometric authentication using the biometric information of the specified user. A security system according to any one of claims 1 to 4.

6. A method for managing information in a security system including a first security device and a second security device used by a specific user, the method comprising: registering key information in a predetermined memory area of the second security device; storing, in the first security device, the key information registered in the predetermined memory area of the second security device; when biometric authentication of the specific user by a biometric authentication device is successful, outputting the key information registered in the predetermined memory area of the second security device and stored in the first security device; and re-registering, by the second security device, the key information output from the first security device in the predetermined memory area.