Remote signature system and tamper-resistant device
The remote signature system encrypts data and verification information using a shared key, addressing security and complexity issues by integrating identity verification and signature processes, ensuring secure and continuous operation.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- KEY TECHNO CO LTD
- Filing Date
- 2023-02-24
- Publication Date
- 2026-06-26
AI Technical Summary
Remote signature systems face security risks due to unencrypted transmission of data and authentication information, leading to tampering and fraudulent signatures, and complexity in verification processes.
A remote signature system that encrypts both the data to be signed and verification information using a shared encryption key, allowing for integrated identity verification and signature processes without challenge codes, ensuring secure transmission and continuous processing.
Ensures secure transmission of data, eliminates the need for remembering authentication information, simplifies verification processes, and prevents fraudulent signatures by validating identity and integrity of the signature request.
Smart Images

Figure 0007880640000001 
Figure 0007880640000002 
Figure 0007880640000003
Abstract
Description
Technical Field
[0001] The present invention relates to a remote signature system that performs an electronic signature on signature target data generated from an electronic document using a signature key managed by an anti-tampering device. The present invention relates to an anti-tampering device used in a remote signature system.
Background Art
[0002] A remote signature system has been proposed in which a user's signature key is installed in a business operator's server, the user remotely logs in to the server, and an electronic signature is performed using the user's signature key on the business operator's server. Since the remote signature system can perform an electronic signature remotely and the user does not need to manage the signature key, it is expected as a highly convenient signature system for the user.
[0003] As an electronic signature system using a remote signature method, an electronic signature system including a key management system for managing a signature key, a certificate issuing system for issuing a certificate, and a terminal device used by a user has been proposed (see, for example, Patent Document 1). In this known electronic signature system, user authentication is performed based on a combination of a user ID and a password based on a user account set in the key management system.
[0004] Furthermore, the present inventor has proposed a remote signature method for electronic signatures (see, for example, Patent Document 2). In this electronic signature system, the tamper-resistant device generates a key pair of a private key and a public key in response to a request from the user. The private key becomes the signing key and is stored in the tamper-resistant device. The public key is transmitted to the terminal device and stored as an encryption key. Subsequently, the user comes up with authentication information, such as a password, that indicates the right to use their signing key, and transmits it to the tamper-resistant device via the terminal device. The tamper-resistant device stores the received authentication information of the user in relation to the user's signing key. This authentication information acts as reference information when verifying the user's identity. The user's authentication information is stored in the user's memory and kept confidential. The private key also functions as a decryption key to decrypt an encrypted token encrypted using the public key.
[0005] When performing an electronic signature, the user enters their authentication information into a terminal device. The terminal device encrypts the entered authentication information using an encryption key and generates an encrypted token. Subsequently, a signature request containing the data to be signed, the encrypted token, and the signing key identification information is sent to a tamper-resistant device. The tamper-resistant device decrypts the encrypted token using a decryption key. The decrypted authentication information is verified for consistency with the authentication information stored together with the signing key, and electronic signatures are permitted only if they match. As a result, a remote signature system is established in which only those with legitimate rights to use the signing key can perform electronic signatures. [Prior art documents] [Patent Documents]
[0006] [Patent Document 1] Patent No. 6465426 [Patent Document 2] Japanese Patent Publication No. 2021-111925 [Overview of the Initiative] [Problems that the invention aims to solve]
[0007] Remote signature systems require securely sending signature requests containing the data to be signed to a tamper-resistant device. However, in systems that verify user identity using a user ID and password, the data to be signed is sent to the tamper-resistant device in plain text without encryption. This creates a security risk, as the data to be signed could be tampered with at network relay points.
[0008] In contrast, in an electronic signature system that uses authentication information to verify identity, both the authentication information and the data to be signed are encrypted and transmitted to a tamper-resistant device in an encrypted state. Therefore, the risk of the data to be signed being tampered with is avoided. Moreover, since identity verification is performed and only the owner of the signing key who knows the authentication information can electronically sign, a high level of security can be ensured. However, since the authentication information is secretly kept in the user's mind, there is a drawback in that the signature system cannot be used if the user forgets the authentication information. In this case, if the authentication information is composed of a simple password, there is a risk that it can be easily stolen by a hacker. Also, if the authentication information is stolen by someone else, a scandal may occur in which someone who does not have the authority to use the signing key electronically signs documents. On the other hand, it is expected that a complex password will be used to prevent the theft of authentication information. However, in this case, it becomes easier to forget the authentication information, and there is a risk that the signature system cannot be used. Thus, the remote signature system described in reference 2 had the drawback of placing an excessive burden on the user regarding the management of authentication information (password).
[0009] Furthermore, a known method for verifying identity involves using a challenge code. In this verification method, a challenge code is sent from a tamper-resistant device to a terminal device. The terminal device encrypts the challenge code using an encryption key and sends it back to the tamper-resistant device. The tamper-resistant device decrypts the encrypted challenge code using a decryption key and verifies its consistency with a legitimate challenge code. If they match, the signing key is activated and an electronic signature is performed. However, this verification method has the drawback that the verification process is not performed for each signature request because the verification process and the signing process are separated. In addition, it has been pointed out that the number of processing steps for the verification and signing processes is too large, making the process cumbersome. More importantly, although identity verification is performed, the presence or absence of tampering with the signature request is not verified, so there is a risk that an electronic signature may be applied to a fraudulent signature request.
[0010] The objective of the present invention is to realize a remote signature system in which identity verification is performed for each signature request, and in which identity verification is performed without using authentication information such as a password. Furthermore, an object of the present invention is to provide a remote signature system that can perform the verification process and the signing process sequentially without using challenge code. Furthermore, an objective of the present invention is to realize a remote signature system that effectively excludes tampered and fraudulent signature requests from the scope of electronic signatures. [Means for solving the problem]
[0011] The remote signature system according to the present invention comprises a signature system having one or more tamper-resistant devices configured to generate and manage signature keys and a key management server for controlling the tamper-resistant devices, and a terminal device used by a user or signer, and the remote signature system electronically signs the data to be signed included in a signature request sent from the terminal device to the tamper-resistant device using the signature key, The terminal device includes means for generating an authentication key pair having a private key and a public key, or means for installing an authentication key pair generated externally, and means for using the private key as an encryption key to encrypt the data to be signed and verification information used for identity verification to generate an encrypted token. The tamper-resistant device includes: a signature key generation means for generating a signature key; a signature key storage means for storing signature key information, including a signature key, a decryption key for decrypting a cryptographic token, and signature key identification information, for each user; a means for accessing the signature key storage means and searching for both the decryption key and the signature key identified by the signature key identification information; a means for decrypting encrypted verification information and encrypted data to be signed contained in a cryptographic token using the searched decryption key; a verification means for verifying the validity of a signature request using the decrypted verification information; and a means for digitally signing the data to be signed using the searched signature key. The private key of the aforementioned authentication key pair is stored as an encryption key in the terminal device, and the public key is transmitted to the tamper-resistant device and stored as a decryption key in the signature key storage means. During electronic signature, the terminal device encrypts the verification information and the data to be signed using the aforementioned encryption key to generate an encrypted token. A signature request is generated and sent to a tamper-resistant device, which includes signature key identification information, verification information for the plaintext before encryption, encrypted verification information, and an encrypted token containing the data to be signed. The tamper-resistant device searches for both the decryption key and the signing key using the signing key identification information included in the signature request, decrypts the cryptographic token using the found decryption key, verifies the consistency between the decrypted verification information and the plaintext verification information, and if the decrypted verification information and the plaintext verification information match, digitally signs the data to be signed using the found signing key.
[0012] The fundamental idea of this invention is to combine a public-key cryptography scheme with a remote signature system and control the signature key using the verification results of identity verification performed by the public-key cryptography scheme. As a result of various analyses conducted by the inventors on public-key cryptography schemes and remote signature systems, it was found that the signature key can be controlled using the verification results of the public-key cryptography scheme by adopting the following three configurations. (1) The tamper-resistant device is provided with a signature key storage means that stores signature key information for each user, including a signature key used for electronic signatures, a decryption key used to decrypt encrypted information, and signature key identification information that identifies these signature and decryption keys. (2) When electronically signing, a signature request is generated that includes both the information necessary for the signature process and the information necessary for the identity verification process, and this is sent to a tamper-resistant device. (3) The data to be signed, which is the subject of the electronic signature, and the verification information used for verifying identity are encrypted using the same encryption key and transmitted to a tamper-resistant device.
[0013] The information required for an electronic signature includes a signature key identification document that identifies the signature key used for the electronic signature, and the data to be signed. Furthermore, the information required for identity verification includes encrypted verification information, which is the verification information used for identity verification, and the plaintext verification information before encryption.
[0014] Verification information functions as reference information used in the identity verification process and performs a similar function to a challenge code. There are no particular restrictions on this verification information; any code or message information generated by the user can be used. Furthermore, data to be signed or signing key identification information can be used as verification information. Alternatively, various types of information, such as arbitrary sequences of numbers or strings, generated by the terminal device can be used. This verification information is generated by the terminal device or entered into the terminal device by the user.
[0015] In this invention, the data to be signed, which is the subject of the electronic signature, is encrypted and transmitted to a tamper-resistant device to prevent tampering. The verification information used for verifying identity is also encrypted using the same encryption key. By encrypting the data to be signed and the verification information using the same encryption key, both the verification information and the data to be signed can be reconstructed in a single decryption process using the same decryption key in the tamper-resistant device.
[0016] The setup process is described below. The tamper-resistant device generates a signature key for each user based on the user's request. The generated signature key is stored in the signature key storage means along with identification information that identifies the signature key. The signature key identification information is transmitted to the terminal device and stored in the terminal device as well. The terminal device generates an authentication key pair that executes public-key cryptography. The generated private key is stored in the terminal device. The public key is also transmitted to the tamper-resistant device and stored in the signature key storage means in relation to the user's signature key. The private key stored in the terminal device functions as an encryption key to encrypt the verification information and the data to be signed, and the public key functions as a decryption key to decrypt the encrypted verification information and the data to be signed. Therefore, the terminal device holds the encryption key, and the tamper-resistant device holds the decryption key.
[0017] Furthermore, signature key information, including a signature key used for digital signatures, a decryption key for decrypting encrypted information, and signature key identification information that identifies these signature and decryption keys, is formed for each user and stored in the signature key storage means. The signature key identification information acts as identification or search information that identifies the pair of signature and decryption keys. With this configuration, the signature key and decryption key set for each user are retrieved together by identifying the signature key identification information. The retrieval of the signature and decryption keys together, combined with the fact that the data to be signed and the verification information are encrypted using the same encryption key, allows for digital signatures to be performed following the decryption and verification processes. The setup process is completed by storing the signature key information in the signature key storage means.
[0018] Next, a signature request that requires an electronic signature for the tamper-resistant device will be described. In the present invention, in order to continuously execute the verification process and the electronic signature, the signature request includes information necessary for verifying the identity confirmation and information necessary for the electronic signature. The information necessary for verifying the identity confirmation is encrypted verification information and plaintext verification information before encryption. The information necessary for the electronic signature is signature key identification information that identifies the user's signature key and signature target data that is the target of the electronic signature. In the present invention, these pieces of information are effectively combined to generate a signature request.
[0019] The verification information is encrypted by the terminal device, included in the signature request together with the plaintext verification information before encryption, and transmitted to the tamper-resistant device. In the tamper-resistant device, the encrypted verification information is decrypted using the decryption key, and the identity confirmation is verified by verifying the consistency between the decrypted verification information and the plaintext verification information. That is, since the plaintext verification information is the reference information before encryption, if the encrypted verification information is decrypted using the decryption key associated with the encryption key, the plaintext verification information is reproduced. Therefore, in the tamper-resistant device, the encrypted token is decrypted using the decryption key specified by the signature key identification information included in the signature request, and the consistency between the decrypted verification information and the plaintext verification information is verified. If these match, the encrypted verification information is determined to be encrypted using the encryption key associated with the decryption key stored in the tamper-resistant device. As a result, the signature request is determined to be a signature request by a person having the right to use the signature key.
[0020] From the viewpoint of preventing forgery, the signature target data is encrypted and transmitted. At this time, the signature target data and the verification information are encrypted using the same encryption key. Also, the signature key identification information is transmitted in plaintext. The information necessary for verification is encrypted verification information and plaintext verification information before encryption. As a signature request, a signature request in the following form is assumed. Signature request = Plaintext (signature key identification information) + Plaintext (verification information) + Encrypted token (encrypted verification information + encrypted signature target data)
[0021] When performing an electronic signature, the terminal device executes a hash operation process on the electronic document to be signed to generate signature target data. Subsequently, the terminal device uses an encryption key to encrypt the generated signature target data and verification information to generate an encrypted token. The encrypted token is a token having a preset format structure. Next, a signature request having signature key identification information, plaintext verification information, and an encrypted token including the encrypted signature target data and verification information is generated and transmitted to the tamper-resistant device. Thereby, the signature target data is transmitted from the terminal device to the tamper-resistant device in an encrypted and secure state. Therefore, the signature target data will not be tampered with during transmission.
[0022] When the tamper-resistant device receives the signature request, the search means is activated. The search means accesses the signature key storage means and retrieves both the decryption key and the signature key associated with the signature key identification information included in the signature request. Subsequently, the encrypted token is decrypted using the retrieved decryption key, and the verification information and the signature target data are each decrypted. Subsequently, the consistency between the decrypted verification information and the plaintext verification information is verified. If these match, an electronic signature is performed on the signature target data decrypted using the retrieved signature key.
[0023] In the present invention, since both the decryption key and the signature key are retrieved by one search process, after the decryption and verification processes are completed, the signature process can be continuously executed. Incidentally, first, the decryption key is retrieved, the verification information of the encrypted token is decrypted using the retrieved decryption key to perform verification, the verification result is confirmed, and then the signature key is retrieved, and an electronic signature is performed on the signature target data using the retrieved signature key. This is also possible.
[0024] If the decrypted verification information does not match the plaintext verification information, the validity of the signature request is denied. In other words, since the cryptographic token is encrypted, it cannot be tampered with during transmission. Therefore, the cause of the mismatch is presumed to be that the verification information was encrypted using an encryption key that is not associated with the decryption key held in the tamper-resistant device. Such a signature request is determined to be a signature request made by someone who does not have the authority to use the signing key. Consequently, if the decrypted verification information does not match the plaintext verification information, this signature request is deemed invalid and excluded from the scope of digital signatures.
[0025] Next, we will explain how to handle cases where a signature request is tampered with. The signature request of the present invention includes plaintext signature key identification information, plaintext verification information, and a cryptographic token. Since the cryptographic key token is encrypted, it cannot be tampered with. Therefore, the only things that can be tampered with are the plaintext signature key identification information and the plaintext verification information. If the signature key identification information is tampered with, the tamper-resistant device searches for a signature key different from the legitimate signature key and searches for a decryption key unrelated to the cryptographic key used to encrypt the cryptographic token. As a result, the decryption process is performed using a decryption key different from the legitimate decryption key, and the legitimate verification information cannot be reproduced. Therefore, in the verification process, the decrypted information does not match the plaintext verification information and is treated as an error. Also, if the plaintext verification information is tampered with, the plaintext verification information and the decrypted verification information do not match and are treated as an error. Thus, in the present invention, if a signature request is tampered with, it is treated as an error, so the tampered signature request is excluded from the scope of electronic signatures. Therefore, in this invention, the validity of a signature request is determined not only from the perspective of whether or not there is a right to use the signing key, but also from the perspective of whether or not it has been tampered with.
[0026] An example of using the data to be signed as verification information will be described. When the data to be signed is used as verification information, the encrypted verification information and the encrypted data to be signed are the same, so the signature request is formed as follows. Signature request = Signature key identifier + Plaintext (data to be signed) + Cryptographic token (encrypted data to be signed) When a signature request is input to a tamper-resistant device, the following processes are performed: First, both the signing key and decryption key, identified by the signing key identifier information included in the signature request, are retrieved. The cryptographic token is decrypted using the retrieved decryption key, and the data to be encrypted is decrypted. Next, the consistency between the decrypted data to be signed and the plaintext data to be signed is verified. If they match, the data to be signed is signed using the retrieved signing key. Note that the data to be signed may be digitally signed in plaintext or on the decrypted data. Furthermore, the verification method according to this invention also serves to verify the authenticity of the cryptographic token. Additionally, the data to be signed is encrypted and transmitted securely without tampering. Therefore, the decrypted data to be signed has significant importance as authentic information. Consequently, digitally signing the decrypted data, rather than the plaintext data, achieves beneficial effects in ensuring system security. In this example, the consistency between the decrypted data to be signed and the plaintext data to be signed is verified. Therefore, identity verification is performed, and the presence or absence of tampering with the data to be signed is also verified. If the data to be signed has been tampered with, it is treated as an error.
[0027] Next, we will describe an example in which the signature key identifier is used as verification information. In this case, the signature key identifier and the verification information for the plaintext are the same, so the signature request is set up as follows. Signature request = Plaintext (signature key identifier) + Cryptographic token (encrypted signature key identifier + encrypted data to be signed) In a tamper-resistant device, the decryption key and signing key are retrieved using the signature key identifier. Subsequently, the cryptographic token is decrypted using the retrieved decryption key, and the agreement between the plaintext signature key identifier and the decrypted signature key identifier is verified. If they match, the data to be signed, which has been decrypted using the retrieved signature key, is digitally signed. In this example, identity verification is performed, as well as verification of whether the signature key identifier has been tampered with. That is, if the plaintext signature key identifier is tampered with while the signature request is being sent, it will be decrypted with a decryption key that is not associated with the encryption key, and therefore the decrypted signature key identifier will not match the plaintext signature key identifier. As a result, signature requests in which the signature key identifier has been tampered with are excluded from the scope of digital signatures.
[0028] An example of using the data to be signed and the signing key identification information as verification information will be described. The signature request is set up as follows. The terminal device generates data information in which the signing key identification information and the data to be signed are linked, and which can also be retrieved individually. Data information = Signature key identification information + Data to be signed Signature request = Plaintext (data information) + Cryptographic token (encrypted data information) In this example, the signature key identifier is extracted from the data information, and the decryption key and signing key are searched using the extracted signature key identifier. Next, the cryptographic token is decrypted using the searched decryption key, and the consistency between the plaintext data information and the decrypted data information is verified. If they match, the data to be signed is extracted from the data information, and the decrypted data is digitally signed using the searched signature key. In this example, identity verification is performed, as well as verification of whether the signature key identifier and the data to be signed have been tampered with. For example, if at least one of the signature key identifier or the data to be signed has been tampered with, the decrypted information and the plaintext information will not match, and the signature request will be determined to be invalid and excluded from the scope of digital signatures.
[0029] In the remote signature system of the present invention, any code sequence conceived by the user can also be used as verification information. In this case, the signature request is set up as follows. Signature request = Signature key identifier + Plaintext (verification information) + Cryptographic token (encryption verification information + encrypted data to be signed) In this example, the decrypted verification information is checked for consistency with the plaintext verification information. If they match, an electronic signature is applied to the decrypted data to be signed. In this example, any code sequence conceived by the user during setup can be used as verification information, or any code sequence conceived by the user when generating a signature request can be used as verification information. Furthermore, the code sequence used as verification information can be changed for each signature request. In this case, when generating a signature request, the user inputs the verification information into the terminal device via an input means such as a keyboard.
[0030] In this invention, the verification information used for identity verification consists of verification information written in plaintext before encryption and encrypted verification information. Furthermore, there are no special restrictions on the content of the verification information, and any information generated by the terminal device can be used.Therefore, this invention does not use a challenge code generated by a tamper-resistant device and transmitted to the terminal device, thus eliminating the complexity of the verification process.In addition, in this invention, the validity of the signature request is confirmed simply by comparing the plaintext verification information and the decrypted verification information, so the user does not need to remember passwords or authentication information.Therefore, the inconvenience of being unable to use the system due to forgetting a password is eliminated.In addition, since the data to be signed is transmitted to the terminal device in an encrypted state, the data to be signed cannot be tampered with.
[0031] Furthermore, in this invention, the verification information used for identity verification and the data to be signed are encrypted using the same encryption key. Therefore, both the verification information and the data to be signed can be reconstructed in a single decryption process. As a result, the advantage of being able to perform the verification process and the signing process consecutively is achieved. [Effects of the Invention]
[0032] In this invention, the validity of the signature request is confirmed without using a challenge code, thus eliminating the complexity of the verification process. Furthermore, the tamper-resistant device is equipped with a signature key storage means that stores signature key information for each user, including a decryption key for decrypting cryptographic tokens, a signing key for executing digital signatures, and signature key identification information that identifies the signing key. In addition, a signature request containing information necessary for signature processing and information necessary for verification processing is used, so the signature key can be controlled using the verification results of identity verification using a public key cryptography scheme. As a result, identity verification is performed for each signature request, and inappropriate signature requests can be excluded from the target of digital signatures. Furthermore, since the data to be signed and the verification information used for identity verification are encrypted using the same encryption key, the information necessary for verification and the information necessary for digital signing are reproduced together. As a result, the verification process and the signing process can be executed consecutively. There are no special restrictions on the verification information, and any information can be used, so even if a user forgets their verification information, it will not cause a problem where the signature system becomes unusable. In this invention, if a signature request is tampered with, it is treated as an error. Therefore, in addition to determining whether or not there is permission to use the signing key, fraudulent signature requests can be excluded from the scope of electronic signatures. [Brief explanation of the drawing]
[0033] [Figure 1] This figure shows the overall configuration of the electronic signature system according to the present invention. [Figure 2] This figure shows a schematic of the setup process and signing process of the remote signature system according to the present invention. [Figure 3] This figure shows the algorithm for the signature key generation process of the remote signature system according to the present invention. [Figure 4] This figure shows the algorithm for the signature process of the remote signature system according to the present invention. [Figure 5] This diagram shows a modified version of the setup process. [Figure 6] This is a diagram showing an example of a terminal device. [Figure 7] This figure shows an example of a tamper-resistant device. [Figure 8]This figure shows an example of a key management server. [Figure 9] This is an example of an editing server. [Figure 10] This figure shows a modified example of the electronic signature system according to the present invention. [Modes for carrying out the invention]
[0034] Figure 1 shows the overall configuration of the electronic signature system according to the present invention. Terminal devices 2-1 to 2-n are connected to network 1. These terminal devices are used by users or signers, and include, for example, personal computers and smartphones. Here, users include not only signers who electronically sign electronic documents, but also those who upload electronic documents to the editing server and those who download electronic documents from external servers to the editing server. Therefore, the terminal devices in this example include not only terminal devices used by signers, but also terminal devices used to upload electronic documents to be signed to the editing server.
[0035] Network 1 is connected to the signature system 3. The signature system 3 has a key management server 4 and one or more tamper-resistant devices 5 connected to the key management server. The key management server 4 is connected to the network and has the function of managing or controlling the tamper-resistant devices 5.
[0036] The tamper-resistant device 5 has the function of securely generating and managing signing keys without leaking them to the outside, and can be, for example, a Hardware Security Module (HSM). The tamper-resistant device includes a subsystem or device that has security management functions independent of the key management server. The tamper-resistant device has a key management module, which is a program for managing keys, and performs functions such as generating signing keys, storing signing keys, decrypting cryptographic tokens, verifying decrypted data to be signed, and digitally signing with signing keys.
[0037] Furthermore, a certificate issuance server 6, located at the Certificate Authority, is connected to network 1. The certificate issuance server 6 generates a Certificate Signing Request (CSR) and creates an electronic certificate in response to a certificate generation request sent from a terminal device. In addition, when generating a key pair that constitutes a signing key, a signing key generation request can be sent from the terminal device to the key management server via the certificate issuance server.
[0038] Furthermore, an editing server 7 is connected to network 1. The editing server 7 has the function of managing electronic documents to be signed, and manages electronic documents to be signed, such as electronic documents uploaded from terminal devices and electronic documents downloaded from external servers. When an electronic document is uploaded, the editing server 7 notifies the terminal device of the signer who is to sign that electronic document. In addition, the editing server can also embed the electronic signature generated by the signature system 3 into the electronic document and generate a signed electronic document. The generated signed electronic document is stored on the editing server 7.
[0039] Figure 2 shows an overview of the setup and signing processes of the remote signature system according to the present invention. A user who wishes to set up the system requests the tamper-resistant device to generate a signature key via a terminal device. In response, the tamper-resistant device generates a signature key using the signature key generation means 10. For example, the signature key generation means 10 generates a key pair of a private key and a public key, using the generated private key as the signature key and the public key as signature key identification information. Of course, the signature key identification information can include a user name to identify the user or number information to identify the terminal device. The generated signature key is stored in the signature key storage unit 12 along with the signature key identification information via the control unit 11. The signature key identification information is transmitted to the terminal device and also stored in the terminal device.
[0040] The terminal device has a key pair generation means 13 and generates an authentication key pair for executing a public-key cryptography scheme. The generated private key is sent to the encryption means 14 and functions as an encryption key for encrypting the data to be signed and the verification information. The generated public key is transmitted to the tamper-resistant device via the network and functions as a decryption key for decrypting the cryptographic token. Therefore, the public key is also referred to as the decryption key. This public key, i.e., the decryption key, is stored in the signature key storage unit 12 in association with the user's previously generated signature key. Therefore, as shown in Figure 2, the signature key storage unit stores signature key information, including the signature key, decryption key, and signature key identification information, in pairs for each user. Here, the signature key identification information identifies both the signature key and the decryption key that are in a pair. When transmitting the public key of the authentication key pair to the tamper-resistant device, it can be encrypted using the public key that is paired with the private key that constitutes the signature key and then transmitted to the tamper-resistant device. In this case, the tamper-resistant device decrypts the data using the signature key as the decryption key, and the decrypted public key is stored in the signature key storage unit as the decryption key.
[0041] Since the terminal device stores signature key identification information, the terminal device is indirectly linked to its own decryption key and signing key stored in the tamper-resistant device via the signature key identification information. In other words, by providing the signature key storage unit 12, each terminal device is assigned both a decryption key to decrypt cryptographic tokens and a signing key to execute digital signatures. Therefore, when a signature request containing signature key identification information is sent from the terminal device, both the decryption key and signing key identified by the signature key identification information included in the signature request are retrieved, and verification and signing processes are performed using the retrieved decryption key and signing key. The setup process is completed by configuring the signature key storage unit 12.
[0042] During electronic signature, the user or signer specifies the electronic document to be signed. Subsequent signal processing is performed automatically. The terminal device's signature target data generation means 15 performs a hash operation on the specified electronic document to generate signature target data. The generated signature target data is sent to the encryption means 14. The encryption means 14 encrypts the signature target data and verification information using an encryption key to generate an encrypted token. The generated encrypted token is sent to the signature request generation means 16. In addition to the encrypted token, the signature request generation means is also supplied with signature key identification information and plaintext verification information. The signature request generation means 16 generates the signature request shown below. Signature request = Signature key identifier + Plaintext (verification information) + Cryptographic token (encrypted verification information and encrypted data to be signed) The generated signature request is sent to the tamper-resistant device via the control unit 17.
[0043] There are no special restrictions on the verification information; users can use any information or code sequence they come up with. For example, the data to be signed or the signing key identifier can be used as verification information. Furthermore, any sequence of numbers or strings conceived by the signer can be used. It is also possible to change the verification information for each signature request.
[0044] Verification information can be obtained by performing a hash operation on reference information to calculate a hash value, and the resulting hash value can be used as verification information. For example, when using signature key identifier information as verification information, it may be difficult to use it directly because it has a large number of bytes. In such cases, by forming a hash value of the signature key identifier information, verification information with a smaller number of bytes can be used.
[0045] When the tamper-resistant device receives a signature request, a search means (not shown) is activated to access the signature key storage unit 12 and search for the decryption key and signing key identified by the signing key identification information. The retrieved decryption key is sent to the decryption means 18, and the signing key is sent to the signing means 19. Subsequently, an encrypted token is extracted from the signature request and sent to the decryption means. The decryption means 18 decrypts the encrypted verification information and the data to be signed. The decrypted verification information is sent to the match determination means 20, and the decrypted data to be signed is sent to the signing means 19. The match determination means 20 also receives the plaintext verification information extracted from the signature request. The match determination means 20 determines the match between the decrypted verification information and the plaintext verification information and sends the determination result to the signing means 19.
[0046] If the plaintext verification information matches the decrypted verification information, the signature request is deemed valid, and the decrypted data to be signed is digitally signed using the retrieved signing key. If there is a mismatch, the signature request is treated as an error and excluded from digital signing.
[0047] Thus, in this invention, both the decryption key and the signing key are retrieved using the signing key identification information, and both the information used in the verification process and the information used in the signing process are transmitted to the tamper-resistant device with a single signature request. Therefore, the verification process and the signing process can be executed sequentially and integrally. Furthermore, after specifying the electronic document to be signed, no information input operations are performed by the signer. Thus, all signal processing after the electronic document is specified can be performed automatically. As a result, the process until the signed document is generated can be performed automatically.
[0048] In the system configuration shown in Figure 2, when signature target data is used as verification information, the signature target data output from the signature target data generation means 15 is configured to be supplied to the encryption means 14 and the signature request generation means 16, respectively. In this case, the verification information supply means is not used. Furthermore, when both signature target data and signature key identification information are used as verification information, the signature target data output from the signature target data generation means 15 is configured to be supplied to the encryption means 14 and the signature request generation means 16, and the signature key identification information is also configured to be supplied to the encryption means 14 and the signature request generation means 16, respectively.
[0049] Figure 3 shows the algorithm for the signature key generation process of the remote signature system according to the present invention. The user makes an authentication request to the key management server 4 of the signature system 3 via the terminal device 2. The authentication request is for user authentication using a user ID and password. If the user's account has not been created, the key management server 4 will create a new account for that user. In addition to the method of authenticating the combination of user ID and password, authentication can also be performed by sending a token stored on an IC card to the key management server. After user authentication, an authentication response is sent from the key management server 4 to the terminal device 2.
[0050] Upon successful user authentication, the user sends a signature key generation request from the terminal device to the key management server 4. The key management server 4 instructs the tamper-resistant device 5 to generate the signature key. In response to the signature key generation request, the tamper-resistant device generates a key pair consisting of a private key and a public key, which will serve as the signature key. The generated private key becomes the signature key and is stored in the tamper-resistant device, where it is used for digital signatures. The public key is used as signature key identification information. The tamper-resistant device sends a signature key generation notification containing the generated public key to the key management server, which then sends the signature key generation notification to the terminal device. The terminal device stores the received public key as signature key identification information.
[0051] Upon receiving a signature key generation notification, the terminal device generates a private key and a public key pair for executing public-key cryptography. The generated private key is stored in the terminal device and functions as an encryption key for encrypting the data to be signed and the verification information. Encryption can be performed by using the private key to perform a signature operation. The encrypted data to be signed and the verification information constitute an encrypted token. The generated public key is sent to a tamper-resistant device and stored in association with the corresponding signature key. This public key can be encrypted using the public key that functions as the signature key identification information and sent to the tamper-resistant device. In this case, it is decrypted using the signature key. The public key stored in the tamper-resistant device functions as a decryption key for decrypting the encrypted token sent from the terminal device.
[0052] The signature key information, which includes a signing key for electronic signatures, a decryption key for decrypting cryptographic tokens, and signature key identification information that identifies the signing key and decryption key, is stored in the signature key storage unit 12 for each user. If the number of signature keys to be stored becomes large and an overflow occurs, the signature key information can also be encrypted and stored in an external database of the tamper-resistant device.
[0053] In addition to the private key and its corresponding public key that constitute the signing key, various other types of information can be used as signature key identification information. For example, not only can the same information as the signature key identification information be used, but identification information that has been modified to distinguish it from the signing key, i.e., identification information equivalent to the signature key identification information, can also be used. Furthermore, the user's name can be used as signature key identification information, or a tamper-resistant device can assign an identification number to the user, and that identification number can be used as the signature key identification information.
[0054] Once the tamper-resistant device has finished storing the public key that will function as the decryption key, it sends a setup completion notification to the terminal device. From then on, users can use the terminal device to request digital signatures.
[0055] Next, the user sends an authentication request to the certificate issuing server 6 via the terminal device in order to obtain an electronic certificate (signature certificate). This user authentication also uses a combination of user ID and password. An authentication response is sent from the certificate issuing server to the terminal device.
[0056] Upon successful user authentication, the terminal device sends a digital certificate generation request to the certificate issuing server, including the user ID, the public key paired with the signing key, and other necessary information. The certificate issuing server creates a Certificate Signing Request (CSR) using the received public key and necessary information, performs the prescribed review process, and then generates the digital certificate. The generated digital certificate is sent to the terminal device. The terminal device stores the received digital certificate. The digital certificate is also transferred to the editing server as needed and stored on the editing server.
[0057] Figure 4 shows an algorithm for performing digital signatures using a signing key. The terminal device generates the data to be signed from the electronic document to be signed. The electronic document used can be one stored on the terminal device or one sent from the editing server that manages the electronic documents. The terminal device performs a predetermined logical operation (hash operation) on the area of the electronic document to be signed to generate a hash value, and uses the generated hash value as the data to be signed.
[0058] The data to be signed in this invention includes not only data to be signed directly from electronic documents, but also messages to which additional information such as the date and time of creation and expiration date has been added. In other words, messages that partially contain data to be signed can also be used as data to be signed.
[0059] Next, the terminal device encrypts the data to be signed and the verification information using an encryption key (a stored private key) to generate an encrypted token. As an example of encryption, the data to be signed and the verification information can be concatenated, a signature operation can be performed on the concatenated data information, and the resulting signature operation result can be used as an encrypted token. Alternatively, the data to be signed and the verification information can be encrypted separately to form an encrypted token. Furthermore, a hash operation can be performed on the verification information, and the resulting hash value can be encrypted to generate an encrypted token.
[0060] Next, the terminal device generates a cryptographic token containing signature key identification information, plaintext verification information, and encrypted verification information and the data to be signed. The signature request has the purpose of requesting a digital signature from the tamper-resistant device. The signature request is sent to the tamper-resistant device via the key management server. Note that when signature key identification information is used as verification information, plaintext verification information is not required, and a cryptographic token containing signature key identification information, encrypted signature key identification information, and encrypted data to be signed is generated.
[0061] When the tamper-resistant device receives a signature request, the search means accesses the signature key storage unit and searches for the signature key identification information, associated decryption key, and signature key contained in the signature request. The retrieved decryption key is supplied to the decryption means, and the signature key is supplied to the signing means.
[0062] The decryption means decrypts the cryptographic token and forms plaintext verification information and plaintext data to be signed, respectively. The decrypted data to be signed is supplied to the signing means, and the verification information is supplied to the matching determination means. Next, the matching of the decrypted verification information with the plaintext verification information included in the signature request is verified. As an example of verification, a signature operation is performed on the encrypted verification information using the decryption key to form a signature value. Then, the matching of the obtained signature value with the plaintext verification information is verified. When signature key identification information is used as verification information, the matching of the plaintext signature key identification information with the decrypted signature key identification information is verified. Furthermore, when verification is performed using the hash value of the signature key identification information, the matching of the hash value formed from the plaintext signature key identification information with the decrypted hash value can be verified.
[0063] As a result of the verification, if the decrypted verification information matches the plaintext verification information, the tamper-resistant device determines that the received signature request is valid. In other words, it determines that the received signature request is from a person who has the legitimate right to use the signing key, and that the data to be signed has not been tampered with.
[0064] If the verification results show a mismatch, the tamper-resistant device determines that the received signature request is invalid and processes it as an error.
[0065] If the signature request is deemed valid, the tamper-resistant device uses the retrieved signing key to digitally sign the decrypted data to be signed, generating an electronic signature. The signature result, including the generated electronic signature, is transmitted to the terminal device via the key management server. The terminal device embeds the received electronic signature into the edited electronic document, creating a signed electronic document (signed document). The generated electronic signature is given a signature timestamp by the timestamp server and embedded in the electronic document as a long-term signature, guaranteeing the long-term validity of the electronic signature. The signed electronic document is stored on the terminal device and transmitted to the editing server as needed. The generated electronic signature can also be transmitted to the editing server for processing.
[0066] Figure 5 shows a modified version of the setup process. In this example, the editing server manages the electronic documents. The editing server 7 functions as a management server for managing uploaded electronic documents. Electronic documents to be signed are uploaded to the editing server from terminal devices, and upload information is entered. Electronic documents to be signed are also entered from external servers. The upload information includes the electronic document to be signed, the identification information of the signer to sign, and the address information of the signer's terminal device. The uploaded electronic documents are stored and managed by the editing server.
[0067] When upload information is entered, the editing server stores the uploaded electronic document and notifies the user's terminal device that a signature request has been made. Upon receiving the notification, the user requests user authentication from the editing server via their terminal device. If user authentication is successful, the editing server sends an authentication response to the terminal device.
[0068] The user verifies the electronic document to be signed. If the user wishes to sign the verified electronic document, they request the editing server to generate the data to be signed via their terminal device. This request from the terminal device to the editing server to generate the data to be signed is significant as an expression of the signer's intention to request the signing process. This generation request then triggers the start of the signing process, and a series of signing processes are automatically executed.
[0069] Upon receiving a request to generate data to be signed, the editing server edits the electronic document to be signed and generates the data to be signed from the electronic document. Subsequently, the editing server downloads the data to be signed to the terminal device.
[0070] Upon downloading the data to be signed, the terminal device uses an encryption key to encrypt the downloaded data and verification information, and generates an encrypted token.
[0071] Next, the terminal device sends the generated cryptographic token and signature information, which includes signature key identification information and plaintext verification information, to the editing server. At this point, the data to be signed is encrypted and cannot be tampered with.
[0072] The editing server generates a signature request containing plaintext signature key identification information and verification information, and an encrypted token containing encrypted data to be signed and encrypted verification information. The generated signature request is sent to a tamper-resistant device.
[0073] The tamper-resistant device's search mechanism accesses the signature key storage unit and searches for the signature key identification information and the associated signature key and decryption key. Subsequently, it uses the retrieved decryption key to decrypt the cryptographic token included in the signature request. Next, it compares and verifies the plaintext verification information with the decrypted verification information. If the verification results show that the two sets of verification information match, the signature request is determined to be valid, and the decrypted data to be signed is digitally signed. The signature result, including the generated digital signature, is sent to the editing server via the key management server.
[0074] The editing server embeds the received digital signature into the electronic document, creating a signed electronic document (signed document). The signed electronic document is stored on the editing server and sent to terminal devices as needed.
[0075] Figure 6 is a block diagram showing the functional configuration of the terminal device. Note that Figure 6 only shows the part related to electronic signatures. The terminal device has a communication means 30, a control unit 31, an input device 32, and a storage unit 33. The communication means 30 is connected to a network and transmits and receives data with a key management server, etc. The control unit 31 has an authentication request unit 34 and sends an authentication request using a user ID and password to the key management server of the signature system, etc. Subsequently, the user logs into the signature system and sends a signature key generation request from the signature key generation request unit 35 to the tamper-resistant device. The signature key identification information (public key of the key pair) generated by the tamper-resistant device is stored in the signature key identification information storage unit 36 of the storage unit via the communication means.
[0076] The electronic certificate issuance request unit 37 generates an electronic certificate issuance request including the public key received from the tamper-resistant device and sends it to the certificate issuance server. The created electronic certificate is received via communication means and stored in the electronic certificate storage unit 38.
[0077] The key pair generation unit 39 generates an authentication key pair. The generated private key encrypts the data to be signed and the verification information, and is stored in the encryption key storage unit 40. The public key is encrypted using the public key paired with the signing key as the encryption key, and is transmitted to the tamper-resistant device via the communication means.
[0078] Here, the key pair generation means includes not only means for directly generating key pairs, but also means or functions for installing key pairs generated externally and stored in a storage device into a terminal device. For example, storing an externally generated key pair in a storage device such as a USB memory stick and then installing the stored key pair into a terminal device also constitutes operating the key pair generation means.
[0079] The electronic document to be signed is stored in the electronic document storage unit 41. During the electronic signing process, the electronic document is read and supplied to the signature data generation unit 42. The signature data generation unit generates signature data from the electronic document. This signature data generation unit can be configured, for example, as a hash calculation means.
[0080] The generated data to be signed is supplied to the cryptographic token generation unit 43. The cryptographic token generation unit 43 encrypts the data to be signed and verification information using the cryptographic key to generate a cryptographic token. The generated cryptographic token is supplied to the signature request generation unit 44. The signature request generation unit generates a signature request that includes signature key identification information, plaintext verification information, a cryptographic token, and necessary information. The generated signature request is transmitted to the tamper-resistant device via the communication means 30. When signature key identification information is used as verification information, a signature request is generated that includes plaintext signature key identification information, a cryptographic token containing encrypted signature key identification information and data to be signed, and necessary information.
[0081] The electronic document upload unit 45 creates an electronic signature generation request that includes the electronic documents and electronic certificates stored in the electronic document storage unit 41, and sends it to the editing server. Furthermore, for electronic documents requiring another person's signature, it adds the signer's ID and address to the electronic document to be signed and uploads it to the editing server.
[0082] Once the electronic signature is completed in the tamper-resistant device, the electronic signature is sent to the terminal device. The received electronic signature is embedded in the electronic document, and a signed electronic document is generated. The generated signed electronic document is stored in the signed electronic document storage unit 46.
[0083] Figure 7 shows an example of the functional configuration of a tamper-resistant device. The tamper-resistant device has a management unit 50, a processing unit 51, and a storage unit 52. Information signals transmitted from terminal devices and editing servers are input to the management unit 50 via the network and key management server. The management unit 50 controls each functional unit provided in the processing unit and controls the execution of the specified function according to the input information signal.
[0084] Upon receiving a signature key generation request, the signature key generation unit 53 activates to generate a key pair consisting of a private key and a public key that will serve as the signature key. The generated key pair is temporarily stored in the storage unit 54. The public key functions as signature key identification information that identifies the signature key and decryption key. This public key is duplicated and transmitted to the corresponding terminal device via the management unit.
[0085] When the public key of the authentication key pair is received, the received public key is sent to the storage unit 54. The storage unit associates the received public key with the key pair that forms the signing key to form signing key information. This signing key information includes the signing key, signing key identification information, and decryption key. This signing key information is stored for each signer or user in the signing key storage unit 55 provided in the storage unit 52.
[0086] When a signature request is entered, the signature key identification information included in the signature request is input to the search unit 56, the cryptographic token is input to the decryption unit 57, and the verification information is sent to the verification unit 58. The search unit 56 accesses the signature key storage unit and searches for the decryption key and signature key associated with the signature key identification information. The retrieved decryption key is sent to the decryption unit 57. The decryption unit decrypts the cryptographic token using the input decryption key. The decrypted verification information is sent to the verification unit 58.
[0087] The verification unit 58 receives the decrypted verification information and the plaintext verification information as input. The verification unit verifies the consistency of these two sets of verification information.
[0088] The signature unit 59 receives the decrypted data to be signed and the retrieved signing key. If the two pieces of verification information match, the decrypted data to be signed is digitally signed using the signing key.
[0089] If the verification results do not match, this signature request will be treated as an error.
[0090] Figure 8 shows the functional configuration of the key management server. The key management server has a communication means 60, a control unit 61, and a user information database 62. The control unit has a user authentication processing unit 63 that processes authentication requests from terminal devices.
[0091] The signature key generation request sent from the terminal device, and the signature request sent from the editing server or terminal device, are supplied to the tamper-resistant device control unit 64, and instructions corresponding to the specified processing are sent to the tamper-resistant device. Various information such as the electronic signature generated by the tamper-resistant device is sent to the terminal device, editing server, etc., via the tamper-resistant device control unit. The key management server and the tamper-resistant device can be connected via an internal bus or an external bus. Alternatively, they can be connected via a LAN.
[0092] Figure 9 is a block diagram showing the functional configuration of the editing server. This block diagram corresponds to the algorithm in Figure 4. The editing server has a communication means 70, a control unit 71, and a storage unit 72. The communication means 70 is connected to a network and transmits and receives information with terminal devices, a key management server, and a tamper-resistant device. The user authentication processing unit 73 uses user information stored in the user information storage unit 74 to process authentication requests sent from terminal devices.
[0093] Upload information received from a terminal device is input to the upload information receiving unit 75. The upload information is sent to the signature notification unit 76, which sends a signature notification to the terminal device of the signer's address included in the upload information, indicating that a signature request has been made. The electronic document included in the upload information is stored in the electronic document storage unit 77.
[0094] A request from a signer to download the data to be signed is input to the download request receiving unit 78. In response to the input download request, the data to be signed generation unit 79 operates and generates the data to be signed from the electronic document. The generated data to be signed is transmitted from the data to be signed download unit 80 to the terminal device of the corresponding signer.
[0095] The signature information sent from the signer's terminal device is input to the signature request generation unit 81. The signature request generation unit generates a signature request that includes the cryptographic token contained in the signature information, as well as plaintext signature key identification information and verification information. The generated signature request is transmitted to the tamper-resistant device.
[0096] The editing server has an editing unit 82. The editing unit 82 edits the electronic document to be signed and sets the arrangement method and position of the fields of the electronic signature that are formed.
[0097] The electronic signature generated by the tamper-resistant device is input to the signed electronic document generation unit 83. The editorial information generated by the editorial department is also input to the signed electronic document generation unit, and the electronic signature is embedded in the stored electronic document, generating a signed electronic document (signed document). The generated signed electronic document is stored in the signed document storage unit 84.
[0098] Figure 10 shows a modified example of the electronic signature system according to the present invention. In this example, VPN connections 90 and 91 are provided between the key management server 4 and the certificate issuing server 6, and between the key management server 4 and the editing server 7, respectively. By providing VPN connections, the key management server 4 and the certificate issuing server 6 become equivalent to being directly interconnected, and the key management server 4 and the editing server 7 also become equivalent to being interconnected. As a result, an encrypted and secure transmission path is established between the certificate issuing server and the editing server and the key management server.
[0099] Furthermore, the certificate issuance server 6 and the editing server 7 are configured as authentication servers with user authentication functions. Users (terminal devices) have accounts with the authentication servers (certificate issuance server 6 and editing server 7) and exchange messages with the authentication servers via SSL encrypted communication through the login authentication process. As a result, communication between terminal device 2 and certificate issuance server 6, and between terminal device 2 and editing server 7, is protected by SSL encrypted communication.
[0100] In the signature key generation process, the public key of the key pair generated by the tamper-resistant device is sent to the terminal device via the key management server 4, VPN connection 90, and certificate issuing server 6. The cryptographic token created by the terminal device is also sent to the tamper-resistant device via the certificate issuing server 6, VPN connection 90, and key management server 4.
[0101] Furthermore, during the signing process, the cryptographic token generated by the terminal device is sent to the tamper-resistant device 5 via the editing server 7, VPN connection 91, and key management server. The digital signature generated by the tamper-resistant device is sent to the editing server 7 via the key management server and VPN connection 91. As a result, a secure, encrypted transmission path is established between the terminal device that issues a signing instruction to the tamper-resistant device and the key management server that performs the digital signature based on the instruction from the terminal device.
[0102] The present invention is not limited to the embodiments described above, and various modifications and changes are possible. For example, although the embodiments described above describe an electronic signature system including a signature system, an editing server, a certificate issuing server, and a terminal device, an independent electronic document management server having the function of managing electronic documents can be used. That is, electronic documents uploaded from the terminal device can be input to the electronic document management server and managed by the electronic document management server. Upload information can then be transferred from the electronic document management server to the editing server, and the editing server can perform processing such as generating data to be signed and generating signature requests.
[0103] The data to be signed can be extracted by performing a predetermined logical operation (hash operation) from the area of the electronic document that is to be signed.
[0104] In this invention, various forms of signature key identification information can be used. For example, a public key paired with a signature key (private key) can be used as signature key identification information, and the signature key can be identified between the terminal device and the tamper-resistant device using the public key. Alternatively, a code sequence for identifying the signature key can be pre-configured between the key management server and the tamper-resistant device, and the signature key can be identified using the configured code sequence. In this case, the signature key is identified between the terminal device and the key management server using the public key, and between the key management server and the tamper-resistant device using the pre-configured code sequence. In this case, the key management server has an identification information conversion means and converts the signature key identification information included in the signature request sent from the terminal device into a corresponding code sequence and sends it to the tamper-resistant device. The tamper-resistant device identifies the signature key using the converted code sequence.
Claims
1. A remote signature system comprising a signature system having one or more tamper-resistant devices configured to generate and manage signature keys and a key management server that controls the tamper-resistant devices, and a terminal device used by a user or signer, wherein the system electronically signs the data to be signed included in a signature request sent from the terminal device to the tamper-resistant device using the signature key, The terminal device includes means for generating an authentication key pair having a private key and a public key, or means for installing an authentication key pair generated externally, and means for using the private key as an encryption key to encrypt the data to be signed and verification information used for identity verification to generate an encrypted token. The tamper-resistant device includes: a signature key generation means for generating a signature key; a signature key storage means for storing signature key information, including a signature key, a decryption key for decrypting a cryptographic token, and signature key identification information, for each user; a means for accessing the signature key storage means and searching for both the decryption key and the signature key identified by the signature key identification information; a means for decrypting encrypted verification information and encrypted data to be signed contained in a cryptographic token using the searched decryption key; a verification means for verifying the validity of a signature request using the decrypted verification information; and a means for digitally signing the data to be signed using the searched signature key. The private key of the aforementioned authentication key pair is stored as an encryption key in the terminal device, and the public key is transmitted to the tamper-resistant device and stored as a decryption key in the signature key storage means. During electronic signature, the terminal device encrypts the verification information and the data to be signed using the aforementioned encryption key to generate an encrypted token. A signature request is generated and sent to a tamper-resistant device, which includes signature key identification information, verification information for the plaintext before encryption, encrypted verification information, and a cryptographic token containing the encrypted data to be signed. The tamper-resistant device is a remote signature system that searches for both a decryption key and a signing key using the signing key identification information included in the signature request, decrypts the cryptographic token using the found decryption key, verifies the consistency between the decrypted verification information and the plaintext verification information, and if the decrypted verification information and the plaintext verification information match, digitally signs the data to be signed using the found signing key.
2. A remote signature system according to claim 1, wherein the verification information is any of the following: signature key identification information, data information in which the signature key identification information and the data to be signed are linked, or any information conceived by the user.
3. In the remote signature system according to claim 2, signature key identification information is used as the verification information, a signature request is generated including the signature key identification information in plaintext before encryption, the encrypted signature key identification information, and an encrypted token including the encrypted data to be signed, and is transmitted to a tamper-resistant device. The tamper-proof device is a remote signature system that verifies the consistency between the decrypted signature key identifier and the plaintext signature key identifier, and if they match, uses the signature key to electronically sign the data to be signed.
4. In the remote signature system according to claim 3, the encrypted signature key identification information is an encrypted hash value obtained by encrypting the hash value of the signature key identification information. The tamper-resistant device is a remote signature system that verifies the consistency between a hash value obtained by performing a hash operation on plaintext signature key identification information and the hash value of the decrypted signature key identification information.
5. In the remote signature system according to claim 2, data information in which the data to be signed and the signature key identification information are linked is used as the verification information, a signature request having plaintext data information and an encrypted token including encrypted data information is generated and transmitted to a tamper-resistant device, The tamper-proof device is a remote signature system that extracts signature key identification information from data information, searches for a decryption key and a signature key using the extracted signature key identification information, decrypts the cryptographic token using the searched decryption key, verifies the consistency between the decrypted data information and the plaintext data information, and if they match, digitally signs the plaintext data to be signed or the decrypted data to be signed.
6. A remote signature system according to claim 2, wherein the user inputs verification information of their own choosing into a terminal device for each signature request, and the user's identity is verified using the verification information input for each signature request.
7. A remote signature system according to claim 1, wherein the terminal device is a remote signature system having means for generating data to be signed from an electronic document to be signed.
8. A remote signature system according to claim 1, wherein the signature key generation means of the tamper-resistant device generates a key pair of a private key and a public key, uses the generated private key as a signature key, and uses the public key as signature key identification information.
9. A remote signature system according to claim 8, wherein the public key of the authentication key pair generated by the terminal device is encrypted using the public key paired with the signature key and transmitted to a tamper-resistant device.
10. A remote signature system according to claim 1, wherein the remote signature system further comprises an editing server for managing electronic documents to be signed and a certificate issuing server for generating electronic certificates.
11. A remote signature system comprising a signature system having one or more tamper-resistant devices configured to generate and manage signature keys and a key management server that controls the tamper-resistant devices, and a terminal device used by a user or signer, wherein the system electronically signs the data to be signed included in a signature request sent from the terminal device to the tamper-resistant device using the signature key, The terminal device includes means for generating an authentication key pair having a private key and a public key or means for installing an authentication key pair generated externally; means for generating data to be signed from an electronic document to be signed; means for generating a cryptographic token by using the private key as an encryption key and encrypting the data to be signed and verification information used for identity verification; and means for generating a signature request including plaintext signature key identification information, plaintext verification information, encrypted data to be signed, and a cryptographic token including encrypted verification information. The tamper-resistant device includes: a signature key generation means for generating a signature key; a signature key storage means for storing signature key information, including a signature key, a decryption key for decrypting a cryptographic token, and signature key identification information, for each user; a means for accessing the signature key storage means and searching for a decryption key and a signature key identified by the signature key identification information; a means for decrypting a cryptographic token using the searched decryption key; a verification means for verifying the validity of a signature request using the decrypted verification information; and a means for digitally signing data to be signed using the searched signature key. The private key of the aforementioned authentication key pair is stored as an encryption key in the terminal device, and the public key is transmitted to the tamper-resistant device and stored as a decryption key in the signature key storage means. In the process of electronic signature, the data to be signed is used as the verification information, and a signature request is transmitted from the terminal device to the tamper-resistant device, including plaintext signature key identification information, plaintext data to be signed, and an encrypted token containing encrypted data to be signed. The tamper-proof device is a remote signature system that searches for both a decryption key and a signing key using the signing key identification information included in the signature request, decrypts the cryptographic token using the found decryption key, verifies the consistency between the decrypted data to be signed and the plaintext data to be signed, and if they match, digitally signs the data to be signed using the found signing key.
12. A tamper-resistant device that electronically signs data to be signed generated from an electronic document using a signing key, wherein the tamper-resistant device is The system comprises: means for generating a signing key; signing key storage means that stores signing key information for each user, including the signing key, a decryption key for decrypting cryptographic tokens included in a signature request sent from a terminal device, and signing key identification information; search means that access the signing key storage means and search for a decryption key and a signing key identified by the signing key identification information included in a signature request; decryption means that decrypts cryptographic tokens included in a signature request using the searched decryption key; verification means that verifies the validity of a signature request using the decrypted verification information; and means that digitally sign data to be signed using the searched signing key. During electronic signature, the tamper-resistant device receives a signature request that includes signature key identification information, plaintext verification information, encrypted verification information, and an encrypted token containing the data to be signed. The tamper-resistant device decrypts the encrypted verification information using the decryption means, verifies the consistency between the plaintext verification information and the decrypted verification information using the verification means, and if they match, digitally signs the data to be signed using the retrieved signing key.
13. In the tamper-resistant device according to claim 12, the data to be signed is used as the verification information. When performing an electronic signature, a signature request including signature key identification information, plaintext data to be signed, and an encrypted token containing encrypted data to be signed is input to the tamper-resistant device. The tamper-resistant device verifies the consistency between the decrypted data to be signed and the plaintext data to be signed, and if they match, digitally signs the data using the retrieved signing key.