Method for using information relating to user identification cards
A quantum key-based authentication method for My Number cards addresses security issues by implementing quantum key distribution for secure device and personal authentication, preventing information leakage.
Patent Information
- Authority / Receiving Office: WO · WO
- Patent Type: Applications
- Current Assignee / Owner: NAT INST OF INFORMATION & COMM TECH
- Filing Date: 2025-12-02
- Publication Date: 2026-06-18
AI Technical Summary
Current methods for using My Number cards via smartphones face security vulnerabilities due to reliance on smartphone security, require model-specific operations, and risk information leakage through backdoors or device disposal.
Implement a quantum key-based authentication method involving device authentication and personal authentication using a quantum key distribution network, including steps for quantum key sharing, device authentication, encrypted user information acquisition, transmission, decryption, and personal authentication.
Ensures secure personal authentication without data leaks by utilizing quantum keys for device authentication and encrypted user information handling.
Abstract
Description
Method of Using Information Related to User Identification Card

【0001】 This invention relates to a method of using information related to a user identification card. More specifically, this invention relates to an authentication method for a My Number card that enhances confidentiality by performing device authentication and personal authentication.

【0002】 When currently using a My Number card via the Internet, the My Number card is read with a smartphone, and an electronic certificate for the smartphone is used.

【0003】 In the above method, there is a problem that the security during communication depends on the security of communication on the smartphone. Also, there is a problem that the same operation is required when changing the smartphone model. Furthermore, when authentication is performed with a smartphone, there is a risk of information leakage due to backdoors or device disposal.

【0004】 On the other hand, Japanese Patent Application Laid-Open No. 2024-064581 describes an authentication system that performs mutual authentication and message authentication in a quantum key distribution network.

【0005】 Japanese Patent Application Laid-Open No. 2024-064581

【0006】 Provide a method of using information related to a user identification card, such as a My Number card, that is more secure and can prevent leakage of personal information.

【0007】 This invention is based on the finding that personal authentication can be performed while ensuring safety and preventing leakage by using quantum key-based device authentication and performing authentication based on user information using the authenticated device.

【0008】 The method of using information related to the user identification card described in this specification includes a quantum key sharing step, a device authentication step, an encrypted user information acquisition step, an encrypted user information transmission step, a decryption step, and an authentication step.
The quantum key sharing step is a step in which the user terminal and the management terminal share a quantum key (encryption key). The device authentication step is a step in which the management terminal authenticates the user terminal using the quantum key. The encrypted user information acquisition step is a step in which the user terminal encrypts information related to the user identification card using the quantum key and obtains encrypted user information. The encrypted user information transmission step is a step in which the user terminal transmits encrypted user information to the management terminal. The decryption step is a step in which the management terminal decrypts the encrypted user information using the quantum key and obtains information related to the user identification card. The authentication step is a step in which the management terminal performs personal authentication of the user using information related to the user identification card.

【0009】 By using quantum keys for device authentication and then performing authentication based on user information using the authenticated device, personal authentication can be performed securely and without risk of data leaks.

【0010】 Figure 1 is a block diagram illustrating an example of a user identification card usage system configuration. Figure 2 is a conceptual diagram showing an example of symmetric key storage using a quantum key distribution (QKD) network.

【0011】 Figure 1 is a block diagram illustrating an example configuration of a user identification card usage system. This example includes a QKD network control unit 21 in a quantum key distribution (QKD) network 23, a first trusted node 25 (trusted node A) which is one of several network nodes in the QKD network 23, and a second trusted node 27 (trusted node B) which is one of several network nodes in the QKD network 23.
In the example in Figure 1, a user terminal 3 (for example, a smartphone) is connected to the first trusted node 25 so that it can exchange information. However, if the user moves, for example, the user's smartphone will be connected to a network node corresponding to the location to which the user has moved.

【0012】 User terminal 3 is a portable device owned by the user. Examples of user terminal 3 include smartphones, mobile phones, personal computers, smartwatches, and tablets. User terminal 3 has a computer or processor. User terminal 3 usually has a camera or other imaging unit. User terminal 3 also usually has a temporary (volatile) memory unit such as RAM. User terminal 3 can photograph user identification card 5. When user terminal 3 photographs user identification card 5, the image of user identification card 5 is appropriately stored in user terminal 3. User terminal 3 analyzes the stored image of user identification card 5 and reads the user identification information (user information) that is written on or associated with user identification card 5. Then, user terminal 3 appropriately stores the user information. Examples of user identification card 5 include My Number cards, driver's licenses, health insurance cards, passports, and employee ID cards. Examples of user information include one or more of the following: image of user identification card 5, My Number, name, identification number, driver's license number, insurance number, passport number, employee number, telephone number, and date of birth.

【0013】 Quantum key distribution (QKD) is publicly known. The quantum key distribution (QKD) network in this specification can be appropriately adapted from publicly known networks. Examples of quantum key distribution (QKD) are described, for example, in Japanese Patent Publication No. 2023-149074, Japanese Patent Publication No. 2023-93938, and Japanese Patent Publication No. 2024-64581.
QKD is based on a configuration in which a single-photon transmitter and receiver are directly connected by an optical fiber link consisting of a quantum channel and a classical channel. For example, in a QKD scheme called BB84, the transmitter transmits a single photon encoded with 1 bit of information onto the quantum channel, and after the receiver detects it, it is shared as random number information after exchanging control information on the classical channel. In other words, QKD performs encryption key sharing in the lower QKD layer and uses that encryption key to perform encrypted communication in the upper application layer.

【0014】 The first trusted node 25 (trusted node A) includes a first QKD device 31, a first key manager 33, and a first communication confidentiality proxy server 35. These may be controlled by a computer (or processor). The QKD device is an element for performing quantum key distribution. The key manager is an element for managing cryptography. For example, the key manager may issue cryptographic keys (e.g., one-time pads) used on classical channels in accordance with instructions from the QKD device. The communication confidentiality proxy server is an element for performing secure communication. For example, the communication confidentiality proxy server makes information confidential using cryptographic keys (e.g., one-time pads) issued by the key manager, and then communicates the protected information on classical channels. The term "includes" does not require physical inclusion; it is sufficient that the elements are connected in a way that allows for the exchange of information.

【0015】 The second trusted node 27 (trusted node B) includes a second QKD device 41, a second key manager 43, a second communication confidentiality proxy server 45, and an authentication server 47. The authentication server 47 is an element for performing authentication related to the user identification card 5.
The authentication server 47 may be, for example, a terminal of a public institution or a terminal of a commercial facility.

【0016】 Next, we will explain an example of how information related to user identification card 5 can be used. The following is an example of a user performing personal authentication using their My Number Card with a smartphone. The user launches a personal authentication application (app) on their smartphone. The smartphone has a program for personal authentication applications installed. Then, following the instructions of the app, the user takes a picture of their My Number Card. The image of the My Number Card is stored and analyzed on the smartphone as appropriate, and the My Number is (temporarily) stored. The My Number may also be temporarily stored in the smartphone's volatile memory.

【0017】 The application transmits, to a management terminal, information indicating that a user is attempting to authenticate. An example of a management terminal is the authentication server 47. The authentication server 47 instructs the second QKD device 41 of the second trusted node 27 (trusted node B) to issue a quantum key. The second QKD device 41 then issues a quantum key. The issued quantum key is transmitted to the authentication server 47 via the second key manager 43. The second trusted node 27 functions as a QKD transmitter. As a result, the second communication confidentiality proxy server 45 and the first communication confidentiality proxy server 35 of the first trusted node 25 (trusted node A) can exchange information using a classical channel. Meanwhile, the second QKD device 41, the second key manager 43, the first QKD device 31, and the first key manager 33 distribute QKD keys.

【0018】 The user's smartphone receives a symmetric key (quantum key) from the first trusted node 25 (trusted node A), which is a trusted node of the QKD network.
In this way, the user's smartphone obtains the symmetric key corresponding to the encryption key issued by the second QKD device 41 and stores it in its memory as appropriate. Note that the symmetric key may be acquired by the smartphone by other means. The authentication server 47 shares the symmetric key with the user's smartphone. The smartphone may temporarily store the encryption key and one-time pad in its volatile memory. In this way, the user terminal 3 and the management terminal can share the quantum key (encryption key).

Note that the smartphone may encrypt the My Number in advance according to a protocol stored in the application, and then encrypt the encrypted My Number using the symmetric key and one-time pad. An example of a protocol is to increment the number of each digit of the My Number by one, so that if it is 9, it becomes 0. The authentication server 47 also obtains this encryption protocol and, during decryption, performs a process symmetric to the encryption (a process that reduces the number of each digit by one, setting 0 to 9).

The My Number Card has the My Number written in the numerical part, and the QR code (registered trademark) part is linked to the My Number. Therefore, this system may encrypt each of them, and the authentication server 47 may decrypt each and perform My Number authentication when the My Number derived from the numerical part and the My Number derived from the QR code part match. For the QR code part, for example, the QR code part may be divided into multiple parts (for example, 4 divisions, 8 divisions, 9 divisions, 16 divisions), and each part may be encrypted and decrypted. In addition, multiple types of division shapes (division by a wavy line, diagonal division, division with different areas, etc.) may be stored, and the QR code part may be divided based on a division shape that is read out at random.
【0019】 The user's smartphone and the authentication server 47 perform device authentication using a shared symmetric key. Since device authentication using a symmetric key is publicly known, any publicly known method can be used as appropriate. An example of a device authentication method is Wegman-Carter authentication. Wegman-Carter authentication records the content of communication between two parties and creates a digest using a pre-shared key. Next, when communication begins, each party sends their digest to the other and confirms that it is correct, thereby performing mutual authentication. A new key is used for each authentication. In this way, the management terminal can authenticate the user terminal 3 using a quantum key.

【0020】 The user's smartphone encrypts the My Number using a symmetric key and a one-time pad (OTP). The encrypted My Number may be temporarily stored in the smartphone's volatile memory. Note that the encryption method is not limited to OTP; it may be a publicly known method. Another example of encryption is the Advanced Encryption Standard (AES) method. In this way, the user terminal 3 can encrypt information related to the user identification card 5 using a quantum key and obtain the encrypted user information. It may also be linked to an ID that can identify the user (smartphone serial number, card ID, etc.). In this case, the ID that can identify the user (smartphone serial number, card ID, etc.) should be encrypted and sent to the authentication server 47.

【0021】 Next, the smartphone sends the encrypted My Number to the authentication server 47. Information regarding encryption is shared between the user terminal 3, such as the smartphone, and the management terminal, such as the authentication server 47. Therefore, the My Number information, encrypted using the shared encryption key, is sent to the authentication server 47. In this way, the user terminal 3 can send encrypted user information to the management terminal.
This communication can be performed, for example, via the second communication confidentiality proxy server 45 of the second trusted node 27 (trusted node B).

【0022】 Since the authentication server 47 has received an encryption key such as a one-time pad from the second key manager 43, it can decrypt the encrypted My Number. In this way, the management terminal can use the quantum key to decrypt the encrypted user information and obtain information about the user identification card 5.

【0023】 The authentication server 47 stores various information related to the My Number Card. For example, the authentication server 47 uses the decrypted My Number Card to authenticate the user. In this way, the management terminal can perform personal authentication of the user using information related to the user identification card 5. The authentication server 47 can read information about the authenticated individual from the server and perform various services. Alternatively, the authentication server 47 may perform personal authentication using an ID that can identify the user (such as the smartphone's serial number or card ID). In this case, since identification information unrelated to the My Number, such as the smartphone's serial number, is used for personal authentication using the My Number, the confidentiality and accuracy of the authentication can be improved.

【0024】 This specification also discloses a program for causing a computer to execute a method for using information related to a user identification card 5, which includes a quantum key sharing step, a device authentication step, a post-encryption user information acquisition step, a post-encryption user information transmission step, a decryption step, and an authentication step, as well as a non-temporary information recording medium storing such a program.

【0025】 Figure 2 is a conceptual diagram illustrating an example of storing symmetric keys using a quantum key distribution (QKD) network.
Symmetric keys are stored on a smartphone via the quantum key distribution network or manually. The key sharing is between two parties: a public institution such as a ward office, city hall, or My Number Portal server, and the smartphone. Next, multi-factor authentication is performed when using the My Number Card. The user receives the symmetric key at a trusted node of the QKD network. For subsequent authentication, the authentication server needs to be able to determine which user possesses which symmetric key. Therefore, the authentication server links the supplied symmetric key with an ID that can identify the user (smartphone serial number, card ID, etc.). Using the symmetric key stored in a communication device such as a smartphone, Wegman-Carter authentication is used to perform information-theoretically secure device authentication between the two parties who possess the symmetric key. Furthermore, to transmit personal authentication data stored on the My Number Card to public institutions via encrypted communication from the authenticated smartphone, the data is temporarily stored in volatile memory, and encrypted communication is performed using one-time pad (OTP) encryption or AES encryption with the aforementioned symmetric key.

【0026】 This invention can be used in fields such as the information utilization industry.

【0027】
1 System
3 User Terminal
5 User Identification Card
21 QKD Network Control Unit
23 QKD Network
25 Trusted Node
27 Trusted Node
31 QKD Device
33 Key Manager
35 Communication Confidentiality Proxy Server
41 QKD Device
43 Key Manager
45 Communication Confidentiality Proxy Server
47 Authentication Server
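
The sequence in paragraphs 【0019】 to 【0023】 (device authentication, one-time-pad encryption, transmission, decryption, personal authentication), written out as an added Python example that is not part of the patent text. Assumptions made here: the shared key is modelled as a byte pool rather than obtained from a QKD network, the Wegman-Carter tag uses a polynomial hash modulo 2^61 - 1, the ciphertext is also tagged because a one-time pad alone does not detect modification, and the names `KeyPool`, `wc_tag`, `run_exchange` and `REGISTRY` are hypothetical.

```python
import hmac
import secrets

P = (1 << 61) - 1  # prime modulus for the polynomial hash (assumed parameter)
REGISTRY = {"123456789012": "resident-0001"}  # constructed sample record

class KeyPool:
    """Pre-shared key material, stand-in for keys delivered over the QKD network."""
    def __init__(self, material: bytes):
        self._buf, self._pos = material, 0

    def take(self, n: int) -> bytes:
        # Every key byte is handed out once; reuse would break both OTP and tag.
        if self._pos + n > len(self._buf):
            raise RuntimeError("key pool exhausted, fresh key required")
        self._pos += n
        return self._buf[self._pos - n:self._pos]

def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def wc_tag(msg: bytes, pool: KeyPool) -> bytes:
    """Wegman-Carter style tag: universal hash of msg masked with one-time key."""
    r = int.from_bytes(pool.take(8), "big") % P
    acc = 0
    for i in range(0, len(msg), 6):
        # 6 message bytes plus a 0x01 marker stay below P
        block = int.from_bytes(msg[i:i + 6] + b"\x01", "big")
        acc = (acc + block) * r % P
    return xor(acc.to_bytes(8, "big"), pool.take(8))

def run_exchange(my_number: str, terminal_key: bytes, server_key: bytes,
                 tamper: bool = False) -> str:
    terminal, server = KeyPool(terminal_key), KeyPool(server_key)
    # Device authentication: the terminal proves key possession over a challenge.
    challenge = secrets.token_bytes(16)
    proof = wc_tag(challenge, terminal)
    if not hmac.compare_digest(proof, wc_tag(challenge, server)):
        return "device-auth-failed"
    # User terminal: one-time-pad encrypt the number, then tag the ciphertext.
    data = my_number.encode()
    ct = xor(data, terminal.take(len(data)))
    tag = wc_tag(ct, terminal)
    if tamper:  # simulate modification of one bit in transit
        ct = bytes([ct[0] ^ 1]) + ct[1:]
    # Management terminal: consume key in the same order, verify, then decrypt.
    pad = server.take(len(ct))
    if not hmac.compare_digest(tag, wc_tag(ct, server)):
        return "ciphertext-tampered"
    number = xor(ct, pad).decode()
    # Personal authentication against the stored records.
    return "authenticated:" + REGISTRY[number] if number in REGISTRY else "unknown-number"

if __name__ == "__main__":
    key = secrets.token_bytes(64)
    print(run_exchange("123456789012", key, key))
```

Each run consumes 44 bytes of shared key for a 12-digit number, and neither side may rewind its pool, which is why the key material has to be replenished for every authentication.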
Claims
1. A method for using information related to a user identification card, comprising: a quantum key sharing step, which is the step of a user terminal and a management terminal sharing a quantum key; a device authentication step, which is the step of the management terminal using the quantum key to authenticate the user terminal; an encrypted user information acquisition step, which is the step of the user terminal using the quantum key to encrypt information related to a user identification card and obtain encrypted user information; an encrypted user information transmission step, which is the step of the user terminal transmitting encrypted user information to the management terminal; a decryption step, which is the step of the management terminal using the quantum key to decrypt the encrypted user information and obtain information related to the user identification card; and an authentication step, which is the step of the management terminal using the information related to the user identification card to perform personal authentication of the user.
2. The method according to claim 1, wherein the user terminal includes the step of receiving the quantum key from a trusted node of the quantum key distribution network to which the management terminal is connected, in the quantum key sharing step.
3. The method according to claim 1, wherein the user terminal includes the step of temporarily storing the quantum key in the user terminal during the quantum key sharing step.
4. The method according to claim 1, wherein the user identification card is a My Number card, and the information relating to the user identification card includes a My Number.