Security Measures in Electronic Money Systems: Focusing on Risk Management


Transcription:

1999 IC IC 2008 2 5 10 E-mail: masataka.suzuki@boj.or.jp E-mail: hirokawa@imes.boj.or.jp E-mail: une@imes.boj.or.jp //2008.8 39

1. 1990 2007 1 IC 1 1 20072006 2007 1 Edy Edy IC 2007 2 22 IC PASMO IC 2008 1 23 40 /2008.8

2 3 IC 4 NIST CRYPTREC 5 Une and Kanda [2007] 2007 1999 10 2 Suica 2007 11 10 WebMoney 2007 12 3 http://www.webmoney.jp/news/20071203_1.html 3 2007 12 20 64% 2008 1 14 4 1999 5CRYPTRECCryptography Research and Evaluation Committees 41

1999 2 3 4 2. 1 2. 42 /2008.8

2. 1 43

2 3 2 1 2 2 2 2 2 2 3 2 3 1 2. 2 2 1 2 1 2 2 1 2 2 2 1 2 44 /2008.8

2. 2 1 3 2 IC. 1990 Kocher [1996]Kocher, Jaffe, and Jun [1999] 1990 CMVPCryptographic Module Validation Program 1995 JCMVPJapan Cryptographic Module Validation Program, IPA2007 2007 4 IC 45

EMVCo EMVCo [2006] 6. NESSIENew European Schemes for Signatures, Integrity, and Encryption NESSIE consortium [2003] CRYPTREC 2003 NIST [2005] Une and Kanda [2007]2007 IC 7. 10 19991999 6 2008 7 1 Cartes Bancaires IC 2001 1989 RSA 200 IC IC 1999 2000 IC 46 /2008.8

3 1999 1999 3. 8 3 4 9 8 9 47

4 3 3 3. 10 Chida, Manbo, and Shizuya [2001] Chida, Manbo, and Shizuya [2001] unforgeability 1998 1998 1998 1999 10 48 /2008.8

1999. 1999 1999 1999. 1999 5 13 1 49

5 1 1 2 1 3 4 5 6 1 1 2 2 2 2 7 3 3 8 3 3 9 3 3 2 3 3 1999 1 3 1 3 2 3 9 19 50 /2008.8

6 1 2 3 4 5 11 5 15 6 3. 5 15 1 7. 11 IC 1 IC IC 51

7. 1999 3 8 M1 M2 M3 52 /2008.8

8 M1M3 M1 M2 M3 7 M1M3 3 ID U, ID U 0 ID U Λ V U PK U, SK U PK U 0, SK U 0 PK U Λ, SK U Λ PK I, SK I K E X.Y/ S X.Y/ DT DB.ID/ DB.PK/ DB.V/ U U 0 U Λ12 U U U 0 U Λ X Y X X Y ID 15 M1M3 9 M1 K ID U DT E K.ID U ; DT/ M2 K S I.ID U / DT E K.S I.ID U /; DT/ 12 U Λ 1999 53

9 1 2 M1 K, ID U, V U M2 K, S I.ID U /, V U M3 SK U, S I.PK U /, V U M1 K M2 K, PK I M3 PK I M1 K, DB.ID/ M2 K, PK I, SK I, DB.ID/ M3 PK I, SK I, DB.PK/ M1 K, DB.ID/, DB.V/ M2 K, PK I, SK I, DB.ID/, DB.V/ M3 PK I, SK I, DB.PK/, DB.V/ 3 M1 K, DB.ID/ M2 K, PK I, SK I, DB.ID/ M3 PK I, SK I, DB.PK/ 4 M1M3 M1 K, DB.ID/, DB.V/ 5 M1 K, ID U M2 K, S I.ID U / M3 SK U, S I.PK U / M2 K, PK I, SK I, DB.ID/, DB.V/ M3 PK I, SK I, DB.PK/, DB.V/ M3 SK U DT S U.DT/ 1, 2 M1 K E K.ID U ; DT/ DT M2 K E K.S I.ID U /; DT/ PK I S I.ID U / DT M3 PK I S I.PK U / PK U PK U S U.DT/ DT 35 M1 K E K.ID U,DT)ID U M2 K E K.S I.ID U /,DT) PK I S I.ID U / ID U M3 PK I S I.PK U / PK U PK U S U.DT/ 4, 5 54 /2008.8

2 2. D0D1. ID 13 S0A U 0A I 0 S1A U 1A I 1. M1M3 10 M3 10 M1 D0-S0 M2 D0-S1-A I 0 13 55

10 M1 M2 M3 M1M3 D0-S0 S0 D0 D0-S1 S1 D1-S0 S0 D1 D1-S1 S1 D0-S0-A I 0 S0 A I 0 D0-S1-A I 0 S1 A I 0 D0 D0-S0-A I 1 S0 A I 1 D0-S1-A I 1 S1 A I 1 D1-S0-A I 0 S0 A I 0 D1-S1-A I 0 S1 A I 0 D1 D1-S0-A I 1 S0 A I 1 D1-S1-A I 1 S1 A I 1 D0-A U 0-A I 0 A U 0 A I 0 D0-A U 1-A I 0 D0 A U 1 A I 0 D0-A U 1-A I 1 A U 1 A I 1 D1-A U 0-A I 0 A U 0 A I 0 D1-A U 1-A I 0 D1 A U 1 A I 0 D1-A U 1-A I 1 A U 1 A I 1 3 IC PC PC 56 /2008.8

3 4 S1 K A U 1 SK U SK U 0 A I 1 SK I D1 11 M1 K M2 K SK I 4 M3 SK U SK U SK U 0 SK U SK U 0 SK I 3 4 5 11 3 57

11 M1 M2 M3 1 2 3 4 5 D0-S0 D0-S1 K K D1-S0 K K D1-S1 K D0-S0-A I 0 D0-S1-A I 0 K D0-S0-A I 1 SK I D0-S1-A I 1 K, SK I K D1-S0-A I 0 K K D1-S1-A I 0 K K, SK I D1-S0-A I 1 K, SK I SK I K, SK I D1-S1-A I 1 K, SK I D0-A U 0-A I 0 D0-A U 1-A I 0 SK U, SK U 0 D0-A U 1-A I 1 SK U, SK U 0, SK I SK U D1-A U 0-A I 0 SK U, SK U 0 D1-A U 1-A I 0 SK U, SK U 0 D1-A U 1-A I 1 SK U, SK U 0, SK I 58 /2008.8

12 1 2 3 4 5 0-0-0 M1 K 2-2-2 2-2-0 0-1-0 M2 M3 0-0-0 K 2-2-0 0-1-0 SK I 0-0-0 K, SK I 2-2-2 2-2-0 0-1-0 0-0-0 SK U 2-0-0 0-0-0 SK U, SK U 0 2-2-0 0-1-0 SK U, SK U 0, SK I 2-2-2 2-2-0 0-1-0 3 012 12 14 0-1-0 3 1 2 3 0-1-0 M1 M2 K 1, 2 M2 2-2-0M1 2-2-2 35 M1 M2 M2 M1 15 1, 2 3 14 15 M1 KM2 K SK I M3 SK U SK U 0 SK I 59

4, 5 4, 5 4. 1 3 2 1 1 1 1 1 60 /2008.8

13 1 1 Suica PASMO Edy nanaco WAON Octopus 250,000 149,995 20,000 20,000 5 5 50,000 1,035 HKD 14,914 1 20,000 20,000 50,000 29,999 50,000 1,000 HKD 14,410 Octopus Cards Limited 2 1 1 QUICPay id Smartplus 20,000 30,000 OneTouch (Barclaycard) 10 GBP 2,192 JCB DCMX UFJ Barclaycard QUICPayiDSmartplus 13 16 16 13 1 Suica 2 Suica http://www.jreast.co.jp/suica/faq/faq05.html#10 PASMO 1 2 PASMO http://www.pasmo.co.jp/stipulation/e_money.html Edy am/pm 1 5 http://www.ampm.jp/service/edy/ nanaco -1 5 nanaco http://www.nanaco-net.jp/faq/faq_shopping.html WAON WAON http://www.waon.com/guide/index.html Octopus If the remaining value on an Octopus is positive (e.g. HK$0.1 or above) but insufficient to cover the payment of a particular transaction, then the Octopus can still be used provided the resulting negative value does not exceed HK$35. http://www.octopuscards.com/consumer/help/faq/en/index.jsp QUICPay 2 http://www.quicpay.jp/faq/index.html#q4 OneTouch OneTouch payment is a new cashless way to pay for low value purchases of 10 and under more quickly and conveniently. http://www.barclaycard-onepulse.co.uk/onepulsefaq.html?set=set6 id DoCoMo Smartplus UFJ 61

3. 1 2 1 1 IC EMV EMVCo [2004] RSA 17 EMV 2 2 3 3 18 Octopus OneTouch 1 HKD = 14.41 JPY1 GBP = 219.26 JPY2008 1 9 UFJ 17 EMVCo RSA URL http://www.emvco.com/bulletins.asp?show=14 18 IP 62 /2008.8

14 14 9 15 9 4, 5 4, 5 3 3. 1-1 -2-1 35 35 3 35 63

-2 1, 2 1, 2. -1-2 -1 2, 4, 5-1-1 4, 5 5 19 19 64 /2008.8

-1-2 2 20-2 2, 4 2, 4 21. ID -1-2 -1 35 3 35 20 21 65

-2 1, 2. 35 1, 2-1-2-1 1, 2 66 /2008.8

-2 1, 2. 15 35 67

. 15 1, 2 3 4, 5 3 4, 5 68 /2008.8

15 WL BL 69

5. 10 1999 70 /2008.8

. 1 15 M1 15 M1 E K.ID U ; DT/E K.ID U 0 ; DT/E K.ID U Λ ; DT/ M1 K K K 1 2 3 4 5 K K ID U 0 ID U Λ K U U ID U 0 ID U Λ DB.ID/ 71

K 1 2 3 4 5 K 2 15 M2 15 M2 E K.S I.ID U /,DT)E K.S I.ID U 0 /; DT/ E K.S I.ID U Λ /; DT/ M2 K SK I K SK I 4 K 1 2 3 4 5 K S I.ID U 0 / K U U ID U 0 SK I S I.ID U Λ / 72 /2008.8

SK I 1 2 3 4 5 SK I S I.ID U / S I.ID U 0 /S I.ID U Λ / K K SK I 1 2 3 4 5 K 13 M2 SK I ID U Λ S I.ID U Λ / S I.ID U Λ / K K 4, 5 M2 ID U Λ DB.ID/ 1 2 3 4 5 K SK I 73

3 15 M3 15 M3 S U.DT/, S I.PK U / S U 0.DT/,S I.PK U 0 /S U Λ.DT/,S I.PK U Λ / M3 SK U SK U SK U 0 SK U SK U 0 SK I 4 SK U 1 2 3 4 5 SK U U U SK U 0 S U Λ.DT/ SK I S I.PK U Λ / SK U SK U 0 1 2 3 4 5 SK U 13 M3 SK U 0 S I.PK U 0 / SK U 4, 5 M3 ID U 0 SK I 15 M3 74 /2008.8

SK U SK U 0 SK I 1 2 3 4 5 SK U SK U 0 13 M3 SK I PK U Λ S I.ID U Λ / PK U Λ SK U Λ SK U SK U 0 4, 5 M3 PK U Λ DB.PK/ 1 2 3 4 5 SK U SK U 0 S U Λ.DT/ SK I S I.PK U Λ / 75

IC EMV 26 1 2007 3152 2003 http://www.cryptrec.jp/images/cryptrec_01.pdf 27 1 2008 79114 IPA IPA2007 http://www.ipa.go.jp/security/jcmvp/ 18 2 1999 57114 20 2 2001 2132 ISECvol. 98 no. 4261998 6774 2007 12 10 http://www.yano.co.jp/press/pdf/314.pdf

Chida, E., M. Manbo, and H. Shizuya, Digital Money - A Survey, Interdisciplinary Information Sciences, vol. 7, no. 2, Tohoku University, 2001, pp. 135–165.

EMVCo, EMV Integrated Circuit Card Specification for Payment Systems (EMV 4.1): Book 2 Security and Key Management, EMVCo, 2004.

EMVCo, EMV Security Guidelines: EMVCo Security Evaluation Process, v1.0, EMVCo, 2006.

Kocher, P., Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, Proc. of CRYPTO '96, Springer-Verlag, 1996, pp. 104–113.

Kocher, P., J. Jaffe, and B. Jun, Differential Power Analysis, Proc. of CRYPTO '99, Springer-Verlag, 1999, pp. 388–397.

National Institute of Standards and Technology (NIST), Recommendation on Key Management, SP800-57, NIST, 2005. (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-part1.pdf)

New European Schemes for Signatures, Integrity, and Encryption (NESSIE) consortium, Portfolio of recommended cryptographic primitives, NESSIE, 2003. (https://www.cosic.esat.kuleuven.be/nessie/deliverables/decision-final.pdf)

Une, M., and M. Kanda, Year 2010 Issues on Cryptographic Algorithms, Monetary and Economic Studies, vol. 25, no. 1, Institute for Monetary and Economic Studies, Bank of Japan, 2007, pp. 129–164.
