JP2010257122A - Portable electronic device and termination method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a portable electronic device and a termination method for performing a termination function which is carried out, in response to a security attack properly on a plurality of applications. <P>SOLUTION: The portable electronic device 1 which includes a module Ca including a memory and a CPU and transmits/receives information to/from an external device 2, is equipped with a function of grouping respective applications stored in the module to carry out respective processes of the portable electronic apparatus; the termination function of executing a function of breaking key data and personal identification number data, corresponding to applications and a function of returning a status which shows that information cannot be given/received to/from the applications, to an external device when receiving a command from the external device; and a function of executing the termination function on respective applications belonging to a predetermined group, when the portable electronic comes under a security attack. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention includes, for example, a portable electronic device such as an IC card that incorporates a module having a control element such as a non-volatile memory capable of writing and rewriting data and a CPU, and executes processing corresponding to an externally input command. Relates to the device.

  Conventionally, as a portable electronic device, for example, an IC card in which an IC module having functions such as a memory and a CPU is embedded in a casing made of a plastic plate or the like is known.

  IC cards are used not only for settlement of credit cards, commuter passes, and other commercial transactions, but also in various fields as ID cards for employee cards, membership cards, insurance cards, and the like. This is because the IC card has an IC having control elements such as a CPU, a ROM, a RAM, and an EEPROM as compared with a conventional magnetic card, so that various functions can be realized. It can be mentioned that there is also a significant improvement in terms.

  Patent Document 1 discloses a technique for improving security by performing processing within a limited range of an IC card in accordance with an environment attribute in which an external device (terminal) such as a reader / writer is installed. ing.

JP 2005-49957 A

  In general, data transmission / reception between an IC card and an external device (terminal) often involves one-to-one communication between the IC card and the terminal. In recent years, communication between one IC card and a plurality of terminals is performed. Increasing cases are being conducted. That is, the basic performance of IC cards has been improved, or the number of IC cards having multiple interfaces with the outside (contact type, non-contact type, high-speed type contact type, etc.) has increased. As a factor, in order to use one IC card for various purposes, an operation mode in which a plurality of applications are operated has become widespread. Therefore, it is desired that the above-described improvement in security can be applied to a plurality of applications.

  By the way, in this security measure, the Termination function is known as one of the means taken on the IC card side when the IC card is subjected to a security attack. In the Termination function, the key data and PIN in the card are destroyed, and when a command is received thereafter, a SW (Status Word) indicating Termination is returned to notify the terminal that the card cannot be used.

  However, several specifications are currently defined for the Termination function for one application, but there is no clear view as to what Termination function is implemented for multiple applications.

  SUMMARY OF THE INVENTION The present invention has been made in view of such circumstances, and a portable electronic device and a termination method capable of appropriately performing a termination function performed when subjected to a security attack on a plurality of applications. The purpose is to provide.

  The present invention for solving the problems includes a portable electronic device having a built-in module having a memory and a CPU and exchanging information with an external device. Each of the portable electronic devices stored in the module A function for grouping each application for executing processing, a function for destroying key data and personal identification number data corresponding to the application, and information exchange with the application when receiving a command from the external device. A termination function for executing a function for returning the status to the external device, and a function for executing the termination function for each application belonging to a predetermined group when the portable electronic device is subjected to a security attack. It is a portable electronic device.

  The present invention also provides a portable electronic device termination method in which a module having a memory and a CPU is built in, and exchanges information with an external device, wherein each process of the portable electronic device stored in the module is performed. When each application to be executed is grouped and the portable electronic device is subjected to a security attack, for each application belonging to a predetermined group, the key data and the PIN data corresponding to the application are destroyed, and the external device It is a termination method for returning a status indicating that information exchange with the application is impossible when a command is received to the external device.

  According to the portable electronic device and the termination method of the present invention, it is possible to appropriately execute the termination function performed when subjected to a security attack on a plurality of applications.

The figure which shows the external appearance of the IC card as a portable electronic device which concerns on this embodiment. The figure which shows the hardware constitutions of IC card roughly. The figure which grouped the application mounted on the IC card which concerns on 1st Embodiment. The figure which shows the example of the file structure memorize | stored in the non-volatile memory. The figure which shows transmission / reception of the signal of an IC card and a reader / writer. The figure which shows the software structure in an IC card typically. The figure which grouped the application mounted on the IC card which concerns on 2nd Embodiment.

[First embodiment]
FIG. 1 is a view showing an appearance of an IC card 1 as a portable electronic device according to this embodiment.
The IC card 1 includes a card body (plastic card), and the card body includes an IC chip (module Ca).

FIG. 2 is a diagram schematically showing a hardware configuration of the IC card 1.
The IC card 1 includes a CPU (Central Processing Unit) 11, a ROM (Read Only Memory) 12, a RAM (Random Access Memory) 13, a communication unit (UART) 14, and a coprocessor (Co-Processor) 15. And a non-volatile memory (NV (EEPROM)) 16.

The CPU 11, ROM 12, RAM 13, communication unit 14, coprocessor 15, and nonvolatile memory 16 are configured by a module Ca formed integrally with an IC chip or the like. The module Ca is embedded in the housing C that forms the IC card 1. That is, the IC card 1 is configured by a housing C in which the module Ca is embedded.
Further, the IC card 1 is activated (becomes operable) when supplied with power or the like from the reader / writer 2 as a host device, and operates in response to a command from the reader / writer 2.

  The CPU 11 is responsible for overall management and control. The CPU 11 functions as a processing unit and a determination unit. The CPU 11 performs various processes by operating based on a control program or the like. The ROM 12 is a non-volatile memory in which a control program and control data are stored in advance. The RAM 13 is a volatile memory that functions as a working memory.

  The communication unit 14 functions as a communication unit and controls data communication with the reader / writer 2 as a host device. The communication unit 14 also functions as means for receiving power for operating the IC card 1. The coprocessor 15 assists operations such as encryption or decryption. The nonvolatile memory 16 is a rewritable nonvolatile memory that stores various data and applications (application programs).

  The communication unit 14 has a configuration corresponding to the communication method of the IC card 1. For example, when the communication method of the IC card 1 is a contact-type communication method, the communication unit 14 includes a contact unit for physically contacting the contact unit of the reader / writer 2 as a host device. In this case, the IC card 1 receives power from the reader / writer 2 through the communication unit 14 that is in physical contact with the reader / writer 2. That is, when the IC card 1 is a contact IC card, the IC card 1 is activated by receiving the operation power and the operation clock supplied from the reader / writer 2 through the contact unit as the communication unit 14.

  When the communication method of the IC card 1 is a non-contact (wireless) communication method, the communication unit 14 includes an antenna that transmits and receives radio waves, a communication control unit that controls communication, and the like. In this case, the IC card 1 generates an operation power supply and an operation clock from a radio wave received by the communication unit 14 by a power supply unit (not shown). That is, when the IC card 2 is a non-contact type IC card, the IC card 1 receives a radio wave from the reader / writer 2 via an antenna as a communication unit 14 and a communication control unit and the like, and from the radio wave, a power source (not shown) An operation power supply and an operation clock are generated and activated by the unit.

FIG. 3 is a diagram in which applications mounted on the IC card according to the first embodiment are grouped.
In the present embodiment, the applications A to I are classified into three groups. The traffic application performs, for example, information exchange concerning automatic ticket gates when getting on and off vehicles of railway companies. For example, the financial application exchanges information regarding deposits and withdrawals with ATMs of financial companies. For example, the ID-related application transmits / receives information for identifying an individual owner to a predetermined corporation or institution.

FIG. 4 is a diagram illustrating an example of a file structure stored in the nonvolatile memory 16. FIG. 4 shows a file structure belonging to the traffic system application group.
In the example shown in FIG. 4, the highest file is a file MF (Master File) 21 as a master file. Under the MF 21, a DF (Dedicated File) (application A) 22A as a folder, a DF (application B) 22B as a folder, and a DF (application C) 22C as a folder are provided.

Further, under the DF (application A) 22A, EF (Elementary File) 23A1, EF23A2, and EF23A3 used for data storage and the like are provided.
EF23B1 and EF23B2 used for data storage and the like are provided under the DF22B.
Under the DF 22C, an EF 23C1 and an EF 23C2 used for data storage and the like are provided.

EF23A1, EF23B1, and EF23C1 store data that cannot be read by the reader / writer 2, for example, key data, PIN (password). EF23A2, EF23B2, and EF23C2 store data that can be read by the reader / writer 2, for example, data related to an IC card owner, data related to an expiration date, and the like.
The EF 23A3 stores data related to the financial application group, for example, data shared by the group, group link information, and the like. As described above, the data regarding the group is stored in the EF file under the control of any one application in the group.

Next, an operation when the IC card 1 is subjected to a security attack will be described.
FIG. 5 is a diagram showing signal transmission / reception between the IC card 1 and the reader / writer 2.

  In step S01, for example, after the IC card 1 is activated, the reader / writer 2 selects the application A by transmitting a SELECT command. In step S02, a normal SW (Status Word) is transmitted from the IC card 1. As a result, information is exchanged between the IC card 1 and the reader / writer 2.

  In step S03, for example, when the reader / writer 2 transmits an interpreter command designating a parameter for reading the record in the IC card to the IC card 1, in step S04, the IC card 1 sends the corresponding record information in accordance with this parameter to the reader / writer. Reply to 2.

  A case where the LSI or the application A detects a security attack while processing is being performed by the application A on the IC card 1 will be described.

FIG. 6 is a diagram schematically showing a software configuration in the IC card 1.
The software in the IC card 1 includes a hardware (H / W) layer 31, an OS (operating system) layer 32, and an application layer 33. As shown in FIG. 6, the IC card 1 has a structure in which the application layer 33 is positioned at the top and the OS layer 32 is positioned above the H / W layer 31.

  The H / W layer 31 includes hardware such as the CPU 11, ROM 12, RAM 13, UART 14, coprocessor 15, and nonvolatile memory 16.

  The OS layer 32 has a card OS (operating system) as a program for executing basic control in the IC card 1. The software as the card OS is a program that controls the basic operation of the IC card, and controls each hardware of the H / W layer 31 and receives information such as processing results from each hardware. It is a program to do.

  The application layer 33 includes various applications (application A, application B,...) For realizing various processes.

As shown in FIG. 6, when a security attack is detected in the hardware layer 31, the information is processed in the OS layer 32 and notified to the application A operating at that time via the OS.
Further, even when the application A is executing its own source code, the application A can be configured to detect a security attack.

In step S05, application A terminates itself and terminates the application group to which application A belongs.
That is, when application grouping is performed as shown in FIG. 3, application A is terminated and application B and application C are terminated.

  For example, the application A destroys the key data and PIN in the EF 23A1 of FIG. Then, the applications B and C belonging to this group are identified from the information regarding the group in the EF 23A3, and the key data and PIN in the EF 23B1 and 23C1 are destroyed for the applications B and C, respectively.

  After that, each application in this group receives a command from the reader / writer 2 in step S06, and returns a SW (Status Word) indicating termination to the reader / writer 2 in step S07 to use the card. Impossible.

  Note that due to the structure of the application and the OS, it may be difficult for a plurality of applications to simultaneously shift to the key data destruction, PIN destruction, and SW reply phases indicating the terminate. Accordingly, when a security attack is detected, the operation phase is first shifted to an operation phase in which a SW indicating “terminate” is returned.

  This grouping is not limited to the example shown in FIG. 3, but may be arbitrarily determined by the user.

[Second Embodiment]
In the second embodiment, the grouping method is different from that of the first embodiment. Accordingly, the same parts as those in the first embodiment are denoted by the same reference numerals, and detailed description thereof is omitted.

FIG. 7 is a diagram in which applications mounted on the IC card according to the second embodiment are grouped.
In the present embodiment, the applications A ′ to F ′ are classified into two groups. The applications A ′ to F ′ are all financial applications, but the applications A ′ to C ′ share the key 1 and the applications D ′ to F ′ share the key 2.

  If a security attack is detected when processing is performed on the application A ′, the financial application group 1 to which the application A ′ belongs shares the key 1. Therefore, since the security levels of the applications A ′ to C ′ are considered to be equivalent, all the applications A ′ to C ′ belonging to the financial application group 1 are terminated. That is, the key 1 and the PIN are destroyed, and then a SW indicating “terminate” is returned.

  In the second embodiment as well, it may be difficult for a plurality of applications to simultaneously shift to the phase of key data destruction, PIN destruction, and SW reply indicating terminate. Therefore, when a security attack is detected, the operation phase is first shifted to an operation phase in which SW indicating the termination of each application is returned.

  In the above grouping, the applications sharing the key data are classified into the same group. However, the present invention is not limited to this example, and the applications sharing the PIN may be the same group, and the count data (counter) such as the expiration date may be used. The shared application may be the same group.

[Third embodiment]
The third embodiment is different from the first embodiment in that the content to be terminated differs depending on the level of security attack. Accordingly, the same parts as those in the first embodiment are denoted by the same reference numerals, and detailed description thereof is omitted.

  For example, as shown in FIG. 6, when the application detects a security attack on software, the security attack level is set to 1. When a security attack is detected on the hardware layer 31, the security attack level is set to 2.

  Here, the contents of the security attack are illustrated. As security attacks on software, RSA, Des verification fails, or a module (API) is skipped. Examples of security attacks on hardware include power supply abnormality, frequency abnormality, and light detection glitch.

  Then, according to the security attack level, what kind of security operation (security level) is executed is set.

  For example, when processing is being performed in application A, if a security attack level 1 attack is received, the financial application group shown in FIG. 3 is terminated, and if a security attack level 2 attack is received 3. Terminate the financial application group and the ID application group shown in FIG.

  In this embodiment, the security policy is determined for each application group as described above, and what level of the termination function (security level) is executed when there is an attack at what security attack level. Can be set in the IC card 1.

  According to each embodiment described above, the termination function can be efficiently applied to a plurality of applications.

  In each of the above-described embodiments, a plastic IC card has been described as an example. However, the present invention is not limited to this embodiment, and can be applied to a SIM-shaped IC card. It can be applied to the device.

Note that the present invention is not limited to the embodiments as they are, and can be embodied by modifying the components without departing from the scope of the invention in the implementation stage.
Various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiments. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, you may combine suitably the component covering different embodiment.

    Ca ... module, 1 ... portable electronic device, 2 ... reader / writer, 11 ... CPU, 12 ... ROM, 13 ... RAM, 14 ... communication unit, 15 ... coprocessor, 16 ... non-volatile memory, 31 ... hardware layer, 32 ... OS layer, 33 ... Application layer.

Claims (5)

In a portable electronic device that incorporates a module having a memory and a CPU and exchanges information with an external device,
A function for grouping each application for executing each process of the portable electronic device stored in the module;
A function of destroying key data and personal identification number data corresponding to the application and a function of returning a status indicating that information cannot be exchanged with the application to the external device when a command is received from the external device. Termination function to
A portable electronic device comprising: a function for executing the termination function for each application belonging to a predetermined group when the portable electronic device is subjected to a security attack. The grouping function is
The portable electronic device according to claim 1, wherein the application sharing the key data, the application sharing the personal identification number data, or the application sharing the counting data are grouped into the same group. The function for executing the termination function is as follows:
2. The portable electronic device according to claim 1, wherein contents of a termination function to be executed and a target group are determined according to a type of security attack. The function for executing the termination function is as follows:
The portable electronic device according to any one of claims 1 to 3, wherein a function of returning the status to the external device is executed first. In a termination method of a portable electronic device that incorporates a module having a memory and a CPU and exchanges information with an external device.
Grouping each application that executes each process of the portable electronic device stored in the module,
When the portable electronic device is subjected to a security attack, for each application belonging to a predetermined group, destroy the key data and password data corresponding to the application,
When receiving a command from the external device, a termination method is returned to the external device with a status indicating that information exchange with the application is impossible.

Images