JPH06274398A - File control system - Google Patents

Abstract

PURPOSE:To unnecessitate reference to enormous black lists at the time of executing application operation and to improve flexibility in the file control of application by providing the system with access limiting means and access relaxing means. CONSTITUTION:In an IC card, memories are divided into plural file groups to control each divided file by tree structure. A first access limiting means limits the access of one of files belonging to specified files and a first access relaxing means relaxes the access limit made by the first access limiting means. A second access limiting means limits the access of specified plural files of the files belonging to the specified files en bloc and a second access relaxing means relaxes the limit made by the second access limiting means. A selection means selects the first and second access limiting means and the first and second access relaxing means.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to, for example, in a non-volatile memory and an IC card having an IC chip having a control element such as a CPU for controlling these, a plurality of files divided and set in the memory are stored. The file management method to be managed.

[0002]

2. Description of the Related Art Recently, as a portable data storage medium, attention has been focused on an IC card having a nonvolatile data memory and an IC chip having a control element such as a CPU for controlling these.

In this type of IC card, the built-in data memory is divided into a plurality of files, and each file stores the data necessary for the application to be used during operation. By inputting an application identification name or the like from the device, a state in which only corresponding files can be selectively used is realized. Therefore, by dividing a plurality of application data into files and storing them in one IC card, multi-purpose use is possible. Now, depending on the application to be used, there is a situation in which it is necessary to disable the application of the particular IC card. In such a case, conventionally, for example, a credit application is used to exclude credit card usage by blacklisting card users.

[0004]

However, if the method as described above is used, the number of persons in the black list will increase, and the labor for checking the IC card when using it will increase. This increase in effort is particularly noticeable when the application was deployed on an international scale.

For this reason, it is conceivable to forcibly prohibit access to individual files. In this case, by individually prohibiting data or keys in the file, fine-grained access control can be performed on the file. Becomes

It is therefore an object of the present invention to provide a file management system which eliminates the need to refer to an enormous blacklist when operating an application and increases flexibility in file management of an application.

[0007]

A file management system according to the present invention is a file management system in which a memory is divided into a plurality of file groups and each of the divided files is managed in a tree structure. A first access restricting means for restricting access to one of the files; a second access restricting means for collectively restricting access to a plurality of specific files belonging to the designated file; Access restriction means, and
Selecting means for selecting the second access limiting means.

The file management system of the present invention is a file management system in which a memory is divided into a plurality of file groups and each of the divided files is managed in a tree structure. A first access restricting means for restricting access to one file; a first access relaxing means for relaxing the access restriction by the first access restricting means; and a plurality of specific files among files belonging to the designated file. Second access restriction means for collectively restricting access, second access relaxation means for relaxing the access restriction by the second access restriction means, first access restriction means, second access A limiting means, the first access relaxing means, and a selecting means for selecting the second access relaxing means. To have.

[0009]

According to the present invention, the data file corresponding to the application can be forcibly disabled from the outside by the instruction data. Therefore, it is not necessary to refer to a huge black list when operating the application. Further, it is possible to select whether to target one file under the file or collectively target a plurality of specific files. Therefore, the flexibility of file management of the application is increased. Further, by canceling this, the application can be set so that the user can use it again.

[0010]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the present invention will be described below with reference to the drawings.

FIG. 1 shows a configuration example of a card handling device to which an IC card as a portable electronic device according to this embodiment is applied, for example, used as a terminal device such as a financial system or a shopping system. . That is, this device enables the IC card 1 to be connected to the control unit 3 including a CPU via the card reader / writer 2, and the control unit 3 includes the keyboard 4 and C.
The RT display device 5, the printer 6, and the floppy disk device 7 are connected to each other.

FIG. 2 shows an example of the configuration of the IC card 1, which is a control element (eg, CPU) as a control unit.
11. Non-volatile data memory 1 whose stored contents can be erased
2, a working memory 13, a program memory 14, and a contact portion 15 for making electrical contact with the card reader / writer 2. Of these, the part within the broken line (control element 11, data memory 1
2. The working memory 13 and the program memory 14) are composed of one (or a plurality of) IC chips and are embedded in the IC card body.

The data memory 12 is used to store various data and is composed of, for example, an EEPROM or the like. The working memory 13 is a memory for temporarily holding processing data when the control element 11 performs processing, and is composed of, for example, a RAM. The program memory 14 is composed of, for example, a mask ROM, and stores the program of the control element 11 and the like.

The data memory 12 is divided into, for example, a directory 121, an empty area 122, and an area group 123, as shown in FIG. Area group 123
Can have multiple data areas and key areas and can be grouped in a concept called a data file. The data file is the data area used by the corresponding application, and
This is a file for collectively managing key areas.
The data area can be, for example, transaction data.
This is an area that stores data for reading and writing as necessary. The key area is, for example, an area used for storing a personal identification number, which is a target of writing / rewriting / verification and cannot be read.

The control element 11 recognizes the physical position of each of these files or areas by means of the directory 121 in the data memory 12. To recognize these, as shown in FIG.
Various corresponding definition information is stored.

FIG. 4A shows information defining a data file. This definition information is data PT for identifying the data file definition information in the directory 121.
N, file serial number DFSN assigned to this data file, serial number P of the parent file of this data file
FSN, file name DF given to this data file
name, NL indicating its length, data file size DFS, and DFA indicating data file access conditions
C, DFST for holding the state of this file, and data BCC for checking the validity of all these data.

FIG. 4B is information defining an area for storing various transaction data and the like. This definition information is the PTN for identifying the area definition information in the directory 121, and the serial number D of the data file to which this area belongs.
Identification number AI for accessing FSN and area
D, ATOP indicating the start address of the area, ASIZ indicating the area size, AA indicating the access condition of the area
C, AST that holds the state of the area, and data BCC for checking the validity of all of these data
Consists of.

FIG. 4C is information defining an area for storing various key data. This definition information is data PTN for identifying the key area definition information in the directory 121, serial number DFSN of the data file to which this area belongs, identification number KID for accessing the area, and KTOP indicating the start address of the area. , KSIZ indicating the area size, K indicating the key access condition
AC, KST that holds the state of the key, and data BCC for checking the validity of all these data
Consists of.

These various types of definition information are collectively stored in the directory 121 as shown in FIG. As shown in the figure, a DFSN (file serial number) is automatically added to each definition word when the file is created. This D
The control element 11 recognizes the related state of each file based on the FSN and the sequence number of the parent file stored in the data file definition word.

For example, the key area defined by the key area 3 definition word stored sixth is D
Since the FSN is "01", it can be seen that it belongs to DF1 (data file 1). Also, it can be seen that the 11th stored key area 6 is also under the control of DF4, and this DF4 is also under the control of DF2.

Information for designating a key required for access is defined in each file. This information is
It can be set independently for each access type as follows. The data file has access types related to forced file locking, area registration in the file, directory information reference, and file unlocking. The data area has access types related to data reference, data writing, data rewriting, and data erasing. The key area has access types for writing key data, rewriting key data, locking key data, and unlocking key data.

These access conditions are information specifying the combination of keys existing in the IC card 1, and are composed of, for example, 4 bytes. Each of these bytes corresponds to an access type, and BS (Bit for Settin) corresponding to the position of the set bit in each byte.
g the assignment of collationflag: a key having a bit to which the collation flag is assigned is requested at the time of access. If all the bits are reset, it means that it is not necessary to confirm the collation state of the key at the time of access corresponding thereto (free access).

Further, at a predetermined location of the working memory 13, there is a field for holding which key is collated, and in response to the key collating operation, the BS possessed by the key concerned is held.
The bit designated by is set / reset. Therefore, when an access command is input from an external device to each file or area, the control element 11 determines which of the above access types, and extracts a byte indicating an access condition corresponding to the corresponding type. Whether or not access is possible is determined by whether or not the collation state required by each bit in this byte matches the collation state on the working memory 13.

For example, if the access condition for reading data in a certain data area is the key A in the IC card 1, this is judged at the time when the data read command for this data area is input, and temporarily. If the verification state of the key A is not set, it means that the access cannot be made.

These inspections are similarly performed not only for read access but also for other access such as writing.
Further, even when an instruction for the key area and the data file is input, the corresponding access condition and the key collation state at that time are similarly confirmed. Next, the function of locking the data file in the IC card 1 that performs such access control will be described.

As shown in FIG. 6, the IC card 1 shifts to a command data waiting state after being electrically activated. At this point, the instruction data is kept waiting, and when input, the function code at the head of the instruction data is extracted, and the process proceeds to the corresponding instruction routine. After that, processing is performed in the instruction routine, the processing result is output, and then the processing returns to the instruction data waiting state.

When a data file lock command as shown in FIG. 7A is input to the IC card 1, the process moves to a data file lock command routine as shown in FIG. That is, the control element 11 first identifies which data file is currently in the current state. In order to bring the data file into the current state, file selection command data as shown in FIG. 7 (e) is input. In this case, a data file having the same file name as the data file name input by the command data is searched from the directory 121, and if found, the working memory 1
The DFSN corresponding to the predetermined position 3 is held. If it is not found, the information on the predetermined position is not changed. After the electrical activation of the IC card 1, this information is “00”.

When the data file in the current state is found, the control element 11 extracts the above-mentioned access condition relating to the lock of the data file from the corresponding access conditions, and compares it with the previous key collation state. By doing so, it is determined whether or not this instruction is executed. If it is determined that the access cannot be made, response data indicating an abnormal access condition is output at this point, and the original instruction data waiting state is returned to.

If it is determined that access is possible,
Next, the status information corresponding to the data file is extracted and compared with the lock value specified by the instruction data. The lock value has a format as shown in FIG. 9, and a different lock function is assigned to each bit.
As shown in the figure, the lower 4 bits of the first 1 byte of the 2 bytes are a lock function related to access to the data file.

As for the meaning of the bits, the least significant bit is to prohibit this access when the access condition is set for the directory change access to the data file (additional setting of a new area in the file, etc.). It is a bit that specifies whether or not. The second bit is
This is a bit that specifies whether or not to prohibit the access when the access condition is set for the directory reference access to the data file. The third bit is a bit that specifies whether or not the directory change access to the data file is prohibited when the free condition (accessible regardless of whether the key is collated) is set. Is. Fourth
The bit is a bit that specifies whether or not the access is prohibited when the directory reference access to the data file is set to the free condition. The upper 4 bits of the last 1 byte of the lock value is a lock function related to access to the key area under the data file.

Regarding the meaning of the bits, the least significant bit is the key change access to the key area (set / set key).
It is a bit that specifies whether or not to prohibit this access when the access condition is set to (for example, change). The second bit is a bit that specifies whether or not to prohibit the access when the access condition is set for the access referring to the state of the key. The third bit is a bit that specifies whether or not to prohibit the key change access to the key area when the key change access is a free condition. The fourth bit is a bit that specifies whether or not to prohibit the access when the access referring to the key state is a free condition. Also,
The lower 4 bits of the last byte of the lock value is a lock function related to access to the data area under the data file.

Regarding the meaning of the bit, the least significant bit is to prohibit the access when the access condition is set for the stored data change access (writing / rewriting / erasing of data, etc.) to the data area. It is a bit that specifies whether or not. The second bit is a bit that specifies whether or not to prohibit the access when the access condition is set for the stored data reference access to the data area (such as reading the data). The third bit is a bit designating whether or not to prohibit the access to the data area when the access to change the stored data is a free condition. The fourth bit is a bit that specifies whether or not the access to the stored data is prohibited when the stored data reference access to the data area is a free condition. If each bit is "1", it means that access is possible, and if "0", it means that access is prohibited.

The control element 11 compares the lock value input by the lock command with those of the data file in the current state, performs a logical product (AND) of these on a bit-by-bit basis, and outputs the result. The new lock value is stored at a predetermined position in the data file definition information. In addition,
At this time, BCC is also recalculated and a new BCC is written.
Then, the response data indicating that the process is normal is output, and the process returns to the command data waiting state.

Each key area definition information has a lock value unique to the key area in the same format as the upper 4 bits of the last byte among the lock values in the previous data file definition information ( (See FIG. 10).

Each data area definition information has a lock value specific to the data area in the same format as the lower 4 bits of the last byte among the lock values in the previous data file definition information ( (See FIG. 11). These lock processes are also performed on the key area and data area under the current data file.

At this time, as shown in FIG. 7B, the area lock command data includes the key area and the ID (identification information) given to the data area, and the control element 11 When receiving this command data, first, as shown in FIG. 12, first, from the previous directory 121, it is checked whether or not the designated ID exists under the current data file. At this time, if not found, the response data indicating that there is no designated ID is output, and the process returns to the command data waiting state. Otherwise, the access condition corresponding to the lock process specified in the specified area is referred to, and it is determined whether or not the access is possible. if,
When it is determined that the access cannot be made, the response data indicating the access condition abnormality is output at this point, and the original instruction data waiting state is returned.

If it is determined that access is possible,
Next, the status information corresponding to the data file is extracted and compared with the lock value specified by the instruction data. Then, the control element 11 compares the lock value input by the lock command with that of the data file in the current state, calculates the logical product (AND) of these in bit units, and obtains this result as a new lock. As a value
It is stored at a predetermined position in the data file definition information. In addition,
At this time, BCC is also recalculated and a new BCC is written.
Then, the response data indicating that the process is normal is output, and the process returns to the command data waiting state. Next, the relationship between the access condition and the lock value will be described with reference to the flowchart shown in FIG. 13 by taking the data read access to the data area as an example.

When the data access command data as shown in FIG. 7 (c) or (d) is input while the IC card 1 is in the command data waiting state, the control element 11 first
Among the data area definition information belonging to the current data file, the definition information having the ID designated by the instruction data is found. At this time, if the corresponding ID is not found, the response data indicating that there is no designated ID is output, and the process returns to the command data waiting state. If found, the access condition related to the designated access type is extracted from the access conditions set in the definition information.

For example, when this access is a data read access, the access condition corresponding to this is extracted, and when this access condition indicates a free access condition, among the lock values of the current data file, Referring to the fourth bit of the least significant 4 bits and the fourth bit of the lock value of the data area,
If both these two bits are "1", the access processing is started. If either one is "0", response data indicating that the data area is locked is output, and the process returns to the instruction data waiting state.

When the access condition requires collation of a certain key, the second value of the least significant 4 bits of the lock value of the current data file and the lock value of the data area are compared. The second bit of the two is referred to, and if either of the two is "0", the response data indicating that the access target lock is in progress is output, and the process returns to the instruction data wait state. If both are "1", it is confirmed whether the key indicated by the access condition is in a collated state. If not collated, the response data indicating an abnormal access condition is output, and the process returns to the instruction data waiting state. If it is verified, the process proceeds to access processing.

At the time of access, the access target area is recognized by the start address and size of the data area set in the data area definition information. Then, the processing decision is output as response data, and the process returns to the command data waiting state.

In this way, at the time of data write / rewrite / erase access to the data area, the corresponding access condition, the corresponding bit of the lock value of the data file, and the data area to be accessed Whether or not the access is possible is determined using the corresponding bit of the lock value of.

When the key area is accessed, the access condition (set in the definition information of the access target key area) corresponding to the access, the corresponding bit of the lock value of the data file, and Whether or not access is possible is determined using the corresponding bit of the lock value of the key area that is the access target.

When accessing a data file, the access condition (set in the definition information of the access target data file) corresponding to the access,
Also, the availability of access is determined using the corresponding bit of the lock value of the data file.

In the above embodiment, the lock value is a factor when determining whether or not access is possible, and when access is disabled, response data indicating that the access target is locked is output. May be replaced with response data indicating an abnormal access condition.

Further, in the above embodiment, the lock value can be set independently for each bit. However, when locking the bit, for example, a bit indicating access prohibition in order from the least significant bit direction. When setting a value or unlocking, a bit value indicating access permission may be set in order from the most significant bit direction. In this case, the set lock value is compared with the input set value, and it is judged whether or not it is not appropriate to change the set value.If it is not suitable, response data indicating an abnormal lock value is sent. Output and return to command data wait state.

In the above embodiment, the lock value is 4
Although bits are assigned, the number of bits can be changed variously depending on the type of the corresponding instruction and the condition of the lock target.

In the above embodiment, the instruction data corresponding to only the lock instruction and the corresponding flow are explained. However, by improving only the portion for changing the lock value (the set lock value in the embodiment is ANDed. ) Is the logical sum (O
R) Yes).

Although the contact portion is used for exchanging data with an external device, a method of performing this without contact with the external device by using light, an electric field, a magnetic field or the like may be used. Good.

Further, in the above-mentioned embodiment, the IC card is exemplified, but the housing structure is not limited to the card, and various modifications such as a rod shape and a block shape can be made. Further, the configuration content can be variously modified without departing from the scope of the present invention.

[0051]

As described above in detail, according to the present invention, the data file corresponding to the application can be forcibly made unusable from the outside by the instruction data, and therefore, when the application is operated. It is not necessary to refer to a huge blacklist of files, and it is possible to select whether to target one file under the file or a plurality of specific files at once. It is possible to provide a file management method with increased flexibility in file management.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration example of a card handling device to which an IC card according to an embodiment of the present invention is applied.

FIG. 2 is a block diagram showing a configuration example of an IC card.

FIG. 3 is a memory map diagram showing a configuration example of a data memory.

FIG. 4 is a diagram showing a format example of various definition information.

FIG. 5 is a diagram showing a configuration example of a directory set in a data memory.

FIG. 6 is a flowchart illustrating a command data input routine.

FIG. 7 is a diagram showing a format example of various instruction data.

FIG. 8 is a flowchart illustrating a data file lock instruction routine.

FIG. 9 is a diagram showing a format example of a data file lock value.

FIG. 10 is a diagram showing a format example of a key area lock value.

FIG. 11 is a diagram showing a format example of a data area lock value.

FIG. 12 is a flowchart illustrating an area lock instruction routine.

FIG. 13 is a flowchart illustrating a data area access instruction routine.

[Explanation of symbols]

 1 ... IC card 2 ... Card reader / writer 3 ... Control unit 4 ... Keyboard 5 ... CRT display device 11 ... Control element 12 ... Data memory 13 ... Working memory 14 ... Program memory 15 ... Contact part 121 …… Directory 123 …… Area group

Claims (2)

[Claims] 1. A file management method for dividing a memory into a plurality of file groups and managing each of the divided files in a tree structure, wherein access to one of the files belonging to a designated file is restricted. No. 1 access restriction unit, a second access restriction unit for collectively restricting access to a plurality of specific files belonging to a designated file, the first access restriction unit, and the second access A file management method comprising: a selecting unit for selecting a limiting unit. 2. A file management method for dividing a memory into a plurality of file groups and managing each divided file in a tree structure, wherein access to one file out of files belonging to a designated file is restricted. A first access restriction unit, a first access relaxation unit that relaxes the access restriction by the first access restriction unit, and a first access restriction unit that collectively restricts access to a plurality of specific files belonging to a designated file. Second access restriction means, second access restriction means for relaxing the access restriction by the second access restriction means, the first access restriction means, the second access restriction means, and the first access Mitigation means, and the second
And a selection means for selecting the access relaxation means.