JPH0632100B2 - IC card system - Google Patents

Description

Description: TECHNICAL FIELD OF THE INVENTION The present invention confirms compatibility between an IC card used as a cash card or credit card issued by a financial institution such as a bank and its card terminal. However, the present invention relates to an IC card system for improving safety when exchanging information.

[Prior art and its problems] In recent years, it is called the cashless era, and by using a card issued by a credit card company or the like, it is possible to purchase products without handling cash. . Conventionally, as the card, a plastic card, an embossed card, a magnetic stripe card, etc. have been generally used. However, these cards are structurally easy to forge, and illegal use is a problem. In order to solve such a problem, recently, an information card, which is a so-called IC card, in which an IC circuit storing a personal identification number or the like is incorporated in the card so that the personal identification number cannot be easily read from the outside, has been developed. . This IC card has the advantage that it is difficult to counterfeit, has excellent confidentiality, and can store a large amount of information. In particular, the personal identification number can be directly entered and set by the person himself. (For example, a bank clerk) does not know the personal identification number and is very safe.

However, since the physical shape and dimensions of the IC card and the position of the connection terminal are standardized by ISO (International Organization for Standardization), the above IC card should be mounted on any type of card terminal. However, on the other hand, for example, even if the card terminal has been modified to illegally use the important information in the IC card, the cardholder may attach the IC card without any discomfort. is there. In other words, on the card terminal side, it is possible to freely manipulate all the information in the IC card by changing the command code transmitted to the IC card side in various ways, which may lead to the occurrence of card crime. is there.

[Object of the Invention] The present invention has been made in view of the above problems.
For example, even if an illegal instruction code is transmitted from the card terminal, the information in the card is not illegally used,
It is an object of the present invention to provide an IC card system capable of improving the security of card transactions.

[Points of the Invention] That is, in the IC card system according to the present invention, a terminal code corresponding to the type of the terminal itself is stored in advance in the card terminal, and this terminal code is transmitted to the card side when connecting to the IC card. Then, whether or not each of the command code transmitted from the terminal at the time of actual information exchange and the terminal code transmitted at the time of the above-mentioned cord connection properly corresponds in the IC card. It is configured such that the information exchange operation between the card terminal and the IC card is prohibited when the above-mentioned codes are not in correspondence with each other by comparison and determination.

[Configuration of Embodiment of the Invention] An embodiment of the present invention will be described below with reference to the drawings.

<Process of manufacturing and issuing IC card> FIG. 1 shows a manufacturer (Manufa) who manufactures an IC card.
It shows the mutual relationship between a credit card), an issuer of an IC card, such as a bank (Issure), and a card holder who uses the IC card (CARD Holder). The card manufacturer manufactures an IC card 11 and a card terminal whose details will be described later. Then,
After manufacturing the IC card 11, the card manufacturer writes a predetermined code on the IC card 11 using the IC card manufacturing terminal 12. As will be described later in detail, this IC card 11 has an IC circuit inside and a connector 11a provided on the upper surface, and when mounted on the IC card manufacturing terminal 12, it is connected to the internal circuit of the terminal 12. It is supposed to be done. The IC card manufacturing terminal 12 includes a card insertion slot 13 and a keyboard 1.
4, a display panel 15 and a printer unit 16 are provided, and various codes, that is, "CA", "IPIN", are input by the operator from the keyboard 14.
Write "PMK" and "PRK" on the IC card 11. Above "CA" (Card Authenticator)
Is a random, for example 64-bit code, which is used for encrypting and decrypting the message. "IP
IN ”(Initialization Person)
al Identification Number)
Is a random, for example, 6-bit code, and is a number until a self-verification number PIN described later is used. "P
MK "(Production Master Key
The same code is used for each group (for example, for each robot) as a manufacturing number, and is kept secret even in the factory. "PRK" (Private Key C
ode) is a code for deciphering, and is a code "Publ" for encryption, which is written in a card terminal whose details will be described later.
It has a one-to-one correspondence with the ic Key Code. When a predetermined code is written in the IC card 11 by the IC card issuing terminal 12, only "PMK" is printed on the printing paper 17 by the printer unit 16. Then, the manufacturer separately seals the IC card 11 and the "PMK" printing paper 17 on which the predetermined code is written as described above, and sends them to the issuer by separate flight. The issuer attaches the IC card 11 sent from the manufacturer to the IC card issuing terminal 22 and reads the recorded content "PMK" of the print sheet 17 sent from the manufacturer to the IC card issuing terminal 22. Enter the code. Furthermore, the issuer sends the IC card issuing terminal 22
Account number “PAN” for the IC card 11 (Pr
Input the image Account Number). The IC card issuing terminal 22 is provided with a card insertion slot 23, a keyboard 24, a display panel 25, and a printer unit 26 as with the IC card manufacturing terminal 12, and the "PMK" written on the IC card 11 and the keyboard. The "PMK" input from 24 is input to the IC card 1
The account number “PAN” is written in the IC card 11 only when the two are matched, and the “IPIN” is read from the IC card 11 to print the print sheet 2
Print on 7. Then, the issuer has the IC card 11 and "I" in which the account number "PAN" is written as described above.
The PIN "printing sheets 27 are individually sealed and separately sent to the cardholder. When the card holder receives the IC card 11 and the printing paper 27 from the issuer,
Go to the issue destination and place the IC in the IC card user terminal 32 for the card holder installed there.
While the card 11 is mounted, the recorded content "IPIN" of the printing paper 27 sent from the issuer is read and the code is input to the IC card user terminal 32. In addition, the cardholder gives the IC card user terminal 32 an arbitrary self-verification number "PIN" (Personal).
Enter the Identification Number). The IC card user terminal 32 is the IC
As with the card issuing terminal 22, a card insertion slot 33,
The IC card 11 includes a keyboard 34, a display panel 35, and a printer unit 36, and is written on the IC card 11.
"N" and "IPIN" input from the keyboard 34 are compared in the IC card 11, and the self-verification number "PIN" is written in the IC card 11 only when they match.
By the above procedure, the issuing process of the IC card 11 is completed, and thereafter, the IC card 11 can be actually used.

<External Mounting of Terminal> FIG. 2 shows an external configuration of the IC card 11 and the card terminal 41 for the card 11 when the IC card system of the present invention is realized. The card terminal 41 has a card insertion slot 42. , A keyboard 43 and a display unit 44. The keyboard 43 is provided with a ten key 45, a yes key 46, a no key 47 and the like. This card terminal 4
Details of the internal circuit 1 will be described later.

<Circuit Configuration of IC Card> Next, the configuration of the IC circuit configured inside the IC card 11 will be described with reference to FIG.

In the figure, 51 is a system bus, and this system bus 51 has a data ROM 52 and an application R.
The input controller 60 is connected to the OM 53, the system program ROM 54, the working RAM 55, the system controller 56, the decryption operation unit 57, the read / write controller 58, and the input buffer 59, and the output controller 62 is connected to the output buffer 61. . A data input / output terminal I / O is connected to the input controller 60 and the output controller 62.

The data ROM 52 stores all operating conditions for the card 11 itself (data write applied voltage and its current allowable value and maximum application time, maximum data transmission amount, maximum response waiting time, etc.). When the internal initials of the card itself are completed, answer-to-reset data (Answer To Reset data) according to a predetermined format is transmitted to the terminal 41 side. In addition, the application ROM 53 stores the card type data “APN” (A
application name),
This card type data is the answer-to-reset
After the initial parameters are set based on the data, they are placed in a predetermined data format and transmitted when the attributes are exchanged with the terminal 41. The system program ROM 54 also includes various system programs and code numbers "ACK" and "NAC" codes indicating whether or not the signal transmitted and supplied from the terminal 41 side is correct. Further, the system controller 56 has a judgment area therein, and outputs an operation command or the like to each circuit according to a data reception signal transmitted and supplied via the input buffer 59 and an operation state. The cryptanalysis operation unit 57 performs cryptanalysis based on the "RSA" algorithm, and uses a key code memory (R
OM) 57a stored in the key code for decryption (I
The input data supplied from the terminal 41 side via the input buffer 59 is decoded by the secure's private key) and output to the comparison unit 63. The comparison output from the secret information comparison unit 63 is supplied to the system control line 56a of the system controller 56. The system control line 56a includes a flag 64 that operates based on the comparison result by the comparison unit 63.
Are connected. On the other hand, the read / write controller 58
Controls the writing and reading of data to and from the data memory 65 in response to a command from the system controller 56. The memory data read by the read / write controller 58 is stored in the comparison unit 6 as described above.
3 or the system bus 51 or the card status buffer 66. The data memory 65
For example, an EEP-ROM is used in this memory area. In this memory area, "CA", "IPIN", "PA" are used.
"N", "CHN", "EPD", "PRK", "RT"
Each code of "N" and status data "ST" are written. “CHN” written in the data memory 65
Is an abbreviation for "Card Holder's Name" (name of the cardholder), and "EPD" is "Exp.
Abbreviation for “irration date”.
Further, “RTN” is the number of data re-inputs when wrong data is input. Further, the above "ST" represents the current state of the card 11. For example, in the case of the card after the manufacturing process in FIG. P
If "IN" is not registered, PIN unregistered data is written. The card status data “ST” is transmitted to the terminal 41 side in the same data format as the card type data “APN” stored in the application ROM 53. The data memory 65
Is not limited to EEP-ROM, but may be, for example, EP-ROM.

On the other hand, the system controller 56 includes a timer 67.
Are connected. The timer 67 counts for a fixed time when a command for starting the supply of the data write voltage is output to the card terminal 41 during a normal information exchange process. When the acknowledgment signal “ACK” is not supplied from the terminal 41 side, the system controller 56 prohibits the data input / output in the card 11. An address comparator 68 is connected to the bus line connecting the read / write controller 58 and the system bus 51. The address comparator 68 constantly compares, for example, an unused specific address set in the fixed address section 69 at the end of the test after manufacturing the card with a specified address specified via the system bus 51. The comparison output from the comparator 68 is supplied to the read / write controller 58, and the data memory 65 is provided only when the comparison output is an address coincidence signal due to illegal use of the terminal or the like.
Clears all memory data in it to prevent secret information from being read from the card indiscriminately. Here, when the IC card 11 as described above is attached to the card terminal 41, the reset signal Reset and the system clock clo are output from the card terminal 41 via the connector 11a.
ck is supplied, and the Vcc power supply and the Vpp power supply are connected. The Vcc power source is a system driving power source, the Vpp power source is a data writing power source for the data memory 65, and the power source voltage thereof is the data RO.
It is set on the terminal 41 side based on the answer-to-reset data stored in M52. On the other hand, the system operation signal from the system clock clock is
It is supplied to each circuit via the frequency divider 70.

<Terminal Circuit Configuration> Next, the circuit configuration of the card terminal 41 will be described with reference to FIG.

In the figure, 71 is a system bus, and the system bus 71 includes a sound controller 72, a working RAM 73, a system program ROM 74, a terminal attribute ROM 75, and an initial parameter RAM 7.
6, a main controller 77, a display drive controller 78, a key controller 79, a reader / writer controller 80, a comparison section 81, an encryption operation unit 82 for performing encryption based on the "RSA" algorithm,
Latch circuit 83 for latching "CA", data
Encryption Standard (Data Encr
"DHG" based on the option standard)
System encryption operation unit 84, “DES” method decryption operation unit 85, output buffer 88 via input / output controller (I / O controller) 86 and output controller 87, and input controller 90 via input buffer 89. Are connected.

A speaker 91 is connected to the sound controller 72, and an alarm sound is output as needed. In the memory area of the working RAM 73, "PAN" sent from the IC card 11,
In addition to storing “CHN”, “EPD” and the like, various processing data in the terminal 41 are stored. The system program ROM 74 includes various system programs and an "ENQ" (query) code for matching with the IC card 11. Further, the terminal attribute ROM 75 stores a terminal code "TC" (for example, a manufacturing code, an issue code, a store code, etc.) that differs depending on the use of each terminal, and this terminal code "TC" is the above IC. After setting the initial parameters based on the answer-to-reset data from the card 11, the data is transmitted in a predetermined data format when the attributes are exchanged with the card 11. Here, the answer-to-reset data from the IC card 11 side is the initial parameter RAM.
It is collectively stored at 76. This initial parameter R
The output controller 87 and the input controller 90 are connected to the AM 76 via the initial data transmission line 76a.
And a Vpp level latch unit 92, a Vpp timer latch unit 93, and an Ipp level latch unit 94, and each of the latch units has a corresponding Vpp power supply 95.
The Vpp timer 96 and the Ipp limiter 97 are connected.
Then, the output line of the Vpp power source 95 is
It is connected to the Vpp output terminal via a pp timer 96 and an Ipp limiter 97. Here, the maximum data transmission amount to the IC card 11 controlled by the main controller 77, the card data maximum write voltage by the Vpp power supply 95, the write voltage supply time by the Vpp timer 96, and the card data maximum allowance by the Ipp limiter 97. The write current is set based on the answer-to-reset data, which are collectively stored in the initial parameter RAM 76.

An IC card operating frequency selector 98 is connected to the data transmission line 76a. The oscillation signal from the oscillator 99 is fed to the frequency divider 100 to the selector 98.
, And the oscillation signal whose operating frequency is set is output from the clock terminal. Further, the initial parameter RAM 76 has the timer 101
Are connected. Based on answer-to-reset data sent from the IC card 11 side and collectively stored in the initial parameter RAM 76 to the timer 101, for example, the inquiry signal “from the terminal 41 side to the card 11 side”. The maximum response waiting time from the time when the ENQ "or other command signal is transmitted is counted. If there is no response signal from the card 11 side within this waiting time, the main controller 77 causes the above" The transmission of the ENQ "or other command signal is instructed again, or the reader / writer mechanism unit 102 is instructed to disconnect from the card 11 via the reader / writer controller 80.

In addition, the system control line 7 of the main controller 77
7a includes the comparison unit 81, the encryption operation unit 82,
The latch circuit 83, the input / output controller 86, etc. are connected to the main controller 7 depending on the operating state of the system.
A control command is sent from 7 to each circuit unit. The display drive controller 78 performs display control on the backlight 44a by the display unit 44 and an EL display element provided behind the display unit 44. The backlight 44a is used in the IC card in the reader / writer mechanism unit 102. The lighting is controlled only when 11 is inserted. The key controller 79 applies a key sampling signal to the keyboard 43 to detect a key input signal. Then, the reader / writer controller 80
The reader / writer mechanism unit 102 is driven and controlled, and the reader / writer mechanism unit 102 includes a motor for carrying a card, and an IC inserted from the card insertion slot 42.
This is a mechanism for transporting the card 11 to a predetermined position and returning the IC card 11 which has been subjected to a predetermined process to the card insertion slot 42. Further, the output buffer 88, the reset controller 103, the Ipp level latch unit 94, the operating frequency selector 98, and the Vcc power supply 104 are connected to the reader / writer mechanism unit 102, and the corresponding terminals I / O, Reset, Vpp, clo
ck and Vcc are set to high impedance only when the IC card 11 is not inserted.
Here, the input controller 90 and the output buffer 88
The output controller 87, which is connected to the input / output terminal I / O via the above, transfers data between the card terminal 41 and the IC card 11 in response to a command from the main controller 77 via the initial parameter RAM 76. The input controller 9 that controls
0 outputs the data sent from the IC card 11 to the storage unit such as the working RAM 73 via the input buffer 89, and the output controller 87 outputs the data provided from the storage unit such as the terminal attribute ROM 75. Is sent to the IC card 11 side via the output buffer 88. On the other hand, the data input from the IC card 11 side via the input buffer 89 is sent to the comparison section 81 via the bus line, and the comparison output is supplied to the main controller 77. Further, the output controller 87 outputs the encrypted data supplied from the encryption operation unit 82 via the output buffer 88 to the IC card 1
Send to 1. Data "PAN" sent from the working RAM 73 through the system bus 71 is sent to the encryption operation unit 82 by an IPK (Issuer's Public Key) R configured by a data ROM.
Encrypt according to the public key code provided by the OM 105. In the IPKROM 105, I
“PR stored in the data memory 65 of the C card 11
A public key code corresponding to "K" is written in advance, and when a command is given from the main controller 77, the stored code is output.

On the other hand, “CA” latched by the latch circuit 83 is input to the encryption operation unit 84 and the decryption operation unit 85. Further, predetermined data is input to the encryption operation unit 84 via the system bus 71,
In response to a command from the main controller 77, "PAN" or the like stored in the working RAM 73 is encrypted with "CA" as a key and output to the input / output controller 86. The input / output controller 86 outputs a database, that is, encrypted data to the host computer when the host computer is online. Further, the input / output controller 86 decrypts the encrypted data sent from the host computer by the decryption operation unit 85 based on "CA" and outputs it to the system bus 71.

<Operation of the Embodiment of the Invention> Next, the operation of the above embodiment will be described with reference to a flowchart.

First, as shown in FIG. 1 above, when the IC card 11 is manufactured and issued and the user's “PIN” is registered, when the user uses the card 11, the user is required to use the card shown in FIG. When the IC card 11 is inserted into the power-on card terminal 41 as shown, the present system starts processing operation according to the flowchart in FIG.

<Initial Processing> That is, as shown in step A1 of FIG.
The terminal 41 transmits a preset initialization signal to the IC card 11. This initial setting signal is input / output terminal I under the control of the main controller 77, for example.
/ O is H level, reset terminal Reset is L
From (low) to H (high) level, Vcc terminal and V
pp terminal is 5V each, and clock terminal cloc
k is set to 4.9152 MHz, and this initial setting signal is applied to each terminal I / O, Reset, Vpp, Vcc, c on the card 11 side in step B1.
Received via lock. Then IC card 11
Starts the operation in step B2 under the operating condition based on the initial setting signal.

<Answer-to-Reset Processing> In step B3, the IC card 11 having started the initial operation reads out the answer-to-reset data stored in advance in the data ROM 52 under the control of the system controller 56, and reads the system bus. 51 through the output buffer 61 and the output controller 62
Send from the / O terminal to the terminal 41. Here, the contents of the answer-to-reset data stored in the data ROM 52 will be described with reference to FIGS. 7 to 16.

First, FIG. 7 shows the overall structure of the answer-to-reset data stored in the data ROM 52. In FIG. 7, the operating condition data of the IC card 11 are interface bytes TA1, TB1, respectively.
Indicated by TC1 and TA2, TB2, TC2, ...
The format byte TO indicates whether or not each condition data exists. On the other hand, TD1 is the TA2
It indicates whether or not the subsequent condition data exists, and the initial byte TS is initial setting data for transmitting these condition data. Furthermore, the complementary bytes T1, T2, ... TK are
It is used when increasing the condition data in the card 11. The initial byte TS, the format byte TO, and the interface byte have an 8-bit data format. FIG. 8 shows the code contents of the initial byte TS. Among the 8-bit codes a to h, a, b and c are fixed code bits,
d is a bit indicating whether or not the parity is used, e is a bit indicating a level attribute, f is a bit indicating a data transfer direction order, and h and g are bits indicating a parity attribute. 9th
The figure shows the code contents of the format byte TO in FIG. 7, where a, b, c, d are bits indicating the number of the complementary bytes T1, T2, ..., TK, and e is the interface byte TA1. A bit indicating whether or not there is condition setting data, f is a bit indicating the presence / absence of interface byte TB1, g is a bit indicating the presence / absence of TC1, h is the presence / absence of TD1, that is, something after interface byte TA2 It is a bit indicating whether or not the condition setting data is present.
FIG. 10 shows the interface byte TA1 in FIG. 7, and among the 8-bit code, a, b,
c and d are bit areas for setting the speed of data transmission to the card 11, and e, f, g and h are clock terminals cl.
This is a bit area for setting the operating frequency of the card 11 taken out from the ock. Next, FIG. 11 shows the interface byte TB1 in FIG.
Of the 8-bit code, a to e are bit areas for setting the data write voltage to the data memory 65 of the card 11, and here Vpp = 5V to 25V can be set according to various cards. Also, f to g
Is a bit area for setting the allowable value of the data write current to the data memory 65, and here, Ipp
= 50 to 100 mA can be set according to various cards. In this embodiment, the value of Ipp is set to 5
Although it is specified as either 0 mA or 100 mA, the specified current value and its range can be set arbitrarily. FIG. 12 shows the interface byte TC1. Here, all of the 8-bit codes a to h are areas for setting the data transmission interval (guard time) for the card 11. FIG. 13 shows the interface byte TDn. Here, 4 bits a to d of the 8-bit code are unused bits, e, f, g,
Each of h indicates whether the following interface bytes TAn1, TBn1, TCn1, TDn1 have condition setting data or not. FIG. 14 shows the interface byte TA2 in FIG. 7 above, in which all of the 8-bit code is the present card 1
This is an area for setting an allowable maximum data transmission amount for 1 and can be set from 1 to 255 bytes according to the reading ability of various cards. Further, FIG. 15 shows the interface byte TB2 in FIG. 7, and all of the 8-bit codes a to h are in this card 11.
This is the area for setting the waiting time for the response signal to
100 ms to 2 depending on the data processing capacity of various cards
It can be set up to 5,500 mS. Further, FIG. 16 shows the interface byte T in FIG.
C2 indicates an area in which all 8-bit codes a to h set the maximum continuous application time of the data write voltage Vpp to the card 11, and 100 mS to 25 depending on the data write capability or withstand voltage performance of various cards. ，
It can be set up to 500 mS.

That is, as described above, the initial byte TS, the format byte TO, the interface byte TA1,
Answer-to-reset data composed of TB1, TC1, TD1, TA2, ...
The first side waits for reception in step A2. In this case, the answer-to-reset sent from the card 11 side
Data waiting time when data is initialized (for example, 100
It is determined in step A3 whether or not the signal is received within mS). Yes in this step A3, that is, timer 1
Within the data waiting time set in 01, the answer
If the main controller 77 determines that the two-reset data has been written in the initial parameter RAM 76 via the I / O terminal, the input controller 90, the input buffer 89, and the system bus 71, step A4 Then, the main controller 77 further determines whether or not the write data in the initial parameter RAM 76 is correct data corresponding to the terminal 41. If YES is determined in step A4, the process proceeds to step A5, and the main controller 77 allocates and sets each interface byte in the initial parameter RAM 76 to each corresponding circuit as the operation condition setting data of the IC card 11. That is, the operating frequency setting data of the IC card 11 corresponding to the interface byte TA1 is set in the IC card operating frequency selector 98 via the data transmission line 76a, and the write voltage to the data memory 65 corresponding to the interface byte TB1. The setting data and the maximum allowable write current setting data are set in the Vpp level latch section 92 and the Ipp level latch section 94, respectively. Then, the setting data of the maximum data transmission amount for the IC card 11 corresponding to the interface byte TA2 is set in the main controller 77 itself,
The setting data of the response signal waiting time corresponding to TB2 is set in the timer 101. In this case, in step A2, the constant data waiting time set in the timer 101 is rewritten to the waiting time dedicated to the IC card 11 currently mounted. Further, the setting data of the write voltage application time to the data memory 65 corresponding to the interface byte TC2 is V
It is set in the pp timer latch section 93. This allows
The maximum data transmission amount controlled by the main controller 77,
Vpp, a data write voltage determined by the Vpp power supply 95
The data write voltage continuous application time determined by the pp timer 96, the allowable value of the data write current determined by the Ipp limiter 97, and the operating frequency for the card determined by the operating frequency selector 98 are all stored in the initial parameter RAM 76. Based on the written answer-to-reset data, the value is set to a value corresponding to the operating condition of the card 11 currently mounted. Therefore, even if the operating conditions such as the data write voltage Vpp and its continuous application time, the permissible current Ipp or the data read ability and the response ability are different for each card, the answer on the card 11 side is
As long as it has a two-reset data transmission function and a terminal 41 side condition data setting function,
It is possible to set operating conditions corresponding to cards of any performance.

On the other hand, if it is determined No in step A3 or No in step A4, the process proceeds to step A6, and it is determined whether or not the number of times determined to be No has reached three times. In this case, the above step A2 or A3
The number of times No is determined in the working RAM 7
It is stored in the count data area 3 and the value in this count data is checked by the main controller 77 to make the determination in step A6. If No is determined in step A6, the process proceeds to step A1 again to transmit the initial data to the IC card 11. On the other hand, in step A6, Yes, that is, the card 1
When it is determined that the answer-to-reset data transmitted from the first side does not correspond to the terminal 41, the main controller 77 sends a control command to the reader / writer controller 80 to send the reader / writer controller 80. -The plunger in the writer mechanism unit 102 is flipped to release the card lock mechanism, eject the IC card 11, and disconnect the connection. As a result, for example, when the IC card 11 attached to the terminal 41 does not correspond to this system at all or the operating conditions cannot be set, the card 11 is previously set in step A6. The connection with will be cut off and trouble will be prevented from occurring.

<Selecting Process> Next, in step A5, when the setting of the initial parameters for the card 11 to be mounted is completed, the process proceeds to step A7 shown in FIG. E
The NQ "code, that is, a code for inquiring whether the card 11 on the other side normally operates under the operating conditions set in the step A5 is taken out, and the system bus 71, the output controller 87, the output buffer It is transmitted to the IC card 11 side via 88 and the I / O terminal.
Then, on the card 11 side, the "ENQ" signal sent via the I / O terminal is received via the input controller 60 and the input buffer 59, and the working RAM 56 is received.
Write in (step B4). In this case, in step B5, the input controller 60 performs a parity check of the "ENQ" signal. Here, Yes,
That is, if it is determined that the parity check of the input signal is OK, the process proceeds to step B6 and the system controller 56
Is the "EN" written in the working RAM 55.
It is determined whether or not the Q "code can be received as a normal" ENQ "code.Yes in this step B6, that is, it is determined that the above" ENQ "code can be received normally in a normal operation state. Then, the process proceeds to step B7, and the system controller 56 extracts the "ACK" code from the system program ROM 54 based on the determination that the card 11 is in the normal operating state according to the operating condition set on the terminal 41 side, and outputs it. Data is transmitted to the terminal 41 side via the buffer 61, the output controller 62, and the I / O terminal.On the other hand, if No is determined in the above step B5 or B6, the process proceeds to step B8, and the system controller 56 confirms that this card 11 is Does not operate normally under the operating conditions set on the terminal 41 side Judgment say, or Terminal 4
Based on the judgment that there is some abnormality in the transmission system between the card 1 and the card 11, "N" is read from the system program ROM 54.
The AC "code is taken out and transmitted to the terminal 41 side through the output buffer 61, the output controller 62 and the I / O terminal.

Then, on the terminal 41 side, the "ACK" signal or the "NAC" signal sent from the card 11 side via the I / O terminal is standby-received in step A8. In this case, the "ACK" signal or "NAC"
The signal indicates that the response waiting time of the IC card 11 set in the timer 101 in step A5 (for example, 150 m
It is determined in step A9 whether or not it is received within S). Yes in this step A9, that is, timer 1
Within the response waiting time of the IC card 11 set in 01, the "ACK" signal or "NAC" signal is I
/ O terminal, input controller 90, input buffer 89,
When the main controller 77 determines that the data has been written in the working RAM 73 via the system bus 71, the process proceeds to step A10, and the main controller 77 further writes the write data in the working RAM 73 to the terminal 41. It is determined whether the corresponding one is correct. If YES is determined in this step A10, the process proceeds to step A11, and the main controller 77 determines whether or not the code written in the working RAM 73 is "ACK". And this step A
Yes in 11, that is, the signal received from the card 11 side in step A8 is “ACK”, and it is confirmed that the card 11 is operating normally under the respective operating conditions set in step A5. And step A1 assuming that there is no error in the transmission system between the terminal and the card.
2, the main controller 77 takes out the terminal code TC which is different depending on the type of the terminal stored in the terminal attribute ROM 75, and the output controller 8
The output buffer 88 is latched via 7 to prepare for the attribute exchange processing in the subsequent steps.

On the other hand, if it is determined No in step A9, A10 or A11, the process proceeds to step A13, where N
It is determined whether or not the number of determinations of “o” has reached three times. In this case, the above steps A9, A10 or A1
The number of times No is determined in 1 is the working RAM.
It is stored in the count data area 73, and the value in the count data is checked by the main controller 77 to make the determination in step A13. If it is determined No in step A13, the process proceeds to step A7 again and I
The "ENQ" code is transmitted to the C card 11. On the other hand, in step A13, Yes, that is, the content of the signal transmitted from the card 11 side is the terminal 4
1 is determined not to correspond to 1, or the signal transmitted from the card 11 side is the "NAC" signal, and the IC card 11 does not operate normally under the respective operating conditions set in step A5, or the terminal does not operate normally. → When it is determined that there is some abnormality in the transmission system between the cards, the main controller 77 sends a control command to the reader / writer controller 80 to flip the plunger in the reader / writer mechanism unit 102, and the IC card 1
Eject 1 to break the connection. As a result, even after the initial parameters are set in step A5, the IC card 11 attached to the terminal 41 is
If the card does not operate normally, the connection with the card 11 is cut off due to the card → terminal incompatibility or the transmission system is abnormal, and the occurrence of trouble can be prevented.

<Attribute Exchange Processing> Next, the attribute exchange processing operation shown in FIG. 6C and subsequent figures will be described.

First, as shown in step A14, the terminal 41
Transmits the terminal code TC latched and set in the output buffer 88 in step A12 to the card 11 side via the I / O terminal. In this case, the terminal code TC is transmitted by being assembled in a data format as shown in FIG. 17, for example.
Is received via the input controller 60 and the input buffer 59 and stored in the working RAM 55. In this case, in step B10, the input controller 6
0 is a parity check of the transmission signal in which the terminal code TC is incorporated and determines whether or not the data content is correct. Here, if it is determined to be Yes, that is, the parity check of the transmission signal is OK, a step is performed. B1
In step 1, the system controller 56 fetches the application name APN different according to the type of the card stored in the application ROM 53 and latches it in the output buffer 61 to prepare for the next step. Then, in step B12, the application name APN latched and set in the output buffer 61 in step B11 is transmitted to the terminal 41 side via the output controller 62 and the I / O terminal. In this case, the application name APN is assembled in a data format as shown in FIG. 18 and transmitted as a card type code, and its name area is 12 bytes including an extension byte (2 bytes), for example. Composed. Further, during the transmission of the application name APN, the card status data ST stored in the data memory 65 is also stored in the read / write controller 58.
Also, the card type code is transmitted to the terminal 41 side via the card status buffer 66.
On the other hand, if it is determined No in step B10, the process proceeds to step B13, where the system controller 56
Takes out the "NAC" code from the system program ROM 54 based on the judgment that the terminal code TC is unreadable, and outputs the output buffer 61 and the output controller 6
2 and to the terminal 41 side via the I / O terminal.

Then, on the terminal 41 side, the card type code or "NAC" signal sent from the card 11 side via the I / O terminal is received in step A15,
It is stored in the working RAM 73. Then, proceeding to step A16, the main controller 77 determines whether or not the write data in the working RAM 73 is correct data corresponding to the terminal 41. If Yes is determined in step A16, step A1
7, the main controller 77 is a working RAM
It is determined whether or not the data written in 73 is "NAC". No in this step A17, that is, the data sent from the card 11 side is not "NAC",
If it is determined that the card type code includes the card application name APN and the card status data ST, the process proceeds to a card type determination flow as shown in steps A18 and A19.

On the other hand, in step A16, No or A17
If it is determined to be Yes in step A20, the process proceeds to step A20, and the number of times determined to be No in step A16 and Yes in step A17 is n (for example, n =
It is determined whether or not 2) has been reached. In this case, No or Yes in step A16 or A17.
The number of times determined to be stored is stored in the count data of the working RAM 73. By checking the value of this count data with the main controller 77,
The determination in step A20 is made. Then, if it is determined No in step A20,
The process proceeds to step A14 again, and the terminal code TC is transmitted to the IC card 11. On the other hand, in step A20 described above, Yes, that is, it is determined that the signal content transmitted from the card 11 side does not correspond to the terminal 41, or the signal transmitted from the card 11 side is the "NAC" signal. , Step B above
When it is determined that the terminal code TC is already unreceivable at the time point of 10, the main controller 77 sends a control command to the reader / writer controller 80 to cause the plunger in the reader / writer mechanism unit 102 to move. To remove the IC card 11 and disconnect the connection. As a result, if data transfer of the terminal code TC and the card type code is not successful even after the IC card 11 starts to operate normally by setting the initial parameters on the terminal 41 side, the card-terminal failure As a countermeasure, the connection with the card 11 is cut off and the occurrence of trouble is prevented in advance.

<Application Name Discrimination Processing> Next, the card type determination operation in steps A18 and A19 will be described.

FIG. 19 shows the card type determination operation in detail. First, in step B12, the card 1
The card type code (application name APN) sent from the first side and stored in the working RAM 73,
In step A19a, it is determined whether or not the application name APN, which is taken out by the main controller 77 and stored in the terminal attribute ROM 75 in advance, and the usage type have a correspondence relationship. Here, assuming that the terminal code TC of the terminal 41 is a merchant code and the application name APN is for installation at an abc bank store, for example, the application name APN of the card type code sent from the card 11 side is, for example, abc bank deposit. If it is the abc bank cd branch for deposit, it is determined in step A19a that both application names match, and step A2
The process moves to the information exchange process after 1. This step A21
Then, in step A19a, the I
The C card 11 is the system program ROM for the first time based on the judgment that the type matches the terminal 41.
The formal instruction code is taken out from 74 and transmitted to the card 11 side.

On the other hand, when the application name APN of the card type code transmitted to the terminal 41 side in step B12 is, for example, an xy credit card for general shopping, it is determined in step A19a that the card types do not match, The process proceeds to the card ejection process in A22. In this step A22, the main controller 77 sends a control command to the reader / writer controller 80 based on the judgment that the type of the currently mounted IC card 11 does not match the terminal 41 in the above step A19a. As a result, the plunger in the reader / writer mechanism 102 is flipped, the IC card 11 is ejected, and the connection between them is broken.
At the same time, a control command is also transmitted to the display drive controller 78 to display on the display unit 44 that the card types do not match. In the above embodiment, the application name APN is the terminal attribute ROM 7
5, the application name APN may be written in the working ROM 55 by inserting a startup card after powering on the terminal. As described above, for example, when the purpose of use of the IC card 11 does not match the type of the terminal 41, the card 1 can be previously exchanged before the actual information exchange.
Since the connection with 1 is disconnected, it is possible to prevent the occurrence of trouble such as malfunction of the terminal.

<Instruction Code Discrimination Processing> Next, after the above card type determination operation, the terminal 41
The terminal command confirmation operation when the command code is sent from the user side to the card 11 side for the actual information exchange processing will be described.

FIG. 20 shows the terminal command confirmation operation in detail. First, in step A14, the working RA of the IC card 11 already sent from the terminal 41 side is sent.
The terminal code TC stored in M55 and the instruction code (COM) sent in step A21 (information exchange initiation step) in FIG.
In step B14, arithmetic processing is performed with a predetermined relational expression. The terminal code TC 'and its instruction code (C
In step B15, it is determined whether or not the OM ') and the OM') have a regular correspondence. Here, the terminal instruction code (COM ') sent in step A21 is, for example, the comparison and collation instruction (P) of the personal identification number.
In the case of IN Compare), in step B15, the terminal instruction code match (TC = PI)
N Compare). In addition, if the terminal instruction code is, for example, a PIN code writing instruction (PIN W
If it is “write”, the terminal instruction code does not match (TC ′ ≠ PIN Wr in step B15).
ite '). That is, the above step B1
Terminal code TC 'and its instruction code C in 5
The result of comparison with OM 'is according to the correspondence table of terminal codes and instruction codes as shown in FIG. 21, and the instruction codes (indicated by circles) that should exist in various terminals are on the card side. A match is determined only when sent, and a non-match is determined when an instruction code that should not exist is sent. When it is determined in step B15 that the terminal code TC 'and the instruction code COM' match, step B1
In accordance with the command code (corresponding to the personal identification number comparison and collation command in this case) confirmed to correspond to the terminal 41, for example, the personal identification number keyed from the terminal 41 and stored in the data memory 65 of the card 11. The comparison unit 63 compares the PIN with the PIN. Then, when the compared personal identification numbers PIN match each other, the process proceeds to the information exchange processing operation of money transaction. On the other hand, the above step B15
Terminal code TC 'and instruction code CO
If it is determined that the M's do not match, the system controller 56 proceeds to step B17, and the system controller 56 sends to the terminal 41 an error instruction code that does not correspond to the terminal code TC. Notify that there is a system program ROM
54 or the data memory 65 is locked to prevent unauthorized reading or rewriting of memory contents. Therefore, for example, even if some modification is made on the terminal 41 side to try to illegally use the contents of the mounted IC card 11, it is impossible to execute the instruction based on the illegal instruction code, and the safety is high. An IC card system can be realized.

<Card Status Registration and Confirmation Processing> Next, the card status registration function in this IC card system will be described.

FIG. 22 is a flowchart showing the card status registration function and its confirmation operation. First, step A
At the time when the manufacturing of the IC card 11 in 101 is completed, the manufacturing completion status is written in the data memory 65 of the IC card 11 at the card manufacturing terminal 12 as shown in FIG. 1, for example. After the card manufacturing process is completed, the process proceeds to the card issuing process, and when the IC card 11 is attached to the card issuing terminal 22, the terminal 22 firstly performs the above-mentioned card 11 in step A102.
The status data ST in the side data memory 65 is read and it is determined whether or not there is a manufacturing end status. If it is determined Yes in step A102, the predetermined card issuing process is completed, and then step A103 is performed.
Proceed to step 1 and use the card issuing terminal 22 to enter the above card 1
Further, the issuing process end status is written in the data memory 65 in 1. After the card issuing step is completed, the PIN number PIN registering step is proceeded to, and when the IC card 11 is mounted on the PIN registering user terminal 32, the terminal 32 first sets the status in the data memory 65 on the card 11 side in step A104. Data S
Read T to determine whether there is an issue completion status. If it is determined Yes in step A104, the predetermined PIN registration process is completed, and then step A
In step 105, the user terminal 32 writes the PIN registration status in the data memory 65 in the card 11. After completing this PIN registration process,
When the IC card 11 is attached to the in-store terminal 41 as shown in FIG. 2, for example, when the IC card 11 is installed in the in-store use process, the terminal 41 first sets the status data ST in the data memory 65 on the card 11 side in step A106.
Is read to determine whether or not there is a PIN registration status. If it is determined Yes in step A106, the process proceeds to step A107, and the product can be purchased at the store. Here, FIG. 23 shows the IC card 1 described above.
1 shows the code content of the card status data ST stored in the data memory 65 of No. 1, of the 8-bit code, b is a bit indicating the manufacturing process end status written in step A101, and c is the step A105. The bit indicating the PIN registration status written in step A103 and the bit d indicating the issue process end status written in step A103. Further, in the status data ST, a is a bit indicating that the collation number has been mistaken three times in succession, f is a bit indicating that the write item area does not exist in response to a write command from the terminal 41, and A bit indicating a card invalid state is provided in h. e and g are unused bits.

On the other hand, No in step A102 or A104, that is, the manufacturing process end status is not written in the data memory 65 of the IC card 11 when the card issuing process is proceeded, that is, in the bit area b in FIG. When "1" is set or when the PIN registration process is proceeded, the issuing process end status is not written in the data memory 65 of the IC card 11, that is, "1" is written in the bit area d in FIG. If it is determined that "is standing", the process proceeds to step A108, and each terminal 22 or 32 has not completed the process that should have been completed. Turn off the flag to the flag 64 of the IC card 11 so that the system controller 56 cannot be substantially controlled. To. This invalidates the card itself. Further, in step A106 above, No,
That is, it is determined that the PIN registration status is not written in the data memory 65 of the IC card 11 when the process of using the store is proceeded, that is, "1" is set in the bit area c in FIG. As a matter of course, at the terminal 41 installed at the store, since the personal identification cannot be performed by the personal identification number PIN, the product cannot be purchased, and the PIN registration is inevitably required in the PIN registration process.
However, in this case, as described with reference to FIG.
To register a PIN at the user terminal 32,
Since the collation number IPIN sent directly from the issuer to the user by another flight is required as a key code for PIN writing, if this IC card is stolen by a third party, PIN registration is not possible. Since it cannot be done absolutely, illegal use is impossible. As a result, for example, even if an IC card that has not passed the regular card manufacturing, issuing and PIN registration route is illegally used, the card status data ST of the in-card data memory 65 is checked each time, so that the card is not in advance. It is possible to prevent crime. On the other hand, by using the bit areas a, f, and h in FIG. 23 by appropriately displaying them on the terminal when actually using the card, for example, it is possible to reduce the occurrence of troubles caused by mistaken input of the PIN key. Is also possible.

Therefore, according to the IC card system configured as described above, as described with reference to the flowchart in FIG. 20, the terminal code stored in advance in the terminal attribute ROM 75 of the card terminal 41 and indicating the type of the terminal itself. The TC and the command code transmitted from the terminal 41 side at the time of starting the information exchange with the IC card 11 have a predetermined relationship each time the command code is sent, whether or not there is a corresponding relationship. Using the formula, the IC card 11 side compares and determines, and if there is no compatibility between the currently connected card terminal 41 and its command code, the data memory 65 on the card 11 side is immediately locked and the contents of the memory are illegal. Since it is designed to prevent unauthorized reading or rewriting, the card terminal 4
There is no possibility that the information stored in the mounted IC card 11 will be illegally used on the first side.

[Effects of the Invention] As described above, according to the present invention, a terminal code corresponding to the type of the terminal itself is stored in advance in the card terminal, and this terminal code is transmitted to the card side when connecting to an IC card. Then, whether or not each of the command code transmitted from the terminal at the time of actual information exchange and the terminal code transmitted at the time of the above-mentioned card connection can be legally corresponded in the IC card. It is configured to prohibit the information exchange operation between the card terminal and the IC card when the above-mentioned codes are not in a corresponding relationship by comparison and determination. Therefore, for example, even when an illegal command code is transmitted from the card terminal, It is possible to improve the security of card transactions without the information on the card being illegally used. , Great effect in preventing card crime.

[Brief description of drawings]

FIG. 1 shows the manufacture, issuance, and personal identification number (P) of an IC card in an IC card system according to an embodiment of the present invention.
(IN) registration process, FIG. 2 is an external configuration diagram showing an IC card and its card terminal in the IC card system, and FIG. 3 is a diagram showing a circuit configuration of the IC card in the IC card system. The figure above is I
FIG. 5 is a diagram showing a circuit configuration of a card terminal in the C card system, FIG. 5 is a flowchart showing a simplified flow of the entire operation in the IC card system, and FIGS. 6A to 6C are operations in the IC card system. FIG. 7 is a flow chart showing the overall flow in which the card terminal side and the IC card side are associated with each other.
FIG. 8 is an overall configuration diagram showing answer-to-reset data stored in the card, FIG. 8 is a diagram showing a code content of the initial byte TS in FIG. 7, and FIG. 9 is a format byte in FIG. FIG. 10 shows the code contents of TO, FIG. 10 shows the code contents of interface byte TA1 in FIG. 7, FIG. 11 shows the code contents of interface byte TB1 in FIG. 7, and FIG. 7 shows the code contents of the interface byte TC1 in FIG. 7, FIG. 13 shows the code contents of the interface byte TDn in FIG. 7, and FIG. 14 shows the code contents of the interface byte TA2 in FIG. FIG. 15 shows the interface byte T in FIG.
FIG. 16 shows the code contents of B2, FIG. 16 shows the code contents of the interface byte TC2 in FIG. 7, and FIG. 17 transmits the terminal code (TC) stored in the card terminal to the IC card side. FIG. 18 is a diagram showing the data format when the card application name (AP is stored in the IC card is stored.
N) and card status data (ST) are shown in the data format when transmitted to the card terminal side, and FIG. 19 is executed based on the card type code transmitted from the IC card on the card terminal side in the IC card system. 20 is a flowchart showing a card type determination operation, and FIG. 20 is a flowchart showing a terminal command confirmation operation executed based on a terminal code and a terminal command code transmitted from a card terminal on the IC card side in the IC card system. FIG. 22 is a diagram showing a correspondence relationship between a terminal code and a terminal command code in the terminal command confirmation operation, and FIG. 22 is a flowchart showing a card status registration function in the IC card system.
FIG. 23 is a diagram showing the code contents of the card status data (ST) stored in the IC card. 11 …… IC card, 41 …… Card terminal, 42
…… Card slot, 51 …… Terminal system bus,
52 ... Data ROM, 53 ... Application RO
M, 54 ... Card system program ROM, 55 ...
… Card working RAM, 56 …… System controller, 58 …… Read / write controller, 59 ……
Card input buffer, 61 ... Card output buffer, 6
4 ... Card lock flag, 65 ... Data memory,
71 ... Terminal system bus, 73 ... Terminal working RAM, 74 ... Terminal system program ROM, 75 ... Terminal attribute ROM, 76 ...
Initial parameter RAM, 77 ... main controller, 88 ... terminal output buffer, 89 ... terminal input buffer.

Claims (1)

[Claims] 1. An IC card system comprising an IC card and a card terminal to which the IC card is attached, means for storing a terminal code set in advance in the card terminal according to the type of the terminal itself, and the terminal. A means for transmitting a code to the IC card side, a means for transmitting an instruction code from the card terminal to the IC card when information exchange processing is performed between the card terminal and the IC card, and a transmission for the IC card side. Means for comparing and judging in the IC card whether or not the generated terminal code and the instruction code sequentially transmitted in the information exchange processing correspond to each other, and the terminal code and the instruction code Does the information exchange operation for the IC card when it is determined that it does not correspond legally. IC card system characterized by comprising a means for stopping, to prevent the execution of the illegal instruction from the card terminal.