CN1892665A - Data for processing method and its apparatus - Google Patents


Info

Publication number
CN1892665A
Authority
CN
China
Prior art keywords
data
circuit
program
semiconductor circuit
module
Legal status
Granted
Application number
CN200610077336.3A
Other languages
Chinese (zh)
Other versions
CN100481103C (en)
Inventor
末吉正弘
久保野文夫
馆野启
Current Assignee
Sony Corp
Original Assignee
Sony Corp
Application filed by Sony Corp
Publication of CN1892665A
Application granted
Publication of CN100481103C
Anticipated expiration
Status: Expired - Lifetime

Abstract

In accordance with a plurality of processing requests, a SAM chip generates IC card entity data including job execution order data showing an order of execution of a plurality of jobs forming processing in accordance with a processing request and status data showing a state of progress of execution of said plurality of jobs for each of said processing requests. Further, the SAM chip selects one entity data from said plurality of entity data, selects and executes the job to be executed next based on the status data and processing order data of said selected entity data, and updates the status data in accordance with execution of said job.

Description

Data processing method and equipment thereof
This application is a divisional application of Chinese patent application No. 02801052.3, entitled "Data processing method and equipment thereof", filed on February 15, 2002.
Technical field
The present invention relates to a data processing method, and to an apparatus, program, semiconductor circuit and authentication device for it, that are useful when transactions are carried out over a network using an IC (integrated circuit) embedded in a card or a mobile terminal device.
Background technology
At present, communication systems in which IC cards and the like are used for transactions over the Internet and other networks are being developed.
In such a communication system, a server receives processing requests that use an IC card from an IC card reader/writer or a PC (personal computer), and carries out user authentication, data encryption and decryption, and other processing.
In a communication system of this kind, however, one must expect situations in which processing requests for a large number of IC cards are received simultaneously or within a short time.
In that case the server must handle such processing requests efficiently.
In addition, the server sometimes runs several application programs that handle procedures related to several account settlement businesses, and processes each request with the application program selected according to that request. Such processing requests must also be handled efficiently.
In the communication system described above, the application program executed by the server must specify the secret key information used to access the IC card and the operation commands used to operate the IC card. If the security of transactions using the IC card is to be maintained, that secret key information and those operation commands may be known only to the administrator of the server.
Therefore, in the past, the administrator of the server produced and customized the application programs at the request of the service provider.
When the administrator of the server produces and customizes application programs in this way, however, the administrator's burden becomes heavy.
In addition, the server described above runs the application programs of several credit card companies or other enterprises. Each application program is produced by a single enterprise and downloaded to the server using a personal computer or the like.
When the server runs the application programs of several enterprises in this way, however, it must be guaranteed that the processing of each application program is not monitored or interfered with by another application program.
On the other hand, data must sometimes be passed between application programs in order to provide various services.
In addition, each enterprise downloads its application program to the server and then debugs it as required.
When each enterprise downloads its application program to the server and debugs it in this way, however, illegal interference with the programs in the server must be prevented.
One technique for achieving this is to use an authentication process based on secret key information when accessing the server. Usually, however, this secret key information is stored in the memory of a terminal device (personal computer), so it may be used illegally, which is a security problem.
In addition, the LSI forming the server has a built-in CPU, and the CPU sometimes accesses memory located outside the LSI chip.
In that case the data flows over the bus arranged between the LSI chip and the external memory, so the data can be inspected by probing the bus.
When the server carries out e-commerce transactions, personal verification and other sensitive processing, however, there is a security problem if the data is probed in this way.
In addition, the server described above is sometimes made up of a single computer.
In that case the single computer runs several programs relating to services provided by different enterprises. When these services handle sensitive data, for example data related to settlement, there is the possibility that highly confidential data belonging to one enterprise is illegally obtained or tampered with by another enterprise.
In addition, when a conventional computer is used as such a computer, the following problems exist.
Figure 133 shows the basic structure of a conventional computer 601.
In the computer 601 shown in Figure 133, the CPU 602 performs processing using the instructions and data read from the memory 603.
The CPU 602 outputs the address to be accessed in the memory 603 to the address bus 604.
In addition, the CPU 602 performs read and write operations on the memory 603 according to a control signal S602.
Module A, module B and module C stored in the memory 603 are processing units of the program, each having a particular function.
During program development, a debugger 605 checks the operation of the CPU 602. It uses a HALT signal to temporarily interrupt the operation of the CPU 602, reads the internal information of the CPU 602, and reports this information to the program developer.
Here, in Figure 133, assume that module A has a basic function used by module B or module C.
Assume further that the routine of the basic function contained in module A is highly confidential. In that case, because module A is a basic function, an environment must be provided in which the developers producing module B or module C can develop their programs. One way of achieving this is the method of distributing a function library.
Such a library is expressed in an intermediate language between a high-level language and machine language (commonly called "assembly language"), but it is quite easy to analyze, so the processing routine that the program needs to keep secret will probably become known in the end.
Another way is to store the basic module (module A in this example) in the memory 603 in advance rather than using it as a function library, with the developers developing their software on the assumption that the basic module exists at a particular location.
Even with this method, however, there remains the problem that the developers of modules B and C can read module A stored in the memory 603. The content read out is expressed in the machine language executed by the CPU 602, but tools exist that convert this machine language to assembly language, so the routine is quite easy to analyze.
In addition, while the developers are developing their programs, the developers of modules B and C can temporarily suspend the execution of the CPU 602 during the execution of module A in order to learn the data being processed by module A or the content of module A, and can thereby learn the entire processing routine of the program of module A.
In addition, the application programs running on the server described above handle key data, charging data, log data and other high-security data set by the service provider, so this data needs to be protected from illegal tampering or monitoring.
A first object of the present invention is to provide a data processing method, a semiconductor circuit and a program capable of processing a large number of processing requests efficiently.
A second object of the present invention is to provide a data processing method, a semiconductor circuit and a program that allow a user to produce and customize the user's application program to be executed by the server without letting the user learn sensitive information.
A third object of the present invention is to provide a data processing method, a semiconductor circuit and a program that, when several application programs run on the same semiconductor circuit, can prevent each individual application program from being affected by another application program.
A fourth object of the present invention is to provide a data processing method, a semiconductor circuit and a program that, when several application programs run on the same semiconductor circuit, allow data to be passed between application programs as required while preventing each application program from being illegally tampered with, monitored, etc. by the user of another application program.
A fifth object of the present invention is to provide a data processing method, a semiconductor circuit, an authentication device and a program that can restrict the content of access to a server or other semiconductor circuit according to the authority held with respect to that server or other semiconductor circuit.
A sixth object of the present invention is to provide a semiconductor circuit and a data processing method that can maintain the confidentiality of data even when sensitive data is transmitted over an external bus between a semiconductor circuit and a semiconductor memory circuit.
A seventh object of the present invention is to provide a data processing apparatus that can maintain the confidentiality of instructions and data between programs when several programs are executed.
An eighth object of the present invention is to provide a semiconductor circuit that can improve the confidentiality of the programs it executes.
A ninth object of the present invention is to provide a data processing apparatus, a method and a program that can improve the security of application programs running on a server when a service using an IC or other integrated circuit is provided.
Summary of the invention
To achieve these objects, the data processing method of the first aspect of the present invention is a data processing method executed by a semiconductor circuit in accordance with a plurality of processing requests, comprising the steps of: generating, for each of the plurality of processing requests, task management data comprising job execution order data and status data, the job execution order data indicating the execution order of a plurality of jobs that form the processing corresponding to the processing request, and the status data indicating the state of progress of execution of the plurality of jobs; selecting one set of task management data from the plurality of generated task management data according to a predetermined rule; selecting the job to be executed next according to the status data and the processing order data of the selected task management data; executing the selected job; and updating the status data of the selected task management data in accordance with the execution of that job.
In the data processing method of the first aspect, the semiconductor circuit first generates, for each of the plurality of processing requests, task management data comprising job execution order data indicating the execution order of the plurality of jobs that form the processing corresponding to the processing request, and status data indicating the state of progress of execution of those jobs.
Next, the semiconductor circuit selects one set of task management data from the plurality of generated task management data according to the predetermined rule.
Next, the semiconductor circuit selects the job to be executed next according to the status data and the processing order data of the selected task management data.
The semiconductor circuit then executes the selected job.
Finally, the semiconductor circuit updates the status data of the selected task management data in accordance with the execution of that job.
In addition, the data processing method of the first aspect preferably further comprises the steps of updating the status data of the selected task management data and then selecting task management data again from the plurality of task management data.
In addition, the data processing method of the first aspect preferably further comprises the step of selecting task management data from the plurality of task management data after the status data of the selected task management data has been updated.
In addition, the data processing method of the first aspect preferably further comprises the step of deleting the task management data when all the jobs forming the processing corresponding to the processing request have finished executing.
In addition, the data processing method of the first aspect preferably further comprises the step of receiving the processing request from an integrated circuit having a memory, or from a communication device that inputs and outputs data to and from the integrated circuit, the memory storing data used in the processing of the procedure executed by the semiconductor circuit.
The semiconductor circuit of the second aspect of the present invention is a semiconductor circuit that processes data in accordance with a plurality of processing requests, comprising: an interface for inputting the plurality of processing requests; a memory circuit for storing task management data comprising job execution order data and status data, the job execution order data indicating the execution order of a plurality of jobs that form the processing corresponding to the processing request, and the status data indicating the state of progress of execution of the plurality of jobs; and a control circuit that generates task management data for each of the plurality of input processing requests and stores it in the memory circuit, selects one set of task management data from the plurality of generated task management data, selects and executes the job to be executed next according to the status data and the processing order data of the selected task management data, and updates the status data of the selected task management data in accordance with the execution of that job.
In the semiconductor circuit of the second aspect, the interface first inputs the plurality of processing requests.
Next, the control circuit generates, for each of the plurality of processing requests, task management data comprising job execution order data indicating the execution order of the plurality of jobs forming the processing corresponding to the processing request and status data indicating the state of progress of execution of those jobs, and stores it in the memory circuit.
Next, the control circuit selects one set of task management data from the plurality of task management data.
The control circuit then selects and executes the job to be executed next according to the status data and the processing order data of the selected task management data, and updates the status data of the selected task management data in accordance with the execution of that job.
The program of the third aspect of the present invention is a program executed by a semiconductor circuit that processes data in accordance with a plurality of processing requests, comprising: a routine that generates, for each of the plurality of processing requests, task management data comprising job execution order data and status data, the job execution order data indicating the execution order of a plurality of jobs forming the processing corresponding to the processing request, and the status data indicating the state of progress of execution of the plurality of jobs; a routine that selects one set of task management data from the plurality of generated task management data; a routine that selects the job to be executed next according to the status data and the processing order data of the selected task management data; a routine that executes the selected job; and a routine that updates the status data of the selected task management data in accordance with the execution of that job.
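The job scheduling described in the first to third aspects, as an added Python model that is not code from the patent or from Sony: each request yields one task management record (job order plus a status cursor), a record is selected by a rule, its next job runs, its status advances, and the record is dropped once every job has run. The job sets, the round-robin and run-to-completion selection rules, and the request ids are constructed assumptions; the patent only says "a predetermined rule".

```python
"""Per-request task management data driven by a selection rule."""
from collections import deque
from dataclasses import dataclass, field

# Constructed sample processing types: processing request kind -> job execution order.
PROCESSING_ORDERS = {
    "settlement": ["authenticate", "decrypt_request", "read_balance", "write_balance", "log"],
    "balance_inquiry": ["authenticate", "read_balance", "log"],
}


@dataclass
class TaskManagementData:
    """One record per processing request (the patent's entity data)."""
    request_id: int
    job_order: list                       # job execution order data
    status: int = 0                       # status data: index of the next job to run
    results: list = field(default_factory=list)

    def finished(self) -> bool:
        return self.status >= len(self.job_order)


def run_job(job: str, request_id: int) -> str:
    """Stand-in for executing one job; returns a result tag for the trace."""
    return f"{job}@{request_id}"


def create_entities(requests):
    """Generate one task management record for each (request_id, kind) pair."""
    return [TaskManagementData(req_id, list(PROCESSING_ORDERS[kind]))
            for req_id, kind in requests]


def schedule(requests, rule: str = "round_robin"):
    """Run every job of every request and return the interleaved (request_id, job) trace.

    rule: "round_robin" rotates through live records one job at a time;
          "run_to_completion" keeps selecting the oldest record until it is done.
    Both rules are assumptions standing in for the patent's "predetermined rule".
    """
    if rule not in ("round_robin", "run_to_completion"):
        raise ValueError(f"unknown selection rule {rule!r}")
    live = deque(create_entities(requests))   # records that still have jobs left
    trace = []
    while live:
        entity = live.popleft()                # select a record by the rule
        job = entity.job_order[entity.status]  # next job from status + order data
        entity.results.append(run_job(job, entity.request_id))
        trace.append((entity.request_id, job))
        entity.status += 1                     # update status data after execution
        if entity.finished():
            continue                           # all jobs done: record is deleted
        if rule == "round_robin":
            live.append(entity)
        else:
            live.appendleft(entity)
    return trace
```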
The data processing method of the fourth aspect of the present invention is a data processing method executed by a semiconductor circuit that runs an application program for processing related to a procedure using an integrated circuit, wherein the semiconductor circuit can refer to correspondence designation data indicating the correspondence between the operation codes used by the application program to operate the integrated circuit and the names of those operations, that is, operation names, the method comprising the steps of: having the semiconductor circuit receive as input an operation instruction program that describes the operations of the application program using the operation names; and having the semiconductor circuit obtain, by referring to the correspondence designation data, the operation codes corresponding to the operation names described in the operation instruction program, and define the processing of the application program using the obtained operation codes.
In addition, the data processing method of the fourth aspect preferably further comprises having the correspondence designation data also indicate the correspondence between the operation names and the key information used when the integrated circuit performs the operations corresponding to those operation names, and having the semiconductor circuit obtain, by referring to the correspondence designation data, the key information corresponding to the operation names described in the operation instruction program, and define the processing of the application program using the obtained key information.
In addition, the data processing method of the fourth aspect preferably further comprises having the semiconductor circuit generate task management data comprising job execution order data indicating the execution order of a plurality of jobs forming the processing of the application program and status data indicating the state of progress of execution of the plurality of jobs, select the job to be executed next according to the status data and the processing order data of the task management data, execute the selected job, and update the status data of the task management data in accordance with the execution of that job.
The semiconductor circuit of the fifth aspect of the present invention is a semiconductor circuit that runs an application program for executing processing related to a procedure using an integrated circuit, comprising: a memory circuit that stores correspondence designation data indicating the correspondence between the operation codes used by the application program to operate the integrated circuit and the names of those operations, that is, operation names; an interface for inputting an operation instruction program that describes the operations of the application program using the operation names; and a control circuit that obtains, by referring to the correspondence designation data, the operation codes corresponding to the operation names described in the input operation instruction program, and defines the processing of the application program using the obtained operation codes.
In the semiconductor circuit of the fifth aspect, the interface inputs an operation instruction program that describes the operations of the application program using operation names.
Next, the control circuit obtains, by referring to the correspondence designation data, the operation codes corresponding to the operation names described in the input operation instruction program.
The control circuit then defines the processing of the application program using the obtained operation codes.
The program of the sixth aspect of the present invention is a program executed by a semiconductor circuit that runs an application program for executing processing related to a procedure using an integrated circuit, comprising: a routine that inputs an operation instruction program describing the operations of the application program using the names of the operations of the integrated circuit, that is, operation names; a routine that obtains the operation codes corresponding to the operation names described in the operation instruction program by referring to correspondence designation data indicating the correspondence between the operation codes used by the application program to operate the integrated circuit and the operation names; and a routine that defines the processing of the application program using the obtained operation codes.
The data processing method of the seventh aspect of the present invention is a data processing method performed by a semiconductor circuit that executes an application program, comprising the steps of: protecting each program module of the plurality of program modules forming the application program by a firewall assigned in advance to that program module from among a plurality of firewalls; recording the program module linked with firewall identification information identifying the firewall assigned to the program module; and executing the program module on the condition that it has been recorded.
The data processing method of the seventh aspect preferably further comprises the step of permitting data transfer or data reference between program modules recorded as linked with the same firewall identification information, and prohibiting data transfer or data reference between program modules recorded as linked with different firewall identification information.
The data processing method of the seventh aspect preferably further comprises the steps of:
recording the program module linked also with download key information used when the program module is downloaded from the semiconductor circuit to outside the semiconductor circuit; when a download request concerning the program module is received, judging whether the download is possible using the download key information recorded as linked with that program module; and downloading the program module when the download is judged possible.
The semiconductor circuit of the eighth aspect of the present invention is a semiconductor circuit that runs an application program, protects each program module of the plurality of program modules forming the application program by a firewall assigned in advance to that program module from among a plurality of firewalls, records the program module linked with firewall identification information identifying the firewall assigned to the program module, and executes the program module on the condition that it has been recorded.
The program of the ninth aspect of the present invention is a program executed by a semiconductor circuit that runs an application program, comprising: a routine that protects each program module of the plurality of program modules forming the application program by a firewall assigned in advance to that program module from among a plurality of firewalls; a routine that records the program module linked with firewall identification information identifying the firewall assigned to that program module; and a routine that executes the program module on the condition that it has been recorded.
The data processing method of the tenth aspect of the present invention is a data processing method executed by a semiconductor circuit that runs application programs, comprising the steps of: independently executing a plurality of application programs each protected by a firewall; recording in advance the conditions under which communication between application programs through the firewalls is permitted; when an application program requests communication with another application program, judging whether the communication request satisfies the recorded conditions; and, when the communication request is judged to satisfy the recorded conditions, carrying out the communication between the application programs in accordance with the communication request.
The semiconductor circuit of the eleventh aspect of the present invention is a semiconductor circuit that independently executes a plurality of application programs each protected by a firewall, records in advance the conditions under which communication between application programs through the firewalls is permitted, judges, when an application program requests communication with another application program, whether the communication request satisfies the recorded conditions, and, when the communication request is judged to satisfy the recorded conditions, carries out the communication between the application programs in accordance with the communication request.
The semiconductor circuit of the eleventh aspect independently executes a plurality of application programs each protected by a firewall.
In addition, the semiconductor circuit records in advance the conditions under which communication between application programs through the firewalls is permitted.
In addition, when an application program requests communication with another application program, the semiconductor circuit judges whether the communication request satisfies the recorded conditions.
In addition, when the communication request is judged to satisfy the recorded conditions, the semiconductor circuit carries out the communication between the application programs in accordance with the communication request.
The program of the twelfth aspect of the present invention is a program that causes a semiconductor circuit to execute: a routine that independently executes a plurality of application programs each protected by a firewall; a routine that records in advance the conditions under which communication between application programs through the firewalls is permitted; a routine that judges, when an application program requests communication with another application program, whether the communication request satisfies the recorded conditions; and a routine that carries out the communication between the application programs in accordance with the communication request when the communication request is judged to satisfy the recorded conditions.
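The firewall policy of the seventh to twelfth aspects, as an added Python model that is not code from the patent or from Sony: a module runs only once recorded with its firewall identifier, data moves only between modules under the same identifier, a module is released for download only against its recorded download key, and a cross-firewall communication request is honoured only when a condition recorded in advance matches it. Module names, firewall ids, message types and keys are constructed sample values.

```python
"""Firewall-scoped program modules and gated inter-application communication."""
import hmac
from dataclasses import dataclass, field


class FirewallViolation(Exception):
    """Raised when a request is blocked by the recorded firewall policy."""


@dataclass
class ModuleRecord:
    name: str
    firewall_id: str
    download_key: bytes        # key that must be presented to download the module


@dataclass
class SemiconductorCircuit:
    modules: dict = field(default_factory=dict)        # name -> ModuleRecord
    comm_conditions: set = field(default_factory=set)  # (src_fw, dst_fw, msg_type)

    def record_module(self, name: str, firewall_id: str, download_key: bytes) -> None:
        """Record a module linked with its firewall id and its download key."""
        self.modules[name] = ModuleRecord(name, firewall_id, download_key)

    def execute(self, name: str) -> str:
        """Being recorded is the condition for execution."""
        rec = self.modules.get(name)
        if rec is None:
            raise FirewallViolation(f"module {name!r} is not recorded")
        return f"{name} executed inside {rec.firewall_id}"

    def transfer_data(self, src: str, dst: str, payload: bytes) -> bytes:
        """Data moves only between modules recorded under the same firewall id."""
        a, b = self.modules.get(src), self.modules.get(dst)
        if a is None or b is None:
            raise FirewallViolation("both modules must be recorded")
        if a.firewall_id != b.firewall_id:
            raise FirewallViolation(f"{src} and {dst} are behind different firewalls")
        return payload

    def record_comm_condition(self, src_fw: str, dst_fw: str, msg_type: str) -> None:
        """Record in advance one permitted cross-firewall communication."""
        self.comm_conditions.add((src_fw, dst_fw, msg_type))

    def communicate(self, src: str, dst: str, msg_type: str, payload: bytes) -> bytes:
        """A cross-firewall request is honoured only if a recorded condition matches."""
        a, b = self.modules.get(src), self.modules.get(dst)
        if a is None or b is None:
            raise FirewallViolation("both applications must be recorded")
        if (a.firewall_id, b.firewall_id, msg_type) not in self.comm_conditions:
            raise FirewallViolation(f"no recorded condition for {msg_type!r}")
        return payload

    def download(self, name: str, presented_key: bytes):
        """Release the module only if the presented key matches the recorded one."""
        rec = self.modules.get(name)
        if rec is None or not hmac.compare_digest(rec.download_key, presented_key):
            return None
        return rec


def denied(action, *args) -> bool:
    """True if the policy blocks the action; keeps the checks below readable."""
    try:
        action(*args)
    except FirewallViolation:
        return True
    return False


def build_sample_circuit() -> SemiconductorCircuit:
    """Two applications: A (modules a_auth, a_pay) and B (module b_report)."""
    sam = SemiconductorCircuit()
    sam.record_module("a_auth", "fw-A", b"key-a-auth")
    sam.record_module("a_pay", "fw-A", b"key-a-pay")
    sam.record_module("b_report", "fw-B", b"key-b-report")
    # Only A may notify B of a settlement; nothing is recorded for the reverse direction.
    sam.record_comm_condition("fw-A", "fw-B", "settlement_notice")
    return sam
```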
The data processing method of the present invention the 13 aspect is that the addressable semiconductor memory apparatus of semiconductor circuit or semiconductor circuit is loaded in the data processing method of the program of moving in the semiconductor circuit down by it, comprise the steps: to make semiconductor circuit to have the software configuration of forming by several layers, and make corresponding to every layer download signed validation key information and can be checked by semiconductor circuit, when receiving download request, the download signed information that makes semiconductor circuit utilize the checking of download signed validation key information to produce according to download request, to download signing messages legal is condition, makes semiconductor equipment allow the person of sending of download request to download and be used for the program of corresponding one deck of download signed validation key information of this checking.
In addition, the data processing method of the present invention the 13 aspect also comprises the steps: the affiliated corresponding visit master key information of one deck of the program that makes Authentication devices preserve and allow to be downloaded, make Authentication devices send download request to semiconductor circuit, with make Authentication devices use this visit master key information to produce download signed information, and this download signed information is sent to semiconductor circuit.
In addition, the data processing method of the present invention the 13 aspect also comprises the steps: to make Authentication devices to preserve the identifying information of semiconductor circuit, make Authentication devices utilization visit master key information to being the expressly identifying information encryption of form, download master key information thereby produce, and use this download master key information to produce download signed information.
The semiconductor circuit of the 14th aspect of the present invention is a semiconductor circuit having a software configuration made up of several layers, wherein the semiconductor circuit holds download signature verification key information corresponding to each layer, verifies, upon receiving a download request, the download signature information generated in accordance with the download request by using the download signature verification key information, and, on the condition that the download signature information is legitimate, permits the sender of the download request to download the program of the layer corresponding to the download signature verification key information used for that verification to the semiconductor circuit or to a semiconductor memory circuit accessible by the semiconductor circuit.
Upon receiving a download request, the semiconductor circuit of the 14th aspect of the present invention verifies, using the download signature verification key information, the download signature information generated in accordance with the download request.
Further, on the condition that the download signature information is legitimate, the semiconductor circuit permits the sender of the download request to download the program of the layer corresponding to the download signature verification key information used for that verification to the semiconductor circuit or to a semiconductor memory circuit accessible by the semiconductor circuit.
The authentication device of the 15th aspect of the present invention is an authentication device used for verification when a program to be run in a semiconductor circuit having a software configuration made up of several layers is downloaded to the semiconductor circuit or to a semiconductor memory device accessible by the semiconductor circuit. The authentication device holds access master key information corresponding to the layer to which the program it is permitted to download belongs, sends a download request to the semiconductor circuit, generates download signature information using the access master key information, and sends the download signature information to the semiconductor circuit.
The authentication device of the 15th aspect of the present invention first sends a download request to the semiconductor circuit.
Further, the authentication device generates download signature information using the access master key information.
Further, the authentication device sends the download signature information to the semiconductor circuit.
The program of the 16th aspect of the present invention is a program executed by a semiconductor circuit having a software configuration made up of several layers, comprising a routine that, upon receiving a download request, verifies the download signature information generated in accordance with the download request by using the download signature verification key information corresponding to one of the several layers, and a routine that, on the condition that the download signature information is legitimate, permits the sender of the download request to download the program of the layer corresponding to the download signature verification key information used for that verification to the semiconductor circuit or to a semiconductor memory circuit accessible by the semiconductor circuit.
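An added model of the per-layer download check of the 14th to 16th aspects (example code, not the patent's own implementation): the semiconductor circuit holds one verification key per layer, the authentication device holds the access master key of the single layer it may update, and a signature only ever unlocks the layer whose key verified it. The page does not name the signature algorithm, so an HMAC-SHA256 over the request with verification key equal to the access master key, the layer names, and the request format are all assumptions of this model.

```python
"""Model of the per-layer download signature check (added example)."""
import hashlib
import hmac
import os

LAYERS = ("OS", "lower_handler", "upper_handler", "AP")   # constructed layer names


def make_download_request(layer: str, program: bytes) -> dict:
    """The download request the requester sends (constructed format: it names
    the target layer and commits to the program body by digest)."""
    return {
        "layer": layer,
        "program_digest": hashlib.sha256(program).hexdigest(),
        "nonce": os.urandom(16).hex(),   # replay protection, an assumption of this model
    }


def request_bytes(req: dict) -> bytes:
    """Canonical byte string that is signed and verified."""
    return f"{req['layer']}|{req['program_digest']}|{req['nonce']}".encode()


class AuthenticationDevice:
    """15th aspect: holds the access master key of the one layer it may update."""

    def __init__(self, layer: str, access_master_key: bytes):
        self.layer = layer
        self._key = access_master_key

    def sign(self, req: dict) -> bytes:
        # download signature information generated from the download request
        return hmac.new(self._key, request_bytes(req), hashlib.sha256).digest()


class DownloadGate:
    """14th aspect: the semiconductor circuit's per-layer verification keys."""

    def __init__(self, verification_keys: dict):
        self._vkeys = dict(verification_keys)   # layer -> verification key
        self.programs = {}                       # layer -> downloaded program body

    def handle_download(self, req: dict, signature: bytes, program: bytes) -> bool:
        """Verify the signature under the key of the requested layer; only the
        program of that same layer may then be installed."""
        vkey = self._vkeys.get(req["layer"])
        if vkey is None:
            return False                         # unknown layer
        expected = hmac.new(vkey, request_bytes(req), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False                         # signature not valid for this layer
        if hashlib.sha256(program).hexdigest() != req["program_digest"]:
            return False                         # body is not the one that was signed
        self.programs[req["layer"]] = program
        return True
```

Because the request names the layer and the chip selects the verification key by that name, a requester holding only the AP-layer master key cannot produce a signature the chip will accept for the OS layer.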
The semiconductor circuit of the 17th aspect of the present invention is a semiconductor circuit having a data processing circuit and a data input/output processing circuit, wherein the data processing circuit inputs and outputs data with respect to a bus outside the semiconductor circuit through the data input/output processing circuit, and the data input/output circuit encrypts data input from the data processing circuit in units of a predetermined data length and outputs the encrypted data to the bus, decrypts data input from the bus and outputs the decrypted data to the data processing circuit, and, where the width of the bus is Nb, the data length is Nc, Nc/Nb = n, and m is the smallest integer equal to or greater than n, performs data input/output transactions over the bus in units of m data input/output transactions.
The semiconductor circuit of the 17th aspect of the present invention inputs and outputs data with respect to the bus outside the semiconductor circuit through the data input/output processing circuit.
At this time, the data input/output circuit encrypts the data input from the data processing circuit in units of the predetermined data length and outputs the encrypted data to the bus.
Further, the data input/output circuit decrypts the data input from the bus and outputs the decrypted data to the data processing circuit.
At this time, where the bus width is Nb, the data length is Nc, Nc/Nb = n, and m is the smallest integer equal to or greater than n, the data input/output circuit performs data input/output transactions over the external bus in units of m data input/output transactions.
Further, in the semiconductor circuit of the 17th aspect of the present invention, when a semiconductor memory circuit is accessed according to a first address input from the data processing circuit, the data input/output circuit preferably converts the first address into a second address so that the semiconductor memory circuit is accessed in units of memory blocks each holding Nc of data, and accesses the semiconductor memory circuit using the second address.
The data processing method of the 18th aspect of the present invention is a data processing method executed by a semiconductor circuit when the semiconductor circuit, connected to a semiconductor memory circuit by a bus, accesses the semiconductor memory circuit, comprising the steps of: encrypting data to be written to the semiconductor memory circuit in units of a predetermined data length and outputting the encrypted data to the bus; decrypting data input from the bus; and, where the bus width is Nb, the data length is Nc, Nc/Nb = n, and m is the smallest integer equal to or greater than n, performing data input/output transactions over the bus in units of m data input/output transactions.
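An added software model of the data input/output circuit of the 17th and 18th aspects (example code, not the patent's circuit): it computes m = ceil(Nc/Nb), carries each encrypted Nc-bit unit over the bus in m transactions, and translates the CPU's unit index (first address) into the bus-word address (second address) of the m-word slot that unit occupies, which is the reason the translation is needed when Nc/Nb is not an integer. The cipher is not specified on the page, so a keyed XOR keystream derived from HMAC-SHA256 is a stand-in, and the constructed Nc = 72, Nb = 32 figures in the test are assumptions of this model.

```python
"""Model of the Nc-unit / Nb-bus data input/output circuit (added example)."""
import hashlib
import hmac
import math


def transactions_per_unit(nc_bits: int, nb_bits: int) -> int:
    """m: the smallest integer >= n, where n = Nc / Nb."""
    return math.ceil(nc_bits / nb_bits)


class BusScrambler:
    """Data input/output circuit sitting between the CPU and the external bus."""

    def __init__(self, key: bytes, nc_bits: int, nb_bits: int):
        assert nc_bits % 8 == 0 and nb_bits % 8 == 0, "byte-sized Nc and Nb assumed"
        self.key = key
        self.nc = nc_bits // 8            # encryption unit, in bytes
        self.nb = nb_bits // 8            # bus width, in bytes
        self.m = transactions_per_unit(nc_bits, nb_bits)
        self.external_memory = {}         # bus-word address -> Nb-byte word

    def translate(self, unit_index: int) -> int:
        """First address (unit index from the CPU) -> second address: the first
        bus word of the m-word slot holding that unit.  A slot is m bus words,
        not Nc bits, so consecutive units are m words apart."""
        return unit_index * self.m

    def _keystream(self, unit_index: int) -> bytes:
        # stand-in scrambler: counter-mode keystream HMAC-SHA256(key, unit || ctr)
        out = b""
        ctr = 0
        while len(out) < self.nc:
            msg = unit_index.to_bytes(4, "big") + ctr.to_bytes(2, "big")
            out += hmac.new(self.key, msg, hashlib.sha256).digest()
            ctr += 1
        return out[: self.nc]

    def write_unit(self, unit_index: int, data: bytes) -> list:
        """Encrypt one Nc-byte unit and push it over the bus in m transactions;
        returns the bus-word addresses that were written."""
        assert len(data) == self.nc, "one unit of exactly Nc bits"
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(unit_index)))
        padded = ct.ljust(self.m * self.nb, b"\x00")   # last word padded when n < m
        base = self.translate(unit_index)
        written = []
        for i in range(self.m):
            self.external_memory[base + i] = padded[i * self.nb:(i + 1) * self.nb]
            written.append(base + i)
        return written

    def on_bus(self, unit_index: int) -> bytes:
        """What an observer of the external bus sees for this unit (ciphertext)."""
        base = self.translate(unit_index)
        raw = b"".join(self.external_memory[base + i] for i in range(self.m))
        return raw[: self.nc]

    def read_unit(self, unit_index: int) -> bytes:
        """Pull m bus words, drop the padding and decrypt back to Nc bytes."""
        ct = self.on_bus(unit_index)
        return bytes(a ^ b for a, b in zip(ct, self._keystream(unit_index)))
```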
The data processing apparatus of the 19th aspect of the present invention comprises: a memory circuit holding the instructions and data of several programs; a computing circuit that accesses the memory circuit through a transmission line and executes the several programs using their instructions and data; a connection switching circuit placed between the transmission line and the memory circuit, which sets the transmission line and the memory circuit to one of a connected state and a disconnected state according to a control signal; a connection control circuit that generates the control signal, and thereby controls whether the transmission line and the memory circuit are set to the connected state or the disconnected state, based on access range definition data defining, for each of the several programs, the address range in the memory circuit that may be accessed while the computing circuit is executing that program, the address in the memory circuit for which the computing circuit issues an access request, and program indication information indicating which of the several programs the computing circuit is executing; and an input/output interface circuit that inputs and outputs data with respect to the computing circuit through the transmission line and inputs and outputs data with respect to the outside of the data processing apparatus.
Further, in the data processing apparatus of the 19th aspect of the present invention, the connection control circuit preferably generates a control signal instructing that the transmission line and the memory circuit be set to the connected state when the address in the memory circuit for which the computing circuit issues an access request falls within the address range defined by the access range definition data for the program being executed, and generates a control signal instructing that they be set to the disconnected state when the address does not fall within that range.
The semiconductor circuit of the 20th aspect of the present invention is a semiconductor circuit that executes a program, comprising: a first transmission line; a memory circuit holding the instructions or data of the program to be executed; a computing circuit that operates according to instructions read from the memory circuit through the first transmission line; a first connection switching circuit that sets the first transmission line and the memory circuit to one of a connected state and a disconnected state according to a first control signal; a second connection switching circuit that sets a second transmission line outside the semiconductor circuit and the first transmission line to one of a connected state and a disconnected state according to a second control signal; and a connection control circuit that outputs to the second connection switching circuit a second control signal indicating disconnection when it outputs to the first connection switching circuit a first control signal indicating connection, and outputs to the second connection switching circuit a second control signal indicating connection when it outputs to the first connection switching circuit a first control signal indicating disconnection.
Further, in the semiconductor circuit of the 20th aspect of the present invention, the second connection switching circuit is connected through the second transmission line to a memory device located outside the semiconductor circuit.
Further, in the semiconductor circuit of the 20th aspect of the present invention, when the computing circuit reads an instruction from the memory circuit, the connection control circuit outputs a first control signal indicating connection to the first connection switching circuit and a second control signal indicating disconnection to the second connection switching circuit.
The semiconductor circuit of the 21st aspect of the present invention is a semiconductor circuit that executes a program, comprising: an encryption/decryption circuit that encrypts data to be output through a first transmission line to a memory device outside the semiconductor circuit which holds the encrypted instructions or data of the program, and decrypts the encrypted instructions or data input from the memory device through the first transmission line; a computing circuit that computes using the decrypted instructions or data; a selection circuit that selects, according to a control signal, whether to permit communication between a second transmission line outside the semiconductor circuit and the computing circuit; and a control circuit that, while the computing circuit is processing using the instructions or data of the program, outputs to the selection circuit a control signal indicating that communication between the second transmission line and the computing circuit is not permitted.
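An added model of the connection control of the 19th to 21st aspects (example code, not the patent's circuit): the access range definition data lists, per program, the addresses it may touch; the control circuit compares each requested address against the ranges of the program named by the program indication information and drives the switch to the memory circuit, while the switch to the external line is driven to the opposite state so external communication is cut whenever the internal memory line is open. The address ranges, memory contents and program ids are constructed sample data.

```python
"""Model of access-range gated memory connection (added example)."""
from dataclasses import dataclass, field

CONNECT, DISCONNECT = "connect", "disconnect"


@dataclass
class AccessRangeDefinition:
    """Access range definition data: program id -> inclusive address ranges
    that program may access in the memory circuit (constructed by the caller)."""
    ranges: dict

    def permits(self, program_id, address: int) -> bool:
        return any(lo <= address <= hi
                   for lo, hi in self.ranges.get(program_id, []))


@dataclass
class ConnectionControlCircuit:
    """Derives the control signal from the access range definition data, the
    requested address and the program indication information (19th aspect)."""
    definition: AccessRangeDefinition
    decisions: list = field(default_factory=list)   # (program, address, signal) trail

    def control_signal(self, program_id, address: int) -> str:
        signal = CONNECT if self.definition.permits(program_id, address) else DISCONNECT
        self.decisions.append((program_id, address, signal))
        return signal


class DataProcessingApparatus:
    def __init__(self, definition: AccessRangeDefinition, memory: dict):
        self.control = ConnectionControlCircuit(definition)
        self.memory = memory                 # memory circuit: address -> word
        self.running_program = None          # program indication information
        self.first_switch = DISCONNECT       # transmission line <-> memory circuit
        self.second_switch = CONNECT         # first line <-> external bus (20th aspect)

    def start_program(self, program_id) -> None:
        self.running_program = program_id

    def read(self, address: int):
        """The computing circuit issues an access request for `address`."""
        signal = self.control.control_signal(self.running_program, address)
        self.first_switch = signal
        # 20th aspect: the external line is always driven to the opposite state,
        # so an internal fetch is never visible on the external bus
        self.second_switch = DISCONNECT if signal == CONNECT else CONNECT
        if signal != CONNECT:
            return None   # line to the memory circuit is open; nothing reaches the CPU
        return self.memory.get(address)

    def external_io_permitted(self) -> bool:
        """21st aspect: external communication is permitted only while the
        computing circuit is not reading the program's instructions or data."""
        return self.second_switch == CONNECT
```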
The data processing apparatus of the 22nd aspect of the present invention is a data processing apparatus comprising a memory circuit and a semiconductor circuit, wherein the memory circuit holds, in a predetermined memory area, several application programs each made up of a plurality of data modules, the plurality of data modules including processing routine data describing processing for providing a service by communicating with an integrated circuit, and also holds management data indicating the data modules that are linked together, first key data used for using another data module in the processing according to a given data module, and second key data used for transferring data with respect to the integrated circuit in the processing according to that data module; and the semiconductor circuit performs the processing related to the service according to the data module and, in that processing, checks the management data, uses another data module by using the first key data corresponding to the data module, and transfers data with respect to the integrated circuit by using the second key data corresponding to the data module.
Further, in the data processing apparatus of the 22nd aspect of the present invention, the memory circuit preferably holds, in the form of data modules, at least one of: log data of the processing executed using the data modules; routine data indicating a routine for recording a data module in the memory area; routine data indicating a routine for deleting the record of a data module from the memory area; and routine data indicating a routine for defining the memory area for holding an application program.
Further, in the data processing apparatus of the 22nd aspect of the present invention, when the semiconductor circuit is to perform processing according to another data module, the semiconductor circuit preferably obtains, using the management data, the first key data corresponding to the given data module and the first key data corresponding to the other data module, and uses the other data module from the given data module being executed on the condition that the two obtained first key data match.
The data processing method of the 23rd aspect of the present invention is a data processing method by which a semiconductor circuit, which communicates with an integrated circuit and performs processing to provide a service, transfers data with respect to a memory circuit, comprising the steps of: when the memory circuit holds, in a predetermined memory area, several application programs each made up of a plurality of data modules including processing routine data describing processing for providing a service by communicating with the integrated circuit, and also holds management data indicating the data modules that are linked together, first key data used for using another data module in the processing according to a given data module, and second key data used for transferring data with respect to the integrated circuit in the processing according to that data module, causing the semiconductor circuit to perform the processing related to the service according to the data module; causing the semiconductor circuit to check the management data in the processing related to the service and to use another data module by using the first key data corresponding to the data module; and causing the semiconductor circuit to transfer data with respect to the integrated circuit in the processing related to the service by using the second key data corresponding to the data module.
The program of the 24th aspect of the present invention is a program executed by a semiconductor circuit for communicating with an integrated circuit, thereby performing processing to provide a service, and transferring data with respect to a memory circuit, comprising: when the memory circuit holds, in a predetermined memory area, several application programs each made up of a plurality of data modules including processing routine data describing processing for providing a service by communicating with the integrated circuit, and also holds management data indicating the data modules that are linked together, first key data used for using another data module in the processing according to a given data module, and second key data used for transferring data with respect to the integrated circuit in the processing according to that data module, a routine for performing the processing related to the service according to the data module; a routine for checking the management data in the processing related to the service and using another data module by using the first key data corresponding to the data module; and a routine for transferring data with respect to the integrated circuit in the processing related to the service by using the second key data corresponding to the data module.
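An added model of the data-module management of the 22nd to 24th aspects (example code, not the patent's implementation): each module carries management data naming the modules it is linked to, a first key used when calling another module and a second key used when exchanging data with the IC card, and a call is honoured only when the two modules' first key data match. How the second key protects the IC card transfer is not specified on the page; an HMAC-SHA256 tag is a stand-in, and the module names, key values and balance table are constructed sample data.

```python
"""Model of data modules with management data and key checks (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class DataModule:
    """One data module of an application program, with its management data."""
    module_id: str
    routine: Callable                         # processing routine data
    linked: set = field(default_factory=set)  # management data: linked modules
    first_key: bytes = b""                    # key for using another module
    second_key: bytes = b""                   # key for transfers to the IC card


class ModuleUseDenied(Exception):
    pass


class ModuleManager:
    """The semiconductor circuit's view of the memory circuit's data modules."""

    def __init__(self, modules):
        self.modules = {m.module_id: m for m in modules}

    def run(self, module_id: str, *args):
        """Perform the processing related to the service according to a module."""
        module = self.modules[module_id]
        return module.routine(self, module, *args)

    def use_module(self, caller_id: str, target_id: str, *args):
        """Use `target_id` from within `caller_id` (22nd aspect checks)."""
        caller, target = self.modules[caller_id], self.modules[target_id]
        if target_id not in caller.linked:
            raise ModuleUseDenied(f"{caller_id} is not linked to {target_id}")
        # both first key data are obtained from the management data and must match
        if not hmac.compare_digest(caller.first_key, target.first_key):
            raise ModuleUseDenied(f"first key data of {caller_id} and {target_id} differ")
        return target.routine(self, target, *args)

    def transfer_to_ic(self, module_id: str, payload: bytes):
        """Transfer data to the IC card under the module's second key data
        (stand-in: an HMAC tag accompanies the payload)."""
        key = self.modules[module_id].second_key
        return payload, hmac.new(key, payload, hashlib.sha256).digest()


# Constructed sample: AP_1 = settlement + balance modules sharing first key K1;
# AP_2 = a module of another enterprise holding a different first key K2.
K1, K2 = b"enterprise-15_1-first-key", b"enterprise-15_2-first-key"


def balance_routine(mgr, module, card_id):
    return {"card-0001": 500}.get(card_id, 0)     # constructed balance table


def settle_routine(mgr, module, card_id, amount):
    balance = mgr.use_module(module.module_id, "balance", card_id)
    if balance < amount:
        return None                               # insufficient balance
    return mgr.transfer_to_ic(module.module_id, f"debit {amount}".encode())


def build_manager() -> ModuleManager:
    return ModuleManager([
        DataModule("settle", settle_routine, {"balance"}, K1, b"ic-key-1"),
        DataModule("balance", balance_routine, set(), K1),
        DataModule("foreign", settle_routine, {"balance"}, K2, b"ic-key-2"),
    ])


def run_allowed(mgr: ModuleManager, module_id: str, *args) -> bool:
    """True if the module's processing is not refused by the key checks."""
    try:
        mgr.run(module_id, *args)
        return True
    except ModuleUseDenied:
        return False
```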
According to the present invention described above, the following effects can be obtained.
That is, according to the first to third aspects of the present invention, a data processing method, semiconductor circuit and program capable of efficiently performing processing according to a large number of processing requests can be provided.
According to the fourth to sixth aspects of the present invention, a user can be enabled to generate and customize the application program to be executed for that user by a server, without sensitive information being disclosed to the user.
According to the seventh to ninth aspects of the present invention, a data processing method, semiconductor circuit and program can be provided which, when several application programs run on the same semiconductor circuit, can prevent each application program from being affected by another application program.
According to the tenth to twelfth aspects of the present invention, a data processing method, semiconductor circuit and program can be provided which were devised in view of the prior art described above and which, when several application programs run on the same semiconductor circuit, allow data to be transferred between the application programs as required while preventing each application program from being illegally tampered with, monitored, etc. by the user of another application program.
According to the 13th to 16th aspects of the present invention, a data processing method, semiconductor circuit, authentication device and program can be provided which can restrict the content of access to the semiconductor circuit by a server or the like according to its authority.
According to the 17th and 18th aspects of the present invention, a semiconductor circuit and data processing method can be provided which can maintain the confidentiality of data even when sensitive data is transferred between the semiconductor circuit and a semiconductor memory circuit over an external bus.
According to the 19th aspect of the present invention, a data processing apparatus can be provided which can maintain the confidentiality of the instructions and data between programs when executing several programs.
According to the 20th and 21st aspects of the present invention, a semiconductor circuit can be provided which can improve the confidentiality of the program being executed.
According to the 22nd to 24th aspects of the present invention, a data processing apparatus, method and program can be provided which can improve the security of an application program running on a server when a service is provided using an IC card or other integrated circuit.
Description of drawings
Fig. 1 is a view of the overall structure of the communication system of an embodiment of the present invention.
Fig. 2 illustrates the software configuration of the SAM chip shown in Fig. 1.
Fig. 3 is a functional block diagram of the IC of the IC card shown in Fig. 1.
Fig. 4 illustrates the information held in the memory shown in Fig. 3.
Fig. 5 illustrates the information held in the external memory of the SAM device shown in Fig. 1.
Fig. 6 illustrates the service definition table data shown in Fig. 5.
Fig. 7 illustrates the processing in the SAM chip that uses the service definition table data and the script program shown in Fig. 5.
Fig. 8 illustrates the commands used in the script program.
Fig. 9 is a functional block diagram of the SAM chip shown in Fig. 1.
Figure 10 illustrates the data held in the memory shown in Fig. 9.
Figure 11 illustrates the format of the IC card entity data generated by the SAM chip.
Figure 12 is a state transition diagram of the IC card entity data shown in Figure 11.
Figure 13 illustrates the processing routine of the IC card procedure management task shown in Figure 10.
Figure 14 illustrates the overall operation of the communication system shown in Fig. 1.
Figure 15 illustrates the overall operation of the communication system shown in Fig. 1.
Figure 16 illustrates the communication protocol between the IC card and the SAM chip.
Figure 17 is a functional block diagram showing the functional blocks of the SAM chip shown in Fig. 9 in more detail.
Figure 18 illustrates another mode of use of the SAM chip.
Figure 19 is a view of the overall structure of the communication system of an embodiment of the present invention.
Figure 20 illustrates the software configuration of the SAM chip shown in Figure 19.
Figure 21 is a functional block diagram of the IC of the IC card shown in Figure 19.
Figure 22 illustrates the information held in the memory shown in Figure 21.
Figure 23 illustrates the external memory of the SAM device shown in Figure 19.
Figure 24 illustrates the format of the module management data shown in Figure 23.
Figure 25 is a functional block diagram of the SAM chip shown in Fig. 1.
Figure 26 illustrates the execution of tasks by the CPU shown in Figure 25.
Figure 27 is a flow chart illustrating the operation of downloading an application program from a personal computer to the external memory shown in Figure 19.
Figure 28 is a flow chart illustrating the operation of the SAM chip executing the application program shown in Figure 19.
Figure 29 illustrates the operation during execution of the application program.
Figure 30 illustrates the overall operation of the system shown in Figure 19.
Figure 31 is a functional block diagram showing the functional blocks of the SAM chip shown in Figure 25 in more detail.
Figure 32 illustrates another mode of use of the SAM chip.
Figure 33 illustrates the overall structure of the communication system of an embodiment of the present invention.
Figure 34 illustrates the software configuration of the SAM chip shown in Figure 33.
Figure 35 is a functional block diagram of the IC of the IC card shown in Figure 33.
Figure 36 illustrates the information held in the memory shown in Figure 35.
Figure 37 is a view of the external memory of the SAM device shown in Figure 33.
Figure 38 illustrates the AP selection data shown in Figure 37.
Figure 39 illustrates the inter-AP communication data shown in Figure 37.
Figure 40 is a functional block diagram of the SAM chip shown in Figure 33.
Figure 41 illustrates the execution of tasks by the CPU shown in Figure 40.
Figure 42 illustrates the function of the settlement processing routine task shown in Figure 41.
Figure 43 is a flow chart illustrating the processing of the inter-AP communication task shown in Figure 41.
Figure 44 illustrates the inter-SAM communication task shown in Figure 41.
Figure 45 illustrates the overall operation of the communication system shown in Figure 33.
Figure 46 is a functional block diagram showing the functional blocks of the SAM chip shown in Figure 40 in more detail.
Figure 47 illustrates another mode of use of the SAM chip.
Figure 48 is a view of the overall structure of the communication system of an embodiment of the present invention.
Figure 49 illustrates the software configuration of the SAM chip shown in Figure 48.
Figure 50 is a functional block diagram of the authentication device of an enterprise using the application program shown in Figure 48.
Figure 51 illustrates the function of the mutual authentication device shown in Figure 50.
Figure 52 illustrates the function of the download processing device shown in Figure 50.
Figure 53 is a functional block diagram of the authentication device of the software developer of the handler layer shown in Figure 48.
Figure 54 illustrates the function of the download processing device shown in Figure 53.
Figure 55 is a functional block diagram of the authentication device of the manager of the SAM chip shown in Figure 48.
Figure 56 illustrates the function of the download processing device shown in Figure 55.
Figure 57 illustrates the external memory of the SAM device shown in Figure 48.
Figure 58 is a functional block diagram of the SAM chip shown in Figure 48.
Figure 59 is a flow chart illustrating the operation of downloading an application program from a personal computer to the external memory shown in Figure 48.
Figure 60 illustrates the processing of a transaction of the IC card using the communication system shown in Figure 48.
Figure 61 is a functional block diagram showing the functional blocks of the SAM chip shown in Figure 58 in more detail.
Figure 62 illustrates another mode of use of the SAM chip.
Figure 63 illustrates a modification of the communication system shown in Figure 48.
Figure 64 is a view of the overall structure of the communication system of an embodiment of the present invention.
Figure 65 illustrates the software configuration of the SAM chip shown in Figure 64.
Figure 66 illustrates the external memory of the SAM device shown in Figure 64.
Figure 67 is a functional block diagram of the SAM chip shown in Figure 64.
Figure 68 illustrates the relationship among the CPU shown in Figure 66, the bus scrambling device and the external memory.
Figure 69 illustrates the address spaces between the CPU and the external memory shown in Figure 68.
Figure 70 is a functional block diagram of the bus scrambling device shown in Figure 67.
Figure 71 illustrates the write operation to the external memory performed by the bus scrambling device shown in Figure 67.
Figure 72 is a flow chart of the operation shown in Figure 71.
Figure 73 illustrates the read operation from the external memory performed by the bus scrambling device shown in Figure 67.
Figure 74 is a flow chart of the operation shown in Figure 73.
Figure 75 illustrates the scrambling key exchange processing in the scrambling key management device shown in Figure 70.
Figure 76 illustrates the scrambling key exchange processing in the scrambling key management device shown in Figure 70.
Figure 77 illustrates the scrambling key exchange timing in the scrambling key management device shown in Figure 70.
Figure 78 illustrates the scrambling key exchange timing in the scrambling key management device shown in Figure 70.
Figure 79 illustrates the pipeline processing performed by the pipeline processing control device shown in Figure 70.
Figure 80 illustrates the overall operation of the communication system shown in Figure 64.
Figure 81 is a functional block diagram showing the functional blocks of the SAM chip shown in Figure 67 in more detail.
Figure 82 illustrates another mode of use of the SAM chip.
Figure 83 is a functional block diagram of a computer used in electronic settlement according to the related art of the present invention.
Figure 84 illustrates the software configuration of the computer of Figure 83 and an embodiment of the present invention.
Figure 85 illustrates the types of IC cards processed by the computer shown in Figure 83.
Figure 86 illustrates the storage state of the memory shown in Figure 83 before writing.
Figure 87 illustrates the storage state of the memory shown in Figure 83 after writing.
Figure 88 illustrates the correspondence between the application programs and the IC card types shown in Figure 84.
Figure 89 is a view of the structure of a computer according to an embodiment of the present invention.
Figure 90 shows the structure of the decision circuit shown in Figure 89.
Figure 91 is a view of the structure of the fetch decision circuit shown in Figure 90.
Figure 92 illustrates the fetch range definition data shown in Figure 91.
Figure 93 is a view of the inter-AP call relation definition data for fetching shown in Figure 91.
Figure 94 is a view of the structure of the read decision circuit shown in Figure 90.
Figure 95 illustrates the read range definition data shown in Figure 94.
Figure 96 illustrates the inter-AP call relation definition data for reading shown in Figure 94.
Figure 97 is a view of the structure of the write decision circuit shown in Figure 90.
Figure 98 illustrates the write range definition data shown in Figure 97.
Figure 99 illustrates the inter-AP call relation definition data for writing shown in Figure 97.
Figure 100 illustrates another embodiment of the present invention.
Figure 101 illustrates another embodiment of the present invention.
Figure 102 is a view of the structure of the semiconductor chip of a first embodiment of the present invention.
Figure 103 illustrates the software configuration of the semiconductor chip shown in Figure 102.
Figure 104 illustrates the structure of the program module shown in Figure 102.
Figure 105 is a view of the structure of the semiconductor chip of a second embodiment of the present invention.
Figure 106 illustrates the structure of the program module shown in Figure 105.
Figure 107 illustrates the encryption and decryption units and the parity data handled by the encryption/decryption circuit shown in Figure 105.
Figure 108 illustrates the key information table held by the encryption/decryption circuit shown in Figure 105.
Figure 109 is a view of the overall structure of the communication system of the present embodiment.
Figure 110 illustrates another SAM chip with which the SAM chip shown in Figure 109 communicates.
Figure 111 illustrates another SAM chip with which the SAM chip shown in Figure 109 communicates.
Figure 112 is a functional block diagram of the IC card shown in Figure 109.
Figure 113 is a view illustrating the memory shown in Figure 112.
Figure 114 illustrates the software configuration of the SAM chip shown in Figure 109.
Figure 115 illustrates the memory areas of the external memory shown in Figure 109.
Figure 116 illustrates the application program AP shown in Figure 115.
Figure 117 illustrates the types of the application element data APE shown in Figure 116.
Figure 118 illustrates the processing of the SAM chip shown in Figure 109.
Figure 119 illustrates the commands used in the IC card operation macro script program shown in Figure 118.
Figure 120 illustrates the AP management storage area shown in Figure 115.
Figure 121 illustrates the AP management table data shown in Figure 120.
Figure 122 illustrates SAM_ID.
Figure 123 illustrates the APP table data shown in Figure 120.
Figure 124 is a functional block diagram of the SAM chip shown in Figure 109.
Figure 125 illustrates the tasks, programs and data held in the memory shown in Figure 124.
Figure 126 illustrates the format of the IC card entity data 73_x.
Figure 127 illustrates the state transitions of the entity state data shown in Figure 126.
Figure 128 is a flow chart of the processing executed by the IC card procedure management task.
Figure 129 illustrates the processing executed by the SAM chip when, in the operation of step ST4 of Figure 128, a routine defined by application element data APE accesses or processes data defined by other application element data APE.
Figure 130 illustrates the processing executed by the SAM chip when, in the operation of step ST4 of Figure 128, a routine defined by application element data APE accesses or processes data defined by other application element data APE.
Figure 131 illustrates the overall operation of the communication system shown in Figure 109.
Figure 132 illustrates the overall operation of the communication system shown in Figure 109.
Figure 133 is a view explaining the prior art.
Embodiment
Embodiments of the invention are described below with reference to the accompanying drawings.
First embodiment
Present embodiment is the embodiment corresponding to first to the 6th aspect of the present invention.
Fig. 1 is the general structure of the communication system 1 of present embodiment.
As shown in Fig. 1, communication system 1 has server 2, IC card 3, card reader/writer 4, personal computer 5, ASP (application service provider) server 6 and SAM (security application module) device 9, which communicate via the Internet 10, and carries out settlement processing or other processing using IC card 3 (the integrated circuit of the present invention).
SAM device 9 has external memory 7 and SAM chip 8 (the semiconductor circuit of the present invention).
SAM chip 8 has the software configuration shown in Fig. 2.
As shown in Fig. 2, from the bottom layer to the top layer, SAM chip 8 has a HW (hardware) layer, an OS layer, a low-level handler layer, a high-level handler layer and an AP layer.
The low-level handler layer includes a driver layer.
Here, the AP layer comprises applications AP_1, AP_2 and AP_3, which define the processes by which the credit card company or other enterprises 15_1, 15_2 and 15_3 shown in Fig. 1 use IC card 3.
In the AP layer, a firewall FW is provided between applications AP_1, AP_2 and AP_3 and the high-level handler layer.
Application AP_1 is defined by service definition table data (correspondence table data) 20_1 and script program (job description program) 21_1, which are stored in external memory 7 and described later.
Application AP_2 is defined by service definition table data (correspondence table data) 20_2 and script program (job description program) 21_2, which are stored in external memory 7 and described later.
Application AP_3 is defined by service definition table data (correspondence table data) 20_3 and script program (job description program) 21_3, which are stored in external memory 7 and described later.
SAM chip 8 is connected to ASP server 6 via a SCSI port, Ethernet or the like. ASP server 6 is connected via the Internet 10 to a number of terminal devices, including the end user's personal computer 5 and personal computers 16_1, 16_2 and 16_3 of enterprises 15_1, 15_2 and 15_3.
Personal computer 5 is connected to a dumb-type card reader/writer 4 via a serial port or USB port. Card reader/writer 4 carries out the physical wireless communication with IC card 3.
The operational commands sent to IC card 3 are generated, and the response packets returned by IC card 3 are analyzed, on the SAM device 9 side. Card reader/writer 4, personal computer 5 and ASP server 6, which sit between them, therefore only carry the command or response content as a data payload and relay that payload; they take no part in the encryption and decryption of data, in authentication, or in the other actual operations on IC card 3.
Personal computers 16_1, 16_2 and 16_3 can download the script programs described later to the SAM chip, and thereby customize their applications AP_1, AP_2 and AP_3.
The components shown in Fig. 1 are described below.
[IC card 3]
Fig. 3 is a functional block diagram of IC card 3.
As shown in Fig. 3, IC card 3 has an IC (integrated circuit) 3a provided with memory 50 and processor 51.
As shown in Fig. 4, memory 50 has memory area 55_1, used by the credit card company or other enterprise 15_1, memory area 55_2, used by enterprise 15_2, and memory area 55_3, used by enterprise 15_3.
In addition, memory 50 stores key information used to judge access rights to memory area 55_1, key information used to judge access rights to memory area 55_2, and key information used to judge access rights to memory area 55_3. The key information is used for mutual authentication, encryption and decryption of data, and so on.
In addition, memory 50 stores identification information of IC card 3 or of the user of IC card 3.
SAM device 9 is described in more detail below.
[External memory 7]
Fig. 5 illustrates the data and programs stored in external memory 7 shown in Fig. 1.
As shown in Fig. 5, external memory 7 stores service definition table data 20_1 and IC card operation macro script program 21_1 of enterprise 15_1.
In addition, external memory 7 stores service definition table data 20_2 and IC card operation macro script program 21_2 of enterprise 15_2.
In addition, external memory 7 stores service definition table data 20_3 and IC card operation macro script program 21_3 of enterprise 15_3.
Service definition table data 20_1, 20_2 and 20_3 have the same format.
In addition, IC card operation macro script programs 21_1, 21_2 and 21_3 are written using a common macro language.
In addition, service definition table data 20_1, 20_2 and 20_3 and IC card operation macro script programs 21_1, 21_2 and 21_3 are stored in external memory 7 in encrypted form. The encrypted data and programs are decrypted inside SAM chip 8.
In the present embodiment, script programs 21_1, 21_2 and 21_3 are produced by enterprises 15_1, 15_2 and 15_3 using personal computers 16_1, 16_2 and 16_3 shown in Fig. 1, and are downloaded to external memory 7 via SAM chip 8.
In addition, the administrator of SAM chip 9 produces service definition table data 20_1, 20_2 and 20_3 according to instructions from enterprises 15_1, 15_2 and 15_3.
Fig. 6 illustrates service definition table data 20_1.
As shown in Fig. 6, service definition table data 20_1 has a COS unit (job name), an address, a service number (job code), key version information and key information.
The "COS unit" represents the name assigned to a service provided by the application of enterprise 15_1. The COS unit is a reference identifier, not the service number of the service that the application of enterprise 15_1 can use.
In the present embodiment, as shown in Fig. 6, "Rc", "Rd", "Wd" and "Wc" are used as the COS units of service definition table data 20_1 corresponding to enterprise 15_1.
In the present embodiment, IC card operation macro script program 21_1 defines a service content that combines a number of COS units, and this is reflected in the IC card entity data (task management data) described later, so that a combined service corresponding to a number of COS units can be provided.
For example, the IC card entity data can define a combination of a service for reading data from IC card 3 and a service for writing data to server 2.
The service number in service definition table data 20_1 is the operational command that is issued to IC card 3, and that IC card 3 can interpret, when the service provided by enterprise 15_1 is executed.
The "address" in service definition table data 20_1 indicates the address at which the data relating to the process of the corresponding COS unit is stored.
The "key version information" in service definition table data 20_1 indicates the version of the key used when the service is provided.
The "key information" in service definition table data 20_1 is the key information used when the service is provided.
For example, the key information used when accessing memory area 55_1 of IC 3a of IC card 3 shown in Fig. 3 is set in service definition table data 20_1.
In addition, the key information used when accessing memory area 55_2 of IC 3a is set in service definition table data 20_2.
In addition, the key information used when accessing memory area 55_3 of IC 3a is set in service definition table data 20_3.
IC card operation macro script program 21_1 is described below.
Script program 21_1 is a program that defines the application of enterprise 15_1 running on the SAM chip and the processing procedure that IC card 3 carries out when that application is executed.
In the present embodiment, as described later and shown in Fig. 7, SAM chip 8 uses service definition table data 20_1 and script program 21_1 to produce IC card entity template data 30_1, input data block 31_x1, output data block 32_x2, log data block 33_x3 and calculation definition data block 34_x4 for the processes relating to enterprise 15_1.
Fig. 8 illustrates the commands used to describe IC card operation macro script programs 21_1, 21_2 and 21_3.
Among the commands, those concerning SAM chip 8 itself are given the initial letter "S", and those relating to operation of IC card 3 are given the initial letter "C".
In addition, the second letter is chosen according to the use. For example, for a description setting the issuer of IC card 3 the second letter is "I"; for a COS unit description it is "S"; for a description of reading from IC card 3 it is "R"; for a description of writing to IC card 3 it is "W"; and for a COS calculation definition it is "F".
The commands used to describe script programs 21_1, 21_2 and 21_3 include the SC command, SO command, SI command, SL command, SF command, CI command, CS command, CR command and CW command.
The SC command describes the maximum number of IC card entity data that SAM chip 8 can process simultaneously.
For example, when SAM chip 8 can process 1000 IC card entity data simultaneously, "SC:1000" is written.
The SO command describes which of the data blocks produced in SAM chip 8 constitute output data block 32_x2, in which the data read from IC card 3 is stored, when processing with IC card 3 is carried out according to the IC card entity data described later.
For example, when data blocks 1 to 10 are formed and the data read from IC card 3 is stored in data block 1, "SO:1" is written.
The SI command describes which of the data blocks formed in SAM chip 8 constitute input data block 31_x1, in which the data to be written to IC card 3 is stored, when processing with IC card 3 is carried out according to the IC card entity data described later.
For example, when data blocks 1 to 10 are formed and the data to be written to IC card 3 is stored in data blocks 2 and 3, "SI:2,3" is written.
The SL command describes which of the data blocks formed in SAM chip 8 constitute log data block 33_x3, which stores the log data relating to the jobs, when processing with IC card 3 is carried out according to the IC card entity data described later.
For example, when data blocks 1 to 10 are formed and the log data is stored in data block 4, "SL:4" is written.
The SF command designates the data block forming calculation definition data block 34_x4; calculation definition data block 34_x4 describes the definition of the relation between the COS units relating to IC card 3.
The content of calculation definition data block 34_x4 becomes the pre-processing information of the IC card entity data.
The CI command describes the issuer (enterprise) of IC card 3.
The enterprise information defined by the CI command is set as the IC card type information of the IC card entity data.
The CS command describes, by reference to the COS units, the operation of the COS units when a number of services of IC card 3 are used.
For example, CS:"Rc"+"Wc"+"Wd" may be written.
Based on the content of the CS command, the COS unit designation information and the processing order information of the IC card entity data are determined.
The CR command describes, when the relation between the COS units is not defined (when no SF command is written), that the data read from IC card 3 is stored in the designated data block.
For example, when the data read from IC card 3 is stored in data block 1, CR:SO:1="Rc" is written.
The CW command describes, when the relation between the COS units is not defined, that the data stored in the designated data block is written to IC card 3.
For example, when the data stored in data block 2 is written to IC card 3, CW:SI:2="Wc" is written.
The CF command describes the data block in which the calculation content generating (spawning) a service is described.
For example, when the calculation content generating a service is described in SF data block 1, "CF:CES_FUNC=SF:1" is written.
In addition, SF data block 1 describes, for example, "Wc"=If("Wc">10) then ("Wc"-10; "Wd"="Wc"*0.08+"Wd"). This formula expresses an operation in which, when the remaining count Wc of the service is greater than 10, 10 is subtracted from the value of Wc and points corresponding to 8% of Wc are added to Wd as an accumulated count.
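As an added illustration (not code from the patent), the following Python parses a script program written in the command notation just described and builds an entity-template record from it, checking that every COS unit named in the CS command exists in the service definition table and that no data block is claimed by two S commands; the line-oriented text syntax, the dict layout, the constructed table values and the sequential reading of the SF formula are assumptions.

```python
"""Parser for the IC card operation macro script commands (SC, SO, SI, SL,
SF, CI, CS, CR, CW, CF) described for script programs 21_1 to 21_3.
Added example: the line-oriented text syntax, the dict layout and all
sample values are assumptions, not the patent's own data format."""
import re

# Constructed service definition table data (cf. 20_1, Fig. 6):
# COS unit -> address, service number (job code), key version, key.
SERVICE_DEFINITION_TABLE = {
    "Rc": {"address": 0x0100, "service_number": 0x0A, "key_version": 1, "key": "KEY_RC"},
    "Rd": {"address": 0x0110, "service_number": 0x0B, "key_version": 1, "key": "KEY_RD"},
    "Wd": {"address": 0x0120, "service_number": 0x1B, "key_version": 2, "key": "KEY_WD"},
    "Wc": {"address": 0x0130, "service_number": 0x1A, "key_version": 2, "key": "KEY_WC"},
}

# Constructed script program in the command notation of Fig. 8.
SCRIPT_21_1 = """
SC:1000
SO:1
SI:2,3
SL:4
SF:5
CI:ENTERPRISE_15_1
CS:"Rc"+"Wc"+"Wd"
CR:SO:1="Rc"
CW:SI:2="Wc"
CF:CES_FUNC=SF:5
"""

_QUOTED = re.compile(r'"([A-Za-z0-9_]+)"')
_BLOCK_KEYS = {"SO": "output_blocks", "SI": "input_blocks",
               "SL": "log_blocks", "SF": "calc_blocks"}


def parse_script(text, service_table):
    """Build an entity template record (cf. 30_1) from a script program.

    Raises ValueError for a data block claimed by two S commands, for a
    COS unit the service definition table does not define, and for a CR,
    CW or CF command that names a block not declared by SO, SI or SF."""
    tmpl = {"max_entities": None, "output_blocks": [], "input_blocks": [],
            "log_blocks": [], "calc_blocks": [], "issuer": None,
            "cos_units": [], "read_map": {}, "write_map": {}, "calc_func": None}
    claimed = {}                      # data block number -> declaring command
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(":")
        if cmd in _BLOCK_KEYS:        # SO / SI / SL / SF: data block layout
            for b in (int(n) for n in arg.split(",") if n.strip()):
                if b in claimed:
                    raise ValueError(f"block {b} claimed by {claimed[b]} and {cmd}")
                claimed[b] = cmd
                tmpl[_BLOCK_KEYS[cmd]].append(b)
        elif cmd == "SC":             # maximum simultaneous entity data
            tmpl["max_entities"] = int(arg)
        elif cmd == "CI":             # issuer -> IC card type information 83
            tmpl["issuer"] = arg
        elif cmd == "CS":             # COS units -> designation information 84
            units = _QUOTED.findall(arg)
            missing = [u for u in units if u not in service_table]
            if missing:
                raise ValueError(f"CS names undefined COS unit(s) {missing}")
            tmpl["cos_units"] = units
        elif cmd in ("CR", "CW"):     # CR:SO:<n>="<unit>" / CW:SI:<n>="<unit>"
            m = re.fullmatch(r'(SO|SI):(\d+)="([A-Za-z0-9_]+)"', arg)
            want = "SO" if cmd == "CR" else "SI"
            if not m or m.group(1) != want:
                raise ValueError(f"malformed {cmd} command: {line}")
            block = int(m.group(2))
            if block not in tmpl[_BLOCK_KEYS[want]]:
                raise ValueError(f"{cmd} uses block {block} not declared by {want}")
            target = "read_map" if cmd == "CR" else "write_map"
            tmpl[target][m.group(3)] = block
        elif cmd == "CF":             # CF:<name>=SF:<n>
            m = re.fullmatch(r"(\w+)=SF:(\d+)", arg)
            if not m or int(m.group(2)) not in tmpl["calc_blocks"]:
                raise ValueError(f"malformed CF command: {line}")
            tmpl["calc_func"] = (m.group(1), int(m.group(2)))
        else:
            raise ValueError(f"unknown command {cmd!r}: {line}")
    return tmpl


def sf_block_1(wc, wd):
    """The calculation definition given for SF data block 1 in the text:
    "Wc"=If("Wc">10) then ("Wc"-10; "Wd"="Wc"*0.08+"Wd").
    Assumption: the two statements run in order, so the 8% is taken from
    the already reduced Wc.  Returns the new (Wc, Wd)."""
    if wc > 10:
        wc = wc - 10
        wd = wc * 0.08 + wd
    return wc, wd
```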
[SAM chip 8]
Fig. 9 is a functional block diagram of the SAM chip shown in Fig. 1.
As shown in Fig. 9, SAM chip 8 has ASPS communication interface 60, external memory communication interface 61, bus scrambler 62, random number generator 63, encryption/decryption device 64, memory 65 and CPU 66.
SAM chip 8 is a tamper-resistant module.
ASPS communication interface 60 is the interface used for data input and output with ASP server 6 shown in Fig. 1.
External memory communication interface 61 is the interface used for data input and output with external memory 7.
When data is input and output through external memory communication interface 61, bus scrambler 62 encrypts the output data and decrypts the input data.
Random number generator 63 generates the random numbers used in authentication processing.
Encryption/decryption device 64 encrypts data and decrypts encrypted data.
As described later, memory 65 stores the tasks, programs and data used by CPU 66.
CPU 66 executes, according to a predetermined program (the program of the present invention), the script download task, script interpretation task, entity generation task (task management data generation task) and IC card process management task (task management data management task) described later, and other tasks.
The tasks, programs and data stored in memory 65 are described below.
Fig. 10 illustrates the tasks, programs and data stored in memory 65.
As shown in Fig. 10, memory 65 stores script download task 69, script interpretation task 70, entity generation task 71, IC card process management task 72, IC card operation macro script programs 21_1 to 21_3, service definition tables 20_1 to 20_3, IC card entity template data 30_1 to 30_3, IC card entity data 73_x, input data block 31_x1, output data block 32_x2, log data block 33_x3 and calculation definition data block 34_x4.
As shown in Fig. 7, script download task 69 downloads the service definition table data 20_1 to 20_3 of the enterprises and loads them into SAM chip 8.
Script interpretation task 70 uses the service definition table data and the script programs to produce the IC card entity template data, input data blocks, output data blocks, log data blocks and calculation definition data blocks of each enterprise.
The number of data blocks produced for each enterprise is not particularly limited.
When entity generation task 71 receives an entity generation request from ASP server 6, it polls IC card 3 and then produces IC card entity data using the IC card entity template data corresponding to the enterprise; that IC card entity data is used for the processing of the process between IC card 3 and the enterprise. At this time, the IC card entity template data serves as a class, and the IC card entity data is produced in the form of an instance of that class.
The processing by which entity generation task 71 produces IC card entity data is described in detail later.
IC card process management task 72 uses the one or more IC card entity data 73_x present in memory 65 to carry out the processing of the processes between IC card 3 and enterprises 15_1 to 15_3.
In the present embodiment, a number of processes between a number of IC cards 3 and enterprises 15_1 to 15_3 are processed simultaneously.
IC card process management task 72 executes the processing of the plurality of processes in parallel.
When a series of processes is finished, IC card process management task 72 deletes the IC card entity data 73_x.
The processing of IC card process management task 72 is described in detail later.
Script programs 21_1 to 21_3 are input from external memory 7 to memory 65 by script download task 69.
Service definition table data 20_1 to 20_3 are input from external memory 7 and stored in memory 65 by script download task 69.
IC card entity template data 30_1 to 30_3 are produced by script interpretation task 70 and are used as templates (classes) when producing the IC card entity data 73_x of a process relating to the corresponding enterprise.
Using IC card entity template data 30_1 to 30_3 as classes, entity generation task 71 produces IC card entity data 73_x in the form of instances of those classes.
Input data block 31_x1, output data block 32_x2, log data block 33_x3 and calculation definition data block 34_x4 are produced by script interpretation task 70.
IC card entity data 73_x is described below.
When SAM chip 8 receives from ASP server 6 a processing request for processing that uses IC card 3 and the application of a predetermined enterprise, IC card entity data 73_x is produced in SAM chip 8 by entity generation task 71 using the IC card entity template data of the corresponding enterprise.
Fig. 11 illustrates the format of IC card entity data 73_x.
As shown in Fig. 11, IC card entity data 73_x has management pointer information 80, entity ID information 81, entity status information (status data) 82, IC card type information 83, COS unit designation information 84, processing order information (processing order data) 85, pre-processing information 86 and post-processing information 87.
Management pointer information 80 is a bidirectional pointer used to manage IC card entity data 73_x in memory 65.
Entity ID information 81 is used in requests for generation, confirmation, deletion or other processing of the series of processing that uses IC card entity data 73_x, and for the process status of IC card entity data 73_x. Entity ID information 81 also becomes the return value given to the end user. It corresponds to the descriptor obtained when a file is opened in a general-purpose file system.
Entity status information 82 represents the state of the process relating to IC card 3.
As shown in Fig. 12, the basic states of IC card entity data 73_x comprise a state (RS) of processing that investigates the services IC card 3 can use, a state (A1) of processing by which SAM chip 8 authenticates IC card 3, a state (A2) of processing by which IC card 3 authenticates SAM chip 8, a state (R) of processing that reads data from IC card 3, and a state (W) of processing that writes data to IC card 3.
In the present embodiment, the processing that investigates the enterprise, the processing by which SAM chip 8 authenticates IC card 3, the processing by which IC card 3 authenticates SAM chip 8, the processing that reads data from IC card 3 and the processing that writes data to IC card 3 each correspond to a job.
As described later, a "job" is the unit of processing for which IC card process management task 72 determines the execution order.
Note that A1 and A2 together constitute the mutual authentication processing between IC card 3 and SAM chip 8.
In addition, in the present embodiment, taking the communication time over the Internet 10 into account, each of the basic states mentioned above is divided into a started (command issued) state and a completed (response received) state, as shown in the state transition diagram of Fig. 12.
Specifically, the state of the processing that uses IC card entity data 73_x is managed as an instance generation (generation of the IC card entity data) state, RS started state, RS completed state, A1 started state, A1 completed state, A2 started state, A2 completed state, R started state, R completed state, W started state, W completed state and instance (IC card entity data) deletion state.
IC card type information 83 is information identifying the enterprise that issued IC card 3.
When IC card entity data 73_x is produced, IC card type information 83 is set using the information defined by the CI command in the script program mentioned above.
COS unit designation information 84 indicates the COS units of the services defined in the service definition table data used in the processing that uses IC card entity data 73_x.
When IC card entity data 73_x is produced, COS unit designation information 84 is set using the one or more COS units designated in the CS command of the script program mentioned above.
Processing order information 85 indicates the execution order of the services (jobs) used in IC card entity data 73_x, that is, the state transitions shown in Fig. 12.
That is, processing order information 85 uses the COS units to express the execution order of the jobs corresponding to the basic operations of IC card 3.
Here, as described later, the jobs correspond to RS, A1, A2, R and W shown in Fig. 12. The concrete operation on IC card 3 is realized by the processing order designated using these jobs. For example, for processing that only reads from IC card 3 without mutual authentication, processing order information 85 is set as "RS → R". For processing that reads and writes with mutual authentication, processing order information 85 is set as "RS → A1 → A2 → R → W".
When IC card entity data 73_x is produced, processing order information 85 is set using the sequence of events corresponding to the state transitions shown in Fig. 12 and the order of the COS units designated in the CS command of the script program mentioned above.
Pre-processing information 86 is set from the ASP server 6 side using the management data needed to carry out the processing that uses IC card entity data 73_x.
For example, pre-processing information 86 is set using the points computed by the calculation formula of the service designated in the SF data block.
In addition, when no calculation function is defined between the services, pre-processing information 86 is set using the charge for the requested processing.
For example, in the case of settlement, the amount charged or the points given, or a related state, is set.
Post-processing information 87 is set using data on the result of the processing of IC card entity data 73_x that is required on the ASP server 6 side. For example, in the case of settlement, post-processing information 87 is set using data indicating that the settlement ended normally.
The routine of the processing that IC card process management task 72 shown in Fig. 10 carries out for a number of IC cards 3 using a number of IC card entity data 73_x is described below.
IC card process management task 72 runs continuously on CPU 66 of SAM chip 8 shown in Fig. 9.
Fig. 13 is a flow chart of the processing executed by IC card process management task 72.
Step ST1:
IC card process management task 72 selects, from among the IC card entity data 73_x present in memory 65, one IC card entity data 73_x for which the next processing is to be carried out.
The method of selecting IC card entity data 73_x may be to select the IC card entity data 73_x present in memory 65 in turn, or to assign priorities and select them in order from the highest priority.
Step ST2:
IC card process management task 72 judges whether the job of the IC card entity data 73_x selected at step ST1 has already been started. When it judges that the job has been started, it proceeds to step ST5; when it judges that the job has not yet been started, it proceeds to step ST3.
Step ST3:
IC card process management task 72 judges, from entity status information 82 (Fig. 11) of the IC card entity data 73_x selected at step ST1, which state in the state transition diagram of Fig. 12 the processing relating to that entity data is in, and determines the job to be executed next according to processing order information 85.
At this time, processing order information 85 determines the execution order of the jobs using the COS units set in the service definition table data described above.
Step ST4:
IC card process management task 72 starts the job selected at step ST3.
IC card process management task 72 executes the job using the data blocks relating to that job among input data block 31_x1, output data block 32_x2, log data block 33_x3 and calculation definition data block 34_x4 mentioned above.
At this time, when issuing a command to IC card 3 in executing the job, IC card process management task 72 searches the service definition table data using the COS unit corresponding to the job as the key, and obtains the service number (the operational command that IC card 3 can interpret) corresponding to that COS unit. IC card process management task 72 then issues the command to IC card 3 using the obtained service number.
In addition, as explained with reference to Fig. 4, when key information is needed to access a memory area of IC 3a of IC card 3, IC card process management task 72 searches the service definition table data using the COS unit corresponding to the job and obtains the key information corresponding to that COS unit. IC card process management task 72 then uses this key information to carry out mutual authentication with IC card 3, encryption and decryption of data and other processing, and obtains the right to access the predetermined memory area of IC card 3.
Step ST5:
Step ST5 is executed when IC card process management task 72 has issued a command to IC card 3 and is waiting for the result from IC card 3.
When IC card process management task 72 receives the result from IC card 3, it places the result in IC card entity data 73_x.
Step ST6:
IC card process management task 72 updates entity status information 82 of IC card entity data 73_x shown in Fig. 11.
In this way, in the present embodiment, IC card process management task 72 processes a number of IC cards 3 in parallel within SAM chip 8 while selecting the IC card entity data 73_x of those IC cards 3 in turn. Therefore, even when processing requests for processes using a number of IC cards 3 are received, SAM chip 8 can carry them out simultaneously.
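As an added example (not the patent's own code), the following Python models IC card process management task 72 over several IC card entity data: each job is split into a started and a completed state, entities are selected in turn (ST1 to ST6), and an entity is deleted once its job order is exhausted; entity generation beyond the SC maximum is refused (ST28). The classes, the status strings, the simulated card that answers after a fixed delay, and `job_order_for`, which generalizes the two orders given in the text, are assumptions.

```python
"""Model of IC card process management task 72 (steps ST1 to ST6) running
over several IC card entity data 73_x.  Added example; the classes, the
status strings and the simulated card are assumptions, not the patent's
own implementation."""
from collections import deque


def job_order_for(mutual_auth, write):
    """Processing order information 85.  Generalizes the two orders given
    in the text: "RS -> R" (read only, no mutual authentication) and
    "RS -> A1 -> A2 -> R -> W" (mutual authentication, read and write)."""
    order = ["RS"]
    if mutual_auth:
        order += ["A1", "A2"]
    order.append("R")
    if write:
        order.append("W")
    return order


class Entity:
    """Subset of IC card entity data 73_x (Fig. 11)."""

    def __init__(self, entity_id, card_type, job_order):
        self.entity_id = entity_id      # entity ID information 81
        self.card_type = card_type      # IC card type information 83
        self.job_order = job_order      # processing order information 85
        self.status = "GENERATED"       # entity status information 82
        self.job_index = 0              # position in job_order
        self.awaiting = None            # job whose card response is outstanding
        self.results = {}               # job -> result placed at ST5

    def current_job(self):
        if self.job_index < len(self.job_order):
            return self.job_order[self.job_index]
        return None


class ProcessManagementTask:
    def __init__(self, max_entities):
        self.max_entities = max_entities   # SC command of the script program
        self.entities = deque()            # entity data present in memory 65
        self.commands_issued = []          # (entity_id, job) in issue order

    def generate_entity(self, entity_id, card_type, job_order):
        """Entity generation, refused when the number of entity data already
        present has reached the SC maximum (step ST28)."""
        if len(self.entities) >= self.max_entities:
            raise RuntimeError("entity data count is at the SC maximum")
        ent = Entity(entity_id, card_type, job_order)
        self.entities.append(ent)
        return ent

    def step(self, responses):
        """One pass of ST1..ST6 for the entity at the head of the queue.
        responses maps entity_id -> result from the card; an entity whose
        card has not answered yet is simply absent from it."""
        if not self.entities:
            return None
        ent = self.entities[0]          # ST1: entities are selected in turn
        self.entities.rotate(-1)
        if ent.awaiting is not None:    # ST2: job already started?
            if ent.entity_id not in responses:
                return ("WAIT", ent.entity_id, ent.awaiting)
            done = ent.awaiting
            ent.results[done] = responses[ent.entity_id]   # ST5
            ent.status = done + "_COMPLETED"               # ST6
            ent.awaiting = None
            ent.job_index += 1
            if ent.current_job() is None:   # series finished: delete entity
                ent.status = "DELETED"
                self.entities.remove(ent)
            return ("COMPLETED", ent.entity_id, done)
        job = ent.current_job()         # ST3: next job from order information
        self.commands_issued.append((ent.entity_id, job))   # ST4: issue command
        ent.awaiting = job
        ent.status = job + "_STARTED"
        return ("STARTED", ent.entity_id, job)


def simulate(task, ticks, delay=1):
    """Drive the task against a constructed card model in which every
    command is answered `delay` ticks after it was issued.  Returns the
    event trace; with several entities the commands interleave."""
    issued_at = {}
    trace = []
    for t in range(ticks):
        ready = {eid: f"{job} ok" for eid, (job, t0) in issued_at.items()
                 if t0 + delay <= t}
        ev = task.step(ready)
        if ev is None:
            break
        trace.append(ev)
        if ev[0] == "STARTED":
            issued_at[ev[1]] = (ev[2], t)
        elif ev[0] == "COMPLETED":
            del issued_at[ev[1]]
    return trace
```

With two entities the issued commands alternate between the cards, which is the interleaving the started/completed split is meant to allow.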
The overall operation of communication system 1 shown in Fig. 1 is described below.
Figs. 14 and 15 illustrate the overall operation of communication system 1 shown in Fig. 1.
Step ST21:
Enterprises 15_1 to 15_3, or a party requested by these enterprises, produce on personal computers 16_1, 16_2 and 16_3 shown in Fig. 1 the script programs 21_1, 21_2 and 21_3 describing the processing of the transactions that the enterprises carry out using IC card 3.
In addition, the administrator of SAM chip 8 produces service definition table data 20_1, 20_2 and 20_3 corresponding to enterprises 15_1 to 15_3.
Step ST22:
Service definition table data 20_1, 20_2 and 20_3 produced at step ST21 are stored in external memory 7.
In addition, script programs 21_1, 21_2 and 21_3 produced at step ST21 are downloaded from personal computers 16_1, 16_2 and 16_3 to external memory 7 via the Internet 10, ASP server 6 and SAM chip 8. As shown in Fig. 7, this download processing is managed by script download task 69 in SAM chip 8.
Step ST23:
Script interpretation task 70 in the SAM chip shown in Fig. 7 uses the service definition table data and the script programs to produce the IC card entity template data, input data blocks, output data blocks, log data blocks and calculation definition data blocks of each enterprise.
The produced data are stored in memory 65 of SAM chip 8 shown in Fig. 9.
Step ST24:
IC card 3 is issued to the user.
As shown in Fig. 4, memory 50 of IC 3a of IC card 3 stores the key information used for the transactions agreed between the user and the enterprises.
Note that after IC card 3 is issued, the user and an enterprise can also conclude a transaction with each other via the Internet 10 or the like.
Step ST25:
For example, when the user uses personal computer 5 to access server 2 via the Internet 10 and attempts to purchase a product, server 2 sends a processing request to ASP server 6 via the Internet 10.
When ASP server 6 receives the processing request from server 2, it accesses personal computer 5 via the Internet 10. In addition, as shown in Fig. 16A, the processing request sent by card reader/writer 4 of IC card 3 is transmitted to SAM chip 8 via personal computer 5, the Internet 10 and ASP server 6.
Step ST26:
ASP server 6 outputs an entity generation request to SAM chip 8.
The entity generation request holds information indicating the issuer of IC card 3.
Step ST27:
When SAM chip 8 receives the entity generation request, it polls IC card 3, as shown in Fig. 16B.
Step ST28:
After polling ends, entity generation task 71 of SAM chip 8 judges whether the number of IC card entity data 73_x present in SAM chip 8 is within the maximum number determined by the SC command of the script program. If it is within the maximum number, processing proceeds to step ST29; if it is not, processing ends.
Step ST29:
Entity generation task 71 determines, from the information indicating the issuer of IC card 3 held in the entity generation request, which enterprise's IC card entity template data is to be used, and produces IC card entity data 73_x using the designated IC card entity template data.
This generation corresponds to the instance generation shown in Fig. 12.
Step ST30:
SAM chip 8 outputs the entity ID of the IC card entity data 73_x produced at step ST29 to ASP server 6.
Step ST31:
IC card process management task 72 of SAM chip 8 investigates the services that IC card 3 can use.
This is the processing corresponding to job RS shown in Fig. 12.
Step ST32:
IC card process management task 72 of SAM chip 8 verifies the legitimacy of IC card 3.
This is the processing corresponding to job A1 shown in Fig. 12.
Step ST33:
IC card 3 verifies the legitimacy of SAM chip 8.
This is the processing corresponding to job A2 shown in Fig. 12.
Through steps ST32 and ST33, IC card 3 and SAM chip 8 authenticate each other. This corresponds to Fig. 16C.
Step ST34:
IC card process management task 72 of SAM chip 8 reads and writes the data needed for the process relating to IC card 3.
This is the processing corresponding to jobs R and W shown in Fig. 12 and to Figs. 16D and 16E.
In addition, IC card process management task 72 applies the predetermined calculation processing, according to the calculation formula designated in the pre-processing information of IC card entity data 73_x, to the data read from IC card 3.
Step ST35:
As shown in Fig. 16F, IC card process management task 72 of SAM chip 8 outputs the result of step ST34 to ASP server 6.
Step ST36:
For example, IC card process management task 72 deletes IC card entity data 73_x.
As described above, according to communication system 1, IC card entity data 73_x can be produced for each processing of a process carried out with an IC card, and IC card process management task 72 can carry out processing for a number of IC cards 3 simultaneously using the plurality of IC card entity data 73_x.
In addition, according to communication system 1, since only the IC card entity data 73_x actually used in the processing of IC cards 3 is kept in memory 65, the memory area of memory 65 can be used efficiently.
In addition, according to communication system 1, since the execution state of each job processed by IC card process management task 72 is divided into a started state and a completed state as shown in Fig. 12, the processing of another job can be started after one job has been started, while waiting for data from IC card 3. Therefore, the waiting time caused by transmitting data to and from IC card 3 via the Internet 10 can be eliminated.
In addition, according to communication system 1, the service definition table data describe the name of the service that each enterprise provides, that is, the COS unit, the number of the service used in IC card 3, and the key information used when the service is provided, and are stored in external memory 7. Therefore, enterprises 15_1 to 15_3, which are not the developer of SAM chip 8, can produce their own applications to run on SAM chip 8 in the form of script programs 21_1, 21_2 and 21_3 and download these applications to external memory 7 via SAM chip 8 for customization. That is, the enterprises can customize their own applications without the key information, the operational commands that directly operate IC card 3, or other sensitive information being disclosed to enterprises 15_1 to 15_3. Moreover, since an enterprise need not know the key information or the card operational commands when customizing its application, the burden on the enterprise is reduced.
In addition, according to communication system 1, since the calculation content generating a number of services can be defined, a distinct service combining a number of the many services approved for simultaneous execution on the IC card 3 side can be provided.
In addition, according to communication system 1, by introducing the concept of data blocks, data input to, data output from and log data about IC card 3 can be managed easily.
Figure 17 is a functional block diagram showing the functional blocks of the SAM chip 8 shown in Figure 9 in more detail.
As shown in Figure 17, the ASPS communication interface 60, external memory communication interface 61, bus scrambler 62, random number generator 63, encryption/decryption unit 64, memory 65 and CPU 66 of the SAM chip 8 are connected through an internal bus 90.
In the SAM chip 8 shown in Figure 17, as shown in Figure 18, a card I/F unit 91 connected to the internal bus 90 may be connected to an RF transmitter/receiver 92 located outside the SAM chip 8, so that data is exchanged with the IC card 3 by a contactless method through the antenna 92a of the RF transmitter/receiver 92.
Second embodiment
The present embodiment corresponds to the seventh to ninth aspects of the present invention.
Figure 19 is a schematic view of the overall configuration of the communication system 101 of the present embodiment.
As shown in Figure 19, in the communication system 101 a server 102, an IC card 103 (the integrated circuit of the present invention), a card reader/writer 104, a personal computer 105, an ASP (application service provider) server 106, a SAM (secure application module) unit 109, personal computers 116_1, 116_2 and 116_3 and authentication devices 117_1, 117_2 and 117_3 communicate through the Internet 110, and settlement processing or other processing of procedures using the IC card 103 is carried out.
The SAM unit 109 has an external memory 107 (the semiconductor memory circuit of the present invention) and a SAM chip 108 (the semiconductor circuit of the present invention).
The SAM chip 108 has the software configuration shown in Figure 20.
As shown in Figure 20, from the bottom layer to the top layer, the SAM chip 108 has a HW (hardware) layer, an OS layer, a lower handler layer, an upper handler layer and an AP layer.
The lower handler layer includes a driver layer.
Here, the AP layer includes applications AP_1, AP_2 and AP_3, which define the procedures by which a credit card company or the other enterprises 115_1, 115_2 and 115_3 shown in Figure 19 use the IC card 103.
In the AP layer, a firewall FW (the firewall of the present invention) is provided between the applications AP_1, AP_2 and AP_3 and the upper handler layer.
The SAM chip 108 is connected to the ASP server 106 through a SCSI port, Ethernet or the like. The ASP server 106 is connected through the Internet 110 to a number of terminal devices, including the end user's personal computer 105 and the personal computers 116_1, 116_2 and 116_3 of the enterprises 115_1, 115_2 and 115_3.
The personal computer 105 is connected to the dumb-type card reader/writer 104 through a serial port or a USB port. The card reader/writer 104 performs the physical wireless communication with the IC card 103.
The operation commands sent to the IC card 103 are generated, and the response packets from the IC card 103 are analyzed, on the SAM unit 109 side. The card reader/writer 104, the personal computer 105 and the ASP server 106 between them therefore merely hold the command or response content in a data payload and relay that data payload; they take no part in the encryption or decryption of data, authentication, or the other actual operations within the IC card 103.
The enterprises 115_1, 115_2 and 115_3 produce the applications AP_1, AP_2 and AP_3 using their personal computers 116_1, 116_2 and 116_3 and, through the authentication devices 117_1, 117_2 and 117_3, download the produced applications via the SAM chip 108 into predetermined storage areas in the external memory 107.
At this time, since the enterprises 115_1, 115_2 and 115_3 are unrelated to each other, the SAM chip 108 determines in advance the storage areas in the external memory 107 into which the applications AP_1, AP_2 and AP_3 may be downloaded, and verifies whether the downloading party has the right to download into those storage areas.
In addition, while the applications AP_1, AP_2 and AP_3 are being executed, the firewall FW restricts data transfer and data referencing between the applications AP_1, AP_2 and AP_3.
When the applications AP_1, AP_2 and AP_3 are downloaded to the SAM chip 108, as described later, the authentication devices 117_1, 117_2 and 117_3 perform mutual authentication with the SAM chip 108, generate download signature verification key information, and so on.
The components shown in Figure 19 are described below.
[IC card 103]
Figure 21 is a functional block diagram of the IC card 103.
As shown in Figure 21, the IC card 103 has an IC (integrated circuit) 103a provided with a memory 150 and a processor 151.
As shown in Figure 22, the memory 150 has a storage area 155_1 used by a credit card company or other enterprise 115_1, a storage area 155_2 used by the enterprise 115_2, and a storage area 155_3 used by the enterprise 115_3.
In addition, the memory 150 holds key information used to judge whether access rights to the storage area 155_1 exist, key information used to judge access rights to the storage area 155_2, and key information used to judge access rights to the storage area 155_3. The key information is used for mutual authentication, encryption and decryption of data, and so on.
In addition, the memory 150 holds identification information of the IC card 103 or of the user of the IC card 103.
The SAM unit 109 is described in more detail below.
[External memory 107]
Figure 23 illustrates the storage areas of the external memory 107.
As shown in Figure 23, the storage areas of the external memory 107 comprise an AP storage area 120_1 holding the application AP_1 of the enterprise 115_1, an AP storage area 120_2 holding the application AP_2 of the enterprise 115_2, an AP storage area 120_3 holding the application AP_3 of the enterprise 115_3, an AP management storage area 121 used by the manager of the SAM chip 108, and a key information storage area 122.
The application AP_1 held in the AP storage area 120_1 is composed of a number of program modules. Access to the AP storage area 120_1 is restricted by a firewall FW_1.
The application AP_2 held in the AP storage area 120_2 is composed of a number of program modules. Access to the AP storage area 120_2 is restricted by a firewall FW_2.
The application AP_3 held in the AP storage area 120_3 is composed of a number of program modules. Access to the AP storage area 120_3 is restricted by a firewall FW_3.
In the present embodiment, the program module mentioned above is the smallest unit downloaded from outside the SAM unit 109 into the external memory 107. The number of program modules making up each application may be freely decided by the corresponding enterprise.
In addition, the applications AP_1, AP_2 and AP_3 held in the external memory 107 are stored in scrambled (encrypted) form. These applications are descrambled when read into the SAM chip 108.
In addition, the applications AP_1, AP_2 and AP_3 are produced by the enterprises 115_1, 115_2 and 115_3 using the personal computers 116_1, 116_2 and 116_3 shown in Figure 19, and are downloaded into the external memory 107 via the SAM chip 108.
Access to the AP management storage area 121 is restricted by a firewall FW_4.
The firewalls FW_1, FW_2, FW_3 and FW_4 correspond to the firewall FW shown in Figure 20.
The AP management storage area 121 holds the module management data 130 shown in Figure 24.
In the module management data 130, the module names and the download signature verification key information (the download key information of the present invention) of the program modules to be downloaded from the personal computers 116_1, 116_2 and 116_3 are recorded in advance.
That is, downloading of a program module is permitted on condition of the download signature verification key information recorded in advance in the module management data 130.
In addition, in the module management data 130, the module names and the execution signature verification key information of the program modules to be executed by the SAM chip 108 are recorded.
That is, the right to have a program module executed by the SAM chip 108 is obtained on condition of the execution signature verification key information recorded in advance in the module management data 130.
As shown in Figure 24, the module management data 130 expresses, for each program module of the applications AP_1, AP_2 and AP_3 held in the AP storage areas 120_1, 120_2 and 120_3, the correspondence among the firewall number (the firewall identification information of the present invention) of the firewall restricting access to the program module, the start address, the address length, the download signature verification key information, the execution signature verification key information and the module name.
Here, the firewall number indicates the number of the firewall that prevents access to the program module.
The start address indicates the start address of the storage area to which the firewall restricts access.
The address length indicates the length of the storage area to which the firewall restricts access.
The download signature verification key information is key information used for the signature verification performed when a program module is downloaded into the external memory 107 via the SAM chip 108.
The execution signature verification key information is used, when the SAM chip 108 executes a program module, to verify the signature information attached to the program module. For example, in the present embodiment, each program module is given signature information proving its legitimacy. If the program module has been illegally modified or tampered with, this can be detected by verifying the signature information with the execution signature verification key information, and the legitimacy of the program module is thereby confirmed.
The module name is a name assigned to the program module.
The key information storage area 122 holds encryption key information K_C1, used when the application AP_1 is executed and the storage area 155_1 of the IC card 103 shown in Figure 22 is accessed; encryption key information K_C2, used when the application AP_2 is executed and the storage area 155_2 of the IC card 103 shown in Figure 22 is accessed; and encryption key information K_C3, used when the application AP_3 is executed and the storage area 155_3 of the IC card 103 shown in Figure 22 is accessed.
The key information K_C1, K_C2 and K_C3 is encrypted with key information K_X.
Only the manager of the SAM chip 108 is permitted to access the key information storage area 122.
[SAM chip 108]
Figure 25 is a functional block diagram of the SAM chip 108 shown in Figure 19.
As shown in Figure 25, the SAM chip 108 has an ASPS communication interface 160, an external memory communication interface 161, a bus scrambler 162, a signature processing unit 163, an authentication processing unit 164, an encryption/decryption unit 165, a memory 166 and a CPU 167.
The SAM chip 108 is a tamper-resistant module.
The ASPS communication interface 160 is an interface used for input and output of data with the ASP server 106 shown in Figure 19.
The external memory communication interface 161 is an interface used for input and output of data with the external memory 107.
When data is input and output through the external memory communication interface 161, the bus scrambler 162 scrambles (encrypts) the output data and descrambles (decrypts) the input data.
As described later, the signature processing unit 163 generates and verifies signatures when an application is downloaded into the external memory 107 via the Internet 110 and when that application is executed.
When an application is downloaded into the external memory 107 via the Internet 110, the authentication processing unit 164 performs mutual authentication with the other party.
The encryption/decryption unit 165 encrypts data and decrypts encrypted data.
The memory 166 holds the key information K_X used to decrypt the key information K_C1, K_C2 and K_C3 held in the key information storage area 122 of the external memory 107 mentioned above.
The CPU 167 executes tasks according to predetermined programs (the programs of the present invention) as described later, and executes the applications designated in the course of executing those tasks.
Figure 26 illustrates the tasks executed by the CPU 167.
As shown in Figure 26, the CPU 167 executes a download task 170, a system task 171, an AP task 172 (the program of the present invention) and a settlement processing task 173.
As described later, the download task 170 performs the processing of downloading an application from outside the SAM unit 109 into the external memory 107 via the SAM chip 108.
The system task 171 performs the driver management operations specific to the IC card 103 and other processing.
The AP task 172 generally manages the execution of the applications AP_1, AP_2 and AP_3 when the SAM chip 108 receives a processing request from the ASP server 106 or from elsewhere outside the SAM chip 108.
The settlement processing task 173 determines which of the applications AP_1, AP_2 and AP_3 is to be used when the SAM chip 108 receives a processing request relating to the IC card 103 from the ASP server 106.
Examples of the operation of the communication system 101 are described below.
[Operation of downloading an AP into the external memory]
Figure 27 is a flow chart illustrating the operation of downloading the application AP_1 from the personal computer 116_1 shown in Figure 19 into the external memory 107.
Step ST101:
The personal computer 116_1 shown in Figure 19 sends, through the authentication device 117_1, a download request to the SAM chip 108 designating the module name of each program module to be downloaded.
Step ST102:
The download task 170 running on the SAM chip 108 shown in Figure 26 performs mutual authentication with the authentication device 117_1 connected to the personal computer 116_1. When the mutual authentication confirms the legitimacy of both parties, the processing of step ST103 is performed.
Note that in the present embodiment various techniques may be used for the mutual authentication, but the following technique is used.
The authentication device 117_1 and the SAM chip 108 both hold the identification information of the SAM chip 108, namely SAM_ID, and mutual authentication master key information.
The authentication device 117_1 encrypts SAM_ID with the mutual authentication master key information and sends the result to the SAM chip 108. The SAM chip 108 decrypts the received encrypted SAM_ID with the mutual authentication master key and compares it with the SAM_ID it holds itself. If they match, the legitimacy of the authentication device 117_1 is confirmed. Conversely, the SAM chip 108 encrypts SAM_ID with the mutual authentication master key information and sends the result to the authentication device 117_1. The authentication device 117_1 decrypts the received encrypted SAM_ID with the mutual authentication master key and compares it with the SAM_ID it holds itself. If they match, the legitimacy of the SAM chip 108 is confirmed.
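The mutual authentication of step ST102, written out as a runnable exchange. This is an example added by the editor, not code from the patent or from Sony. The patent does not name the cipher used to encrypt SAM_ID, so the example substitutes a stand-in stream cipher whose keystream is generated with HMAC-SHA256 (an assumption, marked in the code); the SAM_ID value and master key are constructed sample data. Note that, as the step is described, neither side contributes a random value, so the value each party transmits is the same in every session for a given SAM_ID and master key; the example reproduces the exchange as described.

```python
"""Mutual authentication of step ST102 (added example, not Sony's code)."""
import hashlib
import hmac
import os


def _keystream(key: bytes, length: int) -> bytes:
    # ASSUMPTION: an HMAC-SHA256 counter keystream stands in for the patent's
    # unnamed cipher.  It is deterministic for a given key, like any cipher
    # used without a nonce, which is what the described exchange relies on.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream inverts the operation


class Party:
    """One side of the exchange: the authentication device 117_1 or the SAM chip 108.
    Both hold SAM_ID and the mutual authentication master key information."""

    def __init__(self, name: str, sam_id: bytes, master_key: bytes):
        self.name = name
        self.sam_id = sam_id
        self.master_key = master_key

    def challenge(self) -> bytes:
        # Encrypt SAM_ID under the mutual authentication master key and send it.
        return encrypt(self.master_key, self.sam_id)

    def verify(self, received: bytes) -> bool:
        # Decrypt with the master key and compare with the locally held SAM_ID
        # (constant-time comparison so the check itself leaks nothing).
        return hmac.compare_digest(decrypt(self.master_key, received), self.sam_id)


def mutual_authenticate(device: Party, sam: Party) -> bool:
    """Returns True only when each side confirms the other, as step ST102 requires."""
    sam_trusts_device = sam.verify(device.challenge())   # device -> SAM direction
    device_trusts_sam = device.verify(sam.challenge())   # SAM -> device direction
    return sam_trusts_device and device_trusts_sam


if __name__ == "__main__":
    SAM_ID = bytes.fromhex("0102030405060708")   # constructed sample identifier
    MASTER = os.urandom(16)                      # constructed master key
    sam = Party("SAM chip 108", SAM_ID, MASTER)
    device = Party("authentication device 117_1", SAM_ID, MASTER)
    print("legitimate device:", mutual_authenticate(device, sam))
    rogue = Party("rogue device", SAM_ID, os.urandom(16))  # knows SAM_ID, not the key
    print("rogue device:", mutual_authenticate(rogue, sam))
```

A party that knows SAM_ID but not the master key fails in both directions: its ciphertext does not decrypt to SAM_ID on the SAM side, and it cannot decrypt the SAM's ciphertext to check it.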
Step ST103:
The download task 170 judges whether each module name designated by the download request of step ST101 is recorded in the module management data 130 held in the AP management storage area 121 of the external memory 107.
Step ST104:
When it is judged at step ST103 that a module name is not recorded, the processing ends without performing the download processing; when it is judged that each module name is recorded, the processing of step ST105 is performed.
Step ST105:
The authentication device 117_1 encrypts SAM_ID as plaintext with the AP master key KEY-A to generate download signature verification key information.
It then sends to the SAM chip 108 either the download signature verification key information or signature information generated using that download signature verification key information.
Step ST106:
When download signature verification key information is received at step ST105, the download task 170 judges whether the received download signature verification key information matches the download signature verification key information of the corresponding module name in the module management data 130.
When signature information is received at step ST105, the download task 170 uses the download signature verification key information of the corresponding module name in the module management data 130 to judge the legitimacy of the signature information.
Step ST107:
When it is judged at step ST106 that the download signature verification key information matches, or that the signature information is legitimate, the download task 170 proceeds to the processing of step ST108; otherwise the processing ends.
Step ST108:
The download task 170 refers to the module management data 130 to designate the address in the external memory 107 corresponding to the module name designated at step ST101, and downloads the program module from the personal computer 116_1 to the designated address in the external memory 107.
[Operation of executing an application]
Figure 28 is a flow chart illustrating the operation of the SAM chip 108 shown in Figure 19 executing the application AP_1.
Step ST111:
When the SAM chip 108 receives a request to execute the application AP_1 from the ASP server 106, the AP task 172 shown in Figure 26 performs the processing of step ST112.
Step ST112:
When executing a program module of the application AP_1, the AP task 172 refers to the module management data 130 to obtain the execution signature verification key information corresponding to the module name of that program module.
Step ST113:
The AP task 172 verifies the legitimacy of the signature information of the program module using the execution signature verification key information obtained at step ST112.
That is, it judges whether the program module has been illegally changed or tampered with.
Step ST114:
When the AP task 172 verifies at step ST113 that the signature information is legitimate, it proceeds to the processing of step ST115; when it judges that the signature information is illegitimate, the processing ends.
Step ST115:
The AP task 172 executes the program module whose signature information has been judged legitimate.
Note that a program module may also be executed by the CPU 167 shown in Figure 25 as a subroutine within a program.
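The download gate of steps ST103 to ST108 and the execution gate of steps ST112 to ST115, both driven by the module management data 130 of Figure 24, as one worked example. This is an example added by the editor, not code from the patent or from Sony. The patent names neither the signature scheme nor the cipher used at step ST105, so both are modelled here with HMAC-SHA256 (an assumption, marked in the code); the module record layout, the SAM_ID, the keys and the module bytes are constructed sample data. The example goes one step beyond the text by also refusing a module longer than the address length of its region, so a download cannot overrun the area its firewall protects.

```python
"""Download gate (ST103-ST108) and execution gate (ST112-ST115) over the
module management data 130.  Added example, not Sony's code."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class ModuleRecord:
    """One row of the module management data 130 (Figure 24)."""
    firewall_no: int
    start_address: int
    address_length: int
    download_key: bytes   # download signature verification key information
    exec_key: bytes       # execution signature verification key information


def sign(key: bytes, data: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA256 stands in for the patent's unnamed signature scheme.
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_download_key(key_a: bytes, sam_id: bytes) -> bytes:
    # Step ST105: "encrypt SAM_ID with the AP master key KEY-A".
    # ASSUMPTION: modelled as an HMAC of SAM_ID under KEY-A.
    return hmac.new(key_a, sam_id, hashlib.sha256).digest()


class SamUnit:
    """SAM chip 108 plus its external memory 107, reduced to the two gates."""

    def __init__(self, module_management: Dict[str, ModuleRecord], memory_size: int):
        self.module_management = module_management   # AP management storage area 121
        self.external_memory = bytearray(memory_size)  # external memory 107
        self.loaded: Dict[str, Tuple[int, bytes]] = {}  # name -> (length, execution signature)

    # ---- download task 170 ----
    def download(self, module_name: str, module: bytes,
                 download_signature: bytes, exec_signature: bytes) -> bool:
        rec = self.module_management.get(module_name)
        if rec is None:
            return False                                   # ST103/ST104: name not recorded
        if not hmac.compare_digest(sign(rec.download_key, module), download_signature):
            return False                                   # ST106/ST107: signature not legitimate
        if len(module) > rec.address_length:
            return False                                   # would overrun the firewalled region
        self.external_memory[rec.start_address:rec.start_address + len(module)] = module  # ST108
        self.loaded[module_name] = (len(module), exec_signature)
        return True

    # ---- AP task 172 ----
    def execute(self, module_name: str, run: Callable[[bytes], object]) -> Optional[object]:
        rec = self.module_management.get(module_name)     # ST112: look up the exec key
        if rec is None or module_name not in self.loaded:
            return None
        length, exec_signature = self.loaded[module_name]
        code = bytes(self.external_memory[rec.start_address:rec.start_address + length])
        if not hmac.compare_digest(sign(rec.exec_key, code), exec_signature):
            return None                                    # ST113/ST114: tampered, do not run
        return run(code)                                   # ST115


if __name__ == "__main__":
    SAM_ID = b"\x00\x01\x02\x03"                  # constructed
    KEY_A = b"ap-master-key-of-enterprise-115_1"   # constructed
    EXEC_KEY = b"execution-key-for-mod_a"          # constructed
    dl_key = derive_download_key(KEY_A, SAM_ID)
    table = {"mod_a": ModuleRecord(firewall_no=1, start_address=0x00, address_length=64,
                                   download_key=dl_key, exec_key=EXEC_KEY)}
    sam = SamUnit(table, memory_size=256)
    module = b"PAY 100 FROM AREA 155_1"            # constructed module body
    print("download:", sam.download("mod_a", module, sign(dl_key, module), sign(EXEC_KEY, module)))
    print("execute:", sam.execute("mod_a", lambda code: code.decode()))
    sam.external_memory[4] ^= 0xFF                 # tamper with the stored module
    print("execute after tampering:", sam.execute("mod_a", lambda code: code.decode()))
```

Both gates look up the same row of the module management data, which is why the patent keeps that table behind its own firewall FW_4: a party that could edit a row could insert its own keys and pass both checks.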
[Operation during execution of an application]
Figure 29 is a view illustrating the operation during execution of an application.
Step ST121:
When the AP task 172 executes the code of a program module by the processing shown in Figure 28, it judges whether the code to be executed next is code instructing data transfer to, or data referencing of, another program module.
Step ST122:
When the AP task 172 judges that the code to be executed next does not instruct data transfer to or data referencing of another program module, it proceeds to the processing of step ST123; when it judges that the code does instruct such data transfer or data referencing, it proceeds to the processing of step ST124.
Step ST123:
The AP task 172 executes the code.
Step ST124:
The AP task 172 performs error processing without executing the code.
The overall operation of the communication system shown in Figure 19 is described below.
Figure 30 is a view illustrating the overall operation of the communication system 101 shown in Figure 19.
Step ST131:
The enterprises 115_1 to 115_3, or parties commissioned by them, produce on the personal computers 116_1, 116_2 and 116_3 shown in Figure 19 the applications AP_1, AP_2 and AP_3, which perform the processing relating to the transactions these enterprises carry out using the IC card 103.
In addition, the manager of the SAM chip 108 produces the module management data 130 shown in Figure 24, scrambles it, and stores it in the external memory 107.
Step ST132:
The applications AP_1, AP_2 and AP_3 are downloaded from the personal computers 116_1, 116_2 and 116_3 to the SAM chip 108 through the authentication devices 117_1, 117_2 and 117_3.
At this time, the processing explained with reference to Figure 27 is performed.
Step ST133:
The IC card 103 is issued to the user.
As shown in Figure 22, the memory 150 of the IC 103a of the IC card 103 holds the key information used for transactions between the user and the enterprises with which the user has contracted.
Note that after the IC card 103 has been issued, the user and an enterprise may also conclude a contract via the Internet 110 or the like.
Step ST134:
For example, when the user accesses the server 102 via the Internet 110 using the personal computer 105 and attempts to purchase a product, the server 102 sends a processing request to the ASP server 106 via the Internet 110.
On receiving the processing request from the server 102, the ASP server 106 accesses the personal computer 105 via the Internet 110. The processing request relating to the IC card 103 issued from the card reader/writer 104 is then transmitted to the SAM chip 108 via the personal computer 105, the Internet 110 and the ASP server 106.
Step ST135:
The SAM chip 108 selects an application by means of the settlement processing task 173 according to the processing request received at step ST134, and executes the selected application.
During execution of the application, the processing explained with reference to Figures 28 and 29 is performed.
The SAM chip 108 outputs the execution result of the application to the ASP server 106.
As described above, according to the communication system 101, as explained with reference to Figure 27, the SAM chip 108 authenticates the party downloading an application by means of the authentication devices 117_1, 117_2 and 117_3 and permits the application to be downloaded only into the designated storage area of the external memory 107, so an unauthorized party can be prevented from illegally replacing or tampering with an application in the external memory 107.
In addition, according to the communication system 101, when the SAM chip 108 runs several applications, data transfer and data and code referencing between the applications are restricted by the firewalls FW_1, FW_2 and FW_3, so the processing of each application can be prevented from being illegally interfered with or tampered with by another application. The confidentiality of each application is also improved.
In addition, according to the communication system 101, as explained with reference to Figure 28, an application is verified for tampering when it is executed, so identity theft or other illegal acts based on an illegally tampered application can be avoided.
In addition, according to the communication system 101, since each application is composed of several program modules, downloading into the external memory 107 can be performed in units of program modules.
In addition, according to the communication system 101, the highly confidential key information used for operating the IC card 103 is encrypted in addition to the ordinary scrambling and held in the external memory, so the security level of the key information can be improved.
In addition, according to the communication system 101, since the bus scramble function encrypts and decrypts an application as its code is accessed, an application held in the external memory 107 can be protected from illegal analysis and the like even while the processing of the SAM chip 108 is stopped.
Figure 31 is a functional block diagram showing the functional blocks of the SAM chip 108 shown in Figure 25 in more detail.
As shown in Figure 31, in the SAM chip 108 the ASPS communication interface 160, external memory communication interface 161, bus scrambler 162, encryption/decryption unit 165, memory 166 and CPU 167 are connected through an internal bus 190.
Part of the functions of the signature processing unit 163 and the authentication processing unit 164 shown in Figure 25 are realized by the CPU 167.
In the SAM chip 108 shown in Figure 31, as shown for example in Figure 32, a card I/F unit 191 connected to the internal bus 190 may also be connected to an RF transmitter/receiver 192 located outside the SAM chip 108, so that data is exchanged with the IC card 103 by a contactless method through the antenna 192a of the RF transmitter/receiver 192.
Third embodiment
The present embodiment corresponds to the tenth to twelfth aspects of the present invention.
Figure 33 shows the overall configuration of the communication system 201 of the present embodiment.
As shown in Figure 33, in the communication system 201 a server 202, an IC card 203, a card reader/writer 204, a personal computer 205, an ASP (application service provider) server 206, a SAM (secure application module) unit 209, personal computers 216_1, 216_2 and 216_3 and authentication devices 217_1, 217_2 and 217_3 communicate through the Internet 210, and settlement processing or other processing of procedures using the IC card 203 is carried out.
The SAM unit 209 has an external memory 207 and a SAM chip 208.
The SAM chip 208 has the software configuration shown in Figure 34.
As shown in Figure 34, from the bottom layer to the top layer, the SAM chip 208 has a HW (hardware) layer, an OS layer, a lower handler layer, an upper handler layer and an AP layer.
The lower handler layer includes a driver layer.
Here, the AP layer includes applications AP_1, AP_2 and AP_3, which define the procedures by which a credit card company or the other enterprises 215_1, 215_2 and 215_3 shown in Figure 33 use the IC card 203.
In the AP layer, a firewall FW is provided between the applications AP_1, AP_2 and AP_3 and the upper handler layer.
The SAM chip 208 is connected to the ASP server 206 through a SCSI port, Ethernet or the like. The ASP server 206 is connected through the Internet 210 to a number of terminal devices, including the end user's personal computer 205 and the personal computers 216_1, 216_2 and 216_3 of the enterprises 215_1, 215_2 and 215_3.
The personal computer 205 is connected to the dumb-type card reader/writer 204 through a serial port or a USB port. The card reader/writer 204 performs the physical wireless communication with the IC card 203.
The operation commands sent to the IC card 203 are generated, and the response packets from the IC card 203 are analyzed, on the SAM unit 209 side. The card reader/writer 204, the personal computer 205 and the ASP server 206 between them therefore merely hold the command or response content in a data payload and relay that data payload. They take no part in the encryption or decryption of data, authentication, or the other actual operations within the IC card 203.
The enterprises 215_1, 215_2 and 215_3 produce the applications AP_1, AP_2 and AP_3 using the personal computers 216_1, 216_2 and 216_3 and, through the authentication devices 217_1, 217_2 and 217_3, download the produced applications via the SAM chip 208 into predetermined storage areas in the external memory 207.
At this time, since the enterprises 215_1, 215_2 and 215_3 are unrelated to each other, the storage areas in the external memory 207 into which the applications AP_1, AP_2 and AP_3 may be downloaded are determined in advance. The SAM chip 208 verifies whether these applications have the right to be downloaded into those storage areas.
In addition, data transfer and data referencing between the applications AP_1, AP_2 and AP_3 are restricted by the firewall FW. As described later, when the applications AP_1, AP_2 and AP_3 are downloaded to the SAM chip 208, the authentication devices 217_1, 217_2 and 217_3 perform mutual authentication with the SAM chip 208, generate download signature verification key information, and so on.
The components shown in Figure 33 are described below.
[IC card 203]
Figure 35 is a functional block diagram of the IC card 203.
As shown in Figure 35, the IC card 203 has an IC (integrated circuit) 203a provided with a memory 250 and a processor 251.
As shown in Figure 36, the memory 250 has a storage area 255_1 used by a credit card company or other enterprise 215_1, a storage area 255_2 used by the enterprise 215_2, and a storage area 255_3 used by the enterprise 215_3. In addition, the memory 250 holds key information used to judge whether access rights to the storage area 255_1 exist, key information used to judge access rights to the storage area 255_2, and key information used to judge access rights to the storage area 255_3. The key information is used for mutual authentication, encryption and decryption of data, and so on.
In addition, the memory 250 holds identification information of the IC card 203 or of the user of the IC card 203.
The SAM unit 209 is described in detail below.
[External memory 207]
Figure 37 illustrates the storage areas of the external memory 207.
As shown in Figure 37, the storage areas of the external memory 207 comprise an AP storage area 220_1 holding the application AP_1 of the enterprise 215_1, an AP storage area 220_2 holding the application AP_2 of the enterprise 215_2, an AP storage area 220_3 holding the application AP_3 of the enterprise 215_3, and an AP management storage area 221 used by the manager of the SAM chip 208.
The application AP_1 held in the AP storage area 220_1 is composed of a number of program modules. A firewall FW_1 restricts access to the AP storage area 220_1.
The application AP_2 held in the AP storage area 220_2 is composed of a number of program modules. A firewall FW_2 restricts access to the AP storage area 220_2.
The application AP_3 held in the AP storage area 220_3 is composed of a number of program modules. A firewall FW_3 restricts access to the AP storage area 220_3.
In the present embodiment, the program module mentioned above is the smallest unit downloaded from outside the SAM unit 209 into the external memory 207. The number of program modules making up each application may be freely decided by the corresponding enterprise.
In addition, the applications AP_1, AP_2 and AP_3 held in the external memory 207 are scrambled. These applications are descrambled when read into the SAM chip 208.
In addition, the applications AP_1, AP_2 and AP_3 are produced by the enterprises 215_1, 215_2 and 215_3 using the personal computers 216_1, 216_2 and 216_3 shown in Figure 33, and are downloaded into the external memory 207 via the SAM chip 208.
A firewall FW_4 restricts access to the AP management storage area 221.
The firewalls FW_1, FW_2, FW_3 and FW_4 correspond to the firewall FW shown in Figure 34.
The AP management storage area 221 holds AP selection data 231 and inter-AP communication data 232, as shown in Figure 37.
Here, the AP selection data 231 and the inter-AP communication data 232 are recorded in advance when the SAM chip 208 is configured. The AP selection data 231 and the inter-AP communication data 232 may be rewritten only by the manager of the SAM chip 208.
Figure 38 illustrates the AP selection data 231.
As shown in Figure 38, the AP selection data 231 shows IC card type information and AP identification information linked to each other.
The IC card type information indicates the type of the IC card 203 shown in Figure 33, and is identification information of the credit card company that settles the transactions carried out using the IC card 203.
The AP identification information is identification information of an application running in the AP layer of the SAM chip 208 shown in Figure 34.
Figure 39 illustrates the inter-AP communication data 232.
The inter-AP communication data 232 indicates whether communication between the applications AP_1, AP_2 and AP_3 shown in Figure 34 is possible.
Specifically, it indicates whether a communication request issued by the application in a given row entry of Figure 39 to the application in a given column entry is permitted.
For example, a communication request issued by the application AP_3 to the application AP_1 is permitted, but a communication request issued by the application AP_3 to the application AP_2 is refused.
In addition, as shown in Figure 37, the AP management storage area 221 has an inter-AP communication storage area 233 used for communication (data transfer) between applications.
[SAM chip 208]
Figure 40 is a functional block diagram of the SAM chip 208 shown in Figure 33.
As shown in Figure 40, the SAM chip 208 has an ASPS communication interface 260, an external memory communication interface 261, a bus scrambling device 262, a signature processing device 263, a verification processing device 264, an encryption/decryption device 265, a memory 266 and a CPU 267.
The SAM chip 208 is a tamper-resistant module.
The ASPS communication interface 260 is the interface for input and output of data with the ASP server 206 shown in Figure 33.
The external memory communication interface 261 is the interface for input and output of data with the external memory 207.
When the external memory communication interface 261 inputs and outputs data, the bus scrambling device 262 scrambles the output data and descrambles the input data.
That is, the data held in the external memory 207 is in scrambled form.
When an application is downloaded to the external memory 207 via the Internet 210, and when that application is executed, the signature processing device 263 generates and verifies signatures as described later.
When an application is downloaded to the external memory 207 via the Internet 210, the verification processing device 264 performs mutual verification with the other party, as described later.
The encryption/decryption device 265 encrypts data and decrypts encrypted data.
The memory 266 stores the data needed for the processing of the CPU 267.
The CPU 267 executes tasks according to a predetermined program (the program of the present invention), as described later, and executes the application specified by those tasks.
Figure 41 illustrates the tasks executed by the CPU 267.
As shown in Figure 41, the CPU 267 executes a download task 270, a system task 271, an AP task 272, a settlement processing routine task 273, an inter-AP communication task 274 and an inter-SAM communication task 275.
As described later, the download task 270 performs the processing by which the SAM chip 208 downloads an application from outside the SAM device 209 into the external memory 207.
The system task 271 performs driver management operations specific to the IC card 203, or other processing.
The AP task 272 manages the overall execution of the applications AP_1, AP_2 and AP_3 when the SAM chip 208 receives a program request from the ASP server 206 or from some other location outside the SAM chip 208.
As shown in Figure 42, when the SAM chip 208 receives a processing request concerning the IC card 203 from the ASP server 206, the settlement processing routine task 273 obtains from the AP selection data 231 shown in Figure 38 the AP identification information corresponding to the IC card type information included in the processing request, and selects and executes the one of the applications AP_1, AP_2 and AP_3 that corresponds to that AP identification information.
The inter-AP communication task 274 manages communication between applications.
Figure 43 is a flow chart explaining the processing of the inter-AP communication task 274.
Here, the explanation takes as its example the case where application AP_1 issues a communication request to write data to AP_2.
Step ST201:
When the executing application AP_1 issues a communication request to write data to AP_2, the processing of step ST202 is performed.
Step ST202:
The inter-AP communication task 274 receives the communication request issued at step ST201.
Step ST203:
The inter-AP communication task 274 checks the inter-AP communication data 232 shown in Figure 39 and judges whether application AP_1 may communicate with AP_2.
Step ST204:
When the inter-AP communication task 274 judges at step ST203 that communication is possible, it performs the processing of step ST205; when communication is not possible, it ends the processing.
In this example, according to Figure 39, application AP_1 may communicate with AP_2, so the processing of step ST205 is performed.
Step ST205:
Under the control of the inter-AP communication task 274, application AP_1 writes the data into the inter-AP communication memory block 233 shown in Figure 37.
Step ST206:
The inter-AP communication task 274 notifies application AP_2 that data has been written.
Step ST207:
Application AP_2 reads the data from the inter-AP communication memory block 233 in response to the notification received at step ST206.
Thus, communication between applications AP_1 and AP_2, relayed through the firewall, is completed.
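The following is an added model of steps ST201 to ST207, not code from the patent: the inter-AP communication task consults the permission data 232 before letting a sender write into the shared memory block 233, then notifies the receiver. The matrix entries other than the three the text states, the per-receiver mailbox and all function names are assumptions.

```python
# Added example (not code from the patent): a model of inter-AP communication
# task 274 of Figure 43. Entries of the permission matrix other than
# AP_3->AP_1 (permitted), AP_3->AP_2 (refused) and AP_1->AP_2 (permitted) are
# constructed, as are the mailbox layout and the function names.
from dataclasses import dataclass, field

# Inter-AP communication data 232 (Figure 39), indexed as [sender][receiver].
INTER_AP_COMM_DATA = {
    "AP_1": {"AP_1": False, "AP_2": True,  "AP_3": True},
    "AP_2": {"AP_1": True,  "AP_2": False, "AP_3": False},
    "AP_3": {"AP_1": True,  "AP_2": False, "AP_3": False},
}


class CommunicationRefused(Exception):
    """Raised when inter-AP communication data 232 does not permit a request."""


@dataclass
class InterApCommTask:
    """Model of task 274 relaying data through inter-AP communication memory
    block 233 (assumed here to be one mailbox per receiving application)."""
    comm_data: dict
    memory_block_233: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def is_permitted(self, sender: str, receiver: str) -> bool:
        # Step ST203: consult data 232. Unknown applications are refused
        # (default deny is an assumption of this example).
        return self.comm_data.get(sender, {}).get(receiver, False)

    def request_write(self, sender: str, receiver: str, data: bytes) -> None:
        # Steps ST201/ST202: a running application issues a write request
        # and the task receives it.
        if not self.is_permitted(sender, receiver):
            # Step ST204: refused, processing ends. Logged so that repeated
            # refused requests can be noticed by the SAM administrator.
            self.audit_log.append(("REFUSED", sender, receiver))
            raise CommunicationRefused(f"{sender} -> {receiver} not permitted")
        # Step ST205: the sender writes into memory block 233 under task
        # control; it never touches the receiver's own AP memory block.
        self.memory_block_233.setdefault(receiver, []).append((sender, data))
        # Step ST206: notify the receiver that data has been written.
        self.notifications.append((receiver, sender))
        self.audit_log.append(("WRITTEN", sender, receiver))

    def read(self, receiver: str) -> list:
        # Step ST207: the receiver reads its data from memory block 233.
        # The slot is cleared so nothing is left behind for a later reader.
        return self.memory_block_233.pop(receiver, [])


def demo() -> dict:
    """Runs the AP_1 -> AP_2 case of Figure 43 and the refused AP_3 -> AP_2 case."""
    task = InterApCommTask(INTER_AP_COMM_DATA)
    task.request_write("AP_1", "AP_2", b"settlement record")
    delivered = task.read("AP_2")
    try:
        task.request_write("AP_3", "AP_2", b"should not pass")
        refused = False
    except CommunicationRefused:
        refused = True
    return {"delivered": delivered, "refused": refused, "log": task.audit_log}
```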
As shown in Figure 44, the inter-SAM communication task 275 can, as required, start the inter-SAM communication task 275 of a SAM chip 208x located outside the SAM chip 208, and send remote commands to the inter-SAM communication task 275 of the SAM chip 208x.
When the processing load of the SAM chip 208 becomes large and it can no longer perform processing appropriately, such a remote command is sent from the inter-SAM communication task 275 of the SAM chip 208 to the inter-SAM communication task 275 of the SAM chip 208x, requesting the SAM chip 208x to perform at least part of the processing allocated to the SAM chip 208.
The overall operation of the communication system 201 shown in Figure 33 will be described below.
Figure 45 illustrates the overall operation of the communication system 201 shown in Figure 33.
Step ST231:
The enterprises 215_1 to 215_3, or parties requested by those enterprises, produce the applications AP_1, AP_2 and AP_3 of those enterprises on the personal computers 216_1, 216_2 and 216_3 shown in Figure 33, in order to perform processing concerning transactions that use the IC card 203.
Step ST232:
The applications AP_1, AP_2 and AP_3 are downloaded from the personal computers 216_1, 216_2 and 216_3 to the SAM chip 208 via the verification devices 217_1, 217_2 and 217_3.
Step ST233:
The IC card 203 is issued to the user.
As shown in Figure 36, the IC 203a of the IC card 203 stores the key information used for transactions between the user and the contracted enterprise.
Note that the transaction between the user and the enterprise may be concluded via the Internet 210 or the like after the IC card 203 is issued.
Step ST234:
For example, when the user wishes to purchase a product by accessing the server 202 via the Internet 210 using the personal computer 205, the server 202 sends a processing request to the ASP server 206 via the Internet 210.
When the ASP server 206 receives the processing request from the server 202, it accesses the personal computer 205 via the Internet 210. Further, the processing request concerning the IC card 203 issued by the card reader/writer 204 is sent to the SAM chip 208 via the personal computer 205, the Internet 210 and the ASP server 206.
Step ST235:
According to the processing request received at step ST234, the SAM chip 208 selects an application by means of the settlement processing routine task 273 and executes the selected application.
During execution of the application, any communication between applications is performed by the inter-AP communication task 274 as shown in Figure 43 and described above.
Step ST236:
The SAM chip 208 outputs the execution result of the application to the ASP server 206.
As described above, according to the communication system 201, the firewalls restrict mutual access among the applications AP_1, AP_2 and AP_3 as shown in Figures 34 and 37, so the applications can be protected from illegal monitoring and tampering. Further, the confidentiality of each application can be improved.
Further, according to the communication system 201, the processing shown in Figure 43 is performed by the inter-AP communication task 274 shown in Figure 41 using the AP management storage region 221 of the external memory 207 shown in Figure 37, which allows communication between applications within a scope permitted in advance.
Thus, various services can be provided through the synchronization and cooperation of a number of applications.
As one such service, for example, there is the case where the settlement processing routine task 273 shown in Figure 41 selects an application automatically. That is, although the content of settlement is the same at the level of the settlement itself, settlement processing differs in its billing agreements according to the issuer of the IC card 203; if the type of the IC card 203 is known, the corresponding application can be determined automatically. Thus, by recording settlement processing by level in the settlement processing routine task 273, the type of the IC card 203 and the corresponding application can be determined automatically. This reduces the burden on the application developer.
Further, according to the communication system 201, since the information stored in the external memory 207 is scrambled by the bus scrambling device 262 of the SAM chip 208 shown in Figure 40, it has high confidentiality against analysis from outside.
Further, according to the communication system 201, by providing the inter-SAM communication task 275 shown in Figure 41, the processing load of the SAM chip 208 can be distributed to other SAM chips. Thus, when the SAM chip 208 is installed in a shop server or the like that must simultaneously handle settlement processing requests from a number of terminal devices, the function of the inter-SAM communication task 275 can be used to improve settlement processing capacity by using a number of SAM chips 208.
Figure 46 is a block diagram showing the functional blocks of the SAM chip 208 shown in Figure 40 in more detail.
As shown in Figure 46, in the SAM chip 208 the ASPS communication interface 260, external memory communication interface 261, bus scrambling device 262, encryption/decryption device 265, memory 266 and CPU 267 are connected to one another by an internal bus 290.
Part of the functions of the signature processing device 263 and the verification processing device 264 shown in Figure 40 are realized by the CPU 267.
As shown in Figure 47, the SAM chip 208 shown in Figure 46 may also have a card I/F device 291 connected to the internal bus 290 and to an RF transmitter/receiver 292 outside the SAM chip 208, so that data is transferred to and from the IC card 203 contactlessly via the antenna 292a of the RF transmitter/receiver 292.
Fourth embodiment
This embodiment corresponds to the 13th to 16th aspects of the present invention.
Figure 48 is a view of the overall structure of the communication system 301 of the present embodiment.
As shown in Figure 48, in the communication system 301 a server 302, an IC card 303 (the integrated circuit of the present invention), a card reader/writer 304, a personal computer 305, an ASP (application service provider) server 306, a SAM (secure application module) device 309, personal computers 316_1, 316_2, 316_3, 316_4 and 316_5, verification devices 317_1, 317_2, 317_3, 317_4 and 317_5 (the verification devices of the present invention) and an ICE (in-circuit emulator) 318 communicate via the Internet 310 in order to develop or customize the software of the SAM chip 308, perform settlement processing using the IC card 303, and so on.
The SAM device 309 has an external memory 307 (the semiconductor memory circuit of the present invention) and a SAM chip 308 (the semiconductor circuit of the present invention).
The SAM chip 308 has the software configuration shown in Figure 49.
As shown in Figure 49, from the bottom layer to the top layer, the SAM chip 308 has a HW (hardware) layer, an OS layer, a low-level handler layer, a high-level handler layer and an application (AP) layer.
The low-level handler layer defines processing that does not depend on the application, and corresponds to the transport layer, network layer and data link layer of the OSI protocol.
The low-level handler layer includes a driver layer.
The driver layer performs processing related to the operation of the LSI.
The high-level handler layer defines processing that depends on the application, and corresponds to the layers above the transport layer in the OSI protocol.
Here, the OS layer corresponds to the first layer of the present invention, the low-level handler layer, the driver layer and the high-level handler layer correspond to the second layer of the present invention, and the AP layer corresponds to the third layer of the present invention.
The AP layer includes the applications AP_1, AP_2 and AP_3, which define the processing in which a credit card company and the other enterprises 315_AP1, 315_AP2 and 315_AP3 shown in Figure 48 use the IC card 303.
In the AP layer, a firewall FW (the firewall of the present invention) is set between the applications AP_1, AP_2 and AP_3 and between them and the high-level handler layer.
In the software configuration shown in Figure 49, the AP layer defines the processing specific to each enterprise, for example the content of settlement processing using the IC card 303. The processing that directly controls the IC card 303 is defined by the layers from the high-level handler layer downward.
The SAM chip 308 is connected to the ASP server 306 via a SCSI port, Ethernet or the like.
The ASP server 306 is connected to the personal computers 305, 316_1, 316_2, 316_3, 316_4 and 316_5 via the Internet 310.
Personal computer 316_1 is used by the enterprise 315_AP1 of the application AP_1 executed by the SAM chip 308.
Personal computer 316_2 is used by the enterprise 315_AP2 of the application AP_2 executed by the SAM chip 308.
Personal computer 316_3 is used by the enterprise 315_AP3 of the application AP_3 executed by the SAM chip 308.
Personal computer 316_4 is used by the software developer 315_MID, who can develop the high-level handler layer of the SAM chip 308 and the low-level handler layer including the driver layer.
Personal computer 316_5 is used by the software developer 315_SUP, who is the manufacturer of the SAM chip 308 and has authority to manage the SAM chip 308 as a whole.
The enterprises 315_AP1, 315_AP2 and 315_AP3 produce the applications AP_1, AP_2 and AP_3 using the personal computers 316_1, 316_2 and 316_3, and download the produced applications, via the verification devices 317_1, 317_2 and 317_3 and the SAM chip 308, into memory blocks allocated in advance in the external memory 307.
Thus, at this point the enterprises 315_AP1, 315_AP2 and 315_AP3 have no relationship with one another, but the memory blocks of the external memory 307 into which the applications AP_1, AP_2 and AP_3 are downloaded are determined in advance. The SAM chip 308 verifies whether an application has the right to be downloaded into such a memory block.
Further, during execution of the applications AP_1, AP_2 and AP_3, the firewall FW restricts data transfer and data inspection among the applications AP_1, AP_2 and AP_3.
The software developer 315_MID downloads predetermined programs to the SAM chip 308 via the verification device 317_4 as required, in order to customize the high-level handler layer of the SAM chip 308 shown in Figure 49, the low-level handler layer including the driver layer, and so on.
Further, the software developer 315_SUP downloads predetermined programs to the SAM chip 308 via the verification device 317_5 in order to customize all of the layers shown in Figure 49.
As described later, when a predetermined program is downloaded from the personal computers 316_1 to 316_5 to the SAM chip 308, the verification devices 317_1 to 317_5 perform mutual verification with the SAM chip 308 and generate download signature verification key information and the like with it.
The personal computer 305 is used by the owner of the IC card 303, that is, the end user.
The personal computer 305 is connected to a dumb-type card reader/writer 304 via a serial port or USB port. The card reader/writer 304 performs only the physical wireless communication with the IC card 303.
The operation commands sent to the IC card 303 are generated, and the response packets returned from the IC card 303 are analyzed, on the SAM device 309 side. Thus, the card reader/writer 304, the personal computer 305 and the ASP server 306 between them only hold the command or response content in a data payload portion and relay that data payload portion; they take no part in the encryption, decryption or authentication of data or in other operations of the IC card 303.
The ICE 318 is an emulator used when debugging programs on the SAM chip 308.
The components shown in Figure 48 will be described below.
IC card 303
The IC card 303 stores the key information and the like needed for settlement processing using the SAM chip 308.
Verification devices 317_1 to 317_5
Figure 50 is a functional block diagram of the verification device 317_1.
As shown in Figure 50, the verification device 317_1 has a memory 350_1 and a processor 351_1.
As shown in Figure 50, the memory 350_1 stores SAM_ID, mutual verification master key information K1 and access master key information KA.
SAM_ID is the identification information of the SAM chip 308.
As described later, the mutual verification master key information K1 is used to generate the mutual verification key information K2.
As described later, the access master key information KA is used to generate the download signature information used when a program is downloaded to the external memory 307.
The access master key information KA is the key information needed to download a program of the AP layer of the software configuration of the SAM chip 308 shown in Figure 49 to the external memory 307.
As shown in Figure 50, the processor 351_1 has a mutual verification device 352_1 and a download processor 353_1.
As shown in Figure 51, when a program is downloaded to the external memory 307, the mutual verification device 352_1 encrypts SAM_ID as plaintext using the mutual verification master key information K1 to generate the mutual verification key information K2, and uses this mutual verification key information K2 for mutual verification with the SAM chip 308.
As shown in Figure 52, when a program is downloaded to the external memory 307, the download processor 353_1 encrypts SAM_ID as plaintext using the access master key information KA to generate download key information K_DA. Further, the download processor 353_1 generates download signature information using the download key information K_DA and sends it to the SAM chip 308.
The verification devices 317_2 and 317_3 have the same structure as the verification device 317_1 described above, but the content of the access master key information KA differs for each verification device.
Figure 53 is a functional block diagram of the verification device 317_4.
As shown in Figure 53, the verification device 317_4 has a memory 350_4 and a processor 351_4.
As shown in Figure 53, the memory 350_4 stores SAM_ID, mutual verification master key information K1 and access master key information KA and KM.
SAM_ID, the mutual verification master key information K1 and the access master key information KA are the same as described above.
The access master key information KM is the key information used to download programs of the high-level handler layer and of the low-level handler layer including the driver layer of the software configuration of the SAM chip 308 shown in Figure 49 to the external memory 307 or the SAM chip 308.
As shown in Figure 53, the processor 351_4 has a mutual verification device 352_4 and a download processor 353_4.
The mutual verification device 352_4 is the same as the mutual verification device 352_1 illustrated in Figure 51.
As shown in Figure 54, when a program is downloaded to the external memory 307, the download processor 353_4 encrypts SAM_ID as plaintext using the access master key information KA to generate download key information K_DA. Next, the download processor 353_4 encrypts the download key information K_DA as plaintext using the access master key information KM to generate download key information K_DM. Then, the download processor 353_4 generates download signature information using the download key information K_DM and sends it to the SAM chip 308.
Figure 55 is a functional block diagram of the verification device 317_5.
As shown in Figure 55, the verification device 317_5 has a memory 350_5 and a processor 351_5.
As shown in Figure 55, the memory 350_5 stores SAM_ID, mutual verification master key information K1 and access master key information KA, KM and KS.
SAM_ID, the mutual verification master key information K1 and the access master key information KA and KM are the same as described above.
The access master key information KS is the key information needed to download programs of the OS layer of the software configuration of the SAM chip 308 shown in Figure 49 to the external memory 307 or the SAM chip 308.
As shown in Figure 55, the processor 351_5 has a mutual verification device 352_5 and a download processor 353_5.
The mutual verification device 352_5 is the same as the mutual verification device 352_1 illustrated in Figure 51 above.
As shown in Figure 56, when a program is downloaded to the external memory 307, the download processor 353_5 encrypts SAM_ID as plaintext using the access master key information KA to generate download key information K_DA. Next, the download processor 353_5 encrypts the download key information K_DA as plaintext using the access master key information KM to generate download key information K_DM. Then, the download processor 353_5 encrypts the download key information K_DM as plaintext using the access master key information KS to generate download key information K_DS. Finally, the download processor 353_5 generates download signature information using the download key information K_DS and sends it to the SAM chip 308.
In the present embodiment, the verification devices 317_1, 317_4 and 317_5 hold the information in the memories 350_1, 350_4 and 350_5 securely. When this information is subjected to external destruction or the device is forcibly opened, a detector detects this and the information held in the memories 350_1, 350_4 and 350_5 is erased.
SAM device 309
[External memory 307]
Figure 57 illustrates the memory blocks of the external memory 307.
As shown in Figure 57, the memory blocks of the external memory 307 include an AP memory block 320_1 storing the application AP_1 of the enterprise 315_1, an AP memory block 320_2 storing the application AP_2 of the enterprise 315_2, an AP memory block 320_3 storing the application AP_3 of the enterprise 315_3, and an AP management storage region 321 used by the administrator of the SAM chip 308.
Application AP_1, stored in AP memory block 320_1, is made up of a number of program modules. Access to AP memory block 320_1 is restricted by firewall FW_1.
Application AP_2, stored in AP memory block 320_2, is made up of a number of program modules. Access to AP memory block 320_2 is restricted by firewall FW_2.
Application AP_3, stored in AP memory block 320_3, is made up of a number of program modules. Access to AP memory block 320_3 is restricted by firewall FW_3.
In the present embodiment, a program module is the minimum unit that is downloaded from outside the SAM device 309 into the external memory 307. The number of program modules making up each application can be decided freely by the corresponding enterprise.
The applications AP_1, AP_2 and AP_3 stored in the external memory 307 are scrambled. They are descrambled when read into the SAM chip 308.
The applications AP_1, AP_2 and AP_3 are produced by the enterprises 315_1, 315_2 and 315_3 using the personal computers 316_1, 316_2 and 316_3 shown in Figure 48, and are downloaded to the external memory 307 via the SAM chip 308.
Access to the AP management storage region 321 is restricted by firewall FW_4.
Note that the firewalls FW_1, FW_2, FW_3 and FW_4 correspond to the firewall FW shown in Figure 49.
The AP management storage region 321 stores AP management data 330.
The AP management data 330 includes SAM_ID, mutual verification key information K2 (or mutual verification master key information K1), and download signature verification key information K_DVA, K_DVM and K_DVS.
Here, the download signature verification key information K_DVA is key information for verifying the legitimacy of signature information generated using the download key information K_DA.
The download signature verification key information K_DVM is key information for verifying the legitimacy of signature information generated using the download key information K_DM.
The download signature verification key information K_DVS is key information for verifying the legitimacy of signature information generated using the download key information K_DS.
The download signature verification key information is the key information used for the signature verification performed when a program module is downloaded to the external memory 307 via the SAM chip 308.
[SAM chip 308]
Figure 58 is a functional block diagram of the SAM chip 308 shown in Figure 48.
As shown in Figure 58, the SAM chip 308 has an ASPS communication interface 360, an external memory communication interface 361, a bus scrambling device 362, an encryption/decryption device 363, a memory 364 and a CPU 365.
The SAM chip 308 is a tamper-resistant module.
The ASPS communication interface 360 is the interface for input and output of data with the ASP server 306 shown in Figure 48.
The external memory communication interface 361 is the interface for input and output of data with the external memory 307.
When the external memory communication interface 361 inputs and outputs data, the bus scrambling device 362 scrambles the output data and descrambles the input data.
The encryption/decryption device 363 encrypts data and decrypts encrypted data.
The memory 364 stores the data used for the processing of the CPU 365.
The CPU 365 performs various processing, including the execution of applications by the SAM chip 308, according to a predetermined program (the program of the present invention) in the form of tasks and the like.
For example, the CPU 365 executes a download task 365a that performs the processing of downloading modules via the Internet 310.
The download operation of a program module performed by the download task 365a of the CPU 365 will be described below.
Figure 59 is a flow chart explaining the download operation.
In the following, the operation when the enterprise 315_AP1 downloads a program module of the application AP_1 shown in Figures 49 and 57 will be explained.
Step ST301:
The personal computer 316_1 shown in Figure 48 sends a download request specifying the module name of each program module making up the application AP_1 to be downloaded, to the SAM chip 308 via the verification device 317_1, the Internet 310, the ASP server 306 and the ICE 318.
Step ST302:
As shown in Figure 51, the mutual verification device 352_1 of the processor 351_1 of the verification device 317_1 encrypts SAM_ID as plaintext using the mutual verification master key information K1 to generate mutual verification key information K2.
Step ST303:
The mutual verification device 352_1 of the processor 351_1 of the verification device 317_1 performs mutual verification with the download task 365a of the CPU 365 of the SAM chip 308 using the mutual verification key information K2 generated at step ST302.
Step ST304:
When mutual legitimacy is confirmed by the mutual verification at step ST303, the device proceeds to the processing of step ST305; when mutual legitimacy is not confirmed, the processing ends.
Step ST305:
As shown in Figure 52, the download processor 353_1 of the processor 351_1 of the verification device 317_1 shown in Figure 50 encrypts SAM_ID as plaintext using the access master key information KA to generate download key information K_DA.
Step ST306:
The download processor 353_1 generates download signature information using the download key information K_DA generated at step ST305.
Step ST307:
The download processor 353_1 sends the download signature information generated at step ST306 to the SAM chip 308.
Step ST308:
The download task 365a of the CPU 365 of the SAM chip 308 shown in Figure 58 judges the legitimacy of the download signature information received at step ST307 using the download signature verification key information K_DVA shown in Figure 57.
At this time, the download task 365a judges from the module name received at step ST301 whether the download request is for the AP layer, and designates the download signature verification key information K_DVA accordingly.
Step ST309:
If the download signature information is judged legitimate at step ST308, the task proceeds to the processing of step ST310; otherwise the processing ends.
Step ST310:
The download task 365a of the CPU 365 of the SAM chip 308 shown in Figure 58 checks the module management data 330, designates the address in the external memory 307 corresponding to the module name specified at step ST301, and downloads the program module received from the personal computer 316_1 to the designated address in the external memory 307.
Note that when the software developer 315_MID downloads program modules of the high-level handler layer and the low-level handler layer shown in Figure 49 to the external memory 307, the download key information K_DM is generated at step ST305 by the routine illustrated in Figure 54. Using this download key information, the download signature information is generated at step ST306. Further, at step ST308, the SAM chip 308 uses the download signature verification key information K_DVM shown in Figure 57 to verify the download signature information.
Further, when the software developer 315_SUP downloads program modules of the OS layer shown in Figure 49 to the external memory 307, the routine illustrated in Figure 56 is used at step ST305 to generate the download key information K_DS. Using this download key information K_DS, the download signature information is generated at step ST306. Further, at step ST308, the SAM chip 308 uses the download signature verification key information K_DVS shown in Figure 57 to verify the download signature information.
Note that the software developers 315_MID and 315_SUP can also download program modules of the AP layer to the external memory 307 using the access master key information KA.
Further, the software developer 315_SUP can download program modules of the high-level handler layer and the low-level handler layer to the external memory 307 using the access master key information KA and KM.
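The following is an added model of the key chain of Figures 52, 54 and 56 and of the check at steps ST308 to ST310, not code from the patent. The page does not name the cipher used to encrypt SAM_ID with a master key, so HMAC-SHA256 stands in for it; the download signature is likewise an HMAC over the module, so each verification key K_DV* equals its signing key K_D*; the key values, module names and the rule that derives the layer from a module name are assumptions.

```python
# Added example (not code from the patent): layered download keys and the
# per-layer signature verification of download task 365a. Assumptions:
# "encrypt X with key K" is modelled as HMAC-SHA256(K, X); the signature is
# HMAC(K_D*, module); K_DV* == K_D*; keys, module names and the layer
# prefix convention are constructed for this example.
import hmac
import hashlib
from typing import Optional


def keyed(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for 'encrypt plaintext with key' (assumption: HMAC-SHA256)."""
    return hmac.new(key, plaintext, hashlib.sha256).digest()


# Constructed sample values; real SAM_ID and master keys are device secrets.
SAM_ID = b"SAM-ID-example-0001"
KA = b"access-master-key-KA-example"   # AP layer (verification devices 317_1..3)
KM = b"access-master-key-KM-example"   # handler layers (verification device 317_4)
KS = b"access-master-key-KS-example"   # OS layer (verification device 317_5)


def derive_download_keys(sam_id: bytes, ka: bytes, km: Optional[bytes] = None,
                         ks: Optional[bytes] = None) -> dict:
    """Figures 52/54/56: K_DA = E_KA(SAM_ID), K_DM = E_KM(K_DA), K_DS = E_KS(K_DM).
    A holder of fewer master keys can only derive the shorter chain."""
    keys = {"K_DA": keyed(ka, sam_id)}
    if km is not None:
        keys["K_DM"] = keyed(km, keys["K_DA"])
        if ks is not None:
            keys["K_DS"] = keyed(ks, keys["K_DM"])
    return keys


def layer_of(module_name: str) -> str:
    """Step ST308: the SAM chip decides the target layer from the module name.
    The 'ap/', 'mid/', 'os/' prefix convention is an assumption of this example."""
    prefix = module_name.split("/", 1)[0]
    return {"ap": "AP", "mid": "MID", "os": "OS"}.get(prefix, "UNKNOWN")


# Verification key chosen per layer (K_DVA for AP, K_DVM for the handler
# layers, K_DVS for the OS layer), following the notes after step ST310.
VERIFY_KEY_FOR_LAYER = {"AP": "K_DVA", "MID": "K_DVM", "OS": "K_DVS"}


def sign_module(download_key: bytes, module_name: str, module: bytes) -> bytes:
    """Step ST306: download signature information over the named module."""
    return keyed(download_key, module_name.encode() + b"\x00" + module)


class SamChipDownloadTask:
    """Model of download task 365a holding the AP management data 330
    (K_DVA, K_DVM, K_DVS) and writing accepted modules to external memory 307."""

    def __init__(self, sam_id: bytes, ka: bytes, km: bytes, ks: bytes):
        chain = derive_download_keys(sam_id, ka, km, ks)
        # Symmetric scheme (assumption): K_DV* holds the same value as K_D*.
        self.management_data_330 = {"K_DVA": chain["K_DA"],
                                    "K_DVM": chain["K_DM"],
                                    "K_DVS": chain["K_DS"]}
        self.external_memory_307 = {}

    def download(self, module_name: str, module: bytes, signature: bytes) -> bool:
        # Step ST308: pick the verification key from the requested layer.
        layer = layer_of(module_name)
        if layer == "UNKNOWN":
            return False
        verify_key = self.management_data_330[VERIFY_KEY_FOR_LAYER[layer]]
        expected = sign_module(verify_key, module_name, module)
        if not hmac.compare_digest(expected, signature):
            return False  # Step ST309: not legitimate, processing ends
        # Step ST310: store the module at the address for this module name.
        self.external_memory_307[module_name] = module
        return True


def demo() -> dict:
    """Enterprise 315_AP1 (KA only) versus developer 315_SUP (KA, KM, KS)."""
    sam = SamChipDownloadTask(SAM_ID, KA, KM, KS)
    module = b"\x01\x02\x03 constructed module bytes"
    ent = derive_download_keys(SAM_ID, KA)          # verification device 317_1
    sup = derive_download_keys(SAM_ID, KA, KM, KS)  # verification device 317_5
    ap_name, mid_name = "ap/AP_1/module1", "mid/driver1"
    ap_ok = sam.download(ap_name, module, sign_module(ent["K_DA"], ap_name, module))
    # The enterprise has no KM, so K_DM cannot be derived; signing a handler-layer
    # module with K_DA fails verification against K_DVM.
    mid_by_ent = sam.download(mid_name, module, sign_module(ent["K_DA"], mid_name, module))
    mid_by_sup = sam.download(mid_name, module, sign_module(sup["K_DM"], mid_name, module))
    # A module altered after signing fails verification at step ST308.
    tampered = sam.download(ap_name, module + b"x", sign_module(ent["K_DA"], ap_name, module))
    return {"ap_ok": ap_ok, "mid_by_ent": mid_by_ent,
            "mid_by_sup": mid_by_sup, "tampered": tampered,
            "stored": sorted(sam.external_memory_307)}
```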
The processing of a transaction using the IC card 303 performed by the communication system 301 shown in Figure 48 will be described below.
Figure 60 illustrates the overall operation of the communication system shown in Figure 48.
Step ST331:
315_1-315_3 of enterprise or the side that these enterprises asked produce application A P_1, AP_2 and the AP_3 of the execution of these enterprises about the processing of the transaction of use IC-card 303 on personal computer 316_1,316_2 shown in Figure 48 and 316_3.
At this moment, carry out the download process of utilizing Figure 59 to illustrate.
Step ST332:
By demo plant 317_1,317_2 and 317_3, application A P_1, AP_2 and AP_3 are downloaded to SAM chip 308 from personal computer 316_1,316_2 and 316_3.
At this moment, carry out the processing that utilizes Figure 56 to illustrate.
Step ST333:
The user is sent to IC-card 303.
IC-card 303 is preserved the key information of the transaction that is used for user and signatory enterprise.
Notice that after distribution IC-card 303, user and enterprise also can be by strike an agreements such as the Internets 310.
Step ST334:
For example, when the user wish to use personal computer 305 by the Internet 310 access servers 302 so that when buying product, server 302 sends the request of processing by the Internet 310 to ASP server 306.
When from server 302 reception processing requests, ASP server 306 is by the Internet 310 visit personal computers 305.In addition, the processing request about IC-card 303 of being sent by card reader/writer 304 is transmitted to SAM chip 308 by personal computer 305, the Internet 310 and ASP server 306.
Step ST335:
SAM chip 308 is selected application program according to the processing request that receives at step ST334 by the settlement process routine tasks, and carries out the application program of selecting.
Step ST336:
SAM chip 308 is exported to ASP server 306 to the execution result of application program.
As described above, in communication system 301 the authentication devices 317_1, 317_2 and 317_3 hold access master key information KA, authentication device 317_4 holds access master key information KM, and authentication device 317_5 holds access master key information KS, and program modules are downloaded to external memory 307 by the processing described above, so a program module can be downloaded only under the permission granted for its software level shown in Figure 49. This prevents an unauthorized party from illegally replacing or tampering with the program modules executed by SAM chip 308.
In addition, in communication system 301 the authentication devices 317_1, 317_4 and 317_5 hold their information securely in memories 350_1, 350_4 and 350_5, as described earlier. If this information is attacked from outside or the device is forcibly opened, a detector detects it and the information held in memories 350_1, 350_4 and 350_5 is erased. This prevents illegal use of the key information for downloads to SAM chip 308.
In addition, when SAM chip 308 runs several applications, data transfer between applications and references to another application's data or code are restricted by firewalls FW_1, FW_2 and FW_3, so one application cannot illegally interfere with or tamper with the processing of another, and the confidentiality of each application is improved.
In addition, since each application is composed of several program modules, program modules can be downloaded to external memory 307 one module at a time.
In addition, the sensitive key information used for operating IC card 303 is encrypted, over and above the ordinary scrambling, before being stored in external memory 307, which raises the security level of the key information.
In addition, when code is fetched through the bus scrambling function, an application can perform its own encryption and decryption, so an application held in external memory 307 is protected from illegal analysis and the like even while SAM chip 308 is not processing.
Figure 61 is a functional block diagram showing the functional blocks of SAM chip 308 of Figure 58 in more detail.
As shown in Figure 61, in SAM chip 308 the ASPS communication interface 360, external memory communication interface 361, bus scrambling device 362, encryption/decryption device 365, memory 364 and CPU 366 are connected through internal bus 390.
In SAM chip 308 of Figure 61, as shown for example in Figure 62, a card interface device 391 connected to internal bus 390 may be connected to an RF transceiver 392 outside SAM chip 308, and data is exchanged with IC card 303 contactlessly through antenna 392a of RF transceiver 392.
The present invention is not limited to the embodiments described above.
For example, the above embodiment described the case where program modules are downloaded from personal computers 316_1 to 316_5 to external memory 307 through SAM chip 308, but the present invention can be applied in the same way, using the download task 365a described above, when program modules are downloaded from personal computers 316_1 to 316_5 to memory 364 inside SAM chip 308.
The above embodiment also described the case where authentication devices 317_1 to 317_5 are provided on the personal computer 316_1 to 316_5 side of the Internet 310, but as shown in Figure 63 the authentication devices 317_1 to 317_5 may instead be provided inside SAM chip 308 and made accessible to the corresponding personal computers 316_1 to 316_5.
Fifth embodiment
The present embodiment corresponds to the seventeenth and eighteenth aspects of the present invention.
Figure 64 shows the overall configuration of the communication system 401 of the present embodiment.
As shown in Figure 64, in communication system 401 a server 402, IC card 403, card reader/writer 404, personal computer 405, ASP (application service provider) server 406, SAM (security application module) unit 409, personal computers 416_1, 416_2 and 416_3, and authentication devices 417_1, 417_2 and 417_3 communicate over the Internet 410 and perform settlement processing and other processing of procedures using IC card 403.
SAM unit 409 has an external memory 407 and a SAM chip 408.
SAM chip 408 has the software configuration shown in Figure 65. As shown in Figure 65, from the bottom layer to the top, SAM chip 408 has a HW (hardware) layer, an OS layer, a lower handler layer, an upper handler layer and an AP layer.
The lower handler layer includes a driver layer.
Here, the AP layer contains applications AP_1, AP_2 and AP_3, which define the procedures by which credit card companies or other enterprises 415_1, 415_2 and 415_3 shown in Figure 64 use IC card 403.
In the AP layer, a firewall FW is provided between applications AP_1, AP_2 and AP_3 and the upper handler layer.
SAM chip 408 is connected to ASP server 406 by bus 419 using a SCSI port, Ethernet or the like. ASP server 406 is connected over the Internet 410 to several terminal devices, including the end user's personal computer 405 and the personal computers 416_1, 416_2 and 416_3 of enterprises 415_1, 415_2 and 415_3.
Personal computer 405 is connected to a dumb-type card reader/writer 404 through a serial port or USB port. Card reader/writer 404 performs the physical wireless communication with IC card 403.
The operation commands sent to IC card 403 are generated on the SAM unit 409 side, and the response packets returned by IC card 403 are analyzed there. Card reader/writer 404, personal computer 405 and ASP server 406, which lie between them, only relay the data payload that carries the command or response. They take no part in encryption, decryption, authentication or any other actual operation on the data in IC card 403.
Enterprises 415_1, 415_2 and 415_3 create applications AP_1, AP_2 and AP_3 using personal computers 416_1, 416_2 and 416_3 and download the created applications through authentication devices 417_1, 417_2 and 417_3 and SAM chip 408 to storage areas assigned in advance in external memory 407.
Since enterprises 415_1, 415_2 and 415_3 have no relationship with each other, the storage areas of external memory 407 into which applications AP_1, AP_2 and AP_3 are downloaded are determined in advance, and SAM chip 408 verifies whether the downloading party has the right to download to that storage area.
Data transfer and data referencing between applications AP_1, AP_2 and AP_3 are restricted by firewall FW.
When applications AP_1, AP_2 and AP_3 are downloaded to SAM chip 408, as described later, authentication devices 417_1, 417_2 and 417_3 perform mutual authentication with SAM chip 408, generate download signature verification key information, and so on.
SAM unit 409 shown in Figure 64 is described in detail below.
External memory 407
Figure 66 illustrates the storage areas of external memory 407.
As shown in Figure 66, the storage area of external memory 407 includes an AP storage area 420_1 holding application AP_1 of enterprise 415_1, an AP storage area 420_2 holding application AP_2 of enterprise 415_2, an AP storage area 420_3 holding application AP_3 of enterprise 415_3, and an AP management storage area 421 used by the administrator of SAM chip 408.
Application AP_1 held in AP storage area 420_1 is composed of several program modules. Access to AP storage area 420_1 is restricted by firewall FW_1.
Application AP_2 held in AP storage area 420_2 is composed of several program modules. Access to AP storage area 420_2 is restricted by firewall FW_2.
Application AP_3 held in AP storage area 420_3 is composed of several program modules. Access to AP storage area 420_3 is restricted by firewall FW_3.
In the present embodiment, the program module is the minimum unit downloaded to external memory 407 from outside SAM unit 409. The number of program modules making up each application can be chosen freely by the corresponding enterprise.
Applications AP_1, AP_2 and AP_3 are created by enterprises 415_1, 415_2 and 415_3 using personal computers 416_1, 416_2 and 416_3 shown in Figure 64, and are downloaded to external memory 407 through SAM chip 408.
Access to AP management storage area 421 is permitted only to the administrator of SAM chip 408 by firewall FW_4.
Firewalls FW_1, FW_2, FW_3 and FW_4 correspond to the firewall FW shown in Figure 65.
AP management storage area 421 holds the AP management data 421 shown in Figure 66.
Here, AP management data 421 is used by SAM chip 408 to manage the execution of applications AP_1, AP_2 and AP_3.
In the present embodiment, as described later, applications AP_1, AP_2 and AP_3 and AP management data 421 held in external memory 407 are scrambled with a scrambling key K by bus scrambling device 461 in SAM chip 408, and are descrambled with scrambling key K when read into SAM chip 408.
SAM chip 408
Figure 67 is a functional block diagram of the SAM chip shown in Figure 64.
As shown in Figure 67, SAM chip 408 has an ASPS communication interface 460, bus scrambling device 461, signature processing device 462, authentication processing device 463, encryption/decryption device 464, memory 465 and CPU 466.
SAM chip 408 is a tamper-resistant module.
Here, CPU 466 corresponds to the data processing circuit of the present invention, and bus scrambling device 461 corresponds to the data input/output circuit of the present invention.
SAM chip 408 corresponds to the semiconductor circuit of the present invention, and external memory 407 corresponds to the semiconductor memory circuit of the present invention.
ASPS communication interface 460 is the interface for inputting and outputting data to and from ASP server 406 shown in Figure 64.
Bus scrambling device 461 scrambles data to be written to external memory 407 and descrambles data read from external memory 407.
That is, external memory 407 holds data in scrambled form.
The processing of bus scrambling device 461 is described in detail later.
As described later, signature processing device 462 generates signatures, and verifies signatures when applications are downloaded over the Internet 410 and when applications are executed.
As described later, when an application is downloaded to external memory 407 over the Internet 410, authentication processing device 463 performs mutual authentication with the other party.
Encryption/decryption device 464 encrypts data and decrypts encrypted data.
Memory 465 holds the data needed for the processing of CPU 466.
CPU 466 executes applications AP_1, AP_2 and AP_3 and the various processing corresponding to the services of SAM chip 408, accessing external memory 407 through bus scrambling device 461.
The processing of bus scrambling device 461 is described in detail below.
Note that the present embodiment describes the case where bus scrambling device 461 is used when the external bus is accessed, but bus scrambling device 461 can also be used when SAM chip 408 inputs or outputs data to the outside, such as another SAM chip 408, over an I/O bus or the like.
Bus scrambling device 461 encrypts the data input from CPU 466 with a predetermined scrambling key K and then writes it to external memory 407 over bus 419.
Bus scrambling device 461 also decrypts the data read from external memory 407 over bus 419 with scrambling key K and outputs it to CPU 466.
[Address space]
Let Nc be the cipher block length of the encryption algorithm used by bus scrambling device 461, and Nb the data bus width of bus 419. The example below considers the case where Nc is a multiple of Nb, that is, n = Nc/Nb is an integer.
Note that because parity data is added and addresses are scrambled, the address space of CPU 466 (the address space inside SAM chip 408) differs from the address space used by bus scrambling device 461 when it accesses external memory 407 (also called the "external memory address space" below).
Therefore, as shown in Figure 68, bus scrambling device 461 converts an address CPU_ADR (the first address of the present invention) input from CPU 466 into an address MEM_ADR (the second address of the present invention) in the external memory address space using a predetermined mapping f (address mapping algorithm), and accesses external memory 407 with address MEM_ADR.
As shown in Figure 69, the mapping f is defined only for an address a1 (address CPU_ADR) satisfying a1 mod (Nc/Nb) = 0. For any other address a2, external memory 407 is accessed using f(a2 - (a2 mod Nc/Nb)).
Here, "x mod y" is the remainder of dividing x by y.
That is, bus scrambling device 461 reads and writes external memory 407 in units of the cipher block length Nc.
Here, with Nc/Nb = n and m the smallest integer not less than n, bus scrambling device 461 accesses external memory 407 over bus 419 in units of m bus transactions (the data I/O transaction of the present invention).
[Configuration of bus scrambling device 461]
Figure 70 is a functional block diagram of bus scrambling device 461.
As shown in Figure 70, bus scrambling device 461 has an encryption device 431, decryption device 432, address management device 433, scrambling key management device 434, parity processing device 435, pipeline processing control device 436, working memory 437 and controller 438.
Encryption device 431 encrypts the data input from CPU 466 with the predetermined scrambling key K.
Decryption device 432 decrypts the data read from external memory 407 with the predetermined scrambling key K.
Address management device 433 converts an address CPU_ADR input from CPU 466 into an address MEM_ADR, as described above.
Scrambling key management device 434 manages the scrambling key K used by encryption device 431 and decryption device 432, and switches the scrambling key K as appropriate.
Parity processing device 435 adds parity data to the data to be written to external memory 407, and verifies the parity data attached to the data read from external memory 407.
Pipeline processing control device 436 divides the processing of bus scrambling device 461 into several stages and controls it so that the processing is pipelined stage by stage.
Working memory 437 is used for the processing of bus scrambling device 461.
Controller 438 controls the overall processing of bus scrambling device 461.
[Write operation to external memory 407]
Figure 71 illustrates the operation of bus scrambling device 461 when CPU 466 shown in Figure 67 writes data to external memory 407.
Figure 72 is a flow chart of the operation shown in Figure 71.
Step ST401:
CPU 466 outputs the data DATA to be written, namely "d32", and the address CPU_ADR, namely "a3", to bus scrambling device 461.
Data "d32" is written into working memory 437 of bus scrambling device 461 shown in Figure 70.
Step ST402:
When Nc > Nb, address management device 433 shown in Figure 70 looks up the mapping f(a3 - (a3 mod Nc/Nb)) for address "a3", which in this example (a3 mod Nc/Nb = 1) is f(a3-1), and uses f(a3-1) as the address MEM_ADR in the external memory address space.
Step ST403:
Controller 438 shown in Figure 70 reads the encrypted data block e({X1, X2}) from external memory 407 using the address MEM_ADR = f(a3-1) obtained at step ST402, and writes it into working memory 437.
Step ST404:
Decryption device 432 shown in Figure 70 decrypts the data block e({X1, X2}) read from working memory 437 to produce the data block {X1, X2}. Parity processing device 435 performs a parity check using the parity data attached to data block e({X1, X2}), and data block {X1, X2} is then written back into working memory 437.
Step ST405:
Controller 438 overwrites the element of data block {X1, X2} read from working memory 437 that corresponds to address "a3", namely the decrypted "X2", with the write data "d32" to produce the data block {X1, d32}, and writes it into working memory 437.
Step ST406:
Parity processing device 435 generates the parity data of data block {X1, d32}.
Step ST407:
Encryption device 431 encrypts the data block {X1, d32} read from working memory 437 with scrambling key K.
Step ST408:
Controller 438 writes the encrypted data block {X1, d32} to address MEM_ADR = f(a3-1) of external memory 407, and writes the parity data generated at step ST406 to a predetermined area of external memory 407.
Note that before the data block is encrypted at step ST407, controller 438 checks whether the next address input from CPU 466 is "a3-1". If it is, X1 in the data block is also overwritten with that write data before the block is encrypted and written to external memory 407.
This reduces the number of steps when writes to consecutive addresses are performed.
Furthermore, even when data of length Nb is written to external memory 407, controller 438 pads it with data of length (Nc - Nb) to obtain data of length Nc, encrypts that, and writes it to external memory 407.
That is, in external memory 407 a storage area of length Nc is allocated uniformly, even for data of length Nb.
[Read from external memory 407]
Figure 73 illustrates a read operation from external memory 407 by the bus scrambling device.
Figure 74 is a flow chart of this read operation.
Step ST411:
CPU 466 outputs the address CPU_ADR to be read to bus scrambling device 461.
Step ST412:
When Nc > Nb, address management device 433 shown in Figure 70 looks up the mapping f(a3 - (a3 mod Nc/Nb)) for address "a3", that is f(a3-1), and uses f(a3-1) as the address MEM_ADR in the external memory address space.
Step ST413:
Using the address MEM_ADR = f(a3-1) obtained at step ST412, the encrypted (scrambled) data block e({d31, d32}) is read from external memory 407 and written into working memory 437.
Step ST414:
Decryption device 432 shown in Figure 70 decrypts the data block e({d31, d32}) read from working memory 437 to produce {d31, d32}. Parity processing device 435 performs a parity check using the parity data attached to data block e({d31, d32}), and data block {d31, d32} is then written back into working memory 437.
Step ST415:
Controller 438 extracts from the data block {d31, d32} read from working memory 437 the decrypted data corresponding to CPU_ADR "a3", namely "d32", and outputs it to CPU 466.
That is, controller 438 extracts the "(a3 mod Nc/Nb) + 1"-th datum of the data block and outputs it to CPU 466.
[Management of scrambling keys]
Scrambling key management device 434 shown in Figure 70 manages the scrambling keys used by encryption device 431 and decryption device 432 as follows.
Scrambling key management device 434 can use a different key for each address in external memory 407. It must therefore hold several scrambling keys. An example of a method for holding several scrambling keys is given below.
As shown in Figure 75, scrambling key management device 434 holds several scrambling keys K1, K2 and K3. It switches the key used according to the address coming from CPU 466 and outputs that key to encryption device 431 and decryption device 432.
Specifically, it uses scrambling key K1 when address "a1" is accessed, scrambling key K2 when address "a2" is accessed, and scrambling key K3 when address "a3" is accessed.
Alternatively, as shown in Figure 76, a calculation circuit 434a in scrambling key management device 434 performs a calculation on the address input from CPU 466 using a key Ks forming a key hierarchy, and outputs the result of the calculation to encryption device 431 and decryption device 432 as the scrambling key K.
The calculation may be encrypting or decrypting the padded address with Ks, taking an exclusive OR (XOR), or some other calculation.
Bus scrambling device 461 may also hold the scrambling keys at predetermined locations on the bus and have the scrambling key corresponding to the address sent by CPU 466 delivered over the bus. In this case, since the data bus that carries the scrambling keys is the same bus as that of the bus scrambler, it must be controlled by the memory controller. The scrambling keys may be held anywhere inside or outside SAM chip 408; if they are held outside the chip, to protect the path to the chip, the scrambling keys are encrypted with a transport key and decrypted when they arrive at bus scrambling device 461. Bus scrambling device 461 holds the transport key in hardware or software form.
However, even if bus scrambling device 461 changes the scrambling key for each address input from CPU 466, if a given address is accessed repeatedly, the chance that the scrambling of that address region can be analyzed increases over time. The scrambling key is therefore not kept constant but is made variable by the techniques described below.
For example, when SAM chip 408 or the like is powered on, scrambling key management device 434 generates a random number and produces the scrambling key from it. Since the scrambling key essentially needs to be known only to the bus scrambler, this creates no key transport or synchronization problems.
Scrambling key management device 434 may also switch the scrambling key at every access to external memory 407. In this case the key that was used to encrypt the data already stored in external memory 407 differs from the key currently held, and the two must be kept apart.
The scrambling key is therefore updated, for example, as shown in Figures 77 and 78.
[1]: Encryption device 431 receives data "d3" from CPU 466, and bus scrambling device 461 receives address "a1" from CPU 466.
[2]: Bus scrambling device 461 accesses address "f(a1)" of external memory 407.
[3]: Data "e({d1, d2})" is read from address "f(a1)" of external memory 407 into decryption device 432.
[4]: Decryption device 432 decrypts data "e({d1, d2})" to produce data "{d1, d2}".
At this time scrambling key management device 434 selects scrambling key K1, and decryption device 432 decrypts with scrambling key K1.
"d1" is then overwritten with data "d3" to produce data "{d3, d2}".
[5]: Bus scrambling device 461 changes the scrambling key from K1 to K2. Scrambling keys K1 and K2 are timer values, values held per address, or values produced by random number generation or another technique.
[6]: Encryption device 431 encrypts the rewritten data "{d3, d2}" with the changed scrambling key K2 to produce data "e({d3, d2})".
[7]: Data "e({d3, d2})" is written to address "f(a1)" of external memory 407.
[Parity processing of parity processing device 435]
When data is written to external memory 407, parity processing device 435 calculates the parity data of the data in advance, before encryption, and writes the parity data to external memory 407 together with the encrypted data.
Thus, if some physical fault occurs in external memory 407 or the data is tampered with, this is detected when the data is read, so programs can be executed more safely.
Because parity data is added, even if the plaintext and ciphertext have the same length, the address space of CPU 466 and that of external memory 407 never coincide exactly. This is because when data "d1" is written to address "a1", at the same time as the Nc portion is written at f(a1), the parity data "p1" (of size Np) of data "d1" is written somewhere in external memory 407. The parity data is stored in a storage area of external memory 407 in one of the following ways.
In the first, the parity data is placed immediately after the data obtained by encrypting the corresponding plaintext. Bus scrambling device 461 then reads data "e(d1)" from address "f(a1)" of external memory 407 and subsequently reads parity data "p1" from address "f(a1) + Nc/Nb". In this way bus scrambling device 461 need not perform any special calculation other than the address mapping f.
In the second, a storage area dedicated to parity data is reserved in advance in external memory 407, and parity data "p1" is written into this dedicated area. In this case bus scrambling device 461 must handle a parity address mapping fp: parity data "p1" is written to address "fp(a1)" of external memory 407.
When parity processing device 435 detects a parity error, it suspends the processing of CPU 466 and so on, to prevent illegal processing of data or programs. Note that the content of the parity processing is not particularly limited.
[Pipeline processing of pipeline processing control device 436]
In the present embodiment, under the control of pipeline processing controller 436, the processing of bus scrambling device 461 is divided into several stages and pipelined stage by stage, which shortens the access time to external memory 407 as observed by CPU 466.
That is, without pipelining, one access from CPU 466 to external memory 407 requires at least the time needed to process one cipher block.
For example, if the processing performed by bus scrambling device 461 for a read instruction for the data at address "a1" issued by CPU 466 is pipelined, then when CPU 466 requests data at successively higher addresses starting from address "a1", as it does for program code and the like, the overhead of the encryption and decryption processing can be eliminated if bus scrambling device 461 reads the data at address "f(a1 + Nc/Nb)" in advance, after address "f(a1)".
For example, ignoring memory access time, consider a cipher such as triple DES in which each datum is encrypted in three rounds, one round takes one clock, and Nc/Nb = 1, and suppose CPU 466 issues instructions specifying addresses "a1", "a1+1" and "a1+2" so as to read consecutive data from external memory 407.
Here three rounds of decryption must be performed, and decrypting each datum takes three clocks.
Without pipelining, as shown in Figure 79A, three clocks after CPU 466 issues the first read instruction the data "e3(d1)" read from address "a1" of external memory 407 has been decrypted three times to yield data "d1", which is then input to CPU 466. After three more clocks the data "e3(d2)" read from address "a1+1" of external memory 407 has been decrypted three times to yield data "d2", which is input to CPU 466. After three more clocks the data "e3(d3)" read from address "a1+2" of external memory 407 has been decrypted three times to yield data "d3", which is input to CPU 466.
That is, data "d1", "d2" and "d3" are input to CPU 466 over the nine clocks following the first read instruction from CPU 466.
In contrast, in the present embodiment pipeline processing controller 436 treats each round as one stage and converts the decryption processing of decryption device 432 into the three-stage pipeline processing shown in Figure 79B.
As a result, the data corresponding to address "a1" is input to CPU 466 three clocks after the first read instruction from CPU 466, but the data corresponding to addresses "a1+1" and "a1+2" are then input to CPU 466 one clock each in succession.
Thus all of data "d1", "d2" and "d3" are input to CPU 466 five clocks after CPU 466 issues the first read instruction.
Note that when, after address "a1", CPU 466 requests data at an address "a2" far from address "a1", the data in the pipeline is discarded and the data of addresses "a2", "a2+1", ... is loaded into the pipeline.
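The clock counts above, and the cost of the pipeline flush on a jump, can be reproduced with the small timing model below. It is an added example, not code from the patent or from Sony, and it assumes what the text assumes: memory access time is ignored, decrypting one datum takes `rounds` clocks (three, as for triple DES), Nc/Nb = 1, and CPU 466 issues the next read as soon as the previous datum has been delivered. The prefetch of "a1+1", "a1+2", ... after a hit, and the discard on a distant address, follow the description above.

```python
# Added example (not from the patent): clock-level model of Figure 79A/79B.
# Assumptions: memory access time ignored, one decryption round per clock,
# Nc/Nb = 1, next read issued when the previous datum is delivered.

def simulate_reads(addresses, rounds=3, pipelined=True):
    """Return, per requested address, the clock at which its datum reaches the CPU."""
    clock = 0
    delivered = []
    next_in_stream = None  # address the prefetch stream will hand over next
    next_ready = None      # clock at which that address leaves the last stage
    for addr in addresses:
        if pipelined and addr == next_in_stream:
            # Hit in the prefetch stream: the datum exits one stage (one clock)
            # after the previous one, so the cipher latency is hidden.
            ready = next_ready
        else:
            # First request, a jump to a distant address, or no pipelining:
            # whatever is in the pipeline is discarded and decryption restarts,
            # costing the full `rounds` clocks again.
            ready = clock + rounds
        delivered.append(ready)
        clock = ready
        # The scrambler keeps fetching f(addr + Nc/Nb), f(addr + 2*Nc/Nb), ...
        next_in_stream, next_ready = addr + 1, ready + 1
    return delivered


def clocks_saved(addresses, rounds=3):
    """Clocks gained by pipelining for a given access pattern."""
    return (simulate_reads(addresses, rounds, pipelined=False)[-1]
            - simulate_reads(addresses, rounds, pipelined=True)[-1])


if __name__ == "__main__":
    seq = [0x100, 0x101, 0x102]          # "a1", "a1+1", "a1+2" from the text
    print(simulate_reads(seq, pipelined=False))   # Figure 79A: [3, 6, 9]
    print(simulate_reads(seq))                    # Figure 79B: [3, 4, 5]
    print(simulate_reads([0x100, 0x101, 0x800]))  # jump to "a2" flushes: [3, 4, 7]
```

The model shows why the gain depends on the access pattern: straight-line code or a sequential array walk pays the cipher latency once, while every jump to a non-adjacent address pays it again.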
[Address scrambling by address management device 433]
When SAM chip 408 repeatedly accesses a particular contiguous address region of external memory 407, it can be predicted to some extent that this contiguous region holds a subroutine or an array. If it holds an array or other data, an attacker who concentrates on that contiguous region can easily obtain data that are useful to him (such as the keys used by the operating side).
To avoid this, in the present embodiment the address bus leading from CPU 466 out of SAM chip 408 passes through bus scrambling device 461, and address management device 433 scrambles the addresses so that accesses to a contiguous region of external memory 407 are avoided. This scrambling corresponds to the mapping f mentioned above. If the addresses are not scrambled, the mapping f is simply the mapping that reserves the region for the parity data, for example "∀a ∈ [CPU address space], f(a) = (1+p)a", where p is the size adjustment for the parity data.
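The page gives only the unscrambled mapping f(a) = (1+p)a; the scramble itself is not specified. The following added example (not the patent's code) makes one concrete choice so that the claimed effect, that a contiguous CPU region does not appear contiguous on the external bus, can be checked: a 16-bit CPU address space, one parity word per eight data words (so p = 1/8), and a scramble built from a key XOR followed by a fixed bit permutation. All of these constants are constructed assumptions.

```python
"""Model of the address mapping f of bus scrambling device 461 (added example;
not the patent's own code).  f_parity_only is the page's f(a) = (1+p)a;
scramble() is an assumed keyed bijection standing in for address management
device 433.  All constants are constructed."""

ADDR_BITS = 16                   # assumed CPU address space 0000H-FFFFH
WORDS_PER_PARITY = 8             # assumed: one parity word per 8 data words, p = 1/8
SCRAMBLE_KEY = 0x5A3C            # constructed per-chip key XORed into the address
# Constructed bijection on bit positions: CPU address bit i lands on bit BIT_PERM[i].
BIT_PERM = (11, 3, 14, 7, 0, 9, 12, 5, 1, 15, 8, 2, 13, 6, 10, 4)
_INV_PERM = tuple(BIT_PERM.index(i) for i in range(ADDR_BITS))


def _permute_bits(value, perm):
    out = 0
    for src, dst in enumerate(perm):
        if (value >> src) & 1:
            out |= 1 << dst
    return out


def scramble(a):
    """Assumed form of the scramble: key XOR, then bit permutation (a bijection)."""
    return _permute_bits(a ^ SCRAMBLE_KEY, BIT_PERM)


def unscramble(s):
    return _permute_bits(s, _INV_PERM) ^ SCRAMBLE_KEY


def f_parity_only(a):
    """f(a) = (1+p)a with p = 1/WORDS_PER_PARITY: every WORDS_PER_PARITY data
    words are followed by one parity word in external memory 407, so the data
    word for CPU address a sits at a + a // WORDS_PER_PARITY (exact for a
    multiple of WORDS_PER_PARITY)."""
    return a + a // WORDS_PER_PARITY


def is_parity_slot(ext):
    return ext % (WORDS_PER_PARITY + 1) == WORDS_PER_PARITY


def f_scrambled(a):
    """The full mapping: scramble inside the CPU space, then lay out parity slots,
    so the parity layout of external memory is unchanged by the scramble."""
    return f_parity_only(scramble(a))


def cpu_address(ext):
    """Inverse of f_scrambled for a data slot; None for a parity slot."""
    if is_parity_slot(ext):
        return None
    return unscramble(ext - ext // (WORDS_PER_PARITY + 1))


def max_run_of_adjacent(addresses):
    """Longest run of CPU addresses whose external images are adjacent, i.e. what
    an observer of the external bus could still recognise as one array."""
    best = run = 1
    for prev, cur in zip(addresses, addresses[1:]):
        run = run + 1 if abs(f_scrambled(cur) - f_scrambled(prev)) == 1 else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    for a in range(0x2000, 0x2004):
        print(f"{a:04X}H -> external {f_scrambled(a):04X}H")
    print("longest adjacent run over 2000H-20FFH:",
          max_run_of_adjacent(list(range(0x2000, 0x2100))))   # 1
```

Two properties matter for a design like this and both are asserted below: the mapping must stay a bijection onto the data slots (otherwise two CPU addresses would collide in external memory), and no two consecutive CPU addresses may land on adjacent external addresses. Note what the scramble does not give: it is a fixed permutation, so the same CPU address always hits the same external address, and an attacker can still count how often a given external location is touched. The scramble hides layout, not access frequency.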
The overall operation of communication system 401 shown in Figure 64 is described below.
Figure 80 illustrates the overall operation of communication system 401 shown in Figure 64.
Step ST431:
Enterprises 415_1 to 415_3, or parties commissioned by them, produce applications AP_1, AP_2 and AP_3 on personal computers 416_1, 416_2 and 416_3 shown in Figure 64. These applications are used for processing the transactions that the enterprises carry out using IC card 403.
In addition, the administrator of SAM chip 408 produces AP management data 421, scrambles it and stores it in external memory 407.
Step ST432:
Applications AP_1, AP_2 and AP_3 are downloaded from personal computers 416_1, 416_2 and 416_3 to SAM chip 408 through authentication devices 417_1, 417_2 and 417_3.
Step ST433:
IC card 403 is issued to the user.
The IC of IC card 403 holds the key information for the transactions agreed between the user and the enterprises.
Note that a contract between the user and an enterprise can also be concluded after IC card 403 has been issued, for example over the Internet 410.
Step ST434:
For example, when the user accesses server 402 through the Internet 410 using personal computer 405 and tries to purchase a product, server 402 sends a processing request to ASP server 406 through the Internet 410.
When ASP server 406 receives the processing request from server 402, it accesses personal computer 405 through the Internet 410. A processing request concerning IC card 403 issued from card reader/writer 404 is then forwarded to SAM chip 408 through personal computer 405, the Internet 410 and ASP server 406.
Step ST435:
SAM chip 408 selects an application according to the processing request received in step ST434 and executes the selected application.
While the application is being executed, SAM chip 408 communicates with external memory 407 through the processing of bus scrambling device 461 described above.
Step ST436:
SAM chip 408 outputs the execution result of the application to ASP server 406.
Figure 81 is a functional block diagram showing the functional blocks of SAM chip 408 shown in Figure 67 in more detail.
As shown in Figure 81, in SAM chip 408 the card I/F device 491, ASP communication interface 460, bus scrambling device 461, encryption/decryption device 465, memory 463 and CPU 466 are connected by internal bus 490.
Part of the functions of signature processing device 462 and verification processing device 463 shown in Figure 67 are realized by CPU 466.
As shown in Figure 82, SAM chip 408 of Figure 81 can connect card I/F device 491 on internal bus 490 to an RF transceiver 492 located outside SAM chip 408, and exchange data contactlessly with IC card 203 through antenna 492a of RF transceiver 492.
As described above, according to communication system 401, giving bus scrambling device 461 in SAM chip 408 the functions described above yields the following effects.
That is, according to communication system 401, confidential data related to processing that uses IC card 403 can be stored safely in external memory 407.
In addition, according to communication system 401, pipelining the processing of bus scrambling device 461 lets SAM chip 408 access external memory 407 at high speed.
In addition, according to communication system 401, giving bus scrambling device 461 a parity function improves the reliability of the data read from external memory 407.
Sixth embodiment
The present embodiment corresponds to the nineteenth aspect of the present invention.
[Related art of the present embodiment]
A computer of the related art that executes transaction (settlement) programs using an IC card is described first.
Figure 83 is a functional block diagram of a computer 501 for electronic settlement according to the related art.
As shown in Figure 83, computer 501 has a CPU 502, a memory 503 and a communication circuit 504.
CPU 502, memory 503 and communication circuit 504 are connected to CPU data bus 506.
CPU 502 and communication circuit 504 are connected to CPU address bus 507.
CPU 502 controls the overall operation of computer 501, works according to the instructions of the program stored in memory 503, and accesses memory 503 while working.
Communication circuit 504 communicates with IC card 508 by a contact or contactless system. In the contact type, IC card 508 and communication circuit 504 are connected through electrical contacts. In the contactless type, IC card 508 and communication circuit 504 are connected by electromagnetic waves, light or the like.
The data received from IC card 508 through communication circuit 504 are processed by CPU 502 according to the program stored in memory 503. The data obtained by the processing of CPU 502 are transmitted to IC card 508 through communication circuit 504.
In addition, CPU 502 writes the settlement results produced by communicating with IC card 508 into memory 503.
Figure 84 illustrates the software configuration of CPU 502 shown in Figure 83.
In Figure 84, the lowest layer is the hardware layer, that is, the hardware of CPU 502 shown in Figure 83.
Above the hardware layer is the communication driver layer, which contains the communication driver that controls communication circuit 504 connected to CPU 502. The program of the communication driver layer is normally stored in nonvolatile memory.
Above the communication driver layer is the operating system (OS) layer, which provides the programs forming the basis of operation of CPU 502. Compared with the layers below it, the OS layer provides the application (AP) layer above it with higher-level services; examples are the functions "get_card_type()", "read_data(*rp)" and "write_data(*wp, wdata)" described later.
Above the OS layer is the AP layer, which is determined by the specific functions (services) that computer 501 realizes. The AP layer has application programs MAIN, AP_1, AP_2 and AP_3.
In the present embodiment, settlement and other transactions using IC card 508 are described in the form of application programs.
For example, in the OS layer and the AP layer, the function that determines the type of IC card 508 is defined as "get_card_type()".
In the OS layer and the AP layer, the type of IC card 508 can be determined by calling this function. For example, suppose three types of IC card 508 exist, types A, B and C. The return values of this function for each type of IC card 508 are defined as shown in Figure 85.
For example, if a type B IC card 508 is used, the return value of executing "get_card_type()" is "2".
In addition, in the OS layer and the AP layer, "read_data(*rp)" is defined as the function that reads data from the internal memory of IC card 508.
Here "*rp" is conceptually like a pointer in the C language: the "*" indicates that the variable that follows is a pointer variable, and "rp" indicates a particular location in the internal memory of IC card 508. "*rp" therefore denotes the contents of address "rp" in the memory of IC card 508. Assume that the internal memory now holds the data shown in Figure 86.
Then, if "rp = 102H", the return value of "read_data(*rp)" is "56H"; that is, the data at address "102H" is read.
In addition, in the OS layer and the AP layer, "write_data(*wp, wdata)" is defined as the function that writes data to a particular address of the internal memory of IC card 508. Here "*wp" is likewise conceptually a C pointer: the "*" indicates that the variable that follows is a pointer variable, and "wp" indicates a particular address in the internal memory of IC card 508, so "*wp" denotes the contents of address "wp" in the internal memory of IC card 508. "wdata" is the variable holding the data to be written. Assume that the memory of IC card 508 now holds the data shown in Figure 87. If "wp = 102H" and "wdata = 73H" and the function "write_data(*wp, wdata)" is executed, the data at address "102H" of this memory is rewritten to "73H", as shown in Figure 87.
Applications AP_1, AP_2 and AP_3 shown in Figure 84 define the transaction processing for the different types of IC card 508. The correspondence is shown in Figure 88.
In Figure 84, application MAIN is executed first when computer 501 starts. Application MAIN uses the function "get_card_type()" mentioned above to determine the type of the IC card 508 in use. According to the mapping table shown in Figure 88, CPU 502 selects and executes the application corresponding to the determined type of IC card 508.
If type A, type B and type C IC cards 508 are used by different enterprises, applications AP1, AP2 and AP3 are produced by separate enterprises. In addition, the storage region of the internal memory of IC card 508 is shared by applications AP1, AP2 and AP3; each application uses the partition allocated to it in advance.
As described above, applications AP1, AP2 and AP3 are produced by separate enterprises, but a program sometimes contains a mistake, one enterprise may read another enterprise's application by means of a malicious, illegal program, or a storage region of IC card 508 that an application is not allowed to access may be accessed without authorization.
[Embodiment of the invention]
Figure 89 is a structural view of a computer 551 according to an embodiment of the present invention.
As shown in Figure 89, computer 551 has a CPU 552, a memory 553, a communication circuit 504, a judgment circuit 560 and a switch circuit 561.
Here, CPU 552 corresponds to the computation circuit of the present invention, memory 553 to the memory circuit, communication circuit 504 to the communication circuit, judgment circuit 560 to the connection control circuit, and switch circuit 561 to the connection switch circuit of the present invention.
CPU 552, switch circuit 561, judgment circuit 560 and communication circuit 504 are connected to CPU data bus 506.
CPU data bus 506 corresponds to the transmission line of the present invention.
Switch circuit 561 is connected to memory 553 through memory data bus 562.
Memory 553, judgment circuit 560 and communication circuit 504 are connected to CPU address bus 507.
When CPU 552 accesses memory 553 or a peripheral device outside computer 551, CPU address bus 507 carries the address CPU_ADR.
In Figure 89, communication circuit 504 and IC card 508, which carry the same reference numerals as in Figure 83, are the same as those described with Figure 83.
CPU 552 has the same software structure as described above with Figure 84. That is, the programs defining the transaction processing for the three types of IC card 508, types A, B and C, are used as applications AP1, AP2 and AP3.
The data received from IC card 508 through communication circuit 504 are processed by CPU 552 according to the program stored in memory 553. The data obtained by the processing of CPU 552 are transmitted to IC card 508 through communication circuit 504.
In addition, CPU 552 writes the settlement results produced by communicating with IC card 508 into memory 553.
Switch circuit 561 switches CPU data bus 506 and memory data bus 562 between the connected state and the disconnected state according to judgment result signal S560 (the control signal of the present invention) from judgment circuit 560.
CPU 552 fetches (reads) from memory 553 and executes the instructions (code) of the OS layer program, program MAIN and applications AP1, AP2 and AP3 shown in Figure 84.
As it executes these instructions, CPU 552 generates an instruction-type indication signal S552a, an executing-AP indication signal S552b and, when needed, a called-AP indication signal S552c, and outputs them to judgment circuit 560.
Here, instruction-type indication signal S552a indicates which of a fetch instruction, a read instruction and a write instruction CPU 552 is executing.
A fetch instruction is an instruction by which CPU 552 fetches instruction code over CPU data bus 506.
A read instruction is an instruction by which CPU 552 reads data over CPU data bus 506.
A write instruction is an instruction by which CPU 552 writes data over CPU data bus 506.
Executing-AP indication signal S552b indicates which of applications AP1, AP2, AP3 and MAIN shown in Figure 84 and the OS program the instruction being executed by CPU 552 belongs to.
When the program module being executed by CPU 552 calls another program module, called-AP indication signal S552c indicates which of applications AP1, AP2, AP3 and MAIN and the OS program the called program module belongs to.
When switch circuit 561 enters the disconnected state as described later, CPU 552 suspends CPU data bus 506 and its own operation.
Judgment circuit 560 is described in detail below.
Judgment circuit 560 generates judgment result signal S560 from instruction-type indication signal S552a and executing-AP indication signal S552b input from CPU 552 and from address CPU_ADR input from CPU 552 over CPU address bus 507, and outputs judgment result signal S560 to switch circuit 561.
Figure 90 is a structural view of judgment circuit 560 shown in Figure 89.
As shown in Figure 90, judgment circuit 560 has a select circuit 570, a fetch judgment circuit 571, a read judgment circuit 572 and a write judgment circuit 573.
Select circuit 570 connects switch 574 to one of terminals 575_1, 575_2 and 575_3 according to instruction-type indication signal S552a input from CPU 552 shown in Figure 89.
Specifically, when instruction-type indication signal S552a indicates a fetch instruction, select circuit 570 connects switch 574 to terminal 575_1.
As a result, fetch judgment result signal S571 output from fetch judgment circuit 571 is output from judgment circuit 560 to switch circuit 561 through terminal 575_1 and switch 574 as judgment result signal S560.
When instruction-type indication signal S552a indicates a read instruction, select circuit 570 connects switch 574 to terminal 575_2.
As a result, read judgment result signal S572 output from read judgment circuit 572 is output from judgment circuit 560 to switch circuit 561 through terminal 575_2 and switch 574 as judgment result signal S560.
When instruction-type indication signal S552a indicates a write instruction, select circuit 570 connects switch 574 to terminal 575_3.
As a result, write judgment result signal S573 output from write judgment circuit 573 is output from judgment circuit 560 to switch circuit 561 through terminal 575_3 and switch 574 as judgment result signal S560.
Fetch judgment circuit 571 generates fetch judgment result signal S571 from executing-AP indication signal S552b, called-AP indication signal S552c and address CPU_ADR input from CPU 552, and outputs it to terminal 575_1 of select circuit 570.
Figure 91 is a structural view of fetch judgment circuit 571 shown in Figure 90.
As shown in Figure 91, fetch judgment circuit 571 has a memory 581_1 and a judgment device 582_1.
Memory 581_1 holds fetch range restriction data 584_1 and inter-AP fetch call relation restriction data 585_1.
Fetch range restriction data 584_1 defines, for each case of CPU 552 executing the OS layer program or application MAIN, AP1, AP2 or AP3 shown in Figure 84, the addresses in memory 553 that may be accessed when CPU 552 executes a fetch instruction.
Figure 92 illustrates fetch range restriction data 584_1.
The column (vertical) direction of Figure 92 lists the OS layer program and applications MAIN, AP1, AP2 and AP3 shown in Figure 84.
In the row (horizontal) direction, "FROM" indicates the start address of the address range in memory 553 that the program of the corresponding column is permitted to access, and "TO" indicates the end address of that range.
For example, application AP1 is permitted to access the address range "2000H" to "2FFFH" of memory 553.
Inter-AP fetch call relation restriction data 585_1 defines, for the case in which CPU 552 executes a fetch instruction, the permitted combinations of the program to which the calling program module belongs and the program to which the called program module belongs when one program module calls another.
Figure 93 illustrates inter-AP fetch call relation restriction data 585_1.
The column direction of Figure 93 lists the OS layer program and applications MAIN, AP1, AP2 and AP3 shown in Figure 84.
The row direction of Figure 93 likewise lists the OS layer program and applications MAIN, AP1, AP2 and AP3 shown in Figure 84.
Each intersection of a column and a row indicates whether a program module of the program of that column is permitted to call a program module of the program of that row: "o" means the call is permitted, "x" means it is not.
For example, a program module of application AP1 is permitted to call program modules of the OS program, MAIN and application AP3, but not a program module of application AP2.
Judgment device 582_1 uses executing-AP indication signal S552b and address CPU_ADR input from CPU 552 shown in Figure 89, together with fetch range restriction data 584_1 read from memory 581_1, to judge whether address CPU_ADR lies within the address range of memory 553 delimited by "FROM" and "TO" in the column of Figure 92 corresponding to the program indicated by executing-AP indication signal S552b.
When it judges that the address lies within that address range, judgment device 582_1 generates a fetch judgment result signal S571 indicating "connect" and outputs it to terminal 575_1 of select circuit 570 shown in Figure 90.
When it judges that the address does not lie within that address range, judgment device 582_1 generates a fetch judgment result signal S571 indicating "disconnect" and outputs it to terminal 575_1 of select circuit 570 shown in Figure 90.
In addition, when the program module being executed by CPU 552 calls a program module of another program, judgment device 582_1 uses executing-AP indication signal S552b and called-AP indication signal S552c input from CPU 552 shown in Figure 89, together with inter-AP fetch call relation restriction data 585_1 read from memory 581_1, to judge whether the call is a combination permitted by inter-AP fetch call relation restriction data 585_1 shown in Figure 93.
When it judges that the call is permitted, judgment device 582_1 generates a fetch judgment result signal S571 indicating "connect" and outputs it to terminal 575_1 of select circuit 570 shown in Figure 90.
When it judges that the call is not permitted, judgment device 582_1 generates a fetch judgment result signal S571 indicating "disconnect" and outputs it to terminal 575_1 of select circuit 570 shown in Figure 90.
Read judgment circuit 572 generates read judgment result signal S572 from executing-AP indication signal S552b, called-AP indication signal S552c and address CPU_ADR input from CPU 552, and outputs it to terminal 575_2 of select circuit 570.
Figure 94 is a structural view of read judgment circuit 572 shown in Figure 90.
As shown in Figure 94, read judgment circuit 572 has a memory 581_2 and a judgment device 582_2.
Memory 581_2 holds read range restriction data 584_2 and inter-AP read call relation restriction data 585_2.
Read range restriction data 584_2 defines, for each case of CPU 552 executing the OS layer program or application MAIN, AP1, AP2 or AP3 shown in Figure 84, the addresses in memory 553 that may be accessed when CPU 552 executes a read instruction.
Figure 95 illustrates read range restriction data 584_2.
The column (vertical) direction of Figure 95 lists the OS layer program and applications MAIN, AP1, AP2 and AP3 shown in Figure 84.
In the row (horizontal) direction, "FROM" indicates the start address of the address range in memory 553 that the program of the corresponding column is permitted to access, and "TO" indicates the end address of that range.
Inter-AP read call relation restriction data 585_2 defines, for the case in which CPU 552 executes a read instruction, the permitted combinations of the program to which the calling program module belongs and the program to which the called program module belongs when one program module calls another.
Figure 96 illustrates inter-AP read call relation restriction data 585_2.
The column direction of Figure 96 lists the OS layer program and applications MAIN, AP1, AP2 and AP3 shown in Figure 84.
The row direction of Figure 96 likewise lists the OS layer program and applications MAIN, AP1, AP2 and AP3 shown in Figure 84.
Each intersection of a column and a row indicates whether a program module of the program of that column is permitted to call a program module of the program of that row: "o" means the call is permitted, "x" means it is not.
Judgment device 582_2 uses executing-AP indication signal S552b and address CPU_ADR input from CPU 552 shown in Figure 89, together with read range restriction data 584_2 read from memory 581_2, to judge whether address CPU_ADR lies within the address range of memory 553 delimited by "FROM" and "TO" in the column of Figure 95 corresponding to the program indicated by executing-AP indication signal S552b.
When it judges that the address lies within that address range, judgment device 582_2 generates a read judgment result signal S572 indicating "connect" and outputs it to terminal 575_2 of select circuit 570 shown in Figure 90.
When it judges that the address does not lie within that address range, judgment device 582_2 generates a read judgment result signal S572 indicating "disconnect" and outputs it to terminal 575_2 of select circuit 570 shown in Figure 90.
In addition, when the program module being executed by CPU 552 calls a program module of another program, judgment device 582_2 uses executing-AP indication signal S552b and called-AP indication signal S552c input from CPU 552 shown in Figure 89, together with inter-AP read call relation restriction data 585_2 read from memory 581_2, to judge whether the call is a combination permitted by inter-AP read call relation restriction data 585_2 shown in Figure 96.
When it judges that the call is permitted, judgment device 582_2 generates a read judgment result signal S572 indicating "connect" and outputs it to terminal 575_2 of select circuit 570 shown in Figure 90.
When it judges that the call is not permitted, judgment device 582_2 generates a read judgment result signal S572 indicating "disconnect" and outputs it to terminal 575_2 of select circuit 570 shown in Figure 90.
Write judgment circuit 573 generates write judgment result signal S573 from executing-AP indication signal S552b, called-AP indication signal S552c and address CPU_ADR input from CPU 552, and outputs it to terminal 575_3 of select circuit 570.
Figure 97 is a structural view of write judgment circuit 573 shown in Figure 90.
As shown in Figure 97, write judgment circuit 573 has a memory 581_3 and a judgment device 582_3.
Memory 581_3 holds write range restriction data 584_3 and inter-AP write call relation restriction data 585_3.
Write range restriction data 584_3 defines, for each case of CPU 552 executing the OS layer program or application MAIN, AP1, AP2 or AP3 shown in Figure 84, the addresses in memory 553 that may be accessed when CPU 552 executes a write instruction.
Figure 98 illustrates write range restriction data 584_3.
The column (vertical) direction of Figure 98 lists the OS layer program and applications MAIN, AP1, AP2 and AP3 shown in Figure 84.
In the row (horizontal) direction, "FROM" indicates the start address of the address range in memory 553 that the program of the corresponding column is permitted to access, and "TO" indicates the end address of that range.
Inter-AP write call relation restriction data 585_3 defines, for the case in which CPU 552 executes a write instruction, the permitted combinations of the program to which the calling program module belongs and the program to which the called program module belongs when one program module calls another.
Figure 99 illustrates inter-AP write call relation restriction data 585_3.
The column direction of Figure 99 lists the OS layer program and applications MAIN, AP1, AP2 and AP3 shown in Figure 84.
The row direction of Figure 99 likewise lists the OS layer program and applications MAIN, AP1, AP2 and AP3 shown in Figure 84.
Each intersection of a column and a row indicates whether a program module of the program of that column is permitted to call a program module of the program of that row: "o" means the call is permitted, "x" means it is not.
Judgment device 582_3 uses executing-AP indication signal S552b and address CPU_ADR input from CPU 552 shown in Figure 89, together with write range restriction data 584_3 read from memory 581_3, to judge whether address CPU_ADR lies within the address range of memory 553 delimited by "FROM" and "TO" in the column of Figure 98 corresponding to the program indicated by executing-AP indication signal S552b.
When it judges that the address lies within that address range, judgment device 582_3 generates a write judgment result signal S573 indicating "connect" and outputs it to terminal 575_3 of select circuit 570 shown in Figure 90.
When it judges that the address does not lie within that address range, judgment device 582_3 generates a write judgment result signal S573 indicating "disconnect" and outputs it to terminal 575_3 of select circuit 570 shown in Figure 90.
In addition, when the program module being executed by CPU 552 calls a program module of another program, judgment device 582_3 uses executing-AP indication signal S552b and called-AP indication signal S552c input from CPU 552 shown in Figure 89, together with inter-AP write call relation restriction data 585_3 read from memory 581_3, to judge whether the call is a combination permitted by inter-AP write call relation restriction data 585_3 shown in Figure 99.
When it judges that the call is permitted, judgment device 582_3 generates a write judgment result signal S573 indicating "connect" and outputs it to terminal 575_3 of select circuit 570 shown in Figure 90.
When it judges that the call is not permitted, judgment device 582_3 generates a write judgment result signal S573 indicating "disconnect" and outputs it to terminal 575_3 of select circuit 570 shown in Figure 90.
Select circuit 570 is described next.
Select circuit 570 connects switch 574 to one of terminals 575_1, 575_2 and 575_3 according to instruction-type indication signal S552a from CPU 552.
Specifically, when instruction-type indication signal S552a indicates a fetch instruction, select circuit 570 connects switch 574 to terminal 575_1 and outputs fetch judgment result signal S571 to switch circuit 561 as judgment result signal S560. The connection/disconnection of switch circuit 561 is thus controlled by fetch judgment result signal S571.
When instruction-type indication signal S552a indicates a read instruction, select circuit 570 connects switch 574 to terminal 575_2 and outputs read judgment result signal S572 to switch circuit 561 as judgment result signal S560. The connection/disconnection of switch circuit 561 is thus controlled by read judgment result signal S572.
When instruction-type indication signal S552a indicates a write instruction, select circuit 570 connects switch 574 to terminal 575_3 and outputs write judgment result signal S573 to switch circuit 561 as judgment result signal S560. The connection/disconnection of switch circuit 561 is thus controlled by write judgment result signal S573.
An example of the operation of computer 551 is described next.
[First operational example]
The following describes the operation when computer 551, while executing a program module of application program AP1, executes a fetch instruction that designates address "2100H" of memory 553.
In this case, CPU_ADR indicating "2100H" is placed on CPU address bus 507, and the instruction-type indication signal S552a indicating a fetch and the executing-AP indication signal S552b indicating AP1 are output from CPU 552 to decision circuit 560.
Judgment circuit 582_1 shown in Figure 91 then uses executing-AP indication signal S552b and address CPU_ADR input from CPU 552, together with the fetch range limit data 584_1 of Figure 92 read from memory 581, to judge whether address "2100H" lies within the address range "2000H"-"2FFFH" of memory 553 defined by the "FROM" and "TO" entries of the AP1 row in Figure 92.
Since it does, judgment circuit 582_1 generates a fetch judging result signal S571 indicating "connect" and outputs it to terminal 575_1 of the selection circuit shown in Figure 90.
Because instruction-type indication signal S552a indicates a fetch, selection circuit 570 connects switch 574 to terminal 575_1.
The fetch judging result signal S571 indicating "connect" is thereby output through selection circuit 570 to switch circuit 561 shown in Figure 89 as judging result signal S560.
Switch circuit 561 therefore places CPU data bus 506 and memory data bus 562 in the connected state, allowing CPU 552 to access memory 553.
Note that if, in the situation described above, address CPU_ADR had indicated "3100H", that address is not within the address range "2000H"-"2FFFH", so a fetch judging result signal S571 indicating "disconnect" would be output from selection circuit 570 to switch circuit 561. Switch circuit 561 would then place CPU data bus 506 and memory data bus 562 in the disconnected state, preventing CPU 552 from accessing memory 553.
[Second operational example]
The following describes the operation when computer 551 executes a read instruction in a situation where a program module of application program AP2 calls a program of application program AP1.
In this case, the executing-AP indication signal S552b indicating AP2 and the called-AP indication signal S552c indicating AP1 are output from CPU 552 to read decision circuit 572.
Judgment circuit 582_2 of read decision circuit 572 consults the inter-AP read call-relation limit data 585_2 shown in Figure 96 and judges whether calling AP1 from AP2 is permitted.
Since it is, judgment circuit 582_2 generates a read judging result signal S572 indicating "connect" and outputs it to terminal 575_2 of selection circuit 570 shown in Figure 90.
Because instruction-type indication signal S552a indicates a read instruction, selection circuit 570 connects switch 574 to terminal 575_2.
The read judging result signal S572 indicating "connect" is thereby output through selection circuit 570 to switch circuit 561 shown in Figure 89 as judging result signal S560.
Switch circuit 561 therefore places CPU data bus 506 and memory data bus 562 in the connected state, so that CPU 552 can access memory 553.
If, on the other hand, the program module of application program AP2 calls a program of application program AP3 in the same situation, the inter-AP read call-relation limit data 585_2 of Figure 96 shows that a call from AP2 to AP3 is not permitted.
Judgment circuit 582_2 then generates a read judging result signal S572 indicating "disconnect" and outputs it to terminal 575_2 of selection circuit 570 shown in Figure 90.
The read judging result signal S572 indicating "disconnect" is thereby output through selection circuit 570 to switch circuit 561 shown in Figure 89 as judging result signal S560.
Switch circuit 561 therefore places CPU data bus 506 and memory data bus 562 in the disconnected state, preventing CPU 552 from accessing memory 553.
As described above, decision circuit 560 and switch circuit 561 determine the connection state between memory 553 and CPU data bus 506 according to the program being executed by CPU 552, using data established in advance for each program.
This prevents an application program being executed by CPU 552 from making unauthorized access to the instructions and data of another application program stored in memory 553, so that high security is maintained between application programs even while CPU 552 executes several of them.
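The two operational examples above can be traced in software. The following Python model of judgment circuits 582_1/582_2/582_3 and selection circuit 570 is an added illustration for this page, not code from the patent. Only the AP1 fetch range "2000H"-"2FFFH" (Figure 92) and the read call rules AP2 to AP1 permitted, AP2 to AP3 not permitted (Figure 96) come from the page; every other table entry, and the way the address-range check and the call-relation check are combined on a cross-AP access, are assumptions of the model.

```python
"""Software model of decision circuit 560 and selection circuit 570.
Added illustration for this page, not the patent's own logic.  Only AP1's
fetch range and the AP2->AP1 / AP2->AP3 read call rules are from the page;
the remaining table rows and the combination of the two checks are assumed."""
from enum import Enum


class Instr(Enum):
    FETCH = "fetch"   # S552a = fetch -> fetch judging result S571 is selected
    READ = "read"     # S552a = read  -> read judging result S572 is selected
    WRITE = "write"   # S552a = write -> write judging result S573 is selected


# Range limit data 584_1 (fetch), 584_2 (read), 584_3 (write): one
# (FROM, TO) row per AP as in Figure 92.  Only the AP1 fetch row is from the page.
RANGE_LIMITS = {
    Instr.FETCH: {"AP1": (0x2000, 0x2FFF), "AP2": (0x3000, 0x3FFF), "AP3": (0x4000, 0x4FFF)},
    Instr.READ:  {"AP1": (0x2000, 0x2FFF), "AP2": (0x3000, 0x3FFF), "AP3": (0x4000, 0x4FFF)},
    Instr.WRITE: {"AP1": (0x2800, 0x2FFF), "AP2": (0x3800, 0x3FFF), "AP3": (0x4800, 0x4FFF)},
}

# Inter-AP call-relation limit data 585_1/585_2/585_3: permitted
# (executing AP, called AP) pairs.  Figure 96: AP2->AP1 yes, AP2->AP3 no.
CALL_LIMITS = {
    Instr.FETCH: {("AP2", "AP1")},
    Instr.READ:  {("AP2", "AP1")},
    Instr.WRITE: set(),          # assumed: no AP may write into another AP's region
}


def judgment_circuit(instr, exec_ap, addr, called_ap=None):
    """One of judgment circuits 582_1/582_2/582_3; True means "connect".
    Inputs mirror S552b (executing AP), CPU_ADR and S552c (called AP).
    Assumption: the range check applies to the AP whose module is accessed,
    and a cross-AP access must additionally appear in the call table."""
    target = called_ap or exec_ap
    lo, hi = RANGE_LIMITS[instr].get(target, (1, 0))   # unknown AP -> empty range
    if not lo <= addr <= hi:
        return False
    if called_ap is not None and called_ap != exec_ap:
        return (exec_ap, called_ap) in CALL_LIMITS[instr]
    return True


def switch_561_state(instr, exec_ap, addr, called_ap=None):
    """Selection circuit 570: all three judgment circuits evaluate in parallel;
    the one matching instruction type S552a becomes judging result S560, which
    drives switch circuit 561 between CPU data bus 506 and memory data bus 562."""
    results = {kind: judgment_circuit(kind, exec_ap, addr, called_ap) for kind in Instr}
    return "connected" if results[instr] else "disconnected"


if __name__ == "__main__":
    # First operational example: AP1 fetches at 2100H, then at 3100H.
    print(switch_561_state(Instr.FETCH, "AP1", 0x2100))          # connected
    print(switch_561_state(Instr.FETCH, "AP1", 0x3100))          # disconnected
    # Second operational example: AP2 reads AP1's module, then AP3's.
    print(switch_561_state(Instr.READ, "AP2", 0x2100, "AP1"))    # connected
    print(switch_561_state(Instr.READ, "AP2", 0x4100, "AP3"))    # disconnected
```

The model keeps the three judgment circuits independent of the selection, as the hardware does: a fetch-range row says nothing about writes, so the write table is consulted only when S552a indicates a write. In a real device the interesting failure mode is a table row that is too wide; the empty write call table used here is the conservative default an engineer would want to justify relaxing.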
The present invention is not limited to the embodiment described above.
For example, the embodiment above describes decision circuit 560 holding the fetch range limit data 584_1, inter-AP fetch call-relation limit data 585_1, read range limit data 584_2, inter-AP read call-relation limit data 585_2, write range limit data 584_3 and inter-AP write call-relation limit data 585_3, but as shown in Figure 100 such data may instead be stored on an IC card 558, encrypted with key information K.
In that case decision circuit 560 holds key information K and a decryption program 590, accesses IC card 558 via CPU data bus 506 and communication circuit 504, reads the fetch range limit data 584_1, inter-AP fetch call-relation limit data 585_1, read range limit data 584_2, inter-AP read call-relation limit data 585_2, write range limit data 584_3 and inter-AP write call-relation limit data 585_3 from IC card 558, decrypts them with the predetermined decryption program 590 and key information K, and uses the decrypted data.
The decryption program itself may also be stored encrypted on IC card 558. Decision circuit 560 then reads the decryption program via communication circuit 504 and CPU data bus 506, decrypts it with predetermined key information, stores the decrypted program in memory 553, and reads and executes the decryption program from memory 553.
The embodiment above also has CPU 552 output the executing-AP indication signal S552b and the called-AP indication signal S552c to decision circuit 560, but as shown in Figure 101 these signals can instead be generated by decision circuit 560 itself by monitoring CPU address bus 507.
The seventh embodiment
This embodiment corresponds to the 20th and 21st aspects of the present invention.
Figure 102 is a structural view of semiconductor chip 631 of an embodiment of the present invention.
As shown in Figure 102, semiconductor chip 631 has an internal memory 632, a switch circuit 633, a switch circuit 634, a decision circuit 635, a selection circuit 636 and a CPU 637.
Internal memory 632, switch circuit 633, switch circuit 634, decision circuit 635 and CPU 637 are connected to CPU data bus 640.
Internal memory 632, decision circuit 635 and CPU 637 are connected to address bus 641.
Internal memory 632, decision circuit 635 and CPU 637 are connected to signal line 642.
Internal memory 632 is also connected to internal data bus 643.
Switch circuit 634 is also connected to external memory 660 via external data bus 644.
Selection circuit 636 is also connected to debugger 661 via external data bus 645.
Here, semiconductor chip 631 corresponds to the semiconductor circuit of the first aspect of the present invention, CPU data bus 640 to the first transmission line of that semiconductor circuit, program module PM_1 to the instructions of the program executed according to the first aspect, internal memory 632 to the memory circuit, CPU 637 to the processing circuit, switch circuit 633 to the first connection switching circuit, switch circuit 634 to the second connection switching circuit, decision circuit 635 to the connection control circuit, selection circuit 636 to the third connection switching circuit, external memory 660 to the storage device, and debugger 661 to the external device, each of the first aspect of the present invention.
Signal line 642 corresponds to the third transmission line of the first aspect, and address bus 641 to the fourth transmission line of the first aspect.
Judging result signal S635a corresponds to the first control signal of the first aspect, judging result signal S635b to the second control signal, and judging result signal S635c to the third control signal.
Figure 103 shows the software configuration of semiconductor chip 631 shown in Figure 102.
In Figure 103, the lowest layer is the hardware layer, that is, the hardware components of semiconductor chip 631 shown in Figure 102.
Above the hardware layer is the communication driver layer, which holds the driver programs that control communication. The programs of the communication driver layer are normally stored in non-volatile memory.
Above the communication driver layer is the operating system (OS) layer, which provides the programs that form the basis of operation of semiconductor chip 631. Compared with the layers below it, the OS layer offers higher-level, more abstract services to the application (AP) layer above it.
Above the OS layer is the AP layer, which is defined by the specific functions (services) that semiconductor chip 631 realizes. The AP layer has application programs AP1, AP2 and AP3, realized by program modules PM_1, PM_2 and PM_3 shown in Figure 102.
Internal memory 632 stores program module PM_1 of application program AP1 shown in Figure 103.
Figure 104 shows the structure of program module PM_1.
As shown in Figure 104, program module PM_1 is made up of a plurality of function modules. Figure 104 shows the case in which program module PM_1 consists of n function modules FM_1-FM_n.
As shown in Figure 104, the instruction (code) at the head of each function module FM_1-FM_n is an unlock instruction, and the instruction at its end is a lock instruction.
Here, a lock instruction is an instruction telling decision circuit 635, described later, to hold switch circuit 633 in the disconnected state until the next unlock instruction.
An unlock instruction is an instruction that causes switch circuit 633 to be switched to the connected state.
Switch circuit 633 sits between CPU data bus 640 and internal data bus 643.
Switch circuit 633 enters the connected or disconnected state according to the judging result signal S635a input from decision circuit 635.
Switch circuit 634 sits between CPU data bus 640 and external data bus 644.
Switch circuit 634 enters the connected or disconnected state according to the judging result signal S635b input from decision circuit 635.
Decision circuit 635 monitors address bus 641 and signal line 642. When the address signal that CPU 637 places on address bus 641 indicates an address in the region of internal memory 632 holding program module PM_1, and the instruction-type indication signal S637a that CPU 637 places on signal line 642 indicates a fetch instruction, decision circuit 635 generates a judging result signal S635a indicating "connect". In all other cases it generates a judging result signal S635a indicating "disconnect".
Decision circuit 635 outputs judging result signal S635a to switch circuit 633.
When decision circuit 635 generates a judging result signal S635a indicating "connect", it also generates a judging result signal S635b indicating "disconnect" and outputs it to switch circuit 634.
When decision circuit 635 generates a judging result signal S635a indicating "disconnect", it generates a judging result signal S635b indicating "connect" and outputs it to switch circuit 634.
When decision circuit 635 generates a judging result signal S635a indicating "connect", it also generates a judging result signal S635c indicating invalid/disconnect and outputs it to selection circuit 636.
When decision circuit 635 generates a judging result signal S635a indicating "disconnect", it generates a judging result signal S635c indicating valid/connect and outputs it to selection circuit 636.
When, during execution of program module PM_1 of Figure 104 by CPU 637, a function module in program module PM_1 is called by a branch instruction contained in another function module being executed by CPU 637, decision circuit 635 outputs the judging result signal S635a indicating "connect" to switch circuit 633 on the condition that the first instruction fetched after the branch is the instruction at the head of the called function module (that is, when the executed branch instruction designates the head instruction of the called function module).
As explained with Figure 104, the head of each function module holds an unlock instruction (the disconnection release instruction of the first aspect of the present invention), so from that unlock instruction until the next lock instruction (the disconnection start instruction of the first aspect) is executed, decision circuit 635 outputs the judging result signal S635a indicating "connect" to switch circuit 633. During that time, as described above, the judging result signal S635b indicating "disconnect" is sent to switch circuit 634 and the judging result signal S635c indicating invalid/disconnect is sent to selection circuit 636, so debugger 661 can neither temporarily stop the operation of CPU 637 nor collect CPU internal-state information from CPU 637. The function modules FM_1-FM_n of Figure 104 therefore cannot be accessed from program modules PM_2 and PM_3 in external memory 660, nor from debugger 661.
If instead, while CPU 637 is executing program module PM_1 of Figure 104, a function module in program module PM_1 is called by a branch instruction contained in another function module and the first instruction fetched is not the one at the head of the destination function module, decision circuit 635 outputs the judging result signal S635a indicating "disconnect" to switch circuit 633. In this case decision circuit 635 also suspends the operation of CPU 637 or carries out predetermined error processing.
When the judging result signal S635c from decision circuit 635 indicates invalid/disconnect, selection circuit 636 invalidates the HALT signal S661a input from debugger 661 (the operation stop request of the first aspect of the present invention) and does not output it to CPU 637. Here, HALT signal S661a is a signal instructing CPU 637 to stop operating temporarily.
When the judging result signal S635c from decision circuit 635 indicates invalid/disconnect, selection circuit 636 likewise invalidates the CPU internal-state read request signal S661b and the CPU internal-state overwrite request signal S661c input from debugger 661 and does not output them to CPU 637.
Here, CPU internal-state read request signal S661b is a signal requesting information showing the internal state of CPU 637.
CPU internal-state overwrite request signal S661c is a signal requesting that the information showing the internal state of CPU 637 be rewritten.
When, on the other hand, the judging result signal S635c from decision circuit 635 indicates valid/connect, selection circuit 636 outputs the HALT signal S661a input from debugger 661 to CPU 637.
When the judging result signal S635c from decision circuit 635 indicates valid/connect, selection circuit 636 also outputs the CPU internal-state read request signal S661b and CPU internal-state overwrite request signal S661c input from debugger 661 to CPU 637, and outputs to debugger 661 the CPU internal-state signal S637d that CPU 637 returns in response to CPU internal-state read request signal S661b.
CPU 637 outputs addresses of internal memory 632 to address bus 641 and the instruction-type indication signal S637a, showing the type of the instruction being executed, to signal line 642, and according to these signals carries out processing using the instructions and data of program module PM_1 read from internal memory 632 via switch circuit 633 and CPU data bus 640.
CPU 637 also outputs addresses of external memory 660 to address bus 641 and instruction-type indication signal S637a to signal line 642, and according to these signals carries out processing using the instructions and data of program modules PM_2 and PM_3 read from external memory 660 via external data bus 644, switch circuit 634 and CPU data bus 640.
When HALT signal S661a is input from debugger 661 via selection circuit 636, CPU 637 stops its operation.
When CPU 637 receives the CPU internal-state read request signal S661b input from debugger 661 via selection circuit 636, it outputs, via selection circuit 636, an internal-state signal S637d containing the information on the internal state of CPU 637 designated by signal S661b to debugger 661.
When CPU 637 receives the CPU internal-state overwrite request signal S661c input from debugger 661 via selection circuit 636, it rewrites the information representing the internal state of CPU 637 with the content designated by signal S661c.
Debugger 661 controls the operation of CPU 637 with HALT signal S661a according to the debugging target, monitors the operation of CPU 637 with internal-state read request signal S661b and internal-state signal S637d, and customizes CPU 637 with CPU internal-state overwrite request signal S661c.
Examples of the operation of semiconductor chip 631 are described next.
[First operational example]
Consider the situation in which debugger 661 outputs one of HALT signal S661a, CPU internal-state read request signal S661b and CPU internal-state overwrite request signal S661c to selection circuit 636.
In this case, while CPU 637 is accessing internal memory 632 via CPU data bus 640 and switch circuit 633, that is, while switch circuit 633 is in the connected state, the judging result signal S635c from decision circuit 635 puts selection circuit 636 in the invalid/disconnected state, so selection circuit 636 does not output HALT signal S661a, CPU internal-state read request signal S661b or CPU internal-state overwrite request signal S661c to CPU 637.
Debugger 661 therefore can access neither CPU 637 nor internal memory 632.
When, on the other hand, CPU 637 is not accessing internal memory 632, that is, when switch circuit 633 is in the disconnected state, the judging result signal S635c from decision circuit 635 puts selection circuit 636 in the valid/connected state, and selection circuit 636 outputs HALT signal S661a, CPU internal-state read request signal S661b and CPU internal-state overwrite request signal S661c to CPU 637.
Debugger 661 can therefore monitor and adjust the operation of CPU 637, but because switch circuit 633 is in the disconnected state it cannot access internal memory 632.
[Second operational example]
Consider the situation in which CPU 637 is accessing external memory 660 via switch circuit 634 and external data bus 644.
In this case, because of the judging result signals S635b and S635c from decision circuit 635, switch circuit 634 and selection circuit 636 are in the connected state, while because of judging result signal S635a switch circuit 633 is in the disconnected state. Internal memory 632 therefore cannot be accessed from external data buses 644 and 645.
As described above, in semiconductor chip 631, external access from external data buses 644 and 645 is not permitted while internal memory 632 and CPU data bus 640 are in the connected state.
According to semiconductor chip 631, unauthorized access from outside the chip to program module PM_1 stored in internal memory 632 can thus be reliably prevented, and the confidentiality of program module PM_1 maintained.
According to semiconductor chip 631, the process by which CPU 637 executes program module PM_1 also cannot be monitored or analyzed from outside.
According to semiconductor chip 631, program modules PM_2 and PM_3 stored in external memory 660 are likewise prevented from making unauthorized access to the secret program module PM_1.
The eighth embodiment
This embodiment corresponds to the 20th and 21st aspects of the present invention.
Figure 105 is a structural view of semiconductor chip 6131 of an embodiment of the present invention.
As shown in Figure 105, semiconductor chip 6131 has an encryption/decryption circuit 6134, a decision circuit 6135, a selection circuit 6136 and a CPU 6137.
Encryption/decryption circuit 6134 and CPU 6137 are connected to CPU data bus 6140.
Decision circuit 6135 and CPU 6137 are connected to address bus 6141.
Decision circuit 6135 and CPU 6137 are connected to signal line 6142.
Encryption/decryption circuit 6134 is also connected to external memory 6160 via external data bus 6144.
Selection circuit 6136 is also connected to debugger 6161 via external data bus 6145.
Note that the software configuration of Figure 103 applies equally to semiconductor chip 6131.
Here, semiconductor chip 6131 corresponds to the semiconductor chip of the second aspect of the present invention, external data bus 6144 to the first transmission line of the second aspect, external memory 6160 to the storage device of the second aspect, program module PM_1 to the instructions of the program executed according to the second aspect, encryption/decryption circuit 6134 to the encryption/decryption circuit of the second aspect, decision circuit 6135 to the control circuit of the second aspect, selection circuit 6136 to the selection circuit of the second aspect, CPU 6137 to the computing circuit of the second aspect, and external data bus 6145 to the second transmission line of the second aspect.
External memory 6160 is described first.
As shown in Figure 105, external memory 6160 stores program modules PM_1, PM_2 and PM_3.
In this embodiment, the case in which program module PM_1 is confidential is explained.
The secret program module PM_1 is stored encrypted in external memory 6160. The non-secret program modules PM_2 and PM_3 may be stored either encrypted or unencrypted.
Figure 106 shows the structure of program module PM_1.
As shown in Figure 106, program module PM_1 is made up of a plurality of function modules. Figure 106 shows the case in which it consists of n function modules FM_1-FM_n.
As shown in Figure 106, the head of each function module FM_1-FM_n carries an ID indicator giving an ID number. The ID indicator is not encrypted.
Here, the ID number is information identifying the corresponding function module. As described later, when encryption/decryption circuit 6134 decrypts a function module, the ID number is used to identify the key information for that decryption.
The end of each function module FM_1-FM_n carries an instruction indicating ID number "#0" (meaning that the instructions following it use no key, that is, are unencrypted instructions).
As shown in Figure 107, a function module is encrypted in units of data blocks of a predetermined data length. Parity data 1-n is appended to data blocks 1-n respectively.
For example, as shown in Figure 107, encryption/decryption circuit 6134 encrypts, in units of the predetermined data block, the function modules (Figure 106) of the program module PM_1 that is to be written into external memory 6160.
In doing so, encryption/decryption circuit 6134 encrypts each function module with arbitrary key information and, as explained with Figure 106, places at the head of each function module an unencrypted (plaintext) ID indicator specifying the ID number used to identify that function module.
Encryption/decryption circuit 6134 also generates and holds the key information table 6190 shown in Figure 108, which links the ID number assigned to a function module (the key designation information of the second aspect of the present invention) with the key information used to encrypt that function module.
When encryption/decryption circuit 6134 encrypts a data block it also generates parity data for the block, as shown in Figure 107, and stores the parity data in external memory 6160 linked to the corresponding data block. The parity data is generated so that the sum of the data block and the parity data equals a predetermined value.
For decryption, encryption/decryption circuit 6134 uses the ID number specified by the ID indicator at the head of a function module input from external memory 6160 as a key into key information table 6190 of Figure 108 to obtain the key information for that function module, and decrypts the function module with that key information in units of the data blocks mentioned above.
After decrypting the function module, encryption/decryption circuit 6134 judges the legitimacy of the parity data corresponding to it. If the parity data is judged legitimate, the decrypted data is output to CPU 6137; if it is judged illegitimate, the operation of CPU 6137 is stopped or predetermined error processing is carried out.
Note that in this embodiment the data length of a data block and the data length of a function module may be the same or different.
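The write and read paths through encryption/decryption circuit 6134, the plaintext ID indicator, key information table 6190 and the additive parity check can be exercised end to end. The following Python is an added illustration for this page, not the patent's circuit. The page names neither the cipher nor the "predetermined value" of the parity sum, so the model uses a SHA-256-derived XOR keystream as a stand-in cipher, a 16-byte data block, a one-byte parity that makes the block bytes plus the parity sum to 0 modulo 256, a two-byte big-endian ID indicator with "#0" as the end marker, and computes the parity over the plaintext block; all of these are assumptions.

```python
"""Model of encryption/decryption circuit 6134 and key information table 6190.
Added illustration for this page, not the patent's circuit.  Stand-in cipher,
block length, parity target and field encodings are assumptions."""
import hashlib
import os
import struct

BLOCK = 16            # assumed data block length of Figure 107
PARITY_TARGET = 0     # assumed "predetermined value": (sum(block) + parity) % 256 == 0
END_ID = 0            # ID "#0": the instructions that follow use no key (plaintext)


def keystream(key, block_no, length):
    """Stand-in cipher: SHA-256(key || block number || counter) expanded to `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">II", block_no, counter)).digest()
        counter += 1
    return bytes(out[:length])


def parity_byte(block):
    """Parity data chosen so that the block bytes plus the parity sum to PARITY_TARGET."""
    return (PARITY_TARGET - sum(block)) % 256


def parity_ok(block, parity):
    return (sum(block) + parity) % 256 == PARITY_TARGET


class EncDecCircuit6134:
    def __init__(self):
        self.key_table = {}   # key information table 6190: ID number -> key information

    def encrypt_module(self, fm_id, plaintext):
        """Write path: plaintext function module from CPU data bus 6140 becomes
        [ID indicator][block + parity]...[ID #0 marker] for external memory 6160.
        Modules with ID #0 are stored unencrypted."""
        head = struct.pack(">H", fm_id)
        tail = struct.pack(">H", END_ID)
        if fm_id == END_ID:
            return head + plaintext + tail
        if len(plaintext) % BLOCK:
            raise ValueError("function module must be a whole number of data blocks")
        key = self.key_table.setdefault(fm_id, os.urandom(16))   # "arbitrary key information"
        out = bytearray(head)
        for n in range(len(plaintext) // BLOCK):
            blk = plaintext[n * BLOCK:(n + 1) * BLOCK]
            out += bytes(p ^ k for p, k in zip(blk, keystream(key, n, BLOCK)))
            out.append(parity_byte(blk))          # parity over the plaintext block (assumed)
        return bytes(out) + tail

    def decrypt_module(self, stored):
        """Read path: select the key by the plaintext ID indicator, decrypt block
        by block, verify each parity, and only then release data toward CPU 6137.
        A failed check raises, standing in for 'stop the CPU / error processing'."""
        fm_id = struct.unpack(">H", stored[:2])[0]
        if struct.unpack(">H", stored[-2:])[0] != END_ID:
            raise ValueError("missing ID #0 end marker")
        body = stored[2:-2]
        if fm_id == END_ID:
            return body
        key = self.key_table[fm_id]               # unknown ID -> KeyError, treated as a fault
        if len(body) % (BLOCK + 1):
            raise ValueError("truncated block/parity pair")
        out = bytearray()
        for n in range(len(body) // (BLOCK + 1)):
            chunk = body[n * (BLOCK + 1):(n + 1) * (BLOCK + 1)]
            ct, parity = chunk[:BLOCK], chunk[BLOCK]
            pt = bytes(c ^ k for c, k in zip(ct, keystream(key, n, BLOCK)))
            if not parity_ok(pt, parity):
                raise RuntimeError(f"parity check failed on data block {n + 1}")
            out += pt
        return bytes(out)


def tamper_detected(circuit, stored, offset):
    """Flip one bit of the stored image at `offset`; True if the read path faults."""
    bad = bytearray(stored)
    bad[offset] ^= 0x01
    try:
        circuit.decrypt_module(bytes(bad))
        return False
    except (RuntimeError, KeyError, ValueError):
        return True


if __name__ == "__main__":
    circuit = EncDecCircuit6134()
    module = bytes(range(32))                       # constructed two-block function module
    image = circuit.encrypt_module(1, module)       # first operational example (write)
    print(circuit.decrypt_module(image) == module)  # True: second operational example (read)
    print(tamper_detected(circuit, image, 2))       # True: ciphertext byte altered
```

The additive parity catches the single-bit fault above, but it is a checksum, not a message authentication code: an attacker who can rewrite external memory 6160 and knows the plaintext can change several bytes of a block so that their sum, and hence the parity, is unchanged. A deployment that must resist tampering of the external memory would use an authenticated cipher mode in place of the parity. Note also that re-encrypting a module under the same table entry reuses the keystream of this stand-in cipher for the same block numbers; the real circuit would need a fresh key in table 6190 or a nonce for each write.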
Decision circuit 6135 generates a judging result signal S6135 indicating invalid/disconnect and outputs it to selection circuit 6136 while CPU 6137 is accessing (for example fetching from) the secret program module PM_1.
Decision circuit 6135 generates a judging result signal S6135 indicating valid/connect and outputs it to selection circuit 6136 while CPU 6137 is not accessing (for example fetching from) the secret program module PM_1.
Decision circuit 6135 monitors the addresses and instructions that CPU 6137 outputs on address bus 6141 and signal line 6142, and judges from them whether CPU 6137 is accessing program module PM_1.
When the judging result signal S6135 from decision circuit 6135 indicates invalid/disconnect, selection circuit 6136 invalidates the HALT signal S6161a input from debugger 6161 (the operation stop request of the second aspect of the present invention) and does not output it to CPU 6137. Here, HALT signal S6161a is a signal instructing CPU 6137 to stop operating temporarily.
When the judging result signal S6135 from decision circuit 6135 indicates invalid/disconnect, selection circuit 6136 likewise invalidates the CPU internal-state read request signal S6161b and the CPU internal-state overwrite request signal S6161c input from debugger 6161 and does not output them to CPU 6137.
Here, CPU internal-state read request signal S6161b is a signal requesting information showing the internal state of CPU 6137.
CPU internal-state overwrite request signal S6161c is a signal requesting that the information showing the internal state of CPU 6137 be rewritten.
When, on the other hand, the judging result signal S6135 from decision circuit 6135 indicates valid/connect, selection circuit 6136 outputs the HALT signal S6161a input from debugger 6161 to CPU 6137.
When the judging result signal S6135 from decision circuit 6135 indicates valid/connect, selection circuit 6136 also outputs the CPU internal-state read request signal S6161b and CPU internal-state overwrite request signal S6161c input from debugger 6161 to CPU 6137, and outputs to debugger 6161 the CPU internal-state signal S6137d that CPU 6137 returns in response to CPU internal-state read request signal S6161b.
CPU 6137 outputs addresses of external memory 6160 to address bus 6141 and the instruction-type indication signal S6137a, showing the type of the instruction being executed, to signal line 6142, and according to these signals carries out processing using the instructions and data of program modules PM_1, PM_2 and PM_3 read from external memory 6160 via external data bus 6144 and encryption/decryption circuit 6134.
When CPU 6137 receives the HALT signal S6161a input from debugger 6161 via selection circuit 6136, the operation of CPU 6137 is stopped.
When CPU 6137 receives the CPU internal-state read request signal S6161b input from debugger 6161 via selection circuit 6136, it outputs, via selection circuit 6136, an internal-state signal S6137d containing the information on the internal state of CPU 6137 designated by signal S6161b to debugger 6161.
When CPU 6137 receives the CPU internal-state overwrite request signal S6161c from debugger 6161 via selection circuit 6136, it rewrites the information showing the internal state of CPU 6137 with the content designated by signal S6161c. The operation of CPU 6137 is thereby controlled by debugger 6161.
Debugger 6161 controls the operation of CPU 6137 with HALT signal S6161a according to the debugging target, monitors the operation of CPU 6137 with internal-state read request signal S6161b and internal-state signal S6137d, and customizes CPU 6137 with CPU internal-state overwrite request signal S6161c.
Examples of the operation of the semiconductor chip shown in Figure 105 are described below.
[First operational example]
This example describes the case where CPU 6137 writes data of program module PM_1 to external memory 6160.
CPU 6137 outputs the write data to encryption/decryption circuit 6134 via CPU data bus 6140.
As described above, encryption/decryption circuit 6134 encrypts the write data in units of data blocks using the key information corresponding to the functional module, and writes the encrypted data to external memory 6160 via external data bus 6144.
Information relating to the key information used for the encryption is added to the key information table 6190 shown in Figure 108.
At this time, judging circuit 6135 outputs a judgment result signal S6135 indicating invalid/disconnected to selection circuit 6136, and selection circuit 6136 does not output the HALT signal S6161a, the CPU internal state read request signal S6161b or the CPU internal state overwrite request signal S6161c to CPU 6137.
Since the write data is already encrypted when it appears on external data bus 6144, the confidentiality of program module PM_1 is not lost even if external data bus 6144 is illegally probed.
[Second operational example]
This example describes the case where CPU 6137 reads instructions or data of program module PM_1 from external memory 6160.
In response to a read instruction issued by CPU 6137, the instructions or data of program module PM_1 are read from the designated address in external memory 6160 and output to encryption/decryption circuit 6134 via external data bus 6144.
Encryption/decryption circuit 6134 looks up the key information table 6190 shown in Figure 108 using the ID number indicated by the ID designation instruction placed in the header of each functional module, and obtains the key information corresponding to that ID number.
Encryption/decryption circuit 6134 then decrypts the instructions or data read from external memory 6160 in units of data blocks using that key information, and subsequently performs parity check processing.
The data or instructions that have passed the parity check processing are output to CPU 6137 via CPU data bus 6140.
At this time, judging circuit 6135 outputs a judgment result signal S6135 indicating invalid/disconnected to selection circuit 6136, and selection circuit 6136 does not output the HALT signal S6161a, the CPU internal state read request signal S6161b or the CPU internal state overwrite request signal S6161c to CPU 6137.
Since the data on external data bus 6144 is encrypted, the confidentiality of program module PM_1 is not lost even if external data bus 6144 is illegally probed.
As described above, with semiconductor chip 6131 the confidentiality of program module PM_1 is maintained even when the secret program module PM_1 is stored in external memory 6160 located outside semiconductor chip 6131.
That is, while CPU 6137 accesses the secret program module PM_1 stored in external memory 6160, selection circuit 6136 prohibits communication between debugger 6161 and CPU 6137, so the processing of program module PM_1 by CPU 6137 cannot be illegally monitored through debugger 6161.
In addition, since parity check processing is performed after the data and instructions read from external memory 6160 have been decrypted, the parity check can detect the case where improper key information was used for decryption, or where the data or instructions were damaged or tampered with, and the chip can deal with it appropriately.
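The two operational examples above describe one protection path: a program module leaves the chip only in encrypted form, is decrypted per block with the key looked up from the ID in the module header, is parity-checked after decryption, and the debugger is cut off from the CPU while a secret module is being accessed. The following is an added example modelling that path; it is not the patent's circuit. The page names no cipher, so a SHA-256 keystream XOR stands in for it here only so the example runs offline; the block size, the header layout and the "secret module" rule for the judging circuit are assumptions. One caveat a practitioner would add: a one-byte XOR parity detects any odd number of flipped bits in a block, but not an even number, and it is not a cryptographic integrity check; a MAC over the block would be needed to resist a deliberate attacker.

```python
"""Added example (not the patent's circuit): a model of the external-memory protection path in
Figure 105. Program modules are stored encrypted per block under a key looked up by the module
ID in the header, and parity-checked after decryption. The cipher is a stand-in: the page names
no algorithm, so a SHA-256 keystream XOR is used so the example runs offline. Block size, header
layout and the 'secret module' rule are assumptions."""
import hashlib

BLOCK = 16                 # assumed encrypted block size in bytes (15 data bytes + 1 parity byte)
DATA_PER_BLOCK = BLOCK - 1


def keystream(key: bytes, module_id: int, block_index: int) -> bytes:
    """BLOCK bytes of keystream for one block (toy stand-in for the real block cipher)."""
    material = key + module_id.to_bytes(2, "big") + block_index.to_bytes(4, "big")
    return hashlib.sha256(material).digest()[:BLOCK]


def parity(data: bytes) -> int:
    """XOR parity byte over a block's data bytes (the post-decryption parity check)."""
    p = 0
    for b in data:
        p ^= b
    return p


class EncryptionDecryptionCircuit:
    """Models circuit 6134 together with its key information table 6190 (module ID -> key)."""

    def __init__(self) -> None:
        self.key_table: dict[int, bytes] = {}

    def register_module_key(self, module_id: int, key: bytes) -> None:
        self.key_table[module_id] = key

    def write_module(self, module_id: int, plaintext: bytes) -> bytes:
        """Encrypt a module for external memory: ID header, length, then parity-tagged blocks."""
        key = self.key_table[module_id]
        padded = plaintext + b"\x00" * (-len(plaintext) % DATA_PER_BLOCK)
        out = bytearray(module_id.to_bytes(2, "big") + len(plaintext).to_bytes(4, "big"))
        for idx in range(len(padded) // DATA_PER_BLOCK):
            chunk = padded[idx * DATA_PER_BLOCK:(idx + 1) * DATA_PER_BLOCK]
            block = chunk + bytes([parity(chunk)])
            out += bytes(a ^ b for a, b in zip(block, keystream(key, module_id, idx)))
        return bytes(out)

    def read_module(self, ciphertext: bytes) -> bytes:
        """Look up the key by the header ID, decrypt block-wise, parity-check every block.

        A wrong key or a tampered/damaged block fails the check and raises instead of
        handing the CPU corrupted instructions."""
        module_id = int.from_bytes(ciphertext[:2], "big")
        length = int.from_bytes(ciphertext[2:6], "big")
        key = self.key_table[module_id]
        body = ciphertext[6:]
        if len(body) % BLOCK:
            raise ValueError("ciphertext is not a whole number of blocks")
        plain = bytearray()
        for idx in range(len(body) // BLOCK):
            enc = body[idx * BLOCK:(idx + 1) * BLOCK]
            block = bytes(a ^ b for a, b in zip(enc, keystream(key, module_id, idx)))
            if parity(block[:-1]) != block[-1]:
                raise ValueError("parity check failed in block %d" % idx)
            plain += block[:-1]
        return bytes(plain[:length])


class DebugGate:
    """Models judging circuit 6135 plus selection circuit 6136: debugger signals (HALT,
    internal-state read, internal-state overwrite) reach the CPU only while the CPU is
    not accessing a secret module (assumed rule)."""

    def __init__(self, secret_module_ids) -> None:
        self.secret = set(secret_module_ids)
        self.current_module = None   # module the CPU is currently accessing, if any

    def debug_allowed(self) -> bool:
        """Judgment result S6135: valid/connected only outside secret modules."""
        return self.current_module not in self.secret

    def forward(self, debugger_signal: str):
        """Selection circuit 6136: pass the debugger signal through, or drop it."""
        return debugger_signal if self.debug_allowed() else None
```

Flipping any single ciphertext bit, whether in a data byte or in the parity byte of a block, makes `read_module` raise, which is the detection the text describes; flipping two bits in the same block does not, which is why the parity check is a sanity check and not a tamper-proofing mechanism.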
The present invention is not limited to the above embodiments.
For example, the above embodiment describes the case where the key information table 6190 shown in Figure 108, that is, the key information, is stored in judging circuit 6135; however, key information table 6190 may also be encrypted and stored in external memory 6160.
Ninth embodiment
The present embodiment corresponds to the twenty-second to twenty-fourth aspects of the present invention.
This embodiment of the present invention is described below with reference to the drawings.
Figure 109 is a view of the overall configuration of the communication system 701 of the present embodiment.
As shown in Figure 109, in communication system 701 a server 702, an IC card 703, a card reader/writer 704, a personal computer 705, an ASP (application service provider) server 719 and a SAM (secure application module) device 709 communicate via the Internet and perform settlement processing or other processing of procedures that use IC card 703 (the integrated circuit of the present invention).
SAM device 709 (the data processing apparatus of the present invention) has an external memory 707 (the memory circuit of the present invention) and a SAM chip 708 (the semiconductor circuit of the present invention).
When necessary, SAM chip 708 exchanges data with another SAM chip 708a (the second semiconductor circuit of the present invention). As shown in Figure 110, SAM chip 708a is connected to another ASP server 719a different from the one SAM chip 708 is connected to, or, as shown in Figure 111, is connected to the same ASP server 719 as SAM chip 708.
The configuration of SAM chip 708a is basically the same as that of SAM chip 708.
The components shown in Figure 109 are described below.
[IC card 703]
Figure 112 is a functional block diagram of IC card 703.
As shown in Figure 112, IC card 703 has an IC (integrated circuit) 703a provided with a memory 750 and a CPU 751.
As shown in Figure 113, memory 750 has a memory area 755_1 used by a credit card company or other service enterprise 715_1, a memory area 755_2 used by a service enterprise 715_2, and a memory area 755_3 used by a service enterprise 715_3.
Memory 750 also stores key data used to judge access rights to memory area 755_1, key data used to judge access rights to memory area 755_2, and key data used to judge access rights to memory area 755_3. This key data is used for mutual authentication, data encryption and decryption, and the like.
Memory 750 also stores identification information of IC card 703 or of the user of IC card 703.
SAM device 709 is described in detail below.
As described above, SAM device 709 has external memory 707 (the memory circuit of the present invention) and SAM chip 708 (the semiconductor circuit of the present invention).
[Software configuration of SAM chip 708]
SAM chip 708 has the software configuration shown in Figure 114.
As shown in Figure 114, from the bottom layer to the top layer SAM chip 708 has a HW (hardware) layer, an OS layer, a lower handler layer, an upper handler layer and an AP layer.
The lower handler layer includes a driver layer.
In the AP layer, the applications AP_1, AP_2 and AP_3 (the application programs of the present invention), which define the procedures by which the credit card company or other enterprises 715_1, 715_2 and 715_3 use IC card 703, are read from external memory 707 and run.
In the AP layer, a firewall FW is set up between the applications AP_1, AP_2 and AP_3 and the upper handler layer.
[External memory 707]
Figure 115 illustrates the memory areas of external memory 707.
As shown in Figure 115, the memory area of external memory 707 includes an AP memory area 7220_1 storing the application AP_1 of service enterprise 715_1, an AP memory area 7220_2 storing the application AP_2 of service enterprise 715_2, an AP memory area 7220_3 storing the application AP_3 of service enterprise 715_3, and an AP management memory area 7221 used by the manager of SAM chip 708.
The application AP_1 stored in AP memory area 7220_1 is made up of several application element data APE (the data modules of the present invention) described later. Access to AP memory area 7220_1 is restricted by a firewall FW_1.
The application AP_2 stored in AP memory area 7220_2 is made up of several application element data APE described later. Access to AP memory area 7220_2 is restricted by a firewall FW_2.
The application AP_3 stored in AP memory area 7220_3 is made up of several application element data APE described later. Access to AP memory area 7220_3 is restricted by a firewall FW_3.
In the present embodiment, the application element data APE is the minimum unit that is downloaded to external memory 707 from outside SAM device 709. The number of application element data APE making up each application can be freely determined by the corresponding service enterprise.
The applications AP_1, AP_2 and AP_3 stored in external memory 707 are scrambled. They are descrambled when read into SAM chip 708.
Applications AP_1, AP_2 and AP_3 are produced by service enterprises 715_1, 715_2 and 715_3 using the personal computers 716_1, 716_2 and 716_3 shown in Figure 109, and are downloaded to external memory 707 via SAM chip 708.
Applications AP_1, AP_2 and AP_3 are described in detail below.
Each service enterprise has one or more applications in the SAM.
As shown in Figure 116, applications AP_1, AP_2 and AP_3 (below, AP) are made up of identification data AP_ID for identifying the application AP, data APE_NUM indicating the number of application element data APE included in the application, and one or more application element data APE.
The identification data AP_ID is set to a different value for each service enterprise.
As shown in Figure 116, application element data APE is made up of data APE_SIZE indicating the data size of the APE, identification data APE_ID identifying the APE, and the data proper.
Here, identification data APE_ID is made up of data APE_TYPE indicating the type of the APE and data INS_NUM indicating the identifier (instance identification number) of the APE within that type. Data INS_NUM is managed on the end user (service enterprise) side.
For example, when the APE is a file system configuration, data APE_TYPE is "2" and data INS_NUM is "1". Thus, within the same SAM, an APE can be uniquely determined from its identification data APE_ID.
External memory 707 shown in Figure 115 stores the above applications AP (AP_1, AP_2 and AP_3), encrypted outside SAM device 709 with encryption key data K_AP, in the form of application packages APP.
Different encryption key data is used as K_AP for each application.
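The AP layout just described (AP_ID, APE_NUM, then APEs each carrying APE_SIZE and an APE_ID made of APE_TYPE and INS_NUM) is a length-prefixed binary container, and a SAM that parses it must check every APE_SIZE against the package boundary before trusting it. The following is an added example of such a parser; it is not the patent's code. The page names the fields but gives neither their widths nor byte order, so the two-byte/one-byte layout below is an assumption, and the sample package is constructed.

```python
"""Added example (not the patent's code): a parser for the application package layout of
Figure 116, AP = AP_ID | APE_NUM | APE..., APE = APE_SIZE | APE_ID (APE_TYPE, INS_NUM) | data.
The page names the fields but not their widths or byte order; the widths below are assumed."""
import struct
from dataclasses import dataclass

AP_HEADER = struct.Struct(">HH")    # AP_ID (2 bytes), APE_NUM (2 bytes): assumed widths
APE_HEADER = struct.Struct(">HBB")  # APE_SIZE of the data proper, APE_TYPE, INS_NUM: assumed
APE_TYPE_FILE_SYSTEM_CONFIG = 2     # the one APE_TYPE value the text gives


@dataclass
class APE:
    ape_type: int
    ins_num: int
    data: bytes

    @property
    def ape_id(self):
        """APE_ID = (APE_TYPE, INS_NUM), unique within one SAM."""
        return (self.ape_type, self.ins_num)


@dataclass
class AP:
    ap_id: int
    apes: list


def build_ap(ap_id: int, apes) -> bytes:
    """Serialise an AP, as a service enterprise's PC would, so the parser has realistic input."""
    out = bytearray(AP_HEADER.pack(ap_id, len(apes)))
    for ape in apes:
        out += APE_HEADER.pack(len(ape.data), ape.ape_type, ape.ins_num) + ape.data
    return bytes(out)


def parse_ap(buf: bytes) -> AP:
    """Parse an AP, rejecting APE_SIZE values that overrun the buffer, trailing bytes and
    duplicate APE_IDs (the text requires APE_ID to identify an APE uniquely within a SAM)."""
    if len(buf) < AP_HEADER.size:
        raise ValueError("buffer shorter than AP header")
    ap_id, ape_num = AP_HEADER.unpack_from(buf, 0)
    offset = AP_HEADER.size
    apes = []
    for _ in range(ape_num):
        if offset + APE_HEADER.size > len(buf):
            raise ValueError("truncated APE header")
        size, ape_type, ins_num = APE_HEADER.unpack_from(buf, offset)
        offset += APE_HEADER.size
        if offset + size > len(buf):
            raise ValueError("APE_SIZE overruns the package")
        apes.append(APE(ape_type, ins_num, bytes(buf[offset:offset + size])))
        offset += size
    if offset != len(buf):
        raise ValueError("trailing bytes after the last APE")
    ids = [ape.ape_id for ape in apes]
    if len(set(ids)) != len(ids):
        raise ValueError("APE_ID must be unique within one SAM")
    return AP(ap_id, apes)


def find_ape(ap: AP, ape_type: int, ins_num: int):
    """Look an APE up by its APE_ID; returns None when the AP does not contain it."""
    for ape in ap.apes:
        if ape.ape_id == (ape_type, ins_num):
            return ape
    return None
```

The bounds checks are the point: a forged APE_SIZE is the classic way to make a container parser read past its buffer, and since the package reaches the SAM from outside the tamper boundary, nothing in it can be trusted before these checks run.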
The types of application element data APE described with Figure 116 are explained below.
Figure 117 shows an example of the application element data APE stored in an AP area.
As shown in Figure 117, the AP area stores, as application element data APE, card access key data, file system configuration data, SAM mutual authentication key data, inter-SAM key package key data, an IC card operation macro script program (the processing routine data of the present invention), a memory division key package, an area registration key package, an area deletion key package, a service registration key package, a service deletion key package and AP resource key data K_APE.
The application element data APE shown in Figure 117 are described below.
○ Card access key data
Card access key data is key data used for read or write operations on memory 750 of IC card 703. Key data referenced by the IC card operation macro script program described later is also included in the same type of APE, in the form of card access key data.
○ File system configuration data
The file system configuration data includes log data, negative data and genre data.
Log data is data on the usage history of the APE, negative data is invalidation information of IC cards, and genre data is the execution log at the SAM.
For example, the file system configuration selects the type of file access (record key flag classification ring) and, if it is a record key, sets the record size, the total number of records, the record signature version, the record signature method type, the record data size and the record signature key. It also indicates whether signature verification is performed when data is written into the file system from outside, and so on. Here, a "record" is the minimum unit in which file data is written and read.
○ SAM mutual authentication key data
SAM mutual authentication key data is key data used when another AP in the same SAM, or another SAM, accesses the corresponding APE.
It is also used for mutual authentication between APs within the same SAM.
○ Inter-SAM key package key
The inter-SAM key package key is encryption key data used when exchanging card access key data or other data after mutual authentication between SAMs.
○ IC card operation macro script program
The IC card operation macro script program is produced by the service enterprise itself and describes the processing relating to IC card 703 or the sequence of transactions with ASP server 719. The IC card operation macro script program is placed in SAM device 709 and then analysed by SAM chip 708, which generates the corresponding IC card entity data.
○ Memory division key package
The memory division key package is data used to divide the memory area of the memory of external memory 707 or IC card 703 before the service enterprise starts providing a service using IC card 703.
○ Area registration key package
The area registration key package is data used when performing area registration in the memory area of the memory of IC card 703 before the service enterprise starts providing a service using IC card 703.
○ Area deletion key package (internally generated)
The area deletion key package is a key package that can be generated automatically in the SAM from the card access key data.
○ Service registration key package (internally generated)
The service registration key package is used to register the application element data APE in external memory 707 before the service enterprise starts providing a service using IC card 703.
The service registration key package is a key package that can be generated automatically in the SAM from the card access key data.
○ Service deletion key package (internally generated)
The service deletion key package is used to delete the application element data APE registered in external memory 707.
The service deletion key package is a key package that can be generated automatically in the SAM from the card access key data.
○ Key data K_APE
Key data K_APE is used as the encryption key when the application element data APE is set. To keep the APs distinct, different key data K_APE is used for each AP when its application element data APE is set.
The above IC card operation macro script program (below also called the script program) is described in detail below.
The script program is a program that determines the applications AP_1, AP_2 and AP_3 of service enterprises 715_1, 715_2 and 715_3 running on SAM chip 708, and the processing procedure executed with respect to IC card 703 when an application is run.
In the present embodiment, as described later and shown in Figure 118, SAM chip 708 performs processing according to a script download task 769 and a script interpretation task 770, and from the AP management table data and the script program generates IC card entity template data 730_1, an input data block 731_x1, an output data block 732_x2, a log data block 733_x3 and a computation definition data block 734_x4 used for the procedures relating to service enterprises 715_1, 715_2 and 715_3.
Figure 119 illustrates the commands used to describe the IC card operation macro script program.
Among the commands, those relating to SAM chip 708 itself are given the initial letter "S", and those relating to operations on IC card 703 are given the initial letter "C".
The second letter is chosen according to use. For example, for a description set for the issuer of IC card 703 the second letter is "I"; for a description of an application element APE (COS element description) it is "S"; for a simple read description with respect to IC card 703 it is "R"; for a simple write description with respect to IC card 703 it is "W"; and for a computation definition of application element data APE it is "F".
The commands used to describe script programs 721_1, 721_2 and 721_3 include the SC command, SO command, SI command, SL command, SF command, CI command, CS command, CR command, CW command and CF command.
The SC command declares the maximum number of IC card entity data that SAM chip 708 can process simultaneously.
When SAM chip 708 can process 1000 sets of IC card entity data simultaneously, "SC:1000" is described.
The SO command declares which of the data blocks provided in SAM chip 708 forms the output data block 732_x2 that stores the data read from IC card 703 when processing with IC card 703 is performed according to the IC card entity data described later.
For example, when data blocks 1 to 10 are provided and the data read from IC card 703 is stored in data block 1, "SO:1" is described.
The SI command declares which of the data blocks provided in SAM chip 708 form the input data block 731_x1 that stores the data to be written to IC card 703 when processing with IC card 703 is performed according to the IC card entity data described later.
For example, when data blocks 1 to 10 are provided and the data to be written to IC card 703 is stored in data blocks 2 and 3, "SI:2,3" is described.
The SL command declares which of the data blocks provided in SAM chip 708 forms the log data block 733_x3 that stores the log data relating to the operation when processing with IC card 703 is performed according to the IC card entity data described later.
For example, when data blocks 1 to 10 are provided and the log data is stored in data block 4, "SL:4" is described.
The SF command provides the data block that forms the computation definition data block 734_x4, which describes the relation between the application element data APE with respect to IC card 703.
The content of the computation definition data block 734_x4 becomes the preprocessing information of the IC card entity data.
The CI command declares the issuer (service enterprise) of IC card 703.
The data of the service enterprise determined by the CI command becomes the IC card type information of the IC card entity data.
The CS command declares the operations performed with respect to the services of IC card 703 by referring to the names APE_N of the application element data APE (COS elements). The CS command can also declare processing by a function definition contained in the APE designated by name APE_N.
For example, "CS:"Rc"+"Wc"+"Wd"" may be described.
The APE_N designation information and the processing order information of the IC card entity data are determined from the content of the CS command.
The CR command declares that data read from IC card 703 is stored in a designated data block when the relation between the application element data APE is not defined (when no SF command is described).
For example, when the data read from IC card 703 is stored in data block 1, "CR:SO:1="Rc"" is described.
The CW command declares that data stored in a designated data block is written to IC card 703 when the relation between the application element data APE is not defined.
For example, when the data stored in data block 2 is written to IC card 703, "CW:SI:2="Wc"" is described.
The CF command designates the data block that describes a computation content generation service.
For example, when the computation content generation service is described in SF data block 1, "CF:CES_FUNC=SF:1" is described.
SF data block 1 describes, for example, ""Wc"=If ("Wc">10) then ("Wc"-10; "Wd"="Wc"*0.8+"Wd")". This formula expresses an operation in which, when the remaining count Wc of a service is greater than 10, 10 is subtracted from the value of Wc and points proportional to Wc (0.8 times Wc as written in the formula) are added to Wd as accumulated points.
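The command set above is small enough to parse completely, and doing so shows the consistency checks the script interpretation task has to make before it can build an entity template: a CR must read into a block declared by SO, a CW must write from a block declared by SI, a CF must point at a block provided by SF, and every APE_N named by CR or CW must appear in the CS processing order. The following is an added example of such a parser, assembled from the page's own command examples; it is not the patent's interpreter. The "SF:<block>=<formula>" line form and the "#" comment convention are assumptions, since the page shows the SF block's content but not the line that introduces it.

```python
"""Added example (not the patent's interpreter): a parser for the script commands of Figure 119
(SC, SO, SI, SL, SF, CI, CS, CR, CW, CF) that builds the entity template the script
interpretation task would derive and rejects CR/CW/CF references to undeclared blocks.
The 'SF:<block>=<formula>' line form and '#' comments are assumptions."""
import re
from dataclasses import dataclass, field

QUOTED = re.compile(r'"([^"]*)"')
CR_CW_ARG = re.compile(r'(SO|SI):(\d+)="([^"]*)"')
CF_ARG = re.compile(r'(\w+)=SF:(\d+)')


@dataclass
class EntityTemplate:
    max_entities: int = 0                                # SC
    issuer: str = ""                                     # CI -> IC card type information
    output_blocks: list = field(default_factory=list)    # SO -> output data block 732_x2
    input_blocks: list = field(default_factory=list)     # SI -> input data block 731_x1
    log_blocks: list = field(default_factory=list)       # SL -> log data block 733_x3
    sf_blocks: dict = field(default_factory=dict)        # SF -> computation definition block 734_x4
    services: list = field(default_factory=list)         # CS -> APE_N in processing order
    reads: dict = field(default_factory=dict)            # CR: output block -> APE_N
    writes: dict = field(default_factory=dict)           # CW: input block -> APE_N
    calc_services: dict = field(default_factory=dict)    # CF: service name -> SF block


def _block_list(arg: str) -> list:
    return [int(x) for x in arg.split(",") if x.strip()]


def parse_script(text: str) -> EntityTemplate:
    """Two passes: collect S-declarations, then resolve the C-commands that reference them."""
    t = EntityTemplate()
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, sep, arg = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        arg = arg.strip()
        if cmd == "SC":
            t.max_entities = int(arg)
        elif cmd == "SO":
            t.output_blocks = _block_list(arg)
        elif cmd == "SI":
            t.input_blocks = _block_list(arg)
        elif cmd == "SL":
            t.log_blocks = _block_list(arg)
        elif cmd == "SF":
            blk, _, formula = arg.partition("=")
            t.sf_blocks[int(blk)] = formula.strip()
        elif cmd == "CI":
            t.issuer = arg
        elif cmd == "CS":
            t.services = QUOTED.findall(arg)
        elif cmd in ("CR", "CW", "CF"):
            pending.append((cmd, arg))
        else:
            raise ValueError("unknown command %r" % cmd)

    for cmd, arg in pending:
        if cmd == "CF":
            m = CF_ARG.fullmatch(arg)
            if not m or int(m.group(2)) not in t.sf_blocks:
                raise ValueError("CF references an undeclared SF block: %s" % arg)
            t.calc_services[m.group(1)] = int(m.group(2))
            continue
        m = CR_CW_ARG.fullmatch(arg)
        if not m:
            raise ValueError("bad %s argument: %s" % (cmd, arg))
        kind, blk, ape_n = m.group(1), int(m.group(2)), m.group(3)
        # CR reads into an SO block, CW writes from an SI block; anything else is a script error
        declared = t.output_blocks if cmd == "CR" else t.input_blocks
        if kind != ("SO" if cmd == "CR" else "SI") or blk not in declared:
            raise ValueError("%s uses undeclared data block %s:%d" % (cmd, kind, blk))
        if ape_n not in t.services:
            raise ValueError("%s names APE_N %r that the CS command does not list" % (cmd, ape_n))
        (t.reads if cmd == "CR" else t.writes)[blk] = ape_n
    return t


# Constructed sample script, assembled from the command examples given in the text
SAMPLE_SCRIPT = """\
SC:1000
SO:1
SI:2,3
SL:4
SF:1="Wc"=If ("Wc">10) then ("Wc"-10; "Wd"="Wc"*0.8+"Wd")
CI:service enterprise 715_1
CS:"Rc"+"Wc"+"Wd"
CR:SO:1="Rc"
CW:SI:2="Wc"
CF:CES_FUNC=SF:1
"""
```

A script is data supplied by the service enterprise, not by the SAM's manager, so rejecting dangling block references at parse time, rather than when an entity is already executing against a card, is the check a practitioner would insist on.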
The data stored in the AP management memory area 7221 of external memory 707 shown in Figure 115 is described below.
Access to AP management memory area 7221 is restricted by a firewall FW_4.
Note that firewall FW_4 corresponds to the firewall FW shown in Figure 114.
Figure 120 illustrates the details of the data stored in AP management memory area 7221.
As shown in Figure 120, AP management memory area 7221 stores AP management table data 7300_1, 7300_2 and 7300_3 (the management data of the present invention) and APP table data 7310_1, 7310_2 and 7310_3 (the application permission data of the present invention).
Here, AP management table data 7300_1, 7300_2 and 7300_3 and APP table data 7310_1, 7310_2 and 7310_3 are recorded in advance when SAM chip 708 is configured. Furthermore, AP management table data 7300_1, 7300_2 and 7300_3 and APP table data 7310_1, 7310_2 and 7310_3 can be rewritten only by the manager of SAM chip 708.
AP management table data 7300_1, 7300_2 and 7300_3 are defined for each application AP.
APP table data 7310_1, 7310_2 and 7310_3 are defined for each SAM mutual authentication key data.
Figure 121 illustrates AP management table data 7300_1. The format of AP management table data 7300_2 and 7300_3 is the same as that of AP management table data 7300_1.
As shown in Figure 121, for each name APE_N of the application element data APE referenced in the IC card operation macro script program, it links together identification data APE_ID, inside/outside designation data IEI, identification data SAM_ID, identification data AP_ID, key data K_CARDA (the second key data of the present invention), key data K_SAM (the first key data of the present invention), data SET_APP, data FLAG_IP and data FLAG_STR.
The name APE_N of the application element data APE is a name assigned to the service (application element data APE) provided by the application of service enterprise 715_1, 715_2 or 715_3. Name APE_N is the identifier that is referenced, not the service name of the service that each service enterprise's application can use.
Here, identification data APE_ID is the identification data of the application element data APE.
Inside/outside designation data IEI is a flag that distinguishes whether the APE exists here in the form of an entity (inside designation) or is referenced through another SAM (outside designation).
Identification data SAM_ID is the identification data of the SAM that is the other party of the data transfer when SAM chip 708 performs processing relating to this application element data APE.
Figure 122 illustrates SAM_ID.
SAM_ID is 4-byte data and has a concept similar to the netmask of TCP/IP. The netmask can be set in units of bits.
For example, the netmask shown in Figure 122 is divided into three classes, namely class A, class B and class C. Between SAMs assigned the same netmask, one kind of key data for mutual authentication is sufficient. For example, in the present embodiment the same service enterprise is assigned the same netmask.
In Figure 122, the class A netmask is indicated by "255.XX.XX.XX": the first byte is assigned to a predetermined value designating the class, and the remaining three bytes are assigned to values designating the individual SAMs belonging to that class. Here "XX" may be set to any number. That is, the class A netmask can be used to determine 16777215 SAM_IDs belonging to class A.
The class B netmask is indicated by "255.255.XX.XX": two bytes are assigned to a predetermined value designating the class, and the remaining two bytes are assigned to values designating the individual SAMs belonging to that class. That is, the class B netmask can be used to determine 65535 SAM_IDs belonging to class B.
The class C netmask is indicated by "255.255.255.XX": three bytes are assigned to a predetermined value designating the class, and the last byte is assigned to values designating the individual SAMs belonging to that class. That is, the class C netmask can be used to determine 255 SAM_IDs belonging to class C.
Identification data AP_ID is the identification data of the application run by the SAM that is the other party of the data transfer when SAM chip 708 performs processing relating to the application element data APE.
Key data K_CARDA is key data used for transferring data with memory 750 of IC card 703 when SAM chip 708 performs processing relating to the application element data APE.
Key data K_SAM is key data used for transferring data with another SAM when SAM chip 708 performs processing relating to the application element data APE.
Data SET_APP designates which of the APP table data 7310_1, 7310_2 and 7310_3 is used (referenced) when SAM chip 708 performs processing relating to the application element data APE.
Data FLAG_IP is flag data indicating whether the data managed (held) by SAM chip 708 is disclosed to another SAM chip 708 or the like.
Data FLAG_STR is flag data indicating whether the data managed (held) by SAM chip 708 may be held by another SAM chip 708 or the like.
In Figure 121, APE_N "service A" is an access key of IC card 703 determined by the application in this SAM chip 708. The key data of "service A" is set as not disclosed, so neither an application of another SAM nor another application of the same SAM can reference that key data.
"Service C" is also an access key of IC card 703 determined by this application. When this SAM is assigned the class C netmask described above, the key data of "service C" is disclosed to applications on SAMs with SAM_ID "43.17.19.XX". The SAM mutual authentication key in this case is "TT1..., TTn". It is further determined whether another SAM may hold the key data of "service C" until the next use. When it may, the other SAM need not obtain the card access key from this SAM again the next time it uses "service C" on the card. The access key of "service B" is not obtained from this SAM but from the SAM with SAM_ID "43.17.19.XX". "SS1...SSn" is used as the mutual authentication key between the SAMs.
Whether the access key of "service B" may be held until the next use is determined by the flag designated by this SAM.
"Service B log record" indicates the file in which the log data is stored, and the SAM_ID "43.13.137.XX" is assigned to this log record. "Service B log record" has the same SAM netmask as "service B", so "SS1...SSn" is used as the mutual authentication key. Here, APP table data is provided for each mutual authentication key. In this example, permission to access "service B log record" and "service B" is determined in the APP table data 7310 of the other SAM, and the AP management table data on that other SAM references that access permission.
Figure 123 illustrates APP table data 7310_1.
The format of APP table data 7310_2 and 7310_3 is the same as that of APP table data 7310_1.
As shown in Figure 123, APP table data 7310_1 indicates, for the identification data APE_ID of each application element data APE, whether that APE can be read, written or executed from another application (another application element data APE).
For example, the APP table data 7310_1 shown in Figure 123 indicates that for "service B log record" reading is possible, writing is possible and executing (deletion) is impossible.
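The SAM_ID netmask classes and the worked "service A / service C / service B log record" example above together describe an access decision: the requesting SAM must fall under the masked SAM_ID the row names (and so share its mutual authentication key), the row's FLAG_IP must allow disclosure, the APP table selected by SET_APP must permit the requested operation, and FLAG_STR then says whether the peer may keep the card access key. The following is an added example that carries that decision through in code; it is not the patent's code. The page gives the field names and the masked SAM_IDs but no encoding or key values, so the dataclass layout, the APE_ID numbers and the key bytes below are constructed placeholders.

```python
"""Added example (not the patent's code): the SAM_ID netmask classes of Figure 122 and the
access decision a SAM makes from one AP management table row (Figure 121) plus the APP table
it points to via SET_APP (Figure 123). Field encodings, APE_ID numbers and key bytes are
constructed placeholders; the page gives only the field names and the masked SAM_IDs."""
from dataclasses import dataclass

CLASS_MASKS = {"A": 0xFF000000, "B": 0xFFFF0000, "C": 0xFFFFFF00}


def sam_id_to_int(sam_id: str) -> int:
    """Parse a 4-byte SAM_ID written as a dotted quad."""
    parts = [int(p) for p in sam_id.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("SAM_ID must be four bytes: %r" % sam_id)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def same_mask_group(sam_a: str, sam_b: str, mask_class: str) -> bool:
    """Two SAMs under the same netmask share one mutual-authentication key."""
    mask = CLASS_MASKS[mask_class]
    return (sam_id_to_int(sam_a) & mask) == (sam_id_to_int(sam_b) & mask)


def group_capacity(mask_class: str) -> int:
    """Size of a class's SAM-designating part, counted as the text counts it (all-ones excluded)."""
    return ~CLASS_MASKS[mask_class] & 0xFFFFFFFF


def matches_masked_id(peer_sam_id: str, masked: str) -> bool:
    """Match a concrete SAM_ID against a table entry such as '43.17.19.XX'."""
    peer, pattern = peer_sam_id.split("."), masked.split(".")
    return len(peer) == 4 == len(pattern) and all(m == "XX" or p == m for p, m in zip(peer, pattern))


@dataclass
class APManagementRow:
    """One row of AP management table data (Figure 121)."""
    ape_n: str
    ape_id: int
    iei: str          # "inside": held here as an entity; "outside": referenced via another SAM
    sam_id: str       # peer SAM_ID, masked
    ap_id: int
    k_carda: bytes    # card access key (second key data)
    k_sam: bytes      # mutual authentication key with the peer SAM (first key data)
    set_app: str      # which APP table applies (SET_APP)
    flag_ip: bool     # FLAG_IP: may the key be disclosed to another SAM?
    flag_str: bool    # FLAG_STR: may another SAM hold the key until the next use?


def authorize_peer(row: APManagementRow, app_tables: dict, peer_sam_id: str, operation: str):
    """Decide whether an application on peer_sam_id may perform operation ('read', 'write' or
    'execute') on the APE in row. Returns None when denied; otherwise which mutual-auth key
    the peer must run and whether it may keep the card access key afterwards."""
    if not row.flag_ip:
        return None                      # e.g. 'service A': never disclosed, even within this SAM
    if not matches_masked_id(peer_sam_id, row.sam_id):
        return None                      # peer is outside the netmask group the row names
    perms = app_tables.get(row.set_app, {}).get(row.ape_id)
    if perms is None or not perms.get(operation, False):
        return None                      # APP table denies read/write/execute for this APE_ID
    return {"mutual_auth_key": row.k_sam, "may_hold_card_key": row.flag_str}


# Constructed sample tables modelled on the worked example in the text (keys are placeholders)
APP_TABLES = {
    "APP_TT": {0x0C01: {"read": True, "write": True, "execute": True}},    # 'service C'
    "APP_SS": {0x0B02: {"read": True, "write": True, "execute": False}},   # 'service B log record'
}
SERVICE_A = APManagementRow("service A", 0x0A01, "inside", "43.17.19.XX", 1,
                            b"K_CARDA_A", b"TT-placeholder", "APP_TT", False, False)
SERVICE_C = APManagementRow("service C", 0x0C01, "inside", "43.17.19.XX", 1,
                            b"K_CARDA_C", b"TT-placeholder", "APP_TT", True, True)
SERVICE_B_LOG = APManagementRow("service B log record", 0x0B02, "outside", "43.13.137.XX", 2,
                                b"K_CARDA_B", b"SS-placeholder", "APP_SS", True, False)
```

Note the order of the checks: FLAG_IP is evaluated before the netmask match and the APP table, so a non-disclosed key is never released even to a peer that authenticates correctly with the group key, which is the behaviour the text describes for "service A".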
In addition, the AP management memory area 7221 of external memory 707 shown in Figure 115 stores IC card type data and AP selection data linked to AP_ID.
The IC card type data indicates the type of the IC card shown in Figure 109, and is the identification data of the credit card company that performs settlement of transactions using IC card 703.
In the present embodiment, the IC card operation macro script program defines (describes) service content that combines the names APE_N of several application element data APE. By describing that service content in the IC card entity data (task management data) explained later, a service combining the services of several application element data APE can be provided.
For example, a read service that reads data from IC card 703 and a write service that writes the data to server 702 can be combined and defined in the IC card entity data.
When a service provided by service enterprise 715_1, 715_2 or 715_3 is provided, APE_N or its service number is the operation command sent to IC card 703, and it can be analysed by IC card 703.
Application AP_1 is determined by the AP management table data 7300_1 stored in external memory 707 and the IC card operation macro script program, and is predetermined.
Application AP_2 is determined by the AP management table data 7300_2 stored in external memory 707 and the IC card operation macro script program, and is predetermined.
Application AP_3 is determined by the AP management table data 7300_3 stored in external memory 707 and the IC card operation macro script program, and is predetermined.
[SAM chip 708]
SAM chip 708 is connected to ASP server 719 via a SCSI port, Ethernet or the like. ASP server 719 is connected via the Internet 710 to several terminal devices, including the personal computer 705 of the end user and the personal computers 716_1, 716_2 and 716_3 of service enterprises 715_1, 715_2 and 715_3.
Personal computer 705 is connected to a dumb-type card reader/writer 704 via a serial port or USB port. Card reader/writer 704 performs the physical-level wireless communication with IC card 703.
The operation commands sent to IC card 703 are generated, and the response packets from IC card 703 are analysed, on the SAM device 709 side. Thus card reader/writer 704, personal computer 705 and ASP server 719, which sit between them, only store the content of commands or responses in data payload portions and relay those payload portions; they take no part in the encryption or decryption of data, in authentication, or in any other actual operation of IC card 703.
Personal computers 716_1, 716_2 and 716_3 can download the script programs described later to SAM chip 708 and thereby customise applications AP_1, AP_2 and AP_3.
Figure 124 is a functional block diagram of the SAM chip 708 shown in Figure 109.
As shown in Figure 124, the SAM chip 708 has an ASPS communication interface 760, an external memory communication interface 761, a bus scrambler 762, a random number generator 763, an encryption/decryption unit 764, a memory 765 and a CPU 766.
The SAM chip 708 is a tamper-resistant module.
The ASPS communication interface 760 is the interface for inputting and outputting data to and from the ASP server 719 shown in Figure 109.
The external memory communication interface 761 is the interface for inputting and outputting data to and from the external memory 707.
When data are input and output through the external memory communication interface 761, the bus scrambler 762 scrambles the output data and descrambles the input data.
The random number generator 763 generates the random numbers used in the authentication processing.
The encryption/decryption unit 764 encrypts data and decrypts encrypted data.
As explained later, the memory 765 stores the tasks, programs and data used by the CPU 766.
The CPU 766 executes, in accordance with a predetermined program (the program of the present invention), the script download task, the script interpretation task, the entity generation task (task management data generation task), the IC card process management task (task management data management task) and other tasks explained later.
The tasks, programs and data stored in the memory 765 are explained next.
Figure 125 shows the tasks, programs and data stored in the memory 765.
As shown in Figure 125, the memory 765 stores a script download task 769, a script interpretation task 770, an entity generation task 771, an IC card process management task 772, the IC card operation macro command scripts 721_1-721_3, the AP management table data 7300_1-7300_3, the APP table data 7310_1-7310_3, IC card entity template data 730_1-730_3, IC card entity data 773_x, input data blocks 731_x1, output data blocks 732_x2, log data blocks 733_x3 and computation definition data blocks 734_x4.
As shown in Figure 118, the script download task 769 downloads the AP management table data 7300_1-7300_3 (and, if necessary, the APP table data 7310_1-7310_3) from the server of each service provider and loads them into the SAM chip 708.
The script interpretation task 770 uses the service definition table data (and, if necessary, the APP table data 7310_1-7310_3) and the scripts to generate, for each service provider, the IC card entity template data, input data blocks, output data blocks, log data blocks and computation definition data blocks.
The number of data blocks generated for each service provider is not particularly limited.
When the entity generation task 771 receives an entity generation request from the ASP server 719, it polls the IC card 703 and then generates, using the IC card entity template data corresponding to the service provider, the IC card entity data used for the processing of the procedure between the IC card 703 and that service provider. Here the IC card entity template data serve as a class, and the IC card entity data are generated as an instance of that class.
The processing by which the entity generation task 771 generates the IC card entity data is described in detail later.
The IC card process management task 772 uses the one or more IC card entity data 773_x present in the memory 765 to carry out the processing of the procedures between the IC cards 703 and the service providers 715_1-715_3.
In the present embodiment, the processing of a plurality of procedures between a plurality of IC cards 703 and the service providers 715_1-715_3 is carried out simultaneously.
The IC card process management task 772 executes the processing of these plural procedures in parallel.
When a series of procedures is completed, the IC card process management task 772 deletes the IC card entity data 773_x.
The processing of the IC card process management task 772 is described in detail later.
The scripts 721_1-721_3 are read from the external memory 707 by the script download task 769 and stored in the memory 765.
The AP management table data 7300_1-7300_3 are read from the external memory 707 by the script download task 769 and stored in the memory 765.
The APP table data 7310_1-7310_3 are read from the external memory 707 by the script download task 769 and stored in the memory 765.
The IC card entity template data 730_1-730_3 are generated by the script interpretation task 770 and are used as a template (class) when the IC card entity data 773_x for a procedure relating to a service provider are generated.
By using the IC card entity template data 730_1-730_3 as a class, the entity generation task 771 generates the IC card entity data 773_x as an instance of that class.
The input data blocks 731_x1, output data blocks 732_x2, log data blocks 733_x3 and computation definition data blocks 734_x4 are generated by the script interpretation task 770.
The IC card entity data 773_x are explained next.
When the SAM chip 708 receives from the ASP server 719 a processing request to be handled by an application using the IC card 703 and a predetermined service provider, the entity generation task 771 in the SAM chip 708 generates the IC card entity data 773_x using the already generated IC card entity template data corresponding to that service provider.
Figure 126 shows the format of the IC card entity data 773_x.
As shown in Figure 126, the IC card entity data 773_x have management pointer data 780, entity ID data 781, entity status data (status data) 782, IC card type data 783, APE specification data 784, processing order data 785, pre-processing data 786 and post-processing data 787.
The management pointer data 780 are bidirectional pointers used to manage the IC card entity data 773_x in the memory 765.
The entity ID data 781 are used in the requests of the series of processing that uses the IC card entity data 773_x, such as generation, confirmation of the processing state, and deletion of the IC card entity data 773_x. The entity ID data 781 are also the return value given to the end user. They correspond to the file descriptor obtained when a file is opened in a general-purpose file system.
The entity status data 782 indicate the state of the processing of the procedure relating to the IC card 703.
As shown in Figure 127, the basic states of the IC card entity data 773_x comprise the state (RS) of the processing that examines the services the IC card 703 can use, the state (A1) of the processing by which the SAM chip 708 authenticates the IC card 703, the state (A2) of the processing by which the IC card 703 authenticates the SAM chip 708, the state (R) of the processing that reads data from the IC card 703, and the state (W) of the processing that writes data to the IC card 703.
In the present embodiment, the processing that examines the service provider, the processing by which the SAM chip 708 authenticates the IC card 703, the processing by which the IC card 703 authenticates the SAM chip 708, the processing that reads data from the IC card 703, and the processing that writes data to the IC card 703 each correspond to a job.
As explained later, a "job" is the unit of processing for which the IC card process management task 772 determines the execution order.
Note that A1 and A2 together constitute the mutual authentication processing between the IC card 703 and the SAM chip 708.
Further, in the present embodiment, in consideration of the communication time over the Internet 710, each of the basic states mentioned above is divided, as shown in the state transition diagram of Figure 127, into a started (command issued) state and a completed (response received) state.
Specifically, the state of the processing that uses the IC card entity data 773_x is managed using an instance (IC card entity data) generation state, an RS started state, an RS completed state, an A1 started state, an A1 completed state, an A2 started state, an A2 completed state, an R started state, an R completed state, a W started state, a W completed state, and an instance (IC card entity data) deletion state.
The IC card type data 783 are information used to determine the service provider that issued the IC card 703.
When the IC card entity data 773_x are generated, the IC card type data 783 are set using the data determined by the CI command in the script mentioned above.
The APE specification data 784 indicate the application element data APE, defined in the AP management table data 7300_1-7300_3 and the APP table data 7310_1-7310_3, that are used in the processing using the IC card entity data 773_x.
When the IC card entity data 773_x are generated, the APE specification data 784 are set using the one or more application element data APE designated by the CS command in the script mentioned above.
The processing order data 785 indicate the execution order of the services (jobs) used in the IC card entity data 773_x, that is, the state transitions shown in Figure 127.
In other words, the processing order data 785 indicate the execution order of the jobs, which correspond to basic operations of the IC card 703, using the application element data APE.
Here, as explained later, the jobs correspond to RS, A1, A2, R and W shown in Figure 127. The concrete operation on the IC card 703 is realized by the processing order designated using these jobs. For example, for processing that only reads from the IC card 703 without mutual authentication, the processing order data 785 are set to "RS → R". For reading and writing with mutual authentication, the processing order data 785 are set to "RS → A1 → A2 → R → W".
When the IC card entity data 773_x are generated, the processing order data 785 are set using the job sequence shown in Figure 127 that corresponds to the order of the service elements designated by the CS command in the script mentioned above.
The pre-processing data 786 are set from the ASP server 719 side using the management data needed to carry out the processing that uses the IC card entity data 773_x.
For example, the pre-processing data 786 are set using the computation formula of the service designated in an SF data block (application element data APE).
Further, when no inter-service processing function is defined, the pre-processing data 786 are set using the fee (charge) of the requested processing.
For example, for settlement, they are set to the amount charged, the number of points granted, or a similar state.
The post-processing data 787 are set using the data of the processing result of the IC card entity data 773_x that is required on the ASP server 719 side. For example, for settlement, the post-processing data 787 are set using data indicating that the settlement terminated normally.
The processing routine of the IC card process management task 772 shown in Figure 125, relating to a plurality of IC cards 703 that use a plurality of IC card entity data 773_x, is explained below.
The IC card process management task 772 is started continuously on the CPU 766 of the SAM chip 708 shown in Figure 124.
Figure 128 is a flow chart of the processing executed by the IC card process management task 772.
Step ST701:
The IC card process management task 772 selects, from the plurality of IC card entity data 773_x present in the memory 765, one IC card entity data 773_x for which the next processing is to be carried out.
The IC card entity data 773_x may be selected by taking the IC card entity data 773_x present in the memory 765 in turn, or by assigning priorities and selecting in order from the highest priority.
Step ST702:
The IC card process management task 772 judges whether the job of the IC card entity data 773_x selected at step ST701 has already been started. If the job has already been started, the task proceeds to step ST705; if the job has not yet been started, it proceeds to step ST703.
Step ST703:
The IC card process management task 772 judges, from the entity status data 782 (Figure 126) of the IC card entity data 773_x selected at step ST701, in which state of the state transition diagram of Figure 127 the processing relating to that entity data is, and determines from the processing order data 785 the job to be executed next.
Here the processing order data 785 determine the execution order of the jobs using the service elements set in the service definition table data mentioned above.
Step ST704:
The IC card process management task 772 starts the job selected at step ST703.
The IC card process management task 772 executes the job using the data blocks relating to that job among the input data blocks 731_x1, output data blocks 732_x2, log data blocks 733_x3 and computation definition data blocks 734_x4 explained above with reference to Figure 125.
When a command is to be issued to the IC card 703 in executing the job, the IC card process management task 772 searches the AP management table data 7300_1-7300_3 using the service element corresponding to the job, and obtains the keyword corresponding to the service number of that service element (the operation command for the IC card 703, which the IC card 703 can interpret). The IC card process management task 772 then issues the command to the IC card 703 using the obtained service number.
Further, as explained with reference to Figure 113, when key information is needed to access a memory area of the IC 703a, the IC card process management task 772 searches the AP management table data 7300_1-7300_3 using the service element corresponding to the job and obtains the key information corresponding to that service element. Using this key information, the IC card process management task 772 completes the mutual authentication with the IC card 703, encrypts and decrypts data, or performs other processing, and obtains the right to access the predetermined memory area of the IC card 703.
Step ST705:
Step ST705 is executed when the IC card process management task 772 has issued a command to the IC card 703 and is waiting for the result from the IC card 703.
When the IC card process management task 772 receives the result from the IC card 703, it stores the result in the IC card entity data 773_x.
Step ST706:
The IC card process management task 772 updates the entity status data 782 of the IC card entity data 773_x shown in Figure 126.
In this way, in the present embodiment, the IC card process management task 772 processes the plurality of IC cards 703 present in the SAM chip 708 in parallel while selecting the IC card entity data 773_x of the plurality of IC cards 703 in turn. Thus even when processing requests for procedures using a plurality of IC cards 703 are received, the SAM chip 708 can advance their processing simultaneously.
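As an added illustration, not code from the patent, the following Python model simulates steps ST701 to ST706: several entity data records, each with its own job order such as RS → A1 → A2 → R → W, are visited in turn; a job is started when the previous job's status is "completed", and the card's response is only collected on a later visit, so other cards' jobs advance while one card's response is in flight. The latency model, the response format and all identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class EntityData:
    """IC card entity data 773_x, reduced to the fields the scheduler uses (constructed)."""
    entity_id: int
    job_order: List[str]                  # processing order data 785, e.g. ["RS", "R"]
    status: str = "CREATED"               # entity status data 782 (instance generation state)
    pending: Optional[str] = None         # job started and awaiting the card's response
    results: Dict[str, str] = field(default_factory=dict)

    def next_job(self) -> Optional[str]:
        """ST703: derive the next job from the current status and the job order."""
        if self.status == "CREATED":
            return self.job_order[0]
        done = self.job_order.index(self.status.rsplit("_", 1)[0])
        nxt = done + 1
        return self.job_order[nxt] if nxt < len(self.job_order) else None


class CardLink:
    """Constructed stand-in for the path to the IC card 703: a command's response
    becomes available only after `latency` polls, modelling network delay."""

    def __init__(self, latency: int = 1) -> None:
        self.latency = latency
        self._awaiting: Dict[int, List] = {}   # entity_id -> [job, polls remaining]

    def issue(self, entity_id: int, job: str) -> None:
        self._awaiting[entity_id] = [job, self.latency]

    def poll(self, entity_id: int) -> Optional[str]:
        entry = self._awaiting.get(entity_id)
        if entry is None:
            return None
        entry[1] -= 1
        if entry[1] > 0:
            return None                  # response still in flight
        del self._awaiting[entity_id]
        return f"{entry[0]}:ok"          # constructed response packet


class ProcessManagementTask:
    """Model of the IC card process management task 772 (Figure 128)."""

    def __init__(self, link: CardLink) -> None:
        self.link = link
        self.entities: List[EntityData] = []
        self.finished: Dict[int, Dict[str, str]] = {}
        self.trace: List[str] = []

    def step(self, ent: EntityData) -> None:
        if ent.pending is not None:                     # ST702: job already started
            response = self.link.poll(ent.entity_id)    # ST705: wait for the card's result
            if response is None:
                self.trace.append(f"E{ent.entity_id}:{ent.pending}:wait")
                return
            ent.results[ent.pending] = response
            ent.status = f"{ent.pending}_completed"     # ST706: update status data
            ent.pending = None
            self.trace.append(f"E{ent.entity_id}:{ent.status}")
            return
        job = ent.next_job()                            # ST703
        if job is None:                                 # series of jobs finished
            ent.status = "DELETED"
            self.finished[ent.entity_id] = ent.results
            self.entities.remove(ent)
            self.trace.append(f"E{ent.entity_id}:DELETED")
            return
        self.link.issue(ent.entity_id, job)             # ST704: start the job
        ent.pending = job
        ent.status = f"{job}_started"
        self.trace.append(f"E{ent.entity_id}:{ent.status}")

    def run(self, max_rounds: int = 100) -> int:
        rounds = 0
        while self.entities and rounds < max_rounds:
            for ent in list(self.entities):             # ST701: select entities in turn
                self.step(ent)
            rounds += 1
        return rounds


def simulate(job_orders: Dict[int, List[str]], latency: int = 1
             ) -> Tuple[List[str], Dict[int, Dict[str, str]]]:
    """Run the scheduler over constructed entity data; return the event trace
    and the per-entity results collected from the card."""
    task = ProcessManagementTask(CardLink(latency))
    for entity_id, order in job_orders.items():
        task.entities.append(EntityData(entity_id, list(order)))
    task.run()
    return task.trace, task.finished


if __name__ == "__main__":
    # Card 1 only reads (RS -> R); card 2 does the full authenticated read/write.
    trace, results = simulate({1: ["RS", "R"], 2: ["RS", "A1", "A2", "R", "W"]})
    print("\n".join(trace))
```

The trace shows card 2's A2 job being started in the same round in which card 1's entity data are deleted, which is the interleaving the started/completed split makes possible.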
Figures 129 and 130 show the routine for the case where, in executing a job at step ST704 of Figure 128 described above, the SAM chip 708 accesses data whose processing is determined by one application element data APE from a routine determined by another application element data APE.
Step ST741:
When processing is carried out in accordance with a predetermined application element data APE, the application that uses (accesses) the application element data and the application element data within that application are designated.
The use designates one of reading, writing and executing of that application element data APE.
Step ST742:
The SAM chip 708 judges whether the application element data APE designated at step ST741 is present in the SAM chip 708 itself. If it is judged not to be present, the routine proceeds to step ST743; if it is judged to be present, the routine proceeds to step ST745.
Step ST743:
The SAM chip 708 refers to the AP management table data 7300_1-7300_3 corresponding to the application being executed, obtains the key data K_SAM corresponding to the relevant service (application element data APE), and uses this key data K_SAM to mutually authenticate with the SAM chip 708a that holds the application element data APE to be used.
Step ST744:
If the SAM chips 708 and 708a confirm each other's legitimacy in the mutual authentication of step ST743, the SAM chip 708 proceeds to step ST747. If legitimacy is not mutually confirmed, the routine proceeds to step ST751.
Step ST745:
The SAM chip 708 refers to the AP management table data 7300_1-7300_3 corresponding to the application being executed and obtains the key data K_SAM corresponding to the relevant service (application element data APE).
In addition, for the application element data APE to be used that was designated at step ST741, the SAM chip 708 likewise refers to the AP management table data 7300_1-7300_3 corresponding to that application element data APE and obtains the key data K_SAM corresponding to the relevant service (application element data APE).
The SAM chip 708 then compares the two key data K_SAM obtained.
Step ST746:
If the SAM chip 708 judges that the two key data K_SAM compared at step ST745 match, the routine proceeds to step ST747; otherwise it proceeds to step ST751.
Step ST747:
The SAM chip 708 or 708a refers to the AP management table data 7300_1-7300_3 of the application designated at step ST741 and determines the APP table data 7310_1-7310_3 corresponding to the application element data APE to be used.
Step ST748:
The SAM chip 708 or 708a judges the access rights for the application element data APE to be used (accessed) according to the APP table data 7310_1-7310_3 determined at step ST747.
Specifically, it judges the rights to read, write and execute the application element data APE to be used.
Step ST749:
If the SAM chip 708 or 708a judges at step ST748 that the access right exists, the routine proceeds to step ST750; otherwise it proceeds to step ST751.
Step ST750:
The SAM chip 708 or 708a uses the application element data APE designated at step ST741 for the application designated at step ST741.
Step ST751:
The SAM chip 708 or 708a does not use the application element data APE designated at step ST741 for the application designated at step ST741.
Further, when in executing a job at step ST704 of Figure 128 the SAM chip 708 transfers data to or from the IC card 703 in accordance with the routine determined by an application element data APE, the SAM chip 708 refers to the AP management table data 7300_1-7300_3 shown in Figure 125, obtains the key data K_CARD corresponding to that application element data APE, and uses this key data K_CARD to access the memory 750 of the IC card 703.
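As an added example, not the patent's own code, the Python below models the decision of steps ST741 to ST751 for one SAM holding AP management table data and APP table data, with the cross-SAM case of steps ST743/ST744 represented by a constructed HMAC challenge-response over K_SAM. The table layouts, key values, the authentication scheme and all names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ApManagementEntry:
    """One application's row of AP management table data 7300_x (constructed layout)."""
    apes: Set[str]        # application element data APE belonging to the application
    k_sam: bytes          # key data K_SAM used between SAM chips for this service


class Sam:
    """A SAM chip holding AP management table data and APP table data (constructed)."""

    def __init__(self, sam_id: str, ap_table: Dict[str, ApManagementEntry],
                 app_table: Dict[str, Set[str]]) -> None:
        self.sam_id = sam_id
        self.ap_table = ap_table      # application name -> ApManagementEntry
        self.app_table = app_table    # APE name -> permitted uses {"read", "write", "execute"}

    def holds(self, ape: str) -> bool:
        return any(ape in entry.apes for entry in self.ap_table.values())

    def k_sam_for_ape(self, ape: str) -> Optional[bytes]:
        """Look up K_SAM in the AP management table via the APE's own application."""
        for entry in self.ap_table.values():
            if ape in entry.apes:
                return entry.k_sam
        return None


def _tag(key: bytes, sam_id: str, challenge: bytes) -> bytes:
    return hmac.new(key, sam_id.encode() + challenge, hashlib.sha256).digest()


def mutual_authenticate(a: Sam, ka: bytes, b: Sam, kb: bytes) -> bool:
    """ST743/ST744 as a constructed challenge-response: each side answers the
    other's challenge under its own K_SAM and the verifier recomputes the answer
    under its key, so both directions succeed only when the two keys agree."""
    ca, cb = secrets.token_bytes(16), secrets.token_bytes(16)
    b_answer = _tag(kb, b.sam_id, ca)        # b proves itself to a
    a_answer = _tag(ka, a.sam_id, cb)        # a proves itself to b
    return (hmac.compare_digest(b_answer, _tag(ka, b.sam_id, ca))
            and hmac.compare_digest(a_answer, _tag(kb, a.sam_id, cb)))


def decide(local: Sam, application: str, ape: str, use: str,
           peers: List[Sam]) -> bool:
    """Steps ST741-ST751: may `application` on `local` apply `use` to `ape`?"""
    entry = local.ap_table.get(application)
    if entry is None:
        return False
    requester_key = entry.k_sam                      # K_SAM of the running application
    if local.holds(ape):                             # ST742: APE is in this SAM
        owner_key = local.k_sam_for_ape(ape)         # ST745: K_SAM from the APE's own row
        if not hmac.compare_digest(requester_key, owner_key):
            return False                             # ST746 -> ST751
        holder = local
    else:                                            # ST742: APE lives in another SAM
        holder = next((p for p in peers if p.holds(ape)), None)
        holder_key = holder.k_sam_for_ape(ape) if holder else None
        if holder_key is None or not mutual_authenticate(local, requester_key,
                                                         holder, holder_key):
            return False                             # ST744 -> ST751
    # ST747/ST748: the holder's APP table data give the access rights of the APE
    if use not in holder.app_table.get(ape, set()):
        return False                                 # ST749 -> ST751
    return True                                      # ST750


# Constructed sample tables: AP_1 and AP_3 belong to the same provider and share
# a key; AP_2 belongs to a different provider and has its own key.
K_PROVIDER_A = b"\x01" * 16
K_PROVIDER_B = b"\x02" * 16
SAM_708 = Sam("SAM_708",
              {"AP_1": ApManagementEntry({"APE_balance"}, K_PROVIDER_A),
               "AP_2": ApManagementEntry({"APE_points"}, K_PROVIDER_B)},
              {"APE_balance": {"read", "write"}, "APE_points": {"read"}})
SAM_708A = Sam("SAM_708a",
               {"AP_3": ApManagementEntry({"APE_history"}, K_PROVIDER_A)},
               {"APE_history": {"read"}})
```

Calling decide(SAM_708, "AP_1", "APE_points", "read", [SAM_708A]) returns False at step ST746 because the two K_SAM values differ, while decide(SAM_708, "AP_1", "APE_history", "read", [SAM_708A]) reaches step ST750 through the cross-SAM authentication.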
The overall operation of the communication system shown in Figure 109 is explained below.
Figures 131 and 132 show the overall operation of the communication system 701 shown in Figure 109.
Step ST721:
The service providers 715_1-715_3, or parties commissioned by them, produce on the personal computers 716_1, 716_2 and 716_3 shown in Figure 109 the scripts 721_1, 721_2 and 721_3, which describe the processing of the transactions that the service providers carry out using the IC card 703.
In addition, the manager of the SAM chip 708 produces the AP management table data 7300_1-7300_3 corresponding to the service providers 715_1-715_3.
Step ST722:
The AP management table data 7300_1-7300_3 produced at step ST721 are stored in the external memory 707.
The scripts 721_1, 721_2 and 721_3 produced at step ST721 are downloaded from the personal computers 716_1, 716_2 and 716_3 to the external memory 707 via the Internet 710, the ASP server 719 and the SAM chip 708. As shown in Figure 118, the download is managed by the script download task 769 in the SAM chip 708.
Step ST723:
The script interpretation task 770 in the SAM chip 708 shown in Figure 118 uses the AP management table data 7300_1-7300_3 and the scripts to generate, for each service provider, the IC card entity template data, input data blocks, output data blocks, log data blocks and computation definition data blocks.
The generated data are stored in the memory 765 of the SAM chip 708 shown in Figure 124.
Step ST724:
The IC card 703 is issued to the user.
As shown in Figure 113, the memory 750 of the IC 703a of the IC card 703 stores the key information used for the transactions agreed between the user and the service provider.
Note that the contract between the user and the service provider can also be concluded via the Internet 710 or the like after the IC card 703 has been issued.
Step ST725:
When, for example, the user accesses the server 702 via the Internet 710 using the personal computer 705 and tries to purchase a product, the server 702 sends a processing request to the ASP server 719 via the Internet 710.
When the ASP server 719 receives the processing request from the server 702, it accesses the personal computer 705 via the Internet 710. The processing request relating to the IC card 703, sent from the card reader/writer 704, is then transmitted to the SAM chip 708 via the personal computer 705, the Internet 710 and the ASP server 719.
Step ST726:
The ASP server 719 outputs an entity generation request to the SAM chip 708. This entity generation request holds information indicating the issuer of the IC card 703.
Step ST727:
When the SAM chip 708 receives the entity generation request, it polls the IC card 703.
Step ST728:
After polling ends, the entity generation task 771 of the SAM chip 708 judges whether the number of IC card entity data 773_x present in the SAM chip 708 is within the maximum number determined by the SC command of the script. If it is within the maximum number, the routine proceeds to step ST729; if not, the processing ends.
Step ST729:
The entity generation task 771 designates, based on the information indicating the issuer of the IC card 703 held in the entity generation request, which service provider's IC card entity template data are to be used, and generates the IC card entity data 773_x using the designated IC card entity template data.
This generation corresponds to the instance generation shown in Figure 127.
Step ST730:
The SAM chip 708 outputs the entity ID of the IC card entity data 773_x generated at step ST729 to the ASP server 719.
Step ST731:
The IC card process management task 772 of the SAM chip 708 examines the services the IC card 703 can use.
This is the processing corresponding to the job RS shown in Figure 127.
Step ST732:
The IC card process management task 772 of the SAM chip 708 verifies the legitimacy of the IC card 703.
This is the processing corresponding to the job A1 shown in Figure 127.
Step ST733:
The IC card 703 verifies the legitimacy of the SAM chip 708.
This is the processing corresponding to the job A2 shown in Figure 127.
Through steps ST732 and ST733, the IC card 703 and the SAM chip 708 authenticate each other.
Here, as mentioned above, the AP management table data 7300_1-7300_3 shown in Figure 21 1 are referred to in accordance with the application element data APE being executed by the SAM chip 708 to obtain the key data K_CARD, and this key data K_CARD is used for the mutual authentication between the SAM chip 708 and the CPU 751 of the IC card 703.
Step ST734:
The IC card process management task 772 of the SAM chip 708 reads and writes the data required for the procedure with the IC card 703.
This is the processing corresponding to the jobs R and W shown in Figure 127.
In addition, the IC card process management task 772 performs the predetermined computation on the data read from the IC card 703 using the processing formula designated by the pre-processing data of the IC card entity data 773_x.
Step ST735:
The IC card process management task 772 of the SAM chip 708 outputs the result of step ST734 to the ASP server 719.
Step ST736:
The IC card process management task 772 then deletes the IC card entity data 773_x.
As explained above, according to the communication system 701 and the SAM device 709, by configuring an application AP from a plurality of application element data APE and defining the computation content of the application element data APE using the AP management table data and the APP table data, a variety of services using the IC card 703 can be provided.
Further, according to the communication system 701, the AP management table data and the APP table data make it possible to use application element data APE flexibly within the same SAM, and between different SAMs, while maintaining confidentiality.
Further, according to the communication system 701, when application element data APE are used between different SAMs the SAMs authenticate each other, so the confidentiality of the applications can be improved.
Further, according to the communication system 701, by assigning similar SAM_IDs to the applications of the same service provider, complicated mutual authentication processing between the application element data APE of applications of the same provider can be avoided, which lightens the key information management and processing burden of the SAM chip.
Further, according to the communication system 701, IC card entity data 773_x can be generated for each processing of a procedure that takes place with an IC card 703, and the IC card process management task 772 can use a plurality of IC card entity data 773_x to advance the processing relating to a plurality of IC cards 703 simultaneously.
Further, according to the communication system 701, since it suffices to store in the memory 765 only the IC card entity data 773_x actually used for processing with the IC cards 703, the memory area of the memory 765 can be used efficiently.
Further, according to the communication system 701, since the execution state of each job handled by the IC card process management task 772 is divided, as shown in Figure 127, into a started state and a completed state, the processing of another job can be started while waiting for data from the IC card 703 after one job has been started. The waiting time caused by transmitting data over the Internet 710 and to and from the IC card 703 can therefore be eliminated.
Further, according to the communication system 701, the AP management table data 7300_1-7300_3 describe the names APE_N of the service types provided by each service provider, the numbers of the services used in the IC card 703, and the key information used when those services are provided, and are stored in the external memory 707. Therefore the service providers 715_1-715_3, who are not the developer of the SAM chip 708, can customize their own applications running on the SAM chip 708 by producing the scripts 721_1, 721_2 and 721_3 and downloading them to the external memory 707 through the SAM chip 708. In other words, the service providers can customize their own applications without being told the key information or operation commands of the IC card 703 or other sensitive information. Moreover, since the service providers need not know the key data or card operation commands when customizing their applications, their burden is lightened.
Further, according to the communication system 701, since computation content that combines a plurality of services can be defined, a variety of services that combine, on the IC card 703 side, a plurality of the many approved services executed simultaneously can be provided.
Further, according to the communication system 701, by introducing the concept of data blocks, data input and output and log data relating to the IC card 703 can be managed easily.
Reference numerals
1... communication system, 2... server, 3... IC card, 4... card reader/writer, 5... personal computer, 6... ASP server, 7... external memory, 8... SAM chip, 9... SAM device, 10... Internet, 15_1, 15_2, 15_3... credit card company, 16_1, 16_2, 16_3... personal computer
101... communication system, 102... server, 103... IC card, 104... card reader/writer, 105... personal computer, 106... ASP server, 107... external memory, 108... SAM chip, 109... SAM device, 110... Internet, 115_1, 115_2 and 115_3... credit card company, 116_1, 116_2 and 116_3... personal computer, 117_1, 117_2, 117_3... demo plant
201... communication system, 202... server, 203... IC card, 204... card reader/writer, 205... personal computer, 206... ASP server, 207... external memory, 208... SAM chip, 209... SAM device, 210... Internet, 215_1, 215_2, 215_3... credit card company, 216_1, 216_2, 216_3... personal computer, 217_1, 217_2, 217_3... demo plant
301... communication system, 302... server, 303... IC card, 304... card reader/writer, 305... personal computer, 306... ASP server, 307... external memory, 308... SAM chip, 309... SAM device, 310... Internet, 315_1, 315_2, 315_3... credit card company, 315_4... developer of the handler layer, 315_5... SAM chip software manager, 316_1, 316_2, 316_3... personal computer, 317_1, 317_2, 317_3... demo plant, 318... ICE
401... communication system, 402... server, 403... IC card, 404... card reader/writer, 405... personal computer, 406... ASP server, 407... external memory, 408... SAM chip, 409... SAM device, 410... Internet, 415_1, 415_2, 415_3... credit card company, 416_1, 416_2, 416_3... personal computer, 417_1, 417_2, 417_3... demo plant
501... computer, 502... CPU, 503... memory, 504... communication circuit, 506... CPU data bus, 507... CPU address bus, 508... IC card, 551... computer, 552... CPU, 553... memory, 560... judgement circuit, 561... switch circuit, 562... memory data bus, 570... selection circuit, 571... fetch judgement circuit, 572... read judgement circuit, 573... write judgement circuit
631... semiconductor circuit, 632... internal memory, 633... switch circuit, 634... switch circuit, 635... judgement circuit, 636... selection circuit, 637... CPU, 660... external memory, 6131... semiconductor chip, 6134... encryption/decryption circuit, 6135... judgement circuit, 6136... selection circuit, 6137... CPU, 6160... external memory, 6190... key information table
701... communication system, 702... server, 703... IC card, 704... card reader/writer, 705... personal computer, 707, 707a... external memory, 708, 708a... SAM chip, 709, 709a... SAM device, 715_1-715_3... service provider, 719... ASP server.

Claims (154)

1. A data processing method performed by a semiconductor circuit that runs an application program for processing related to a procedure using an integrated circuit,
wherein the semiconductor circuit can refer to correspondence designation data indicating the correspondence between the operation codes used by the application program to operate the integrated circuit and the names of those operations (the operation names),
the method comprising the steps of:
the semiconductor circuit receiving as input an operation instruction program that describes the operations of the application program using the operation names; and
the semiconductor circuit obtaining, by referring to the correspondence designation data, the operation codes corresponding to the operation names described in the operation instruction program, and defining the processing of the application program using the obtained operation codes.
2. The data processing method according to claim 1, wherein:
the correspondence designation data further indicate the correspondence between the operation names and the key information used when the integrated circuit executes the operations corresponding to those operation names, and
the semiconductor circuit obtains, by referring to the correspondence designation data, the key information corresponding to the operation names described in the operation instruction program, and defines the processing of the application program using the obtained key information.
3. The data processing method according to claim 1, further comprising the steps of:
the semiconductor circuit generating task management data comprising job execution sequence data and status data, the job execution sequence data indicating the execution sequence of a plurality of jobs forming the processing of the application program, and the status data indicating the state of progress of execution of the plurality of jobs;
the semiconductor circuit selecting the job to be executed next according to the status data and the processing sequence data of the task management data;
the semiconductor circuit executing the selected job; and
the semiconductor circuit updating the status data of the selected task management data according to the execution of that job.
4. The data processing method according to claim 3, further comprising the steps of:
the semiconductor circuit generating template data for the task management data using the correspondence designation data and the operation instruction program; and
the semiconductor circuit generating the task management data from the template data according to a processing request.
5. The data processing method according to claim 3, further comprising the steps of:
the semiconductor circuit generating the task management data for each processing request among a plurality of processing requests;
the semiconductor circuit selecting one task management data from the plurality of task management data;
the semiconductor circuit selecting the job to be executed next according to the status data and the processing sequence data of the selected task management data;
the semiconductor circuit executing the selected job;
the semiconductor circuit updating the status data of the selected task management data according to the execution of that job; and
after the update, the semiconductor circuit again selecting one task management data from the plurality of task management data.
6. The data processing method according to claim 5, further comprising the step of the semiconductor circuit deleting the task management data when all jobs forming the processing according to a processing request have finished execution.
7. The data processing method according to claim 5,
wherein the operation instruction program includes a description specifying the maximum number of task management data that the semiconductor circuit can handle, and
the method further comprises the step of the semiconductor circuit generating task management data according to a processing request only when the number of task management data is not greater than the specified maximum number.
8. The data processing method according to claim 5, further comprising the step of the semiconductor circuit generating task management data that include execution sequence data indicating the execution sequence of a plurality of jobs corresponding to a plurality of operations of the integrated circuit.
9. The data processing method according to claim 5,
wherein the operation instruction program includes a description defining at least one data block among a data block holding data read from the integrated circuit, a data block holding data to be written to the integrated circuit, and a data block holding log information about the processing of the procedure using the integrated circuit, and
the method further comprises the step of the semiconductor circuit generating the data block according to the operation instruction program.
10. The data processing method according to claim 1, wherein the operation name is a macro name.
11. The data processing method according to claim 1, wherein the integrated circuit is mounted on a card.
12. A semiconductor circuit that runs an application program to perform processing related to a procedure using an integrated circuit,
the semiconductor circuit comprising:
a memory circuit holding correspondence designation data indicating the correspondence between the operation codes used by the application program to operate the integrated circuit and the names of those operations (the operation names);
an interface for inputting an operation instruction program that describes the operations of the application program using the operation names; and
a control circuit that obtains, by referring to the correspondence designation data, the operation codes corresponding to the operation names described in the input operation instruction program, and defines the processing of the application program using the obtained operation codes.
13. The semiconductor circuit according to claim 12, wherein
the correspondence designation data further indicate the correspondence between the operation names and the key information used when the integrated circuit executes the operations corresponding to those operation names, and
the semiconductor circuit obtains, by referring to the correspondence designation data, the key information corresponding to the operation names described in the operation instruction program, and defines the processing of the application program using the obtained key information.
14. The semiconductor circuit according to claim 13, wherein the control circuit:
generates, according to a processing request, task management data comprising job execution sequence data and status data, the job execution sequence data indicating the execution sequence of a plurality of jobs forming the processing of the application program, and the status data indicating the state of progress of execution of the plurality of jobs;
selects the job to be executed next according to the status data and the processing sequence data of the task management data;
executes the selected job; and
updates the status data of the selected task management data according to the execution of that job.
15. The semiconductor circuit according to claim 14, wherein the control circuit
generates template data for the task management data using the correspondence designation data and the operation instruction program, and
generates the task management data from the template data according to a processing request.
16. The semiconductor circuit according to claim 14, wherein the control circuit:
generates the task management data for each processing request among a plurality of processing requests;
selects one task management data from the plurality of task management data;
selects the job to be executed next according to the status data and the processing sequence data of the selected task management data;
executes the selected job;
updates the status data of the selected task management data according to the execution of that job; and
after the update, again selects one task management data from the plurality of task management data.
17. The semiconductor circuit according to claim 16, wherein
the control circuit deletes the task management data when all jobs forming the processing according to a processing request have finished execution.
18. The semiconductor circuit according to claim 16, wherein the control circuit,
when the operation instruction program includes a description specifying the maximum number of task management data that the semiconductor circuit can handle,
generates task management data according to a processing request on condition that the number of task management data is not greater than the specified maximum number.
19. The semiconductor circuit according to claim 16, wherein the control circuit generates task management data that include execution sequence data indicating the execution sequence of a plurality of jobs corresponding to a plurality of operations of the integrated circuit.
20. The semiconductor circuit according to claim 16, wherein the control circuit,
when the operation instruction program includes a description defining at least one data block among a data block holding data read from the integrated circuit, a data block holding data to be written to the integrated circuit, and a data block holding log information about the processing of the procedure using the integrated circuit,
generates the data block according to the operation instruction program.
21. The semiconductor circuit according to claim 16, wherein the operation name is a macro name.
22. The semiconductor circuit according to claim 16, wherein the integrated circuit is mounted on a card.
23. The semiconductor circuit according to claim 16, wherein the circuit is a tamper-resistant semiconductor circuit.
24. A program executed by a semiconductor circuit that runs an application program to perform processing related to a procedure using an integrated circuit, the program comprising:
a routine for inputting an operation instruction program that describes the operations of the application program using the names of the operations of the integrated circuit (the operation names);
a routine for obtaining, by referring to correspondence designation data indicating the correspondence between the operation codes used by the application program to operate the integrated circuit and the operation names, the operation codes corresponding to the operation names described in the operation instruction program; and
a routine for defining the processing of the application program using the obtained operation codes.
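Worked example of the macro resolution and entity scheduling that claims 1 to 9 and 14 to 20 describe, added here as an illustration; it is not code from the patent or from Sony. The macro table, the script syntax (including the MAX_ENTITIES line standing in for the claim 7 limit), the job names and the round-robin choice among entities are my own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed correspondence designation data (claims 1 and 2): macro name -> (operation code,
# key identifier). Codes and key names are illustrative placeholders, not values from the patent.
MACRO_TABLE: Dict[str, Tuple[int, str]] = {
    "READ_BALANCE": (0x06, "read_key"),
    "SUB_BALANCE": (0x08, "write_key"),
    "WRITE_LOG": (0x08, "log_key"),
}

# Constructed operation instruction program written with macro names (claim 1). The MAX_ENTITIES
# line stands in for the maximum-number description of claim 7; its syntax is an assumption.
SCRIPT = """
MAX_ENTITIES 2
JOB READ_BALANCE
JOB SUB_BALANCE
JOB WRITE_LOG
"""

Job = Tuple[str, int, str]  # (macro name, operation code, key identifier)


@dataclass
class Template:
    """Template data (claim 4): the resolved job list plus the entity limit."""
    jobs: List[Job]
    max_entities: int


def compile_template(script: str, table: Dict[str, Tuple[int, str]]) -> Template:
    """Resolve macro names to operation codes and key information via the table (claims 1, 2)."""
    jobs: List[Job] = []
    max_entities = 1
    for line in script.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "MAX_ENTITIES":
            max_entities = int(parts[1])
        elif parts[0] == "JOB":
            name = parts[1]
            if name not in table:
                raise KeyError(f"macro {name} is not in the correspondence data")
            opcode, key_id = table[name]
            jobs.append((name, opcode, key_id))
        else:
            raise ValueError(f"unknown statement: {line}")
    return Template(jobs, max_entities)


@dataclass
class Entity:
    """Task management data for one processing request (claim 3)."""
    request_id: int
    order: List[Job]      # job execution sequence data
    status: List[bool]    # status data: True once the job at that index has run


class Scheduler:
    """Round-robin selection among entities (claim 5); the round-robin order is an assumption."""

    def __init__(self, template: Template) -> None:
        self.template = template
        self.entities: List[Entity] = []
        self.cursor = 0
        self.executed: List[Tuple[int, str, int, str]] = []

    def accept(self, request_id: int) -> bool:
        """Create an entity for a request unless the limit of claim 7 is reached."""
        if len(self.entities) >= self.template.max_entities:
            return False
        jobs = list(self.template.jobs)
        self.entities.append(Entity(request_id, jobs, [False] * len(jobs)))
        return True

    def step(self) -> Optional[Tuple[int, str]]:
        """Select one entity, run its next pending job, update its status, delete it when done."""
        if not self.entities:
            return None
        self.cursor %= len(self.entities)
        entity = self.entities[self.cursor]
        idx = entity.status.index(False)          # first job not yet executed
        name, opcode, key_id = entity.order[idx]
        self.executed.append((entity.request_id, name, opcode, key_id))  # stands in for the IC command
        entity.status[idx] = True                 # status update after execution
        if all(entity.status):
            del self.entities[self.cursor]        # claim 6: every job of this request has finished
        else:
            self.cursor += 1
        return entity.request_id, name

    def run(self) -> List[Tuple[int, str]]:
        """Run until no entity remains; returns the interleaved (request, job) trace."""
        trace: List[Tuple[int, str]] = []
        while (done := self.step()) is not None:
            trace.append(done)
        return trace


if __name__ == "__main__":
    sched = Scheduler(compile_template(SCRIPT, MACRO_TABLE))
    print([sched.accept(r) for r in (1, 2, 3)])   # third request rejected by the limit
    print(sched.run())
```

Running the block shows two requests advancing job by job in alternation while a third is refused until one of them completes.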
25. A data processing method performed by a semiconductor circuit that executes an application program,
the data processing method comprising the steps of:
protecting each program module among a plurality of program modules forming the application program with the firewall allocated in advance to that program module from among a plurality of firewalls;
recording the program module linked with firewall identification information identifying the firewall allocated to it; and
executing the program module on condition that the record has been made.
26. The data processing method according to claim 25, further comprising the step of permitting data transfer or data reference between program modules recorded as linked with the same firewall identification information, and prohibiting data transfer or data reference between program modules recorded as linked with different firewall identification information.
27. The data processing method according to claim 25, further comprising the steps of:
recording the program module linked with the download key information used when the program module is downloaded into the semiconductor circuit from outside the semiconductor circuit; and
on receiving a download request for the program module, judging whether the download is possible using the recorded download key information linked with that program module, and downloading the program module when the download is judged possible.
28. The data processing method according to claim 27, further comprising the step of not downloading the module when no download key information corresponding to the program module is recorded.
29. The data processing method according to claim 27, further comprising the step of performing mutual authentication with the sender of the download request to confirm the legitimacy of the sender, and only then judging whether the download is possible.
30. The data processing method according to claim 27, further comprising the steps of:
recording the program module linked with the key information used before the program module is executed; and
judging, using the key information corresponding to a program module whose execution is requested, whether the program module has been modified or tampered with, and executing the program module when it is judged not to have been modified or tampered with.
31. The data processing method according to claim 27, further comprising the steps of:
when a program module is stored in a semiconductor memory circuit arranged outside the semiconductor circuit,
the semiconductor circuit scrambling the program module and then writing it into the semiconductor memory circuit; and
the semiconductor circuit descrambling the program module read from the semiconductor memory circuit.
32. The data processing method according to claim 27, further comprising the steps of:
when the application program defines processing of a procedure in which data are transferred between the integrated circuit and the semiconductor circuit,
the semiconductor circuit encrypting first key information used for the operations of the integrated circuit with second key information and storing it in the semiconductor memory circuit; and
the semiconductor circuit keeping the second key information inside the semiconductor circuit.
33. The data processing method according to claim 27, wherein the integrated circuit is mounted on a card.
34. The data processing method according to claim 27, further comprising the steps of:
the semiconductor circuit executing and providing a plurality of application programs corresponding to a plurality of service providers of procedures executed using the integrated circuit; and
the semiconductor circuit protecting the plurality of program modules forming the same application program with the same firewall.
35. A semiconductor circuit that runs an application program,
the semiconductor circuit
protecting each program module among a plurality of program modules forming the application program with the firewall allocated in advance to that program module from among a plurality of firewalls,
recording the program module linked with firewall identification information identifying the firewall allocated to that program module, and
executing the program module on condition that the record has been made.
36. The semiconductor circuit according to claim 35, wherein the semiconductor circuit permits data transfer or data reference between program modules recorded as linked with the same firewall identification information, and prohibits data transfer or data reference between program modules recorded as linked with different firewall identification information.
37. The semiconductor circuit according to claim 35, wherein the semiconductor circuit:
records the program module linked with the download key information used when the program module is downloaded into the semiconductor circuit from outside the semiconductor circuit; and
on receiving a download request for the program module, judges whether the download is possible using the recorded download key information linked with that program module, and downloads the program module when the download is judged possible.
38. The semiconductor circuit according to claim 37, wherein the semiconductor circuit does not download the module when no download key information corresponding to the program module is recorded.
39. The semiconductor circuit according to claim 37, wherein the semiconductor circuit performs mutual authentication with the sender of the download request to confirm the legitimacy of the sender, and only then judges whether the download is possible.
40. The semiconductor circuit according to claim 35, wherein the semiconductor circuit:
records the program module linked with the key information used before the program module is executed; and
judges, using the key information corresponding to a program module whose execution is requested, whether the program module has been modified or tampered with, and executes the program module when it is judged not to have been modified or tampered with.
41. The semiconductor circuit according to claim 35, wherein:
when a program module is stored in a semiconductor memory circuit arranged outside the semiconductor circuit,
the semiconductor circuit scrambles the program module and then writes it into the semiconductor memory circuit, and
the semiconductor circuit descrambles the program module read from the semiconductor memory circuit.
42. The semiconductor circuit according to claim 35, wherein the semiconductor circuit,
when the application program defines processing of a procedure in which data are transferred between the integrated circuit and the semiconductor circuit,
encrypts first key information used for the operations of the integrated circuit with second key information and stores it in the semiconductor memory circuit, and
keeps the second key information inside the semiconductor circuit.
43. The semiconductor circuit according to claim 35, wherein the integrated circuit is mounted on a card.
44. The semiconductor circuit according to claim 42, wherein the semiconductor circuit:
executes and provides a plurality of application programs corresponding to a plurality of service providers of procedures executed using the integrated circuit; and
protects the plurality of program modules forming the same application program with the same firewall.
45. A program executed by a semiconductor circuit that runs an application program, the program comprising:
a routine for protecting each program module among a plurality of program modules forming the application program with the firewall allocated in advance to that program module from among a plurality of firewalls;
a routine for recording the program module linked with firewall identification information identifying the firewall allocated to that program module; and
a routine for executing the program module on condition that the record has been made.
46. The program according to claim 45, further comprising a routine for permitting data transfer or data reference between program modules recorded as linked with the same firewall identification information, and prohibiting data transfer or data reference between program modules recorded as linked with different firewall identification information.
47. A data processing method performed by a semiconductor circuit that executes application programs,
the data processing method comprising the steps of:
executing a plurality of application programs independently, each protected by a firewall;
recording in advance the conditions under which communication across the firewalls between the application programs is permitted;
when an application program requests communication with another application program, judging whether the communication request satisfies the recorded conditions; and
when the communication request is judged to satisfy the recorded conditions, carrying out the communication between the application programs according to the communication request.
48. The data processing method according to claim 47, further comprising the step of recording, as the condition permitting the communication, information indicating the combination of the application program that sends the communication request across the firewall and the other application program.
49. The data processing method according to claim 47, further comprising the steps of:
when the semiconductor circuit receives a processing request from outside the semiconductor circuit,
selecting from among the plurality of application programs the application program corresponding to the processing request; and
performing processing conforming to the processing request according to the selected application program.
50. The data processing method according to claim 47, further comprising the step of transferring the data accompanying the communication between the application programs through a predetermined memory area of a semiconductor memory device outside the semiconductor circuit.
51. The data processing method according to claim 50, further comprising the steps of:
the application program on the data-sending side writing the data into the predetermined memory area;
the application program on the data-sending side notifying the application program on the data-receiving side that the write has been performed; and
the application program on the data-receiving side reading the data from the predetermined memory area according to the notification.
52. The data processing method according to claim 50, further comprising the step of, when an access request to the predetermined memory area occurs, judging the legitimacy of the access by the firewall and permitting access to the predetermined memory area only for access requests judged legitimate.
53. The data processing method according to claim 50, further comprising the step of scrambling the data transferred with the communication between the application programs and then storing them in the predetermined memory area.
54. The data processing method according to claim 47, further comprising the step of the semiconductor circuit requesting another semiconductor circuit to perform at least part of the processing accompanying execution of the application program.
55. A semiconductor circuit, the semiconductor circuit
executing a plurality of application programs independently, each protected by a firewall,
recording in advance the conditions under which communication across the firewalls between the application programs is permitted,
when an application program requests communication with another application program, judging whether the communication request satisfies the recorded conditions, and
when the communication request is judged to satisfy the recorded conditions, carrying out the communication between the application programs according to the communication request.
56. The semiconductor circuit according to claim 55, wherein the semiconductor circuit records, as the condition permitting the communication, information indicating the combination of the application program that sends the communication request across the firewall and the other application program.
57. The semiconductor circuit according to claim 55, wherein the semiconductor circuit, when it receives a processing request from outside,
selects from among the plurality of application programs the application program corresponding to the processing request, and
performs processing conforming to the processing request according to the selected application program.
58. The semiconductor circuit according to claim 55, wherein the semiconductor circuit transfers the data accompanying the communication between the application programs through a predetermined memory area of a semiconductor memory device outside the semiconductor circuit.
59. The semiconductor circuit according to claim 58, wherein the semiconductor circuit
writes the data into the predetermined memory area in the application program on the data-sending side,
notifies the application program on the data-receiving side that the write has been performed, and
reads the data from the predetermined memory area in the application program on the data-receiving side according to the notification.
60. The semiconductor circuit according to claim 58, wherein, when an access request to the predetermined memory area occurs, the semiconductor circuit judges the legitimacy of the access by the firewall and permits access to the predetermined memory area only for access requests judged legitimate.
61. The semiconductor circuit according to claim 58, wherein the semiconductor circuit scrambles the data transferred with the communication between the application programs and then stores them in the predetermined memory area.
62. The semiconductor circuit according to claim 55, wherein the semiconductor circuit requests another semiconductor circuit to perform at least part of the processing accompanying execution of the application program.
63. A program that makes a semiconductor circuit execute the following routines:
a routine for executing a plurality of application programs independently, each protected by a firewall;
a routine for recording in advance the conditions under which communication across the firewalls between the application programs is permitted;
a routine for judging, when an application program requests communication with another application program, whether the communication request satisfies the recorded conditions; and
a routine for carrying out the communication between the application programs according to the communication request when the communication request is judged to satisfy the recorded conditions.
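Worked example of the module records and firewall checks of claims 25 to 30 together with the recorded communication conditions of claims 47 and 48, added here as an illustration; it is not code from the patent or from Sony. HMAC-SHA256 stands in for the unspecified key-based download and integrity checks, and the module names, firewall identifiers and keys are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class ModuleRecord:
    """What the semiconductor circuit records about one program module (claims 25, 27, 30)."""
    firewall_id: str
    download_key: Optional[bytes] = None     # claim 27: key checked on download
    integrity_key: Optional[bytes] = None    # claim 30: key checked before execution
    code: Optional[bytes] = None             # module body once downloaded
    integrity_tag: Optional[bytes] = None    # MAC of the code computed at download time


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the patent's unspecified key-based check (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class SamPolicy:
    def __init__(self) -> None:
        self.modules: Dict[str, ModuleRecord] = {}
        self.allowed_pairs: Set[Tuple[str, str]] = set()   # claim 48: (sender, receiver)

    def register(self, name: str, firewall_id: str, download_key: Optional[bytes] = None,
                 integrity_key: Optional[bytes] = None) -> None:
        """Record the module linked with its firewall identifier and keys (claims 25, 27, 30)."""
        self.modules[name] = ModuleRecord(firewall_id, download_key, integrity_key)

    def may_transfer(self, src: str, dst: str) -> bool:
        """Claim 26: data transfer only between modules recorded with the same firewall id."""
        a, b = self.modules.get(src), self.modules.get(dst)
        return a is not None and b is not None and a.firewall_id == b.firewall_id

    def allow_communication(self, sender: str, receiver: str) -> None:
        """Claim 48: record a permitted sender/receiver combination across firewalls."""
        self.allowed_pairs.add((sender, receiver))

    def may_communicate(self, sender: str, receiver: str) -> bool:
        """Claim 47: a cross-firewall request is honoured only if the combination is recorded."""
        return (sender, receiver) in self.allowed_pairs

    def download(self, name: str, code: bytes, tag: bytes) -> bool:
        """Claims 27 and 28: refuse unless a download key is recorded and the tag verifies."""
        rec = self.modules.get(name)
        if rec is None or rec.download_key is None:
            return False
        if not hmac.compare_digest(mac(rec.download_key, code), tag):
            return False
        rec.code = code
        if rec.integrity_key is not None:
            rec.integrity_tag = mac(rec.integrity_key, code)
        return True

    def execute(self, name: str) -> bool:
        """Claim 30: run only if the code still matches the tag made with the recorded key."""
        rec = self.modules.get(name)
        if rec is None or rec.code is None or rec.integrity_key is None or rec.integrity_tag is None:
            return False
        if not hmac.compare_digest(mac(rec.integrity_key, rec.code), rec.integrity_tag):
            return False   # modified or tampered with since download
        return True        # a real SAM would now execute rec.code


def demo() -> Dict[str, bool]:
    """Constructed scenario: two providers' modules, each behind its own firewall."""
    dl_key, ik = b"demo-download-key", b"demo-integrity-key"
    p = SamPolicy()
    p.register("provA.pay", "FW-A", download_key=dl_key, integrity_key=ik)
    p.register("provA.log", "FW-A")
    p.register("provB.pay", "FW-B", download_key=dl_key, integrity_key=ik)
    p.register("provB.unkeyed", "FW-B")              # no download key recorded (claim 28)
    p.allow_communication("provA.pay", "provB.pay")
    code = b"module body"
    results = {
        "same_firewall": p.may_transfer("provA.pay", "provA.log"),
        "cross_firewall": p.may_transfer("provA.pay", "provB.pay"),
        "allowed_pair": p.may_communicate("provA.pay", "provB.pay"),
        "reverse_pair": p.may_communicate("provB.pay", "provA.pay"),
        "download_ok": p.download("provA.pay", code, mac(dl_key, code)),
        "download_bad_tag": p.download("provB.pay", code, mac(b"wrong", code)),
        "download_no_key": p.download("provB.unkeyed", code, mac(dl_key, code)),
        "execute_ok": p.execute("provA.pay"),
    }
    p.modules["provA.pay"].code = b"module body (altered)"   # simulate alteration in storage
    results["execute_tampered"] = p.execute("provA.pay")
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the recorded communication condition is directional in this example: the reverse pair is refused unless it is recorded too.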
64. A data processing method for downloading a program to be run in a semiconductor circuit into the semiconductor circuit or into a semiconductor memory device accessible by the semiconductor circuit,
wherein the semiconductor circuit has a software configuration made up of a plurality of layers and can refer to download signature verification key information corresponding to each layer,
the data processing method comprising the steps of:
on receiving a download request, the semiconductor circuit verifying, using the download signature verification key information, the download signature information generated according to the download request; and
on condition that the download signature information is legitimate, the semiconductor circuit permitting the sender of the download request to download a program for the layer corresponding to the download signature verification key information used in that verification.
65. The data processing method according to claim 64, further comprising the steps of:
an authentication device holding the access master key information corresponding to the layer to which the program permitted to be downloaded belongs;
the authentication device sending the download request to the semiconductor circuit; and
the authentication device generating the download signature information using the access master key information and sending the download signature information to the semiconductor circuit.
66. The data processing method according to claim 64, further comprising the steps of:
the authentication device holding identification information of the semiconductor circuit; and
the authentication device encrypting the identification information, in plaintext form, with the access master key information to generate download master key information, and generating the download signature information using the download master key information.
67. The data processing method according to claim 65, further comprising the steps of:
the authentication device holding first access master key information corresponding to the layer permitted to be downloaded into the semiconductor circuit and one or more second access master key information corresponding to one or more layers above that layer; and
the authentication device generating the download signature information using the first access master key information and the one or more second access master key information.
68. The data processing method according to claim 65, further comprising the step of the authentication device performing mutual authentication with the semiconductor circuit and then sending the download signature information to the semiconductor circuit.
69. The data processing method according to claim 68, further comprising the steps of:
the authentication device holding mutual authentication master key information and identification information of the semiconductor circuit;
the authentication device encrypting the identification information, in plaintext form, with the mutual authentication master key information to generate mutual authentication key information; and
the authentication device using the mutual authentication key information for the mutual authentication with the semiconductor circuit.
70. The data processing method according to claim 64, wherein the software configuration of the semiconductor circuit is divided into a first layer for which only the manager of the semiconductor circuit is given download authority; a second layer, arranged above the first layer, to which programs operating a predetermined integrated circuit belong; and a third layer, arranged above the second layer, to which application programs defining the transaction content of procedures using the integrated circuit belong.
71. The data processing method according to claim 70, wherein
the integrated circuit is mounted on a card, and
the semiconductor circuit accesses the integrated circuit through a communication line and a communication device connected to the communication line.
72. The data processing method according to claim 70, wherein application programs corresponding to a plurality of enterprises that conduct transactions using the integrated circuit belong to the third layer, firewalls are defined for the plurality of application programs, and data transfer or data reference between the application programs is restricted by the firewalls.
73. The data processing method according to claim 65, further comprising the step of the authentication device automatically deleting the stored access master key information when physical external force applied to the authentication device is detected and that force could lead to illegitimate access to the access master key information.
74. A semiconductor circuit having a software configuration composed of a plurality of layers, wherein said semiconductor circuit:
is capable of verification using download signature verification key information corresponding to each layer,
when receiving a download request, verifies the download signature information generated according to the download request by using said download signature verification key information, and
on condition that said download signature information is legitimate, permits the sender of said download request to download the program of the layer corresponding to the download signature verification key information used for this verification into this semiconductor circuit or into a semiconductor memory circuit accessible by said semiconductor circuit.
75. The semiconductor circuit according to claim 74, wherein the software configuration of said semiconductor circuit is divided into a first layer into which only the manager of said semiconductor circuit is given the right to download, a second layer arranged on said first layer to which a program for operating a predetermined integrated circuit belongs, and a third layer arranged on said second layer to which an application program defining the content of the transaction procedure using said integrated circuit belongs.
76. The semiconductor circuit according to claim 74, wherein
said integrated circuit is mounted on a card, and
said semiconductor circuit accesses said integrated circuit via a communication line and a communication device connected to said communication line.
77. The semiconductor circuit according to claim 76, wherein the application programs corresponding to a plurality of enterprises carrying out transactions using the integrated circuit belong to said third layer, firewalls are defined for said plurality of application programs, and transfer of data or inspection of data between said application programs is restricted by said firewalls.
78. An authentication device for performing verification when a program to be run in a semiconductor circuit is downloaded into a semiconductor circuit having a software configuration composed of a plurality of layers or into a semiconductor memory device accessible by this semiconductor circuit, wherein said authentication device:
stores access master key information corresponding to the layer to which the program permitted to be downloaded belongs,
sends said download request to said semiconductor circuit, and
generates said download signature information using this access master key information and sends this download signature information to said semiconductor circuit.
79. The authentication device according to claim 78, wherein said authentication device:
stores identification information of said semiconductor circuit, and
encrypts said identification information, in plaintext form, with said access master key information to generate download master key information, and generates said download signature information using this download master key information.
80. The authentication device according to claim 79, wherein said authentication device:
stores first access master key information corresponding to the layer into which download to said semiconductor circuit is permitted and one or more second access master key information corresponding to one or more layers higher than said layer, and
generates said download signature information using said first access master key information and said one or more second access master key information.
81. The authentication device according to claim 79, wherein said authentication device performs mutual authentication with said semiconductor circuit and then sends said download signature information to said semiconductor circuit.
82. The authentication device according to claim 81, wherein said authentication device:
stores mutual authentication master key information and identification information of said semiconductor circuit,
encrypts said identification information, in plaintext form, with said mutual authentication master key information to generate mutual authentication key information, and
uses said mutual authentication key information for mutual authentication with said semiconductor circuit.
83. The authentication device according to claim 79, wherein, when a physical external force applied to said authentication device is detected and said access master key information may be illegitimately accessed by means of said external force, said authentication device automatically deletes the stored access master key information.
84. A program executed by a semiconductor circuit having a software configuration composed of a plurality of layers,
said program comprising:
a routine for verifying, when a download request is received, the download signature information generated according to such a download request by using the download signature verification key information of the corresponding one of said plurality of layers, and
a routine for permitting, on condition that said download signature information is legitimate, the sender of said download request to download the program of the layer corresponding to the download signature verification key information used for this verification into this semiconductor circuit or into a semiconductor memory circuit accessible by said semiconductor circuit.
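The layered download authorization of claims 74 to 84 can be modelled end to end: the authentication device derives a per-chip download key for each layer by applying the layer's access master key to the chip's identification information, chains the keys of the target layer and of every higher layer into a download signature, performs a challenge-response mutual authentication first, and the chip installs the program only into the layer whose verification key validated the signature. The model below is an added example, not code from the patent or from Sony; the class and function names are invented, and HMAC-SHA256 stands in for the unspecified "encrypt with master key" operation of the claims (an assumption, noted in the code).

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed function standing in for the claims' 'encrypt X with master key' step.
    Assumption: HMAC-SHA256 replaces whatever cipher the real device uses."""
    return hmac.new(key, data, hashlib.sha256).digest()


class AuthDevice:
    """Authentication device of claims 78-83: one access master key per layer."""

    def __init__(self, access_master_keys, mutual_master_key):
        self.access_master_keys = dict(access_master_keys)  # layer number -> key
        self.mutual_master_key = mutual_master_key

    def download_keys(self, chip_id, layer):
        # Claims 79/80: download master key = master key applied to the chip's
        # identification information, for the target layer and every higher layer.
        if layer not in self.access_master_keys:
            raise RuntimeError("no access master key available for this layer")
        layers = [layer] + sorted(n for n in self.access_master_keys if n > layer)
        return [prf(self.access_master_keys[n], chip_id) for n in layers]

    def sign_download(self, chip_id, layer, program):
        # Download signature information: MAC chain over (layer, program).
        tag = bytes([layer]) + program
        for key in self.download_keys(chip_id, layer):
            tag = prf(key, tag)
        return tag

    def mutual_auth_response(self, chip_id, challenge):
        # Claim 82: mutual authentication key = mutual master key applied to chip id.
        return prf(prf(self.mutual_master_key, chip_id), challenge)

    def tamper_detected(self):
        # Claims 73/83: physical attack detected, so erase the stored master keys.
        self.access_master_keys.clear()
        self.mutual_master_key = b""


class SamChip:
    """Semiconductor circuit of claim 74: holds per-layer verification keys."""

    def __init__(self, chip_id, verification_keys, mutual_key):
        self.chip_id = chip_id
        self.verification_keys = dict(verification_keys)  # layer -> per-chip key
        self.mutual_key = mutual_key
        self.layers = {n: None for n in verification_keys}  # installed programs
        self.challenge = None

    def new_challenge(self):
        self.challenge = os.urandom(16)
        return self.challenge

    def verify_mutual(self, response):
        return hmac.compare_digest(prf(self.mutual_key, self.challenge), response)

    def expected_signature(self, layer, program):
        tag = bytes([layer]) + program
        for n in [layer] + sorted(k for k in self.verification_keys if k > layer):
            tag = prf(self.verification_keys[n], tag)
        return tag

    def handle_download(self, layer, program, signature):
        # Claim 74: accept only into the layer whose key validated the signature.
        if layer not in self.verification_keys:
            return False
        if not hmac.compare_digest(self.expected_signature(layer, program), signature):
            return False
        self.layers[layer] = program
        return True


def provision(chip_id, access_master_keys, mutual_master_key):
    """Build a matched device/chip pair (constructed setup, symmetric keys)."""
    device = AuthDevice(access_master_keys, mutual_master_key)
    chip = SamChip(chip_id,
                   {n: prf(k, chip_id) for n, k in access_master_keys.items()},
                   prf(mutual_master_key, chip_id))
    return device, chip


def demo():
    chip_id = b"SAM-0001"  # constructed identification information
    masters = {1: b"manager-master", 2: b"card-os-master", 3: b"app-master"}
    device, chip = provision(chip_id, masters, b"mutual-master")
    # Claim 81: mutual authentication precedes the signed download.
    authed = chip.verify_mutual(device.mutual_auth_response(chip_id, chip.new_challenge()))
    program = b"APP: transaction procedure"
    sig = device.sign_download(chip_id, 3, program)
    into_layer3 = chip.handle_download(3, program, sig)
    into_layer2 = chip.handle_download(2, program, sig)  # same signature, wrong layer
    device.tamper_detected()
    try:
        device.sign_download(chip_id, 3, program)
        signs_after_tamper = True
    except RuntimeError:
        signs_after_tamper = False
    return authed, into_layer3, into_layer2, signs_after_tamper


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

Binding the layer number into the signed data is what prevents a signature issued for the application layer from being replayed against the card-OS layer; the chip never has to trust the layer named in the request, only the key that validates the signature.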
85. A semiconductor circuit having a data processing circuit and a data input/output processing circuit, wherein
said data processing circuit inputs and outputs data to and from the outside of this semiconductor circuit via a bus by means of said data input/output processing circuit, and
said data input/output circuit:
encrypts data input from said data processing circuit in units of a predetermined data length and outputs the encrypted data to said bus,
decrypts data input from said bus and outputs the decrypted data to said data processing circuit, and
carries out data input/output transactions via said bus in units of m data input/output transactions, where the width of said bus is Nb, the data length is Nc, Nc/Nb = n, and m is the smallest integer equal to or greater than n.
86. The semiconductor circuit according to claim 85, wherein
said data input/output circuit,
when accessing a semiconductor memory circuit via said bus according to a first address input from said data processing circuit,
translates said first address into a second address so that said semiconductor memory circuit is accessed in units of storage areas each holding Nc of data, and accesses said semiconductor memory circuit using said second address.
87. The semiconductor circuit according to claim 86, wherein said data input/output circuit,
when receiving from said data processing circuit an instruction to write first data to a first address,
translates said first address into said second address,
reads the data of a predetermined address range including said first address from said semiconductor memory circuit using said second address,
decrypts said read data,
overwrites the data corresponding to said first address in said decrypted data,
encrypts said data of the predetermined address range including said overwritten data, and
writes said encrypted data to said semiconductor memory circuit using said second address.
88. The semiconductor circuit according to claim 86, wherein said data input/output circuit,
when receiving from said data processing circuit an instruction to read data from a first address,
translates said first address into said second address,
reads the data of a predetermined address range including said first address from said semiconductor memory circuit using said second address,
decrypts said read data,
overwrites the data corresponding to said first address in said decrypted data, and
takes out the data corresponding to said first address from said decrypted data and outputs it to said data processing circuit.
89. The semiconductor circuit according to claim 85, wherein, on condition that the key data used when encrypting said data so as to write it to said semiconductor memory circuit and the key data used when decrypting data read from said semiconductor memory circuit are identical, said data input/output circuit switches the key data used for said encryption and decryption as appropriate.
90. The semiconductor circuit according to claim 89, wherein:
said data input/output circuit stores a plurality of said keys, and
said plurality of keys are switched as appropriate for use.
91. The semiconductor circuit according to claim 89, wherein said data input/output circuit performs a calculation using the address for accessing said semiconductor memory circuit so as to generate said key.
92. The semiconductor circuit according to claim 89, wherein said data input/output circuit generates parity data according to the data to be written to said semiconductor memory circuit, writes said parity data to said semiconductor memory circuit linked with said data, reads the corresponding parity data together with the reading of said data, and verifies the legitimacy of said read data according to said parity data.
93. The semiconductor circuit according to claim 85, wherein said data input/output circuit divides at least one of the processing of writing data to said semiconductor memory circuit and the processing of reading data from said semiconductor memory circuit into a plurality of processes, and performs pipeline processing in units of the divided processes.
94. The semiconductor circuit according to claim 86, wherein said data input/output circuit scrambles the address input from said data processing circuit so as to generate the second address.
95. A data processing method performed by a semiconductor circuit when accessing a semiconductor memory circuit, the semiconductor circuit and the semiconductor memory circuit being connected by a bus,
said data processing method comprising the steps of:
encrypting the data to be written to said semiconductor memory circuit in units of a predetermined data length, and outputting the encrypted data to said bus,
decrypting the data input from said bus, and
carrying out data input/output transactions via said bus in units of m data input/output transactions, where the width of said bus is Nb, said data length is Nc, Nc/Nb = n, and m is the smallest integer equal to or greater than n.
96. The data processing method according to claim 95, further comprising the step of generating the address used when accessing said semiconductor memory circuit so that said semiconductor memory circuit is accessed in units of storage areas each holding Nc of data.
97. The data processing method according to claim 96, further comprising the steps of:
reading the data of a predetermined address range from said semiconductor memory circuit using said generated address,
decrypting said read data,
overwriting the necessary data in said decrypted data,
encrypting said data of the predetermined address range including said overwritten data, and
writing said encrypted data to said semiconductor memory circuit using said generated address.
98. The data processing method according to claim 96, further comprising the steps of:
reading the data of a predetermined address range from said semiconductor memory circuit using said generated address,
decrypting said read data, and
taking out the data necessary for processing from said decrypted data.
99. The data processing method according to claim 95, further comprising the step of, on condition that the key data used when encrypting said data so as to write it to said semiconductor memory circuit and the key data used when decrypting data read from said semiconductor memory circuit are identical, switching the key data used for said encryption and decryption as appropriate.
100. The data processing method according to claim 99, further comprising the steps of:
storing a plurality of said keys, and
switching said plurality of keys as appropriate for use.
101. The data processing method according to claim 99, further comprising the step of performing a calculation using the address for accessing said semiconductor memory circuit so as to generate said key.
102. The data processing method according to claim 95, further comprising the step of generating parity data according to the data to be written to said semiconductor memory circuit, writing said parity data to said semiconductor memory circuit linked with said data, reading the corresponding parity data together with the reading of said data, and verifying the legitimacy of said read data according to said parity data.
103. The data processing method according to claim 95, further comprising the step of dividing at least one of the processing of writing data to said semiconductor memory circuit and the processing of reading data from said semiconductor memory circuit into a plurality of processes, and performing pipeline processing in units of the divided processes.
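Claims 85 to 103 describe an encrypted external-memory path in which every access is widened to an Nc-byte block that crosses an Nb-byte bus in m = ceil(Nc/Nb) transactions, the block address is scrambled, the block key is computed from the address, a single-byte write becomes read-decrypt-modify-encrypt-write, and a parity value stored beside each block is checked on every read. The following model is an added example written for this page, not the patent's or Sony's code; the class names are invented, the per-block keystream cipher built from HMAC-SHA256 is a placeholder for the unspecified cipher (so Nc is limited to 32 bytes here), the XOR parity byte is one possible instance of claim 92's parity data, and the pipelining of claim 93 is not modelled.

```python
import hashlib
import hmac
import math


def transactions_per_block(nc, nb):
    """Claim 85: with Nc/Nb = n, a block crosses the bus in m = ceil(n) transactions."""
    return math.ceil(nc / nb)


class Bus:
    """Bus of width Nb bytes that counts the transactions it carries."""

    def __init__(self, nb):
        self.nb = nb
        self.transactions = 0

    def transfer(self, data):
        self.transactions += transactions_per_block(len(data), self.nb)
        return bytes(data)


class SemiconductorMemory:
    """External memory: ciphertext blocks stored with their linked parity (claim 92)."""

    def __init__(self):
        self.blocks = {}  # second address -> (ciphertext, parity)


class DataIoCircuit:
    """Model of the data input/output circuit of claims 85-94 (constructed example)."""

    def __init__(self, nc, bus, memory, master_key, scramble_mask):
        self.nc, self.bus, self.memory = nc, bus, memory  # nc <= 32 for this placeholder cipher
        self.master_key = master_key
        self.scramble_mask = scramble_mask  # block-index mask; an assumption for claim 94

    def translate(self, first_addr):
        # Claims 86/94: block-aligned, scrambled second address.
        return ((first_addr // self.nc) ^ self.scramble_mask) * self.nc

    def block_key(self, second_addr):
        # Claim 91: key derived by calculation on the access address.
        return hmac.new(self.master_key, second_addr.to_bytes(4, "big"), hashlib.sha256).digest()

    def crypt(self, second_addr, data):
        # Placeholder cipher: per-block keystream XOR (same operation both directions).
        stream = hmac.new(self.block_key(second_addr), b"stream", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream[:self.nc]))

    @staticmethod
    def parity(data):
        result = 0
        for byte in data:
            result ^= byte
        return result

    def _fetch(self, second_addr):
        stored = self.memory.blocks.get(second_addr)
        if stored is None:
            return bytearray(self.nc)  # never written: treated as all-zero plaintext
        ciphertext, parity = stored
        plaintext = bytearray(self.crypt(second_addr, self.bus.transfer(ciphertext)))
        if self.parity(plaintext) != parity:  # claim 92: verify legitimacy on read
            raise ValueError("parity mismatch at second address %#x" % second_addr)
        return plaintext

    def _store(self, second_addr, plaintext):
        ciphertext = self.bus.transfer(self.crypt(second_addr, bytes(plaintext)))
        self.memory.blocks[second_addr] = (ciphertext, self.parity(plaintext))

    def write_byte(self, first_addr, value):
        # Claim 87: read the whole block, decrypt, overwrite one byte, encrypt, write back.
        second_addr = self.translate(first_addr)
        plaintext = self._fetch(second_addr)
        plaintext[first_addr % self.nc] = value
        self._store(second_addr, plaintext)

    def read_byte(self, first_addr):
        # Claim 88: read the whole block, decrypt, take out the requested byte.
        return self._fetch(self.translate(first_addr))[first_addr % self.nc]


def demo():
    bus, memory = Bus(nb=4), SemiconductorMemory()
    io = DataIoCircuit(16, bus, memory, b"constructed-master-key", scramble_mask=0x5A)
    io.write_byte(0x1003, 0xAB)   # block not yet in memory: 4 bus transactions to write
    io.write_byte(0x1007, 0xCD)   # read-modify-write: 4 to read plus 4 to write
    values = (io.read_byte(0x1003), io.read_byte(0x1007))  # 4 transactions each
    tx = bus.transactions
    # Flip one ciphertext bit in memory; the parity check catches it on the next read.
    second = io.translate(0x1003)
    ciphertext, parity = memory.blocks[second]
    memory.blocks[second] = (bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:], parity)
    try:
        io.read_byte(0x1003)
        detected = False
    except ValueError:
        detected = True
    return tx, values, detected
```

A single XOR parity byte detects an odd number of flipped bits but not an even number, and neither it nor the address-derived key stops a whole stored block being replaced by an older valid block for the same address; a practitioner treating this as an integrity design would want a keyed MAC and a freshness counter beside the parity.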
104. A data processing apparatus comprising:
a memory circuit storing the instructions and data of a plurality of programs,
a calculation circuit accessing said memory circuit via a transmission line and executing said plurality of programs using the instructions and data of said plurality of programs,
a switch circuit placed between said transmission line and said memory circuit, setting the connection between said transmission line and said memory circuit to one of a connected state and a disconnected state according to a control signal,
a connection control circuit generating the control signal that sets said transmission line and said memory circuit to one of the connected state and the disconnected state, according to access range definition data defining, for each of said plurality of programs, the address range in said memory circuit that may be accessed while the calculation circuit is executing said plurality of programs, the address in said memory circuit for which said calculation circuit issues an access request, and execution program indication information indicating which of said plurality of programs said calculation circuit is executing, and
an input/output interface circuit inputting and outputting data with respect to said calculation circuit via said transmission line, and inputting and outputting data with respect to the outside of this data processing apparatus.
105. The data processing apparatus according to claim 104, wherein, when the address in said memory circuit for which said calculation circuit issues an access request is within the address range defined by said access range definition data and corresponding to the program being executed, the connection control circuit generates said control signal indicating that said transmission line and said memory circuit are to be set to the connected state, and when said address is not within this address range, generates said control signal indicating that said transmission line and said memory circuit are to be set to the disconnected state.
106. The data processing apparatus according to claim 104, wherein said connection control circuit generates said control signal on the basis of said access range definition data and the instruction being executed, said access range definition data defining the accessible address range in said memory circuit according to which of a fetch, read and write instruction said calculation circuit is executing.
107. The data processing apparatus according to claim 104, wherein said connection control circuit has a memory storing said access range definition data.
108. The data processing apparatus according to claim 104, wherein:
said input/output interface circuit transfers data with an integrated circuit outside said data processing apparatus that stores said access range definition data in encrypted form,
said calculation circuit accesses said integrated circuit via said transmission line and said communication circuit, and
said connection control circuit stores predetermined key information, receives the encrypted access range definition data from said integrated circuit via said communication circuit and said transmission line, decrypts the received access range definition data using said key information, and generates said control signal using said decrypted access range definition data.
109. The data processing apparatus according to claim 108, wherein said connection control circuit receives an encrypted decryption program for performing said decryption via said input/output interface circuit and said transmission line, decrypts the received decryption program, stores it in said memory circuit, and decrypts said access range definition data using said decryption program stored in said memory circuit.
110. The data processing apparatus according to claim 104, wherein, when said connection control circuit sets said transmission line and said memory circuit to the disconnected state, said calculation circuit stops the operation of said calculation circuit.
111. The data processing apparatus according to claim 104, wherein, when the program being executed by said calculation circuit calls a function of another program, said connection control circuit judges whether said call is permitted according to inter-program call relation definition data predefining the combinations of a calling program and a called program for which calling is permitted, generates said control signal setting said transmission line and said memory circuit to the connected state when judging that said call is permitted, and generates said control signal setting said transmission line and said memory circuit to the disconnected state when judging that said call is not permitted.
112. The data processing apparatus according to claim 111, wherein said connection control circuit generates said control signal on the basis of said inter-program call relation definition data and the instruction being executed, said inter-program call relation definition data defining the combinations of programs according to which of a fetch, read and write instruction said calculation circuit is executing.
113. The data processing apparatus according to claim 111, wherein said connection control circuit has a memory storing said inter-program call relation definition data.
114. The data processing apparatus according to claim 111, wherein:
said input/output interface circuit transfers data with an integrated circuit outside said data processing apparatus that stores said inter-program call relation definition data in encrypted form,
said calculation circuit accesses said integrated circuit via said transmission line and said communication circuit, and
said connection control circuit stores predetermined key information, receives the encrypted inter-program call relation definition data from said integrated circuit via said communication circuit and said transmission line, decrypts the received inter-program call relation definition data using said key information, and generates said control signal using said decrypted inter-program call relation definition data.
115. The data processing apparatus according to claim 114, wherein said connection control circuit receives an encrypted decryption program for performing said decryption via said input/output interface circuit and said transmission line, decrypts the received decryption program, stores it in said memory circuit, and decrypts said inter-program call relation definition data using said decryption program stored in said memory circuit.
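The connection control circuit of claims 104 to 115 is a memory-side reference monitor: for every access it takes the executing program, the instruction type (fetch, read or write) and the requested address, looks them up in the access range definition data, and either connects the memory or isolates it, which halts the calculation circuit; calls between programs are checked the same way against the inter-program call relation definition data. The model below is an added example, not code from the patent or from Sony; the names are invented, the policy tables are constructed, and the encrypted delivery of the definition data in claims 108/109 and 114/115 is not modelled.

```python
from dataclasses import dataclass

CONNECT, DISCONNECT = "connect", "disconnect"


@dataclass(frozen=True)
class AccessRange:
    """One entry of the access range definition data (claims 104-106)."""
    start: int
    end: int              # exclusive
    ops: frozenset        # subset of {"fetch", "read", "write"}


class ConnectionControlCircuit:
    """Generates the control signal that connects or isolates the memory circuit."""

    def __init__(self, access_ranges, call_relations):
        self.access_ranges = access_ranges          # program -> [AccessRange]
        self.call_relations = set(call_relations)   # permitted (caller, callee) pairs

    def control_signal(self, program, op, address):
        # Claims 105/106: connect only if the executing program may perform `op`
        # on `address`; anything else isolates the memory.
        for r in self.access_ranges.get(program, ()):
            if r.start <= address < r.end and op in r.ops:
                return CONNECT
        return DISCONNECT

    def call_signal(self, caller, callee):
        # Claim 111: cross-program calls are allowed only for predefined pairs.
        return CONNECT if (caller, callee) in self.call_relations else DISCONNECT


class CalculationCircuit:
    """Executes a trace of accesses; halts on the first disconnect (claim 110)."""

    def __init__(self, ccc):
        self.ccc = ccc
        self.halted = False
        self.signals = []

    def run(self, trace):
        for step in trace:
            if self.halted:
                break
            if step[0] == "call":
                _, caller, callee = step
                sig = self.ccc.call_signal(caller, callee)
            else:
                program, op, address = step
                sig = self.ccc.control_signal(program, op, address)
            self.signals.append(sig)
            if sig == DISCONNECT:
                self.halted = True
        return self.signals


def demo():
    # Constructed policy: the card OS owns the low region; app_A has a
    # fetch/read code region and a read/write data region.
    rw = frozenset({"fetch", "read", "write"})
    ranges = {
        "card_os": [AccessRange(0x0000, 0x1000, rw)],
        "app_A": [AccessRange(0x2000, 0x2800, frozenset({"fetch", "read"})),
                  AccessRange(0x2800, 0x3000, frozenset({"read", "write"}))],
    }
    ccc = ConnectionControlCircuit(ranges, {("app_A", "card_os")})
    cpu = CalculationCircuit(ccc)
    trace = [
        ("app_A", "fetch", 0x2010),    # own code region: allowed
        ("app_A", "write", 0x2900),    # own data region: allowed
        ("call", "app_A", "card_os"),  # permitted call relation
        ("app_A", "write", 0x2010),    # writing into its own code region: refused
        ("app_A", "read", 0x0100),     # never reached: the circuit already halted
    ]
    return cpu.run(trace), cpu.halted
```

Encoding the instruction type in the policy (claim 106) is what lets the same address be fetchable but not writable, so a program cannot modify its own code even inside its own range.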
116, a kind of semiconductor circuit of executive routine,
Described semiconductor circuit comprises:
First transmission line,
Preserve the instruction of the described program of execution or the memory circuit of data,
According to the counting circuit of the described instruction manipulation that reads from described memory circuit by described first transmission line,
According to first control signal described first transmission line and described memory circuit are arranged to first of connection status and one of off-state and are connected change-over circuit,
According to second control signal second transmission line outside this semiconductor circuit and described first transmission line be arranged to second of connection status and one of off-state be connected change-over circuit and
When described first control signal that indication is connected exports to described first when connecting change-over circuit, connect described second control signal that change-over circuit output indication disconnects to described second, when described first control signal that indication is disconnected exports to described first when connecting change-over circuit, to the described second connection control circuit that connects described second control signal that change-over circuit output indication connects.
117, according to the described semiconductor circuit of claim 116, wherein said second connects change-over circuit links to each other with memory device outside being positioned at described semiconductor circuit by described second transmission line.
118, according to the described semiconductor circuit of claim 116, wherein,
When described counting circuit during from described memory circuit reading command,
Described first control signal that described connection control circuit connects indication is exported to described first and is connected change-over circuit, and connects change-over circuit indicating described second control signal that disconnects to export to described second.
119, according to the described semiconductor circuit of claim 118, wherein:
Described counting circuit is exported to the 3rd transmission line to the signal that shows the type that will execute instruction, will being exported to the 4th transmission line by the address of the memory block of described instruction access, and
Described connection control circuit
Monitor described the 3rd transmission line and described the 4th transmission line, and when judging that described counting circuit is being carried out the taking-up instruction and visited described memory circuit,
Described first control signal that indication connects is exported to the described first connection change-over circuit, and connect change-over circuit indicating described second control signal that disconnects to export to described second.
120, according to the described semiconductor circuit of claim 116, wherein,
Described memory circuit is preserved and is used to carry out described program, and preserves the functional module of a plurality of instructions, and described a plurality of instructions comprise that the disconnection that places their heads releases order and place the disconnection sign on of their afterbodys,
When described counting circuit execution disconnection is released order, described first control signal that described connection control circuit connects indication is exported to described first and is connected change-over circuit, and when described counting circuit is carried out the disconnection sign on, described first control signal that indication disconnects is exported to the described first connection change-over circuit.
121, according to the described semiconductor circuit of claim 120, wherein after the described disconnection of execution is released order, described connection control circuit is exported to described first to described first control signal and is connected change-over circuit, so that described first transmission line and described memory circuit are arranged to connection status constantly, disconnect sign on up to execution next time of described counting circuit.
122, according to the described semiconductor circuit of claim 116, also comprise:
The request of reading with the internal state that sends from described counting circuit to described counting circuit, the overwrite request of described internal state, link to each other with one of at least external unit during the operation of described counting circuit stops to ask, and determine whether to export the described request of reading according to the 3rd control signal, what described overwrite request and described operation stopped to ask the 3rd is connected change-over circuit, and
When described first control signal that indication is connected exports to described first when connecting change-over circuit, described connection control circuit is not exported the described request of reading to indication to described counting circuit, described overwrite request is exported to the described the 3rd with described the 3rd control signal that described operation stops to ask and is connected change-over circuit, when described first control signal that indication is disconnected exports to described first when connecting change-over circuit, indication is exported the described request of reading to described counting circuit, and described overwrite request is exported to the described the 3rd with described the 3rd control signal that described operation stops to ask and is connected change-over circuit.
123, a kind of semiconductor circuit of executive routine,
Described semiconductor circuit comprises:
Preserve the encrypted instruction or the data of described program, to exporting to the data encryption of memory device by first transmission line outside this semiconductor circuit, and to passing through described first transmission line from the encrypted instruction of described memory device input or the encryption/decryption circuit of data decryption
The counting circuit that utilizes described decryption instructions or data to calculate,
According to control signal select whether to permit the selection circuit of second transmission line outside the described semiconductor circuit and the communication between the described counting circuit and
When described counting circuit is utilizing the instruction of described program or data to handle, do not allow the control circuit of the described control signal of communicating by letter between described second transmission line and the described counting circuit to described selection circuit output indication.
124, according to the described semiconductor circuit of claim 123, wherein said selection circuit is the external unit that links to each other with described second transmission line, and the request of reading between the internal state that sends described counting circuit to described counting circuit, the overwrite request of described internal state, and operation stop to ask between one of at least the external unit and described counting circuit.
125. The semiconductor circuit according to claim 123, wherein said encryption/decryption circuit encrypts the functional modules forming said program using predetermined key information, generates, in plaintext, key designation information designating the key information used to encrypt said functional module, and outputs said key designation information to said memory device, linked to said encrypted functional module.
126. The semiconductor circuit according to claim 123, wherein said encryption/decryption circuit holds a plurality of pieces of key information used for said encryption, and decrypts a functional module input from said memory device via said second transmission line using the key information designated by the key designation information input from said memory device.
127. The semiconductor circuit according to claim 125, wherein said encryption/decryption circuit encrypts and decrypts said functional module in units of data blocks of a predetermined data length.
128. The semiconductor circuit according to claim 27, wherein, when encrypting said functional module, said encryption/decryption circuit generates parity data in units of said data block, and stores said parity data in said memory device linked to said data block.
129. The semiconductor circuit according to claim 128, wherein said encryption/decryption circuit generates said parity data such that the sum of the numerical value of said data block and the parity data is a predetermined numerical value.
130. The semiconductor circuit according to claim 128, wherein said encryption/decryption circuit decrypts a data block input from said memory device via said first transmission line, then judges the validity of the parity data corresponding to that data block, and, when that parity data is judged invalid, stops the operation of said computing circuit or performs predetermined error processing.
131. The semiconductor circuit according to claim 125, wherein the data length of said data block is the same as the data length of said functional module.
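Claims 125 to 130 describe a concrete storage format: a functional module is encrypted block by block under one of several keys held by the circuit, the key used is recorded in a plaintext key-designation field, and each block is stored with a parity value chosen so that block value plus parity equals a fixed constant, checked after decryption. The following Python is an added example, not code from the patent or from Sony: the block length, the constant, the key ids, the toy counter-mode keystream and the `tamper` helper are all assumptions made for the demonstration.

```python
"""Added example, not code from the patent: block-wise encryption of a
functional module under one of several held keys (claims 125-127), a
plaintext key-designation field recording which key was used, and per-block
parity chosen so that (block value + parity) equals a fixed constant
(claims 128-129), verified after decryption with halt-on-failure (claim 130).
Block length, the constant, the key ids and the keystream are assumptions."""
import hashlib
import struct

BLOCK_LEN = 16                      # predetermined data length (assumption)
MOD = 1 << (8 * BLOCK_LEN)          # block value = block read as a big-endian integer
PARITY_TARGET = 0                   # predetermined sum value (assumption)

# Several pieces of key information held by the encryption/decryption circuit
# (claim 126); ids and values are constructed for the example.
KEYS = {1: b"sam-key-1", 2: b"sam-key-2"}


def _keystream(key: bytes, block_index: int) -> bytes:
    """Toy counter-mode keystream standing in for the circuit's cipher (assumption)."""
    return hashlib.sha256(key + struct.pack(">I", block_index)).digest()[:BLOCK_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def parity_for(block: bytes) -> int:
    """Parity p such that (int(block) + p) % MOD == PARITY_TARGET (claim 129)."""
    return (PARITY_TARGET - int.from_bytes(block, "big")) % MOD


def parity_ok(block: bytes, parity: int) -> bool:
    return (int.from_bytes(block, "big") + parity) % MOD == PARITY_TARGET


def encrypt_module(plain: bytes, key_id: int) -> dict:
    """Encrypt a functional module block by block. Returns what would be written
    to the memory device: the key designation (plaintext), the ciphertext
    blocks, and one parity value linked to each block."""
    if len(plain) % BLOCK_LEN:
        raise ValueError("module length must be a multiple of BLOCK_LEN")
    key = KEYS[key_id]
    blocks, parity = [], []
    for i in range(0, len(plain), BLOCK_LEN):
        chunk = plain[i:i + BLOCK_LEN]
        parity.append(parity_for(chunk))                  # parity over the plaintext block
        blocks.append(_xor(chunk, _keystream(key, i // BLOCK_LEN)))
    return {"key_id": key_id, "blocks": blocks, "parity": parity}


def decrypt_module(stored: dict) -> bytes:
    """Decrypt each block with the designated key, then check its parity (claim 130).
    A failed check raises, modelling the 'stop the computing circuit' branch."""
    key = KEYS[stored["key_id"]]                          # key chosen by the designation field
    out = bytearray()
    for idx, (ct, p) in enumerate(zip(stored["blocks"], stored["parity"])):
        pt = _xor(ct, _keystream(key, idx))
        if not parity_ok(pt, p):
            raise ValueError(f"parity check failed at block {idx}: halting")
        out += pt
    return bytes(out)


def tamper(stored: dict, block_index: int) -> dict:
    """Flip one bit of a stored ciphertext block (models memory-device corruption)."""
    blocks = list(stored["blocks"])
    b = bytearray(blocks[block_index])
    b[0] ^= 0x01
    blocks[block_index] = bytes(b)
    return {**stored, "blocks": blocks}


if __name__ == "__main__":
    module = b"module-code-0123module-code-4567"
    stored = encrypt_module(module, key_id=2)
    assert decrypt_module(stored) == module
    try:
        decrypt_module(tamper(stored, 1))
    except ValueError as e:
        print(e)
```

The additive parity catches storage corruption and decryption under the wrong designated key, which is what claim 130 is about. It is linear, though: an adversary who can write both a block and its linked parity has a good chance of producing a consistent pair, so it is not a substitute for a keyed MAC or authenticated encryption over the stored module.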
132. A data processing apparatus comprising:
a memory circuit that stores, in a predetermined memory area, a plurality of application programs each constituted by a plurality of data modules, and that stores management data, said plurality of data modules including processing routine data describing the processing of a service program that communicates with an integrated circuit to provide a service, said management data indicating the data modules that are linked together, first key data used when, in the processing according to one data module, another data module is used, and second key data used when, in the processing according to that data module, data is transferred to or from said integrated circuit; and
a semiconductor circuit that performs processing related to the service according to a data module and that, in this processing, refers to said management data, uses another data module by means of said first key data corresponding to that data module, and transfers data to or from said integrated circuit by means of said second key data corresponding to that data module.
133. The data processing apparatus according to claim 132, wherein said memory circuit stores, in the form of data modules, at least one of: log data of the processing performed using said data module; routine data indicating a routine for recording said data module in the memory area; routine data indicating a routine for deleting the record of said data module from said memory area; and routine data indicating a routine for defining said memory area in which said application program is stored.
134. The data processing apparatus according to claim 132, wherein, when the semiconductor circuit is to perform processing according to another data module, said semiconductor circuit uses said management data to obtain the first key data corresponding to the predetermined data module being executed and the first key data corresponding to said another data module, and, on the condition that the two obtained first key data match, uses said another data module from said predetermined data module being executed.
135. The data processing apparatus according to claim 134, wherein
said memory circuit stores application permission data for each said data module, said application permission data indicating the permitted mode of use of the data module, and
when said two first key data match, said semiconductor circuit uses the other data module in the mode of use permitted by the application permission data corresponding to said another data module.
136. The data processing apparatus according to claim 132, wherein, when another semiconductor circuit is performing processing according to another data module, said semiconductor circuit obtains, using said management data, the first key data corresponding to said predetermined data module, performs mutual authentication with said another semiconductor circuit using said first key data, and, on the condition that mutual legitimacy is confirmed, uses said another data module from said predetermined data module being executed.
137. The data processing apparatus according to claim 136, wherein, when said mutual legitimacy is confirmed, said semiconductor circuit uses said another data module in the mode of use that the application permission data corresponding to said another data module indicates is permitted.
138. The data processing apparatus according to claim 132, wherein said first key data is defined to be the same for the data modules that form the same application program.
139. The data processing apparatus according to claim 132, wherein said memory circuit stores said application program encrypted using key data uniquely assigned to said application program.
140. The data processing apparatus according to claim 132, wherein said semiconductor circuit:
generates, according to said data module, task management data including job execution order data and status data, said job execution order data indicating the execution order of the plurality of jobs forming the processing of said application program, and said status data indicating the state of progress of execution of said plurality of jobs;
selects the job to be executed next according to said status data and said processing order data of said task management data;
executes the selected job; and
updates said status data of the selected task management data according to the execution of said job.
141. The data processing apparatus according to claim 140, wherein said semiconductor circuit:
generates template data for said task management data using said processing order data and said management data; and
generates said task management data in response to a processing request using said template data.
142. The data processing apparatus according to claim 141, wherein said semiconductor circuit:
generates said task management data for each of a plurality of processing requests;
selects one set of task management data from among the plurality of task management data;
selects the job to be executed next according to said status data and said processing order data of the selected task management data;
executes the selected job;
updates said status data of the selected task management data according to the execution of said job; and
after said update, again selects one set of task management data from among the plurality of task management data.
143. The data processing apparatus according to claim 142, wherein, when all of the jobs forming the processing according to a processing request have been completed, said semiconductor circuit deletes the corresponding task management data.
144. A data processing method for a semiconductor circuit that communicates with an integrated circuit to perform processing providing a service and that transfers data to and from a memory circuit,
said data processing method comprising the steps of:
when said memory circuit stores, in a predetermined memory area, a plurality of application programs each formed of a plurality of data modules including processing routine data describing the processing of a service program that communicates with the integrated circuit to provide a service, and stores management data indicating the data modules that are linked together, first key data used when, in the processing according to one data module, another data module is used, and second key data used when, in the processing according to that data module, data is transferred to or from said integrated circuit,
said semiconductor circuit performing processing related to the service according to said data module;
said semiconductor circuit, in the processing related to said service, referring to said management data and using another data module by means of said first key data corresponding to the data module; and
said semiconductor circuit, in the processing related to said service, transferring data to or from said integrated circuit using said second key data corresponding to said data module.
145. The data processing method according to claim 144, further comprising the step of: when processing is to be performed according to said another data module, said semiconductor circuit using said management data to obtain the first key data corresponding to said predetermined data module and the first key data corresponding to said another data module, and, on the condition that said two first key data match, using said another data module from said predetermined data module being executed.
146. The data processing method according to claim 144, further comprising the steps of:
when said memory circuit stores, for each said data module, application permission data indicating the permitted mode of use of the data module, and
when said two first key data match, said semiconductor circuit using the other data module in the mode of use permitted by the application permission data corresponding to said another data module.
147. The data processing method according to claim 144, further comprising the step of: when another semiconductor circuit is performing processing according to another data module, said semiconductor circuit obtaining, using said management data, the first key data corresponding to said predetermined data module, performing mutual authentication with said another semiconductor circuit using said first key data, and, on the condition that mutual legitimacy is confirmed, using said another data module from said predetermined data module being executed.
148. The data processing method according to claim 147, further comprising the step of: when said mutual legitimacy is confirmed, said semiconductor circuit using said another data module in the mode of use that the application permission data corresponding to said another data module indicates is permitted.
149. The data processing method according to claim 144, wherein said first key data is defined to be the same for the data modules that form the same application program.
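Claims 134 to 138 (apparatus) and 145 to 149 (method) share one access-control idea: modules of the same application program carry the same first key data, a running module may use another module only when the two first keys match and the callee's permission data allows that mode of use, and two circuits that each hold the first key can authenticate each other with it before one uses the other's module. The following Python is an added example illustrating both claim groups; it is not the patent's or Sony's code. The patent does not specify the authentication mechanism, so the HMAC-SHA256 challenge-response, the module table, the key values and the permission names are all assumptions.

```python
"""Added example, not code from the patent: management data holding first key
data per data module, the 'same first key' gate for one module using another
(claims 134/145, 138/149), the application-permission check (claims 135/146),
and a challenge-response mutual authentication between two circuits sharing
first key data (claims 136/147). HMAC-SHA256 over both nonces, the module
table, key values and permission names are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleEntry:
    application: str
    first_key: bytes          # same for every module of one application (claim 138)
    second_key: bytes         # for transfers with the IC card; not exercised here
    permissions: frozenset    # application permission data: allowed modes of use


# Management data (constructed sample).
MANAGEMENT = {
    "pay.balance":  ModuleEntry("pay", b"first-key-pay", b"card-key-pay",
                                frozenset({"read", "append"})),
    "pay.log":      ModuleEntry("pay", b"first-key-pay", b"card-key-pay",
                                frozenset({"append"})),
    "transit.fare": ModuleEntry("transit", b"first-key-transit", b"card-key-transit",
                                frozenset({"read"})),
}


def may_use(caller: str, callee: str, mode: str) -> bool:
    """The running module may use another only if both first keys match (claim 134)
    and then only in a mode the callee's permission data allows (claim 135)."""
    a, b = MANAGEMENT[caller], MANAGEMENT[callee]
    if not hmac.compare_digest(a.first_key, b.first_key):
        return False
    return mode in b.permissions


class Circuit:
    """One semiconductor circuit executing a given data module."""

    def __init__(self, ident: str, module: str):
        self.ident = ident
        self.key = MANAGEMENT[module].first_key   # obtained from the management data
        self.nonce = b""

    def _mac(self, responder: str, challenge: bytes, own: bytes) -> bytes:
        # The responder's identity and both nonces are bound, so a response
        # cannot be reflected back in the opposite direction.
        return hmac.new(self.key, responder.encode() + challenge + own,
                        hashlib.sha256).digest()

    def start(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def answer(self, peer_nonce: bytes):
        self.nonce = os.urandom(16)
        return self.nonce, self._mac(self.ident, peer_nonce, self.nonce)

    def prove(self, peer_nonce: bytes) -> bytes:
        return self._mac(self.ident, peer_nonce, self.nonce)

    def check(self, peer_ident: str, peer_nonce: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(self._mac(peer_ident, self.nonce, peer_nonce), proof)


def mutual_authenticate(a: Circuit, b: Circuit) -> bool:
    """Claim 136: succeeds only when both circuits hold the same first key data."""
    na = a.start()                         # A -> B : nonce_a
    nb, proof_b = b.answer(na)             # B -> A : nonce_b, MAC_kb("B" | nonce_a | nonce_b)
    if not a.check(b.ident, nb, proof_b):
        return False
    proof_a = a.prove(nb)                  # A -> B : MAC_ka("A" | nonce_b | nonce_a)
    return b.check(a.ident, na, proof_a)


if __name__ == "__main__":
    print(may_use("pay.balance", "pay.log", "append"))       # same application, allowed mode
    print(may_use("pay.balance", "transit.fare", "read"))    # different first key
    print(mutual_authenticate(Circuit("A", "pay.balance"), Circuit("B", "pay.log")))
```

Because the first key is shared by every module of an application, a key match proves only that caller and callee belong to the same application; the permission data is what narrows the mode of use, and claim 137's ordering (authenticate first, then apply the permission data) is preserved by calling `mutual_authenticate` before `may_use`.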
150. The data processing method according to claim 144, further comprising the steps of:
said semiconductor circuit generating, according to said data module, task management data including job execution order data and status data, said job execution order data indicating the execution order of the plurality of jobs forming the processing of said application program, and said status data indicating the state of progress of execution of said plurality of jobs;
said semiconductor circuit selecting the job to be executed next according to said status data and said processing order data of said task management data;
said semiconductor circuit executing the selected job; and
said semiconductor circuit updating said status data of the selected task management data according to the execution of said job.
151. The data processing method according to claim 150, further comprising the steps of:
said semiconductor circuit generating template data for said task management data using said processing order data and said management data; and
said semiconductor circuit generating said task management data in response to a processing request using said template data.
152. The data processing method according to claim 151, further comprising the steps of:
said semiconductor circuit generating said task management data for each of a plurality of processing requests;
said semiconductor circuit selecting one set of task management data from among the plurality of task management data;
said semiconductor circuit selecting the job to be executed next according to said status data and said processing order data of the selected task management data;
said semiconductor circuit executing the selected job;
said semiconductor circuit updating said status data of the selected task management data according to the execution of said job; and
after said update, said semiconductor circuit again selecting one set of task management data from among the plurality of task management data.
153. The data processing method according to claim 152, further comprising the step of said semiconductor circuit deleting the corresponding task management data when all of the jobs forming the processing according to a processing request have been completed.
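Claims 140 to 143 (apparatus) and 150 to 153 (method) describe the same scheduler: one set of task management data per processing request, built from a template that fixes the job order; repeated selection of one set, execution of its next pending job, and an update of its status data; deletion once every job is done. The following Python is an added example covering both claim groups; it is not the patent's or Sony's code. The service names, the job names, the rotating selection policy and the job bodies (including the single failing case) are assumptions.

```python
"""Added example, not code from the patent: task management data per
processing request (claims 140-143 / 150-153). Each request gets an entry
built from a template (job execution order); the scheduler repeatedly selects
one entry, runs its next pending job, updates the status data, and deletes
the entry when all jobs are done or a job fails. Services, jobs, the
rotating selection policy and the job bodies are assumptions."""
from collections import OrderedDict

# Template data: job execution order per service (constructed sample).
TEMPLATES = {
    "read_balance": ["authenticate", "read"],
    "charge": ["authenticate", "read", "write", "log"],
}


def run_job(job: str, ctx: dict) -> bool:
    """Stand-in for the circuit's job bodies. The only failure modelled is a
    write exceeding an assumed per-request limit."""
    if job == "write" and ctx.get("amount", 0) > ctx.get("limit", 10_000):
        return False
    ctx.setdefault("done", []).append(job)
    return True


class TaskManager:
    def __init__(self):
        self.entities = OrderedDict()   # request id -> task management data
        self.trace = []                 # (request id, job, resulting status)

    def create(self, req_id: str, service: str, **ctx) -> dict:
        """Claim 141: instantiate task management data from the template."""
        order = list(TEMPLATES[service])
        entity = {"order": order, "status": ["pending"] * len(order), "ctx": ctx}
        self.entities[req_id] = entity
        return entity

    @staticmethod
    def next_job(entity: dict):
        """Claim 140: pick the next job from the order and status data."""
        for i, (job, state) in enumerate(zip(entity["order"], entity["status"])):
            if state == "pending":
                return i, job
        return None

    def step(self) -> bool:
        """One scheduling round (claim 142). Returns False when nothing is left."""
        if not self.entities:
            return False
        req_id, entity = next(iter(self.entities.items()))  # select one entity
        self.entities.move_to_end(req_id)                    # rotate for fairness
        i, job = self.next_job(entity)
        ok = run_job(job, entity["ctx"])
        entity["status"][i] = "done" if ok else "error"      # update status data
        self.trace.append((req_id, job, entity["status"][i]))
        if not ok or all(s == "done" for s in entity["status"]):
            del self.entities[req_id]                        # claim 143
        return True

    def run_all(self) -> list:
        while self.step():
            pass
        return self.trace


if __name__ == "__main__":
    tm = TaskManager()
    tm.create("r1", "read_balance")
    tm.create("r2", "charge", amount=50)
    for line in tm.run_all():
        print(line)
```

With the rotation in `step`, the two requests interleave job by job, which is the behaviour the abstract describes for a SAM serving several requests at once; a job that fails leaves its status data at `error` and the entry is discarded rather than retried, which is one reading of the "predetermined error processing" left open by the claims.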
154. A program executed by a semiconductor circuit for communicating with an integrated circuit to perform processing providing a service and for transferring data to and from a memory circuit,
said program comprising:
when said memory circuit stores, in a predetermined memory area, a plurality of application programs each formed of a plurality of data modules including processing routine data describing the processing of a service program that communicates with the integrated circuit to provide a service, and stores management data indicating the data modules that are linked together, first key data used when, in the processing according to one data module, another data module is used, and second key data used when, in the processing according to that data module, data is transferred to or from said integrated circuit,
a routine for performing processing related to said service according to said data module;
a routine for, in the processing related to said service, referring to said management data and using said another data module by means of said first key data corresponding to that data module; and
a routine for, in the processing related to said service, transferring data to or from said integrated circuit using said second key data corresponding to that data module.

Applications Claiming Priority (10)

Application Number Priority Date Filing Date Title
JP2001039969A JP2002244755A (en) 2001-02-16 2001-02-16 Data processing method, semiconductor circuit, and program
JP200140414 2001-02-16
JP200139969 2001-02-16
JP200140415 2001-02-16
JP200140705 2001-02-16
JP200142445 2001-02-19
JP200142396 2001-02-19
JP200142446 2001-02-19
JP200142397 2001-02-19
JP2001262288 2001-08-30

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN02801052.3A Division CN1261870C (en) 2001-02-16 2002-02-15 Data processing method and its apparatus

Publications (2)

Publication Number Publication Date
CN1892665A true CN1892665A (en) 2007-01-10
CN100481103C CN100481103C (en) 2009-04-22

Family

ID=18902662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610077336.3A Expired - Lifetime CN100481103C (en) 2001-02-16 2002-02-15 Data for processing method and apparatus

Country Status (2)

Country Link
JP (1) JP2002244755A (en)
CN (1) CN100481103C (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103605622A (en) * 2013-11-19 2014-02-26 北京邮电大学 Method and equipment for data transmission
CN103605622B (en) * 2013-11-19 2016-06-22 北京邮电大学 A kind of method and apparatus transmitting data
CN107609428A (en) * 2017-08-16 2018-01-19 大唐高鸿信安(浙江)信息科技有限公司 Date safety storing system and method

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4622474B2 (en) * 2004-11-17 2011-02-02 横河電機株式会社 Field device and system using the same
JP4627266B2 (en) * 2006-02-16 2011-02-09 株式会社日立ソリューションズ Information leakage prevention system due to unknown malware
EP2169900A1 (en) * 2008-09-30 2010-03-31 Gemplus Regulator of commands sent to a sensitive application
EP2500838A1 (en) * 2011-03-16 2012-09-19 Samsung SDS Co. Ltd. SOC-based device for packet filtering and packet filtering method thereof

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3489155B2 (en) * 1993-10-28 2004-01-19 カシオ計算機株式会社 Card usage
JPH08272625A (en) * 1995-03-29 1996-10-18 Toshiba Corp Device and method for multiprogram execution control
JPH09167135A (en) * 1995-12-15 1997-06-24 Fujitsu Ltd System, device and method for deciding share of processing
JP2000010782A (en) * 1998-06-18 2000-01-14 Hitachi Ltd Control system for communication between client components
JP4242494B2 (en) * 1998-12-24 2009-03-25 大日本印刷株式会社 Portable signal processor


Also Published As

Publication number Publication date
JP2002244755A (en) 2002-08-30
CN100481103C (en) 2009-04-22

Similar Documents

Publication Publication Date Title
CN1261870C (en) Data processing method and its apparatus
CN1309487A (en) Data processing device, system and method
CN1296846C (en) Information transmission system, transmitter, and transmission method as well as information reception system, receiver and reception method
CN1290009C (en) Technique for permitting access across a context barrier in a small footprint device using global data structures
CN1273901C (en) System and method for testing computer device
CN1252581C (en) Secreting and/or discriminating documents remote-controlling printing
CN1365474A (en) Authentication system
CN1304977C (en) Data providing system, device, and method
CN1183449C (en) using a high level programming language with a microcontroller
CN1668990A (en) Open type general-purpose attack-resistant CPU and application system thereof
CN1293482C (en) Storage area dividing method for portable device
CN1241144C (en) Autonomous integrated circuit card
CN1476580A (en) Content usage authority management system and management method
CN1338070A (en) Techniques for permitting access across a context barrier on a small footprint device using on entry point object
CN1157655C (en) Techniques for implementing security on a small footprint device using a context barrier
CN1282071C (en) Data processor, data processing method and program thereof
CN1322322A (en) Data providing system and method therefor
CN1902604A (en) Data communicating apparatus and method for managing memory of data communicating apparatus
CN1313917C (en) Data processor, data processing method and program thereof
CN1212773A (en) Personal electronic settlement system, its terminal, and management apparatus
CN1957336A (en) Information management device and information management method
CN1756150A (en) Information management apparatus, information management method, and program
CN1236132A (en) Secure processor with external memory using block chaining and block re-ordering
CN1758590A (en) Information processing apparatus, information processing method, and program
CN1306259A (en) Digital content delivery adopting network broadcasting service

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 1098849; country of ref document: HK)
C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code (ref country code: HK; ref legal event code: GR; ref document number: 1098849; country of ref document: HK)
CX01 Expiry of patent term
Granted publication date: 20090422