JP2000181870A - Portable electronic device and fault detecting method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To evade a wrong decision which results from performing low- precision individual identification on the basis of defective information on individual feature parameters by detecting the fault or registered registration data. SOLUTION: In a processing of an individual identification system by living body information which uses a portable electronic device 10 and data processor 20, the input 210 of living body information such as a fingerprint, a retina pattern, or voice, handwriting, etc., is performed. The feature parameters of the inputted raw data are extracted 220 and sent to the portable electronic device 10. The portable electronic device 10 performs a comparison decision process 120 between an individual feature parameters 110 which are already registered and the received feature parameters. Simultaneously, the read individual feature parameters are sent to a fault detecting means 130. If some abnormality is detected through diagnosis, the processing is interrupted and the data processor 20 informs the user of abnormality detection by an abnormality notifying means 240.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for improving security of an information processing apparatus. More specifically, the present invention relates to a method for detecting data tampering and improving the accuracy of personal authentication of a portable information device such as an IC card and a device therefor.

[0002]

2. Description of the Related Art A card having a magnetic stripe (hereinafter referred to as a magnetic card) is widely used as a means for authenticating a specific individual in a bank withdrawal or purchase of a product. When withdrawing cash from an automatic teller machine at a bank using a cash card, the identity of the person is identified using a password. When purchasing a product with a credit card, the identity of the person is identified by checking the signature written on the credit card in advance with the signature at the time of purchasing the product.

On the other hand, a problem relating to security has been pointed out for the personal authentication method. For example, if the cash card and its password are stolen by a third party, the deposit is easily withdrawn. With a credit card,
There is a risk of plagiarism by imitating a signature by a third party.

Therefore, paying attention to the fact that the amount of information that can be stored in a card can be increased by using an IC card instead of a magnetic card, personal authentication is performed using biometric information such as a fingerprint, retinal pattern, or voice. The scheme is beginning to spread. In many cases, it is assumed that processing is performed by the IC card terminal in consideration of the load required for the processing. However, security issues remain because personal registration data leaks out of the IC card, and personal registration data can be stolen or modified by accessing the IC card terminal relatively easily. I have.

Therefore, an idea of using a fingerprint as a personal identification code and performing fingerprint feature extraction and collation processing with an IC card has been proposed in Japanese Patent Application Laid-Open No. 61-199162, "Personal identification system". Hereinafter, this prior art will be briefly described with reference to some drawings.

FIG. 5 shows a configuration of a portable electronic device represented by an IC card or the like. Portable Electronic Devices, Portable Electronic Devices 10
It comprises a CPU 121 for overall control, a RAM / ROM 111 for storing application programs and data, and an I / O 101 for communicating between the portable electronic device 10 and the outside. RAM / ROM111
Is, for example, EEPROM (Electronic Erasable Programmable
Read Only Memory). The EEPROM is a storage device that can maintain data without power and can rewrite data. CPU121, RAM / ROM111, I /
O101 is connected by a bus (address bus, data bus). The CPU 121 receives an external I / O signal via the I / O 101, executes an application program on the RAM / ROM 111, and writes an execution result to the RAM / ROM 111, or
Output to the outside via

FIG. 6 shows a configuration of a data processing device 20 typified by an IC card terminal, an IC card reader, and the like. The data processing device 20 includes a CPU 20 that executes a program.
1, RAM that stores programs and data to be executed
205, an initial program boot ROM 202, a portable electronic device I / O 203 for exchanging information with the portable electronic device, an external I / O 204 for exchanging information with an external network, an input device connected to the data processing device 20 ( It has a user I / O 206 for controlling a keyboard, a pin pad, etc. 208 and an output device (display, speaker, etc.) 209, and the above components are connected by a bus 207.

As shown in FIG. 7, the data processing device 20
Connected to portable electronic device 10 by O signal. Further, the data processing device can exchange information with the external information processing device 30 via a network such as the Internet as needed.

A conventional example of processing of a personal authentication system based on biological information using the portable electronic device 10 and the data processing device 20 will be described with reference to FIG.

First, biological data such as fingerprints, retinal patterns, voices, and handwritings are input 210 to the data processing device 20. This process is performed by the input device 208 shown in FIG. Next, a feature amount extraction 220 of the input raw data is performed.
Is performed. This extraction is processed by the CPU 201 shown in FIG. The extracted features are used in the I / O 203 for portable electronic devices.
Is sent to the portable electronic device 10 via the.

On the other hand, in the portable electronic device 10, the personal feature amount 110 registered in advance is stored in the RAM / ROM 111 shown in FIG.
The data is read out and compared with the feature value sent from the data processing device 20 to perform a determination process. This process is performed by the CPU 121 shown in FIG. The collation determination result is sent to the personal authentication result notifying means 230 in the data processing device 20 via the I / O 101. If the collation result is true, the personal authentication result notifying means 230 terminates the personal authentication and continuously performs the following processing. If the collation result is false, the personal authentication is rejected and the next processing is stopped. Also, the output device 209 notifies the user via the user I / O 206 that the personal authentication result has been rejected.

Here, taking the case of a fingerprint as an example, an explanation will be given on the input device of the biometric information and the extraction of the characteristic amount.

FIG. 8 shows an input device 208 for fingerprints. The input device 208 includes an optical device (for example, a fingerprint sensor using a CCD camera or the like) 2081 and a digital device 20 for digitizing image data captured from the optical device 2081.
With 82. Digitized image data (raw data)
Is input to the data processing device 20. The CPU 201 executes a program for extracting a feature amount from the input raw data in order to shorten the matching time of the biometric information and improve the accuracy. Several methods for extracting a feature have been proposed. For example,
Minami et al. Can use the method described in "Development of a New Security System for Fingerprint Verification" (Electronics, September 1988). As shown in FIG. 9, this method performs gradation conversion 221, leveling 222, and ridge direction extraction on raw data.
This is a method in which each of the processes of 223 is performed in a corresponding manner.

For comparison with FIG. 2, FIG. 4 shows a conventional example in which the data processing apparatus 20 performs the collation judgment processing 120. In the example of FIG. 4, the personal characteristic amount 110 registered in the RAM / ROM 111 in the portable electronic device 10 is sent to the data processing device 20 and the CPU 201 in the data processing device 20 performs the collation determination. Is the same as

In the example of FIG. 4, the personal registration data leaks out of the IC card, the IC card terminal is accessed relatively easily, and the personal registration data is stolen.
There are security issues, such as the possibility of modification. As a solution to this problem, Japanese Patent Laid-Open Publication No. 61-199162 "Personal identification system" has been devised.

[0016]

In the above prior art, in both cases where the collation determination process is performed on the data processing device side and when the collation determination process is performed on the portable electronic device side, the biometric information registered in advance in the portable electronic device ( It is indispensable to assume that the personal characteristic amount) is always correct information.

On the other hand, the probability of occurrence of a physical failure of an IC card is significantly increased depending on how the user carries the card. For example,
By applying strong pressure, twisting, etc., such as sitting with the IC card in the pants pocket, messing up in the crowded train even if it is in the chest pocket,
The probability that a physical failure occurs in a logic circuit, wiring, memory, or the like inside the IC increases. Further, even if a physical failure has occurred in a logic circuit, wiring, memory, or the like inside the IC, the user does not have a function for easily recognizing the failure. Therefore, there is a possibility that the collation determination may be performed while a physical failure exists in a part of the personal feature quantity, and there is a problem in the reliability of the determination result.

Alternatively, it is conceivable that the personal characteristic amount registered in advance in the IC card has been falsified with malicious intent. For example, when a feature is falsified by a third party, in the above-described conventional example, there is a risk that a deposit is withdrawn by a third party or personal information is stolen.

An object of the present invention is to address these problems of the prior art. That is, the first purpose is
An object of the present invention is to perform low-accuracy personal authentication while a physical failure exists in a part of the personal feature quantity, and to avoid giving an erroneous determination result. A second object is to provide a function for notifying a user of the occurrence of a failure as soon as possible when a physical failure occurs in the IC card. Furthermore, the third purpose is to provide a function of detecting the possibility of falsification of the personal characteristic amount and, if there is a possibility of tampering, stopping the leakage of the personal characteristic amount and the processing after the personal authentication. is there.

[0020]

To solve the above problems, the following means are provided.

First, a portable electronic device according to the present invention includes a memory for storing feature amounts of first biological information as registration data;
A transmission / reception interface for receiving the feature amount of the second biometric information to be authenticated from the data processing device, a processor for comparing and matching the registered data with the received feature data, and a unit for performing a failure diagnosis process in real time are provided. .
For example, a unit for generating a test pattern from personal characteristics registered in advance, a unit for compressing a test pattern,
There is means for comparing the compressed test pattern with an expected value. Next, as a result of the diagnosis, if any abnormality (failure or tampering) is detected, a means for generating an interrupt signal for prohibiting reading of the characteristic amount for personal authentication is provided. Also, a means for notifying the user of the detection of the abnormality is provided. For example, the failure detection signal is transferred from the portable electronic device to the data processing device, and in the data processing device, the detection of the abnormality is displayed on an output device such as a display.

According to the present invention, there are provided a means for generating a test pattern from personal feature amounts registered in advance, a means for compressing the test pattern, and a means for comparing the compressed test pattern with an expected value. Therefore, the failure diagnosis processing is performed in real time in parallel with the personal authentication processing, and it is possible to detect the presence of an abnormality (failure or data falsification) in the registered feature amount during the personal authentication processing. Further, as a result of the diagnosis, when an abnormality of the feature amount (failure or data falsification) is detected, a means for generating an interrupt signal for inhibiting reading of the individual feature amount is provided. Accordingly, when a physical failure exists in a part of the personal feature amount registered in advance, it is possible to avoid performing incorrect personal authentication and giving an erroneous determination result. On the other hand, if the personal feature amount registered in advance has been tampered with, any unauthorized access to the tampered cardholder can be prohibited.

Next, a means is provided for notifying a user of the detection of an abnormality when an abnormality is detected as a result of the above diagnosis.
For example, the failure detection signal is transferred from the portable electronic device to the data processing device, and in the data processing device, the detection of the abnormality is displayed on an output device such as a display. Therefore, the user
You can easily notice abnormalities in the IC card. Also IC
The notification of the card abnormality can be used as a signature for replacing the IC card. As a result, the IC card provider can provide an IC card update service at an appropriate timing. For example, updating can be neglected until a user complains that the device does not operate properly, thereby avoiding losing the trust of the user. Alternatively, it is possible to avoid updating the system more quickly than necessary even when the device is sufficiently usable, and thereby spending more manufacturing costs than necessary.

[0024]

FIG. 10 shows the configuration of a portable electronic device 11 according to a first embodiment of the present invention. The portable electronic device 11 includes a CPU 121 that controls the entire portable electronic device 11, a RAM / ROM 111 that stores application programs and data, an I / O 101 that performs communication between the portable electronic device 11 and the outside, a test sequence generation unit 131, and a pattern. It comprises a compression circuit 132 and a failure determination circuit 133. The RAM / ROM 111 is, for example, an EEPROM (Electroni
c Erasable Programmable Read Only Memory). The EEPROM is a storage device that can maintain data without power and can rewrite data.
The CPU 121, the RAM / ROM 111, and the I / O 101 are connected by a bus (address bus, data bus). The CPU 121 has an external I / O
An O signal is received via the I / O 101, an application program on the RAM / ROM 111 is executed, and the execution result is written to the RAM / ROM 111 or output to the outside via the I / O 101. The test sequence generating means 131 generates a test pattern for failure diagnosis from the data flowing on the data bus and sends it to the pattern compression circuit 132. The pattern compression circuit 132 performs compression processing of the test sequence generation means 131 and sends it to the failure determination circuit 133 in order to shorten the test time and reduce the amount of expected value data to be stored. In the failure judgment circuit 133, a pattern compression circuit
The compressed data S (T) sent from 132 is compared with the expected value. If any abnormality is detected as a result of the comparison and collation, a failure detection signal for notifying the abnormality detection is sent to the data processing device 20 via the I / O 101. Further, it interrupts an input from the data processing device 20. In order to suppress an increase in the chip area, it is also possible to use a comparator and a register in the CPU 121 to substitute a function of a failure determination circuit such as a comparison function and storage of an expected value.

Next, the flow of processing of a personal authentication system based on biometric information using the portable electronic device 11 and the data processing device 20 according to the present invention will be described with reference to FIG.

First, biological data such as fingerprints, retinal patterns, voices, and handwritings are input 210 to the data processing device 20. This process is performed by the input device 208 shown in FIG. Next, a feature amount extraction 220 of the input raw data is performed.
Is performed. This extraction is processed by the CPU 201 shown in FIG. The extracted features are used in the I / O 203 for portable electronic devices.
Is sent to the portable electronic device 11 via the.

On the other hand, in the portable electronic device 11, the personal feature amount 110 registered in advance is stored in the RAM / ROM 111 shown in FIG.
The data is read out and compared with the feature value sent from the data processing device 20 to perform a determination process. This process is performed by the CPU 121 shown in FIG. At the same time, a part (or all) of the personal feature read from the RAM / ROM 111 is sent to the failure detecting means 130. If any abnormality is detected as a result of the diagnosis by the failure detecting means, an interrupt is issued to data input (such as a feature amount) from the data processing device 20. This processing is realized by the test sequence generation means 131, the pattern compression circuit 132, and the failure determination circuit 133 shown in FIG. Also,
The failure detection signal is transferred from the portable electronic device 11 to the data processing device 20.

In the data processing device 20, the abnormality notifying means 240
To notify the user of the abnormality detection. For example, through the user I / O 206, the fact that an abnormality is detected in the registered feature amount is displayed through an output device 209 such as a display. Therefore, the user can easily notice the abnormality of the IC card. Further, the notification of the abnormality of the IC card can be used as a signature for replacing the IC card. As a result, the IC card provider can provide an IC card update service at an appropriate timing. For example, updating can be neglected until a user complains that the device does not operate properly, thereby avoiding losing the trust of the user. Or,
It can be renewed when it is sufficiently usable, thereby avoiding unnecessary production costs.

When the RAM / ROM 111 is composed of one row of M bits × L columns, and the feature amount is read out one row (M bits) at a time,
Each time one or several rows of the feature value 110 are read, a failure detection process is performed. Further, the process of reading out the feature amount 110 and the failure detection process are executed in parallel. Therefore, the feature amount 11
If there is an abnormality such as a physical failure or data tampering in 0, an interrupt is issued to the data input (such as feature value) from the data processing device 20 before the verification result of the personal authentication is output. And the personal authentication process is stopped. That is, there is a physical failure in a part of the individual feature value 110,
Alternatively, it is possible to avoid performing the collation determination using the falsified data.

If no abnormality is detected as a result of the diagnosis by the failure detecting means, the conventional personal authentication processing is continued and the collation determination processing 120 is performed. Check result is I / O
It is sent to the personal authentication result notifying means 230 in the data processing device 20 via 101. If the collation result is true, the personal authentication result notifying means 230 terminates the personal authentication and continuously performs the following processing. If the collation result is false, the personal authentication is rejected and the next processing is stopped. Also, the output device 209 notifies the user via the user I / O 206 that the personal authentication result has been rejected.

FIG. 11A shows an example of the test sequence generating means 131. FIG. 11A shows a case where a part of the registered features transmitted from the RAM / ROM 111 via the data bus is used as a test pattern in order to perform the personal authentication process. In this example, using a cell array composed of a fuse ROM, 4-bit 131-of the 16-bit feature quantities 111-0 to 111-15 are used.
An example in which 0 to 131-3 is selected is shown. Fuse ROM
This is a memory cell that can control connection / disconnection depending on whether the fuse is blown.

FIG. 11B shows a second embodiment of the test sequence generation means 131. In this example, an example in which a part of the registered feature amount is selected as a test pattern by the switch element array 1312 instead of the fuse ROM is shown. A signal for controlling ON / OFF of the switch element is generated by decoding a value in a rewritable memory mat 1310 by a decoder 1311. When the combinations of switch on / off are limited to several types in advance, the memory mats corresponding to these combinations may be prepared in advance, and the specification may be such that a control signal for selecting which memory mat to use is provided. Conceivable.

Although FIGS. 11A and 11B both show an example in which a part of the registered feature is selected as a test pattern, it is possible to use 111-0 to 111-15 as test patterns without providing a selection means. Of course, it is also possible. Whether to use all bit information, select a part, and select a bit number when selecting a part depends on a user or biometric information to be handled. This is because the bit position where the feature of the person appears strongly differs depending on the individual and the biological information to be handled.

In general, an m-bit signal A (i) = [a0, ia1, i] as a test pattern. . . If am−1, i] is selected, n clocks of the m-bit signal are sent to the pattern compression circuit 132. For example, the two-dimensional m shown in FIG. 11C
The × n matrix A is sent to the pattern compression circuit 132. Where G
F (q) represents a Galois field of order q. First, the (n-
1) The column A (n-1) is input to the pattern compression circuit 132. Next, the (n-2) th column A (n-2) is input, and finally the 0th column A (0)
Is entered.

FIG. 12A shows an example in which a multi-input signature register is used as the pattern compression circuit 132. The multi-input signature register 132 is an m-stage shift register (SR),
It is an LFSR (Linear Feedback Shift Register) composed of m exclusive OR gates and (m-1) coefficient units. This is one of the linear sequential circuits. A state transition as a linear sequential circuit is represented by a transition transformation matrix T shown in FIG. 12B. The initial value of the multi-input signature register 132 is all 0s.
When the test response A (n-1) is input to the multi-input signature register 132, the value of the input signature register 132 is A (n-1)
Becomes Next, when the test response A (n−2) is input, the value of the multi-input signature register 132 is A (n−2) + A (n−1) T. Similarly, the value of the multi-input signature register 132 when the test response A (0) is input is defined as a signature S (T). That is, the signature S (T) is: S (T) = A (0) + (A (1) + (A (2) +... (A (n-2) + A (n-1) T)) T ...)) T = A (0) + A (1) T + A (2) T2 +. . . + A (n-2) Tn-2 + A (n-1) Tn-1. The value of signature S (T) is output to failure determination circuit 133.

The failure determination circuit 133 receives the signature S (T) from the pattern compression circuit, and compares the signature S (T) with an expected value S * (T) when the registered feature does not include an abnormality such as a failure or falsification. Here, Y (T) = S * (T) -S (T) is defined as a syndrome. At this time, the failure determination circuit makes the following determination.

Y (T) = 0: There is no abnormality such as failure or alteration in the registered feature amount.

When the value of Y (T) does not become 0, it is determined that some abnormality such as failure or tampering exists in the registered feature quantity, and an interrupt signal is sent to the I / O 101.

According to the first embodiment of the present invention, since the characteristic amount for personal authentication (or a part thereof) is diverted as a test pattern for failure detection, a storage device dedicated to the test pattern is used. There is no need to add a new one, and an increase in area can be suppressed. Since the processing for personal authentication and the failure diagnosis processing are performed in parallel, the processing time for failure diagnosis is invisible to the user. As a result of the failure diagnosis, if an abnormality such as a failure or data tampering is detected, the data input from the processing device (such as feature values) is interrupted and the personal authentication process is stopped. It is possible to avoid personal authentication processing including low reliability and access by falsified data. Since the user has a function of notifying the user of the detection of an abnormality through an output device such as a display, the user can easily notice the abnormality of the IC card. It can also be used by IC card providers as a guide for IC card renewal timing.

FIG. 3 shows a second embodiment of the present invention in which a countermeasure is taken by the data processing device 20. In FIG. 3, the personal feature quantity 110 registered in advance in the RAM / ROM 111 in the portable electronic device 10 is sent to the data processing device 20 and the CPU 201 in the data processing device 20 is sent.
It is assumed that the collation determination is performed by using. The process for personal authentication is basically the same as the example in FIG. Part (or all) of the personal feature value 110 taken into the data processing device 20 from the portable electronic device 10
Is sent to the failure detecting means 130 in parallel with being sent to the collation judgment 120. As a result of the diagnosis in the failure detection means,
If any abnormality is detected, an interrupt is issued to data input (such as a feature amount) from the portable electronic device 10. This processing can be realized by including the test sequence generation means 131, the pattern compression circuit 132, and the failure determination circuit 133 shown in the first embodiment in the data processing device 20. Alternatively, if the performance of the data processing device 20 is sufficiently high, the function may be realized by software. The abnormality notification processing is basically the same as that of the first embodiment, and therefore the description is omitted.

According to the second embodiment of the present invention, it is possible to solve the problem only on the data processing device side without changing the portable electronic device. If this function is implemented by software, no additional hardware is required.

A portable electronic device according to a third embodiment of the present invention.
FIG. 13 shows the configuration of Twelve. Portable electronic device 11 introduced in FIG.
The difference is that the CPU 121 controls the entire portable electronic device 12,
RAM / RO for storing application programs and data
M111, I / O101 that performs communication between the portable electronic device 100 and the outside,
An access control unit 140 is provided in addition to the test sequence generation unit 131, the pattern compression circuit 132, and the failure determination circuit 133. The access control means 140 stores the number of failure detections based on the failure detection signal sent from the failure determination circuit 133, and if the number of failure detections is equal to or more than a predetermined fixed number, the access control means 140 sends the information to the CPU 121 and the RAM / ROM 111. Generate a signal to invalidate the access to

FIG. 14 shows an example of the access control means 140. The access control means 140 includes a failure detection counter 140
1. It comprises a set value storage memory 1402 and a comparator 1403. The failure detection number counter 1401 is a failure determination circuit 133
It counts the number of times a failure detection signal sent from is received and stores the value. The set value storage memory 1402 stores how many failure detections are allowed. Comparator 1403
Compares the value of the failure detection number counter 1401 with the value stored in the set value storage memory 1402, and
When the value of 1401 exceeds the value stored in the set value storage memory 1402, an interrupt signal is transmitted to the ROM / RAM 111 and the CPU 121 to stop the functions of the ROM / RAM 111 and the CPU 121.

According to the third embodiment of the present invention, it is possible to prevent a portable electronic device such as an IC card from being tampered with and illegally used from being repeatedly used.

A portable electronic device according to a fourth embodiment of the present invention.
FIG. 16 shows the configuration of the thirteenth embodiment. The difference from the portable electronic device 11 shown in FIG. 10 is that only when no abnormality is detected as a result of the diagnosis by the failure detecting means, a data input permission signal (such as a feature amount) from the data processing device 20 is output. Is to be generated.

Next, the flow of processing of a personal authentication system based on biometric information using the portable electronic device 13 and the data processing device 20 according to the present invention will be described with reference to FIG.

The processing of the data processing device 20 is basically the same as that of FIG. 2 and will not be described. In the portable electronic device 13, a part (or all) of the personal feature read from the RAM / ROM 111 is sent to the failure detecting means 130. Only when no abnormality is detected as a result of the diagnosis by the failure detecting means, a data input permission signal (such as a feature amount) from the data processing device 20 is generated. This process is shown in FIG.
Test sequence generation means 131, a pattern compression circuit 132,
This is realized by the failure determination circuit 133. The process of the portable electronic device 13 after the generation of the input permission signal from the data processing device to the portable electronic device is the same as the personal authentication process shown in FIG.

According to the fourth embodiment of the present invention, an unnecessary personal authentication process can be removed in advance because a failure diagnosis process is performed immediately before personal authentication.

FIG. 17 shows a fifth embodiment of the present invention. The processing of the data processing device 20 is basically the same as that of FIG. The portable electronic device 14 reads the personal feature amount 110 registered in advance from the RAM / ROM 111, and performs a comparison determination process with the feature amount sent from the data processing device 20. This process is performed by the CPU 121. If the comparison does not reveal the identity of the individual, the possibility of a decrease in the similarity due to a failure is checked only if the error between the applicant's similarity and the threshold is smaller than a certain value (or ratio). For this purpose, a failure diagnosis process 130 is performed. In addition, the failure detection signal is transferred from the portable electronic device 14 to the data processing device 20.

According to the fifth embodiment of the present invention, when the person is not recognized as the result of the comparison and judgment, and when the error between the similarity of the applicant and the threshold is a certain value (or ratio) Since the failure diagnosis process is performed only when the value is smaller than the above, the load for the failure diagnosis can be minimized.

The expected value used in the failure detection circuit in all the above embodiments is the expected value for the compressed data S (T). Therefore, even if a registered feature can be decrypted by a third party, it is difficult to obtain an expected value corresponding to the falsified feature without understanding the compression rule. In order to improve security, it is conceivable to store the expected value by encrypting it. It is also conceivable to store the expected value in a location where it is difficult for a third party to specify the storage location, such as a part of a general-purpose register in the CPU. The expected value is not resident in the portable electronic device, but is stored in an external information processing device such as a server, and is read via the data processing device every time personal authentication is performed. By doing so, it is conceivable to prevent the expected value data from leaking.

In all of the above embodiments, the test pattern is a part (or all) of the personal feature amount registered in advance.
However, other information can be used as a test pattern. For example, even in a portable electronic device that does not have a personal authentication function based on biometric information, it is possible to divert an application program or a part of various data on the portable electronic device as a test pattern.

In all of the above embodiments, the case where the failure detection means is a signature inspection method has been described as an example. However, the present invention is not particularly limited to the signature inspection method. If the area has a sufficient margin, it is possible to detect a failure by a parity check. If only the stuck-at "0" / "1" fault of the bus is detected, a simple fault detection method shown in FIG. 18 can be considered.

In FIG. 8, the RAM / ROM 1 in the portable electronic device 10
The value of all "0" (or all "1") is stored in a part of the register 11 and a part of the register 1212 in the CPU 121, and the CPU 121 is stored at a certain time interval (or a preset time or timing). The difference between the two is obtained using the ALU 1211 in the above and stored in a specific address of the register 1212. The CPU 121 determines the presence or absence of a failure from the value stored in the address, and generates a failure detection signal as needed.

[0055]

According to the present invention, firstly, it is possible to perform low-precision personal authentication while a physical failure exists in a part of the personal feature quantity, and to avoid giving an erroneous determination result. . Second, when a physical failure occurs in the IC card, the user can be notified of the failure. Third, when there is a possibility that the personal characteristic amount has been tampered with, it is possible to stop the leakage of the personal characteristic amount and the processing after the personal authentication.

[Brief description of the drawings]

FIG. 1 is a diagram showing a processing flow of a first embodiment.

FIG. 2 is a diagram showing a processing flow of a first conventional example.

FIG. 3 is a diagram showing a processing flow of a second embodiment.

FIG. 4 is a diagram showing a processing flow of a second conventional example.

FIG. 5 is a diagram illustrating a configuration of a portable electronic device.

FIG. 6 is a diagram showing a configuration of a data processing device.

FIG. 7 is a diagram showing a relationship among a portable electronic device, a data processing device, and an external information processing device.

FIG. 8 is a diagram showing a configuration of an input device when a fingerprint is used as biometric information.

FIG. 9 is a diagram showing a method for obtaining a feature amount of a fingerprint.

FIG. 10 is a portable electronic device corresponding to the first embodiment.

FIG. 11A is a first example of a test sequence generation unit, B is a second example of a test sequence generation unit, and C is an example of a test response.

12A is an example of a pattern compression circuit, and FIG. 12B is an example of a linear transformation matrix.

FIG. 13 is a portable electronic device corresponding to the third embodiment.

FIG. 14 is a configuration example of an access control unit.

FIG. 15 is a diagram showing a processing flow of the fourth embodiment.

FIG. 16 is a portable electronic device corresponding to the fourth embodiment.

FIG. 17 is a diagram showing a processing flow of the fifth embodiment.

FIG. 18 shows an example of a bus stuck-at fault detection method.

Claims (21)

[Claims] A means for storing a feature amount of the first biometric information as registration data; a transmission / reception interface for receiving, as feature amount data, second biometric information to be authenticated from a data processing device; A portable electronic device, comprising: a processor for comparing and collating with the feature amount data; and a failure detection unit for the registered data. 2. The portable electronic device according to claim 1, wherein said failure detecting means is means for detecting physical degradation failure of registered data or data tampering. 3. The portable electronic device according to claim 1, wherein said biological information is any of a fingerprint, a retinal pattern, a voice, and a handwriting. 4. The portable electronic device according to claim 1, wherein said late detection and disconnection processing is performed in real time in parallel with the personal authentication processing. 5. The portable electronic device according to claim 1, wherein when any failure is detected as a result of the failure detection using said failure detecting means, the detection of the abnormality is transmitted to said data processing device through said transmission / reception interface. With
A portable electronic device having a function of stopping data input processing from a data processing device. 6. The portable electronic device according to claim 1, wherein the function of the portable electronic device is reset when any abnormality is detected more than a preset number of times as a result of the failure detection using the detection and disconnection means. A portable electronic device having a function of invalidating the portable electronic device. 7. The portable electronic device according to claim 1, wherein the registered data, the application program, and other test data stored in the portable electronic device are stored in the portable electronic device without newly adding test data dedicated to the failure detecting means. A fault detection method characterized by utilizing various types of data. 8. The portable electronic device according to claim 1, wherein said failure detection means includes a test sequence generation means, a pattern compression circuit, and a failure determination circuit. 9. The portable electronic device according to claim 8, wherein the test sequence generating means selects a part or all of the registration data, the application program, and other various data stored in a storage device on the portable electronic device. A portable electronic device, wherein the selection result is programmable. 10. The portable electronic device according to claim 9, wherein said means for making programmable is realized by blowing a fuse ROM. 11. The portable electronic device according to claim 9, wherein said means for making programmable is a switch cell array;
A portable electronic device implemented by a rewritable memory mat for storing signal information for controlling the switch cell array. 12. The portable electronic device according to claim 9, wherein said means for making programmable is a switch cell array;
A portable electronic device, which is realized by a plurality of rewritable memory mats for storing signal information for controlling the switch cell array and a selection signal for selecting one of the plurality of memory mats. 13. The portable electronic device according to claim 8, wherein
A portable electronic device, wherein the pattern compression circuit is realized using a multi-input signature register. 14. The portable electronic device according to claim 8, wherein
The portable electronic device according to claim 1, wherein the failure determination circuit has means for comparing data sent from the pattern compression circuit with an expected value stored in advance. 15. The portable electronic device according to claim 2, wherein
The expected value for failure detection is not stored in the portable electronic device, but is read from the external information processing device via the data processing device to the portable electronic device as necessary, and the used value on the portable electronic device is used after use. A failure detection method characterized by erasing expected value information. 16. A data processing device for performing personal authentication of a portable electronic device which holds a feature amount of first biometric information as registration data, wherein a second biometric information converted into a digital signal is received as raw data. A transmission / reception interface, a processor for extracting a characteristic amount from the raw data, a second transmission / reception interface for transmitting the extracted characteristic amount to the portable electronic device as second biological information characteristic data, and personal authentication. A data processing device having an output device for notifying a user of a result, based on a failure detection signal transmitted from the portable electronic device via the second transmission / reception interface, and performing intelligent degeneration. Data having a function of notifying a user from the output device that an abnormality such as a failure or data tampering exists in the portable electronic device. Management apparatus. 17. A portable electronic device that holds a feature amount of first biological information as registration data and a data processing device,
In the personal authentication method of performing personal authentication of the portable electronic device, the data processing device extracts a feature amount from the input second biometric information, and transmits the extracted feature amount to the portable electronic device, The personal authentication method, wherein the portable electronic device compares the characteristic data with the registration data. 18. The personal authentication according to claim 14, wherein personal authentication processing and failure detection processing are performed in parallel using part or all of the registration data read for personal authentication. Method. 19. A failure detection method according to claim 14, wherein a failure detection process is performed before the personal authentication process. 20. In the personal authentication according to claim 14, only when the personal authentication processing is determined to be rejection and the difference between the similarity and the threshold is smaller than a predetermined value or ratio. A failure detection method comprising performing a failure detection process. 21. In the personal authentication according to claim 14, all "0" or "all" is stored in a part of a storage device in the portable electronic device and a part of a register in a processor.
A fault characterized by storing a value of "1" and comparing the two at a certain time interval or at a preset time or timing to detect a "0" / "1" stuck-at fault in the bus. Detection method.