JP2003076968A - Portable electronic device and method for inhibiting the use - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a portable electronic device preventing illegal exploitation of stored data under a state that a use of a transaction function is inhibited (invalidated), and a method for inhibiting the use. SOLUTION: At the time of receiving a card block command from the outside (ST21), a control element 15 verifies MAC of the received card block command (ST22). As a result of the verification, in the case that the MAC is a proper value, an LSB of state management information of a data memory 16 is updated from '1(usable state)' to '0(unusable state)' (ST24). When updating is ended, all input/output data 130 of the data memory 16 are erased (ST25). When updating of the state management information and erasure of the data are normally ended, the control element 15 outputs a status '9000' indicating normal end to the outside, ends a series of function invalidating processings and an IC card 1 becomes unusable thereafter (ST26).

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION The present invention relates to, for example, writing / writing.
An IC (integrated circuit) chip having a rewritable nonvolatile memory and a control element such as a CPU is built in, and various processes are executed based on command data supplied from the outside.
The present invention relates to a portable electronic device such as a C card and a method of prohibiting the use thereof.

[0002]

2. Description of the Related Art In recent years, as a portable electronic device, a rewritable nonvolatile data memory and a CPU (Central Processing Unit) for controlling the rewritable nonvolatile data memory have been provided to input / output data from the outside. I with means
So-called IC cards with built-in C chips have been developed in various industrial fields. An IC card has a significantly larger memory capacity than conventional magnetic cards, etc., and unauthorized access is difficult. Therefore, personal information such as a personal identification number and various security information such as encryption key data used for encryption functions are stored. And is beginning to be used especially in the field of EC (electronic commerce). However, as the use of the IC card expands, there is a greater possibility that the IC card will be caught in danger such as unauthorized access, and the importance of security is increasing.

As such a security measure, for example, in Japanese Patent Laid-Open No. 4-153791, in an IC card provided with an inspection mode for investigating the cause of the trouble, privacy in the inspection mode is protected. Therefore, there is described an IC card which, when an inspection command is given from the outside, erases the data in the memory and then shifts to the inspection mode.

[0004]

However, in the case of the prior art as described above, it is limited to the special case of the inspection mode, and it is required to establish security measures in various functions during the operation of the IC card. There is. In addition, in EMV, which is the standard specification of IC cards, I
The card block command that disables the C card is specified, but the security measure for the IC card whose all functions are disabled by this card block command is that the IC card cannot be used. I wasn't thinking about anything.

The present invention has been made in view of the above points, and a portable electronic device for preventing illegal exploitation of stored data under a state where the use of the transaction function is prohibited (invalid), and its portable electronic device. The purpose is to provide a method of prohibiting the use.

[0006]

To achieve the above object, a portable electronic device according to the present invention has a memory for storing various data and operates based on command data received from the outside. In the device, receiving means for receiving command data instructing prohibition of use of the portable electronic device from outside, and command data instructing prohibition of use of the portable electronic device by the receiving means, Control means for controlling the portable electronic device by prohibiting the use of the portable electronic device by erasing the data stored in the memory. In addition, in order to achieve the above object, the portable electronic device of the present invention has an application function, and in a portable electronic device that operates based on command data received from the outside, rewriting that stores data related to the application function. Possible memory, receiving means for receiving command data for instructing to disable all application functions from the outside, and receiving instruction data for disabling functions by this receiving means disables all application functions. It is characterized by having a changing means for changing to a state and an erasing means for erasing the data relating to the application function stored in the memory when changed to an invalid state by the changing means. Further, in order to achieve the above object, the portable electronic device of the present invention has an application function, and in the portable electronic device that operates based on command data received from the outside, the portable electronic device can output to the outside regarding the application function. A rewritable memory that stores data and data that is prohibited from being output to the outside, a receiving unit that receives instruction data that instructs the invalidation of all application functions from the outside, and a function that is invalidated by this receiving unit When the command data to be converted is received, the changing means for changing all the application functions to the invalid state, and the output related to the application function stored in the memory when the changing to the invalid state by the changing means is performed. And erasing means for erasing the prohibited data. In order to achieve the above object, the portable electronic device of the present invention has an application function, and in a portable electronic device that operates based on command data received from the outside, data relating to the application function and this data. A rewritable memory that stores type information that indicates whether the data is to be erased when invalidating the application function for each, and a receiving unit that receives command data that instructs invalidation of all application functions from the outside. , When the command data for invalidating the function is received by this receiving means,
It has been shown that the changing means changes all the application functions to the invalid state and the data to be deleted based on the type information stored in the memory when the changing means changes the state to the invalid state. And an erasing means for erasing data.

[0007]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 2 is a diagram for explaining a system configuration using an IC card 1 (including both contact type and wireless type) and a reader / writer 4 (including both contact type and wireless type) as a portable electronic device according to the present invention. Is.

As shown in FIG. 2, a system using the IC card 1 includes a host computer 3 as an upper device having an internal memory (not shown), and a reader / writer as a terminal device connected to the host computer 3. 4 and
It has a display device 5, a keyboard 6, and a printer 7.

The reader / writer 4 has an internal memory and an IC
Reading and writing (sending and receiving) electronic messages to and from the card 1
Is performed by contact or non-contact. The display device 5 informs the operator of the operating procedure and operating state. The keyboard 6 is operated and input by an operator. The printer 7 prints the instructed information according to the operation instruction of the operator.

When the contact type IC card is used, an IC card insertion portion (not shown) for inserting the contact type IC card is provided in the reader / writer 4, and the wireless type I card is used.
When the C card is used, the reader / writer 4 and the wireless I
A communication unit (not shown) for communicating with the C card is provided.

FIG. 3 is a diagram schematically showing the functional blocks of the IC card 1 which constitutes the system of FIG. As shown in FIG. 3, the IC card 1 includes a read / write unit (R /
W part) 11, password setting / password collating part 12, encryption /
It is composed of a portion that executes basic functions such as the decoding unit 13 and a supervisor 14 that manages these basic functions.

The R / W unit 11 has a function of reading, writing, or erasing data with respect to a data memory or the like. The PIN setting / PIN collation unit 12 performs a process of storing and reading the personal identification number set by the user and, after setting the personal identification number, collating the personal identification number with a personal identification number input from an external device, and subsequent processing. It has the function of giving permission.

The encryption / decryption unit 13 communicates with the reader / writer 4 via a communication line or by wireless communication.
It has a function of performing encryption and decryption for preventing leakage and forgery of communication data when transmitting / receiving data to / from the C card 1.

The encryption / decryption unit 13 also has a function of performing encryption on transmission data and decrypting the encrypted data. The supervisor 14 has a function of decoding an instruction code input from the reader / writer 4 or an instruction code added with data and executing this instruction. The encryption / decryption unit 13 constitutes the decryption means of the present invention.

FIG. 4 is a schematic control block diagram of the IC card 1. As shown in FIG. 4, at least one or more applications can be registered in both the wireless type and the contact type IC card, and in order to execute various functions as shown in FIG. The device 15 includes a data memory 16 serving as various storage units, a program memory 18, a working memory 17, a receiving unit for exchanging signals with the reader / writer 4, and a communication unit 19 serving as an output unit. Examples of registered applications include credits and a point system.

In the case of the wireless IC card 1, the communication section 19 is configured as an antenna section so as to receive the modulated wave transmitted from the reader / writer 4 in a non-contact manner or to transmit the modulated wave to the outside. There is. Further, a power supply and a clock for supplying the internal circuit with the modulated wave received by the antenna unit 19 are generated.

Further, in the case of the contact type IC card 1, the contact type IC card 1 is configured as a contact portion, and a power source and a clock are obtained by contacting with an IC card terminal portion (not shown) provided in the reader / writer 4. Among these configurations, the control element 15, the data memory 16, the program memory 18, and the working memory 17 are configured by one IC chip (or a plurality of IC chips) 20 and are embedded in the IC card main body. The control element 15 is a control unit that performs various types of determination processing / determination processing and data processing such as writing to and reading from a memory.

The program memory 18 is, for example, a mask R.
It is composed of a non-rewritable fixed memory such as an OM, and stores a control program of the control element 15 having a subroutine for realizing each basic function as described above.

The data memory 16 is used for storing various data such as application data, and is, for example, EEPR.
It is composed of erasable (rewritable) nonvolatile memory such as OM. The working memory 17 includes the control element 15
Is a working memory for temporarily holding processing data when the processing is performed, and is composed of, for example, a volatile memory such as a RAM.

FIG. 5 is a conceptual diagram showing the structure of the data memory 16. The data memory 16 is, as shown in FIG.
The control data 110 and the input / output data 130 are largely defined. The control data 110 includes, for example, system data 111 including data used for managing the entire data memory 16 and the like, and file control information 121, 122, 123, ... For managing a plurality of files. The memory 16 is sequentially arranged from the beginning.

A plurality of files 131, 132, 133, ... Associated with the file control information 121, 122, 123, ... Are sequentially arranged from the end of the data memory 16 and set in the input / output data 130. ing. The files 131, 132, 133, ... Store data such as the cardholder's personal identification number, encryption key, and balance information.

An empty area 120 exists between the control data 110 and the input / output data 130. This free area 120
Is an area that does not belong to either the control data 110 or the input / output data 130, and is an area used when a file is added.

FIG. 6 is a diagram showing the structure of the file control information 121, 122, 123, ... Of the data memory 16. File control information 121, 122, 123,
Is a file ID 210, file type information 211, address information 212, size information 2 as shown in FIG.
13 and access control information 214.

The file ID 210 is identification information for identifying a file. The file type information 211 is information indicating the type of data stored in the file, and in the present embodiment, is it internal reference data such as a personal identification number that cannot be output to the outside and is referred to only internally, It indicates whether or not the data is readable / writable information such as balance information. The address information 212 indicates the start position of the file. The size information 213 indicates the size of the file. In the access control information 214, conditions for controlling access to the file are set.

FIG. 7 shows the state management information 3 for identifying the state of the IC card, which is set in the system data 111.
It is a figure which shows the structure of 10. The state management information 310 is composed of 1 byte as shown in FIG. 7, and indicates the “operating state (state in which the IC card 1 can be used)” when the LSB bit is “1”. When the LSB bit is "0", it indicates "function disabled state (state where IC card cannot be used)".

When the IC card 1 is operated, use (invalidation) of all application functions described later is prohibited.
When a card block command, which is a command for instructing, is received, the control element 15 refers to the state management information 310 and changes the LSB bit from "1" to "0".

FIG. 8 is a diagram showing a format of data transmitted and received between the reader / writer 4 and the IC card 1.
FIG. 8A shows command data supplied from the reader / writer 4 to the IC card 1 (in particular, a card block command for instructing invalidation of all application functions).
FIG. 8B shows the IC card 1 to the reader / writer 4.
The response data to be transmitted is shown.

As shown in FIG. 8A, command data for instructing invalidation of all application functions of the IC card 1 is a command code including command classification (CLA: class) and command (INS: instruction). Section, parameter data P1 / P2, Lc indicating the data length of the data to be written, and write data DATA.

In the command data (card block command) for instructing the invalidation of all application functions, "8416" indicating the instruction for invalidating the function is given in the command code portion, and "08" is given in the data length Lc. However, the write data DATA has a message authentication code (MAC: M
Essage Authentication Cod
The data in e) is used. The MAC data guarantees the validity of the command, and encryption is used for its generation.

The response data to the card block command shown in FIG. 8 (a) is composed of status codes (SW1, SW2) as shown in FIG. 8 (b). 9000 "is output.

FIG. 9 is a flow chart for command processing in the IC card 1 thus constructed. As shown in FIG. 9, when a command is received from the outside (ST11), the control element 15 of the IC card 1 refers to the state management information 310 of the data memory 16 to check whether the card is in the operating state or in the function disabled state. Check if there is (S
T12).

At ST12, the LSB of the status management information 310
Is “0”, and when it is determined that the function is in the invalid state (ST13), the control element 15 determines that the error status indicates that the function is invalid (for example, an error indicating that the function is not supported). (Status) is output to the outside, and a series of processing is terminated without performing any other operation (ST14).

At ST12, the LSB of the status management information 310
Is "1", and when it is determined to be in the operating state (ST13), the control element 15 executes the process corresponding to the received command (ST15), and when it is completed normally, the processing is normally ended. Is output, and if an error occurs, an error status that indicates the content of the error that has occurred is output, and a series of processing ends (ST1
6).

The function invalidation process in the IC card 1 thus constructed will be described with reference to FIGS. 1 and 10. (First Embodiment) A first embodiment of the function invalidation process in the IC card 1 thus configured will be described with reference to FIGS. 1, 10 and 11. FIG. 1 is a flow chart of the first embodiment of the function invalidation process in the IC card 1. In this embodiment, the IC card 1
When externally instructed to invalidate the function, the state management information 310 is changed and all input / output data is erased.

As shown in FIG. 1, when a card block command is received from the outside (ST21), the control element 15 of the IC card 1 determines whether the MAC is a valid value from the received card block command. Verify (ST2
2). As a result of the verification in ST12, when it is determined that the MAC is not a legal value, an error status meaning “MAC abnormality” is output to the outside (ST23).

When the MAC is judged to be a valid value as a result of the verification in ST12, the control element 15 sets the LSB of the state management information of the data memory 16 from "1 (usable state)" to "0 (use state). Impossible state) ”(S
T24). When the updating of the state management information in ST14 is completed, then all the input / output data 130 in the data memory 16 is erased (ST25).

Update of status management information by ST24, ST
When the erasing of data by 25 is completed normally, the control element 15 sends the status "900" which means normal completion to the outside.
"0" is output, a series of function invalidation processing is completed, and thereafter,
The IC card 1 becomes unusable (ST26).

That is, in this embodiment, as shown in FIG. 10A, for example, as the input / output data 130 stored in the data memory 16, the file # 1 (encryption key) 131,
File # 2 (personal identification number) 132 and file # 3 (balance information) 133 exist.

When the IC card 1 is instructed to invalidate the function from the outside, the status management information 3 is set in ST24.
After changing the LSB bit of 10 to "0" indicating the function disabled state, the file # 1 (encryption key) 131, ST25
The file # 2 (personal identification number) 132 and the file # 3 (balance information) 133 are deleted. As a result, the data memory 16 of the IC card 1 in the function disabled state is shown in FIG.
As shown in FIG. 3, it is composed of only the system data 111, the file control information 121, 122, 123, and the free area 120.

The erasing method as shown in FIG. 10 is particularly effective in the case of a wireless IC card because it erases only the data to be erased with a small amount of power and in a short time. In addition to the erasing method of FIG. 10B, not only the files 131, 132, 133 are erased by ST25, but also corresponding file control information 121, 122, 123.
It is also conceivable to erase the. As a result, the data memory 16 of the IC card 1 in the function disabled state is shown in FIG.
As shown in (b), it is composed of only the system data 111 and the free area 120.

As described above, in this embodiment, I
When the instruction data for instructing the invalidation of the function of the C card 1 is received, not only the function of the IC card 1 itself cannot be used (the state that the IC card 1 does not react) but also the stored data is erased. It is possible to prevent unauthorized data exploitation due to analysis of an IC card that has become unusable, and it is possible to protect the privacy of the cardholder or the like.

(Second Embodiment) A second embodiment of the function invalidation processing in the IC card 1 configured as described above will be described with reference to FIGS. 12 to 14. Figure 12
It is a flowchart figure regarding the 2nd Example of the function invalidation process in the IC card 1 comprised in this way. In the present embodiment, when the IC card 1 is instructed to invalidate the function from the outside, the state management information 310 is changed and all the internal reference data are erased. This point is the first embodiment. Different from the example. Other than that is the same as FIG. 1, the same step number is given, and the description is omitted.

As shown in FIG. 12, when a card block command is received from the outside (ST21), the control element 15 of the IC card 1 receives the received card block command.
Verify whether the MAC is a valid value from the command (ST
22). As a result of the verification in ST12, when it is determined that the MAC is not a legal value, an error status meaning “MAC abnormality” is output to the outside (ST23).

When the MAC is determined to be a valid value as a result of the verification in ST12, the control element 15 sets the LSB of the state management information 310 in the data memory 16 from "1 (usable state)" to "0 ( (Unusable state) ”(ST24). Upon completion of updating the state management information in ST14, the control element 16 then refers to the file type information 211 of the file control information 121, 122, 123, ... Is confirmed (ST31).

When it is confirmed by ST31 that the internal reference data exists (ST32), the control element 15 of the input / output data 130 of the data memory 16 is indicated by the state management information 310 as the internal reference data. All existing files are deleted (ST33).

When it is confirmed in ST31 that the internal reference data does not exist (ST32), when the internal reference data is erased normally in ST33, the control element 15
Is a status "9000" that means normal termination to the outside
Is output, and a series of function invalidation processing is completed.
The card 1 becomes unusable (ST34).

That is, in this embodiment, as shown in FIG. 13A, for example, as the input / output data 130 stored in the data memory 16, the file # 1 (encryption key) 131,
File # 2 (personal identification number) 132 and file # 3 (balance information) 133 exist.

When the IC card 1 is instructed to invalidate the function from the outside, the status management information 3 is set in ST24.
After changing the LSB bit of 10 to "0" indicating the function disabled state, the file #
1 (encryption key) 131 and file # 2 (password) 132
Erase. As a result, the data memory 16 of the IC card 1 in the function disabled state has the system data 111, the file control information 121, as shown in FIG.
122, 123, file # 3 (balance information) 133, and free area 120 only.

In addition to the erasing method of FIG. 13B, ST33
File # 1 (encryption key) 131 and file # 2
It is conceivable that not only the (personal identification number) 132 but also the corresponding file control information 121 and 122 are erased. As a result, the IC card 1 in the function disabled state
14B, the data memory 16 includes only system data 111, file control information 123, file # 3 (balance information) 133, and a free area 120.

In this embodiment, when the command data for instructing the invalidation of the function of the IC card 1 is received, the IC card 1
In addition to not using the function of itself (not reacting), by deleting the data of the type that is not output to the outside (data used only for internal reference), it is illegal due to analysis of the IC card that has become unusable. It is possible to prevent unauthorized data exploitation, and it is possible to prevent not only protection of privacy but also unauthorized use act (spoofing act) resulting from unauthorized use of data that can be used only internally.

[0051]

As described above, according to the present invention,
It is possible to prevent illegal exploitation of stored data under the condition where the use of the transaction function is prohibited (invalid).

[Brief description of drawings]

FIG. 1 is an IC card 1 according to a portable electronic device of the present invention.
FIG. 6 is a flowchart for explaining the first example of the function invalidation process in FIG.

FIG. 2 is a diagram for schematically explaining a system configuration using an IC card 1 and a reader / writer 4.

FIG. 3 is a diagram showing basic functional blocks of the IC card 1.

FIG. 4 is a diagram showing a control block of the IC card 1.

FIG. 5 is a diagram for explaining a configuration of a data memory 16 of the IC card 1.

FIG. 6 is a diagram for explaining the configuration of file control information in the data memory 16.

FIG. 7 shows status management information 310 in system data 111.
For explaining the configuration of FIG.

FIG. 8 is a diagram showing a format of data exchanged between the reader / writer 4 and the IC card 1.

FIG. 9 is a flowchart for explaining command processing in the IC card 1.

FIG. 10 is a conceptual diagram for explaining a first example of a function invalidation process in the IC card 1.

FIG. 11 is a conceptual diagram for explaining a first example of a function invalidation process in the IC card 1.

FIG. 12 is a flow chart for explaining the second embodiment of the function invalidation processing in the IC card 1.

FIG. 13 is a conceptual diagram for explaining a second embodiment of the function invalidation processing in the IC card 1.

FIG. 14 is a conceptual diagram for explaining a second embodiment of a function invalidation process in the IC card 1.

[Explanation of symbols]

1 IC card 4 Reader / Writer 16 data memory (non-volatile memory) 17 Working memory (RAM) 18 Program memory (ROM)

Continued front page    F-term (reference) 2C005 MA05 MB08 NA02 NA08 NB04                       SA02 SA05 SA07 SA12 SA23                       SA25 TA21 TA22                 5B017 AA03 BA08 CA14                 5B035 AA13 BB09 CA11 CA38                 5B058 CA01 CA27 KA02 KA04 KA08                       KA31 YA02 YA20

Claims (10)

[Claims] 1. A portable electronic device, which has a memory for storing various data and operates based on command data received from the outside, receives command data instructing prohibition of use of the portable electronic device from the outside. Receiving means and a command data for instructing prohibition of use of the portable electronic device, the receiving means erases the data stored in the memory to use the portable electronic device. A portable electronic device, comprising: a control unit that controls so as to prohibit. 2. In a portable electronic device having an application function and operating based on command data received from the outside, a rewritable memory for storing data relating to the application function and invalidation of all the application functions from the outside. Receiving means for receiving the command data for instructing, and, when the receiving means receives the command data for invalidating the function, the changing means for changing all the application functions to the invalid state, and the changing means for invalidating the function. A portable electronic device, comprising: erasing means for erasing data relating to application functions stored in the memory when the state is changed. 3. In a portable electronic device having an application function and operating based on command data received from the outside, data that can be output to the outside and data that is prohibited to output to the outside are related to the application function. A rewritable memory to be stored, a receiving means for receiving command data for instructing invalidation of all application functions from the outside, and a command data for invalidating the function by this receiving means, all application functions are received. And an erasing means for erasing the data for which output related to the application function stored in the memory is prohibited when the invalid state is changed by the changing means. A portable electronic device characterized by the above. 4. A portable electronic device having an application function, which operates based on command data received from the outside, comprising data relating to the application function and data to be deleted when the application function is invalidated for each data. A rewritable memory that stores the type information indicating whether or not it exists, a receiving unit that receives command data that instructs the invalidation of all application functions from the outside, and command data that invalidates the function by this receiving unit. Then, the changing means for changing all the application functions to the invalid state, and the data to be erased based on the type information stored in the memory when changing to the invalid state by the changing means. Portable electronic device having erasing means for erasing data indicated by 5. The memory further stores state management information indicating whether the application function is valid or invalid, and the changing unit invalidates the function by the receiving unit. 5. The method according to claim 2, further comprising means for rewriting the state management information of the memory to indicate that all application functions are in an invalid state when the command data is received. Portable electronic device. 6. The data relating to the application function of the memory includes a data section and definition information including address information in which the data section is stored, and the erasing means sets the invalid state by the changing means. 6. The portable electronic device according to any one of claims 2 to 5, characterized in that, when changed as shown, only the data part of the data relating to the application function stored in the memory is erased. 7. A method for prohibiting the use of a portable electronic device which has a memory for storing various data and operates based on command data received from the outside, wherein the use of the portable electronic device is prohibited from the outside. When receiving the command data to instruct, and when the command data instructing to prohibit the use of the portable electronic device is received by the receiving step, the data stored in the memory is erased to erase the mobile device. A method for inhibiting the use of a portable electronic device, the method comprising: inhibiting the use of a portable electronic device. 8. A method for prohibiting the use of a portable electronic device having a rewritable memory for storing data relating to application functions and operating based on command data received from the outside, comprising: The step of receiving instruction data for instructing invalidation, the step of changing all the application functions to the invalid state when the instruction data for invalidating the function is received by this receiving step, and the step of invalidating by this changing step Erasing the data relating to the application function stored in the memory when the state is changed. 9. A portable device that has a rewritable memory that stores data that can be output to the outside and data that is prohibited from being output to the outside regarding an application function, and that operates based on command data received from the outside. In the method of prohibiting the use of an electronic device, a step of receiving command data instructing to invalidate all application functions from the outside, and a command data for invalidating the function is received by this receiving step, all applications are received. It has a step of changing the function to an invalid state and a step of erasing the data for which output related to the application function stored in the memory is prohibited when the state is changed to the invalid state by the changing step. A method of banning the use of portable electronic devices characterized by. 10. A command received from the outside, having a rewritable memory for storing data related to an application function and type information indicating for each data whether or not the data is data to be deleted when the application function is invalidated. In a method of prohibiting the use of a portable electronic device that operates based on data, a step of receiving command data for instructing to disable all application functions from the outside, and a command data for disabling the function by this receiving step are included. When received, the data is a step of changing all application functions to an invalid state, and data to be deleted based on the type information stored in the memory when being changed to an invalid state by this changing step. And a step of erasing data indicated by How to prohibit the use of the device.