JP2003316459A - Ic card application program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a license management method which controls the use limitation and expiration date for use of an application software program in an IC card to which the application software is loaded, and also provide a system therefor. <P>SOLUTION: The application program to be managed, a peculiar serial number and an original collation key corresponding to the serial number are held within the IC card. Initially, only a command reading out the serial number and an activation command effectuating all of the functions are operative, and other functions are not operative. A function, which makes all of the functions of the program operative only when the collation key is verified to be right in the application program when a user commands the matching key relating to the serial number in addition to the activation command, is provided. <P>COPYRIGHT: (C)2004,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an application program installed in an IC card provided with a special function so that software license management can be easily performed.

[0002]

2. Description of the Related Art An application program recorded and used on an IC card is normally installed on the IC card by the card issuer side and distributed to the user in a usable state. A card equipped with such a software program cannot normally be set so that the application operates only on some specific cards.

[0003]

For example, it is assumed that 10,000 cards X loaded with application A are manufactured and distributed to users (customers). At this time, the user said, "The card will be distributed to all employees, but application A
For the time being, since only 100 people will use it for the time being, I want to use the license fee for application A for 100 people in the first year. " It could not be restricted according to the attributes of the.

The present invention has been made in consideration of such problems, and easily manages the use permission or the use limitation of the application program mounted on the IC card without collecting the once-distributed card. It is an object to provide an IC card-installed program that enables the above.

[0005]

A first invention for solving the problem is an application program having the following features designed to be mounted on an IC card. That is, the unique serial number and the original verification key corresponding to the serial number are held internally, and initially,
Only the command that reads the serial number and the activation command that activates all the functions of the program are valid, and the other functions are in an unusable state. All functions of the program are valid only when it is verified that the collation key matches the original collation key when receiving the command of the activation command to which the collation key related to the serial number is added. It is characterized by having the function of Only the card issuer knows the original verification key corresponding to the serial number. Therefore, when the collation key equal to the original collation key is received, the program can be used.

A more preferable second aspect of the application program according to the first invention is the application program according to the first aspect, wherein the collation key or the original collation key is the encryption key owned by the card issuer. It is assumed to be created by encrypting with. If the encryption method and the encryption key are decided, the original collation key can be obtained if the serial number is decided, so that it is not necessary for the card issuer side to record all the original collation keys for each serial number.

A more preferable third aspect of the application program according to the first invention is the application program according to the first aspect or the second aspect, which comprises a software invalidation command for invalidating all of its functions. Therefore, when this command is received from the user, all the functions of the user cannot be provided, and a response to the invalidation command including the serial number of the application program and the original collation key is returned. It is a thing.

A more preferred fourth aspect of the application program according to the first invention is an improvement of the application program according to the second aspect by using a public key cryptosystem. That is, the unique serial number and the private key corresponding to the serial number are held inside, and initially, only the command that reads the serial number and the activation command that enables all the functions of the program are valid. The other functions are in an unusable state, and when the command of the activation command to which the collation data related to the serial number is added is received from the user, the secret An application program for mounting an IC card, which has a function of enabling all the functions of the program only when the validity of the collation data can be verified using a key.

The application program can use all the functions only when it receives as the verification data the same data as the one encrypted by the public key corresponding to the serial number known only to the card issuer. Is.

A more preferable fifth aspect of the application program according to the first invention is the application program according to the fourth aspect, which is also provided with a software invalidation command for invalidating all of its functions. When this command is received from a person who has received the command, all the functions of the application cannot be provided, and the serial number of the application program is written and the serial number is encrypted with the private key of the application. It is characterized in that it returns a response to the compliant command.

A more preferable sixth aspect of the application program according to the first invention is to internally store a unique serial number, a secret key corresponding to the serial number, and a control variable. Initially, the serial number and Only the command that reads the value of the control variable and the activation command that enables all the functions of the program are valid, and the other functions are in the unusable state. , Only when the validity of the collation data can be verified using the secret key when receiving the command of the activation command to which the collation data related to the serial number and the value of the control variable is added, It is an application program for mounting an IC card, which has a function of enabling all the functions of the program.

A more preferable seventh aspect of the application program according to the first invention is that a command for reading out the serial number and the value of the control variable after enabling all the functions once and all the functions of the program. An application program according to a sixth aspect including a software invalidation command that returns to an initial state in which only an activation command for enabling a function operates, and when the user receives this command, the serial number and control A command for reading the value of a variable and a function other than the activation command cannot be provided, and a part in which the serial number of the application program is described and a part in which the serial number is encrypted by its own secret key are included. The response to the configured invalidation command is returned, and the control variable Is characterized in carrying out the process of updating the procedure stipulated values.

An eighth aspect of the first invention is an IC card mounting according to the seventh aspect, wherein a value generated by a random number generation algorithm is used as a new value of the control variable when updating the value of the control variable. Is an application program for. For the random number generation, an existing pseudo random number generation algorithm or a random number generation function using it may be used.

A second invention for solving the problem is an IC card having the application program according to the first invention mounted therein.

A third invention for solving the problem is a license management method for an application program according to the seventh or eighth embodiment of the first invention, in which the user:
If you want to use this application program,
The serial number of the program and the value of the control variable read from this application program are sent to the card issuer, and the card issuer publishes the corresponding serial number based on the value of the serial number and the control variable. A procedure of encrypting the serial number and the value of the control variable with a key to create verification data, recording that the verification data was created for this serial number, and then responding the verification data to the user. The license management of the application program installed in the IC card is carried out according to.

A fourth invention for solving the problem comprises a client computer equipped with a card reader / writer device equipped with a license management client means, and a license management database equipped with a license management server means installed by a card issuer. A license management system for an application program according to a seventh aspect or an eighth aspect of the first invention, which is configured by being connected to a server computer via a network, wherein the license management client means comprises:
According to the instruction of the card user, the serial number and the control variable values recorded in the application program are read from the target IC card through the card reader / writer device and transmitted to the license management server means through the network. The license management server means receives a response from the license management server means and gives it to the application program to enable all the functions thereof. The license management server means uses the serial number of the distributed application program. It holds the corresponding public key data, and when the serial number and the value of the control variable are received from the license management client means, they are encrypted by the public key prepared corresponding to the serial number. Then, the collation data is created, and the fact that the collation data is created for this serial number is recorded in the license management database, and the generated collation data is returned to the license management client means. When the invalidation response is received from the means, the encrypted part is decrypted with the corresponding public key, the serial number description part is collated, and the serial number is verified to be valid. The serial number is registered in the license management database, and the fact that the invalidation registration is completed is returned to the license management client means, whereby invalidation and reactivation of the application program can be managed without omission. It is a license management system.

[0017]

BEST MODE FOR CARRYING OUT THE INVENTION An application program according to the present invention, an application program management method using the same (hereinafter referred to as "basic management method"), and a configuration using the method will be described below with reference to the drawings. An application program license management system 1 will be described. First, an outline of the basic management method will be explained.

First, it is assumed that the application program targeted by the basic management method has the following features. 1) The application records a serial number and a verification key (serial number encrypted with the issuer's key). 2) Command to read serial number (READ command)
Has been implemented. 3) Command that compares the collation key stored in the application with the accepted collation key, and if all match, enables all commands of the application (EN
ABLE command) is implemented. 4) A command (DISA BLE command) that disables the application and outputs a check code is implemented. 5) In the initial state, all commands other than the above three commands are disabled.

Next, referring to FIG. 1, a procedure for enabling the program A, which is the target program of the basic management method, will be described. First, the user sends a READ command to the IC card equipped with the program A to read the serial number (). Next, create a list of read serial numbers for the number of cards and send them to the issuer (). The issuer encrypts the serial number with a key managed by the issuer, and generates a collation key to enable the application (). Send the list of verification keys generated by the issuer to the user (). The user issues the ENABLE command to the IC card equipped with the program A and sends the verification key, and the program A
Is available (). Program A in IC card
Compares the sent collation key with the collation key contained therein, and when they match, brings all the functions into a state in which they can be provided.

In the above procedure, the encryption method is not particularly limited. A well-known encryption method such as the DES encryption method may be used, but any other encryption method may be used. Further, in the basic management method target program installed in the IC card, the control method of not enabling (providing) the functions included in the program is not particularly limited. Any method that can be implemented by software may be used. For example, there is a flag that determines validity / invalidity for each prepared command, these are stored in the non-volatile memory area of the IC card, and this flag is inspected at the beginning of the processing function of each command. Can be considered.

Next, the procedure for making the program A unusable will be described with reference to FIG. First, the card user DISABLEs the IC card that wants to invalidate program A.
Issue the command and get the response data (). This response data includes the serial number unique to the application program and the verification key. Next, the response data created in this way for a plurality of cards is collected, a list of response data is created and sent to the issuer (). The issuer side extracts the serial number and verification key from the response data. The response data is composed of a serial number and a verification key. The verification key has a relationship that the serial number is encrypted with the key of the card issuer.
Therefore, the card issuer separates the verification key part from the response data (). Then, the verification key is decrypted by the key managed by the issuer (). The decryption result is compared with the serial number part extracted from the response data (). If the two match, the issuer side was able to confirm that they were invalidated correctly. The card issuer records this correctly invalidated serial number in the license management record database and notifies the user that the invalidation processing has been completed normally (). If the two do not match, the card user is notified to that effect ().

FIG. 3 shows the configuration of a license management system 1 for implementing the basic management method described with reference to FIGS. 1 and 2 without requiring human labor. The license management system 1 will be described below with reference to FIG.

Reference numeral 10 is a client computer used by the card user. Client computer 1
0 comprises a card reader / writer device 12 and a license management client means 11. 13 is an application program which is a license management target
It is an IC card equipped with. The license management client means 11 has a user interface function for receiving an instruction from a card user and a communication function for exchanging necessary data with a license management server means 21 described later through a network.

Reference numeral 20 is a license management server device installed by the card issuer. A management database 22 for managing licenses of application programs mounted on the card, and license management server means 21.
Is equipped with.

The license management client means 11 is
When activated, a user interface screen is displayed on the display 18 and waits for input from the card user. The card user uses the input keyboard 19 or the like to instruct activation of the installed application. Then, the license management client means 11 that has received this instruction
Sends a READ command to the card 13 through the card reader / writer 12 to read the serial number (corresponding to FIG. 1). Then, this serial number is transmitted to the license management server means as a verification key request message (corresponding to FIG. 1).

The license management client means 11 and the license management server means 21 execute processing for license management of application programs according to a predetermined message exchange protocol. That is, the license management server means 21
The verification key request message created in a predetermined format sent from the license management client means 11 is received, and the serial number is taken out from the message and encrypted by the same procedure as the step of FIG. 1 to create the verification key. This is included in the response message to the verification key request message and returned to the request source (corresponding to FIG. 1).

The client means 11 extracts the target collation key from the response message and gives it to the IC card 13 together with the ENABLE command through the card reader / writer 12 (corresponding to FIG. 1). As a result, all the functions of the application program installed in the IC card 13 are valid.

Next, the case of invalidating the application program will be described. When the license management client means 11 is activated, the user interface screen is displayed on the display 18, and the card user waits for an input from the card user, and the card user gives an instruction to invalidate the installed application, a license is issued. The management client means 11 is a card reader / writer 1.
A DISABLE command is given to the IC card 13 through 2. Then, the application program returns a response including the serial number and the verification key recorded therein to the license management client means 11 (corresponding to FIG. 1).

The license management client means 11 is
An invalidation request message of a predetermined format including this response is sent to the license management server means 21 (corresponding to FIG. 2). The license management server means 21 extracts the serial number part and the collation key part from the received invalidation request message (corresponding to FIG. 2), decrypts the collation key (corresponding to FIG. 2), and separates this result first. Compare the serial number parts (corresponding to Figure 2). If they match, it means that the owner of the application program with this serial number is a valid invalidation request message, so the software program with that serial number has been invalidated in the license management database. Register things. Then, the fact that the invalidation processing is normally completed is returned as a reply message to the invalidation request message (corresponding to FIG. 2). If they do not match, a message to that effect is returned as a reply message to the invalidation request message (corresponding to FIG. 2).

According to the license management system 1, by exchanging messages between the license management client means 11 and the license management server means 21, the server device 20 can automatically manage the enabled / disabled state of the application program. It is possible to collect software usage fees and supply service information to users who are actually using the software without error.

Next, as a modified example of the embodiment of the present invention, a management method (hereinafter referred to as "improved management method") improved from the basic management method just described, and an application program configured by using this improved management method. The license management system 2 will be described.

In the improved management method, the public key cryptosystem is used to create / verify the collation data used when the application program is validated, and to create / verify the response data when the application program is invalidated to improve the security. Is characterized by. In the improved management method, the word "collation data" is used instead of "collation key". Therefore, the application program that the improvement management method manages (hereinafter referred to as "improvement method support program") not only records the serial number internally, but also holds the private key data corresponding to the serial number. is doing. Further, the improved method target program has a function of decrypting the input data with its own private key, or of encrypting its own serial number with its own private key and outputting it. The issuer side holds a plurality of public key data corresponding to each serial number of the distributed application program. FIG. 5 shows a procedure for validating the application program by the improved management method, and FIG. 6 shows a procedure for invalidating the application program by the improved management method.

A procedure for activating the program B, which is one of the improvement method corresponding programs, by the improvement management method will be described by comparing FIG. 5 with FIG. First, the user READs the IC card on which he wants to use program B
Send command and read serial number (Fig. 5
). Next, a list of read serial numbers is created for each card and sent to the issuer (Fig. 5).
Up to this point, it is the same as in FIG. On the issuer side,
As shown in FIG. 4, each serial number is encrypted with a public key prepared according to the serial number, and the program B
Generate collation data for making available (Fig. 5
). The list of collation data generated on the issuer side is sent to the user (Fig. 5). The user who received the verification data,
The ENABLE command is issued to the program B and the collation data is transmitted to make the program B available (FIG. 5). The program B decrypts the sent verification data with its own secret key data, and when they match, brings all the functions into a state where it can be provided. In this procedure,
Is a procedure using the public key cryptosystem, which is different from the method shown in FIG.

Next, the procedure for invalidating the program B will be described while comparing FIG. 6 with FIG. First, the card user issues a DISABLE command to a card whose application is desired to be invalidated, and obtains response data (FIG. 6). At this time, the program B has disabled all its functions. The response data in FIG. 2 includes a serial number unique to the application program and a collation key. In the improved management method, the serial number and the serial number encrypted with its own private key are used as the response data. . Next, the response data created in this way for a plurality of cards is collected, a list of response data is created and sent to the issuer (FIG. 6). On the issuer side, the serial number part and the encrypted part are separated from the response data (FIG. 6), and the encrypted part is decrypted by the corresponding public key data (FIG. 6). This decryption result is compared with the previous serial number part (FIG. 6). If the two match, the issuer side was able to confirm that they were invalidated correctly. The card issuer records the correctly invalidated serial number in the license management record database and notifies the user that the invalidation processing has been normally completed (FIG. 6). If the two do not match, the card user is notified to that effect (FIG. 6). As described above, the procedure other than the improved management method is different from the basic management method by adopting the public key cryptosystem.

With respect to the license management system 1, if the license management server means 21 is improved to execute the steps and of FIG. 6 described above, the improvement management method is unattended for the improvement method corresponding program. The license management system 2 can be realized. As the public key cryptosystem, any existing technology such as the RSA cryptosystem may be used. The license management client means 11 handles the collation data instead of the collation key, but since these are nominally different from each other, substantial improvement is not necessary.

The license management system 2 not only has all the features of the license management system 1, but also employs a public key cryptosystem to enhance the security against unauthorized use. In the license management system 2,
This is because it is almost impossible to forge the response data generated when the application is invalidated (FIG. 6). The response data is generated by using the secret key assigned in accordance with the serial number of each improvement method corresponding program inside the improvement method corresponding program. Therefore, even if the application program is not actually invalidated, the response data is forged and sent to the license management server means 21 to continue the use of the application program without paying the subsequent license fee. Is virtually impossible to do.

It should be noted that both the license management system 1 and the license management system 2 can be used as a system that only manages when the program is activated by not mounting the DISABLE command in the application program to be managed. . Even in that case, it works effectively as a system that automatically manages the serial number of the activated program.

In the license management system 1 and the license management system 2 described above, the application program that has received the invalidation command "cannot provide all of its own functions".
After being deactivated, even if an activation command is sent from the outside again, it will never return to the usable state. The license management system 1 and the license management system 2 are systems that provide a management method for such application programs that can be used "only once." As an application program, unlike this,
When the invalidation command is received, it is possible to think of a product having a specification of "return to the initial state". An application program having such a specification will be hereinafter referred to as a "reusable type" program. Even if it is invalidated, it only returns to the initial state, so it can be reused any number of times by sending the activation command again.

In the license management system 1 and the license management system 2, the card issuer may not be able to manage the license for the “reusable” program every time the program is activated. Save the verification data when the unauthorized user activated last time. By using it, the program can be activated without notifying the card issuer.

FIG. 7 and FIG. 8 are schematic explanatory diagrams of the license management system 3 that manages the license of the “reusable” program every time the program is activated. The point of the license management system 3 is to prevent the verification data received from the card issuer last time from working effectively in the next activation.
Therefore, as shown in FIG. 7, when the data is activated, the data to be sent to the card issuer is connected with a serial number and a control variable independent of the serial number and then sent (FIG. 7). The control variable may be an integer with an appropriate number of digits and is recorded in the non-volatile memory area of the IC card and its initial value is zero. The card issuer
Data obtained by concatenating this control variable with the serial number is encrypted with the public key to create collation data (see FIG. 7).
), The application program decrypts this collation data with the private key, and confirms whether the decrypted values match the serial number and the value of the control variable stored internally (FIG. 7). Enable all features of the program only if confirmed.

On the other hand, at the time of invalidation, as shown in FIG.
When outputting the response data, the control variables recorded in the non-volatile memory area of the IC card are changed by an appropriate method inside the application (FIG. 8). For this change, for example, a random number may be generated inside the application or using another program inside the IC card, and the result may be used as a new control variable value. At that time, an existing pseudo-random number generation algorithm may be used as the random number generation algorithm. Alternatively, the control variable may be updated by simply adding 1. Each time this invalidation is performed, I
By changing the internal state of the C card, the next time the application is activated, it can be activated only with the verification data newly created by the card issuer. Even for "reusable" programs, it is possible to properly manage the license each time it is activated.

[0042]

As described in detail above, by using the software program of the present invention, it is possible to use the above license management method and to realize the above license management system by systemizing this method. Without collecting the IC card once distributed, the license management of the application program installed in the IC card can be accurately performed without error.
In addition, the remarkable effect that it becomes possible for the target software user to comply with the license through this is achieved.

[Brief description of drawings]

FIG. 1 is a schematic explanatory diagram of a license management method using an application program according to an embodiment of the present invention.

FIG. 2 is a schematic explanatory diagram of a license management method using an application program according to an embodiment of the present invention.

FIG. 3 is an overall configuration diagram of a license management system using an application program according to an embodiment of the present invention.

FIG. 4 is a schematic explanatory diagram of an improved management method of a license management method using an application program according to an embodiment of the present invention.

FIG. 5 is a schematic explanatory diagram of an improved management method of a license management method using an application program according to an embodiment of the present invention.

FIG. 6 is a schematic explanatory diagram of an improved management method of a license management method using an application program according to an embodiment of the present invention.

FIG. 7 is a schematic explanatory diagram of a license management method corresponding to a reusable program according to an embodiment of the present invention.

FIG. 8 is a schematic explanatory diagram of a license management method corresponding to a reusable program according to an embodiment of the present invention.

[Explanation of symbols]

9 network 10 client computers 11 License management client means 12 Card reader / writer device 13 IC card 15 Managed application programs 18 display 19 keyboards, etc. 20 server computer 21 License Management Server Means 22 License Management Database

Claims (11)

[Claims] 1. An application program mounted on an IC card, which internally holds a unique serial number and an original collation key corresponding to the serial number. Initially, a command for reading the serial number, and
Only the activation command that activates all the functions of the program is valid, and other functions are disabled, and the user needs to input the verification key associated with the serial number. When the command of the added activation command is received, it is provided with a function of enabling all the functions of the program only when it can be verified that the collation key matches the original collation key. Characteristic application program. 2. The application program according to claim 1, wherein the verification key and the original verification key are created by encrypting the serial number unique to the application program with an encryption key owned by the application program issuer. 3. The application program according to claim 1, further comprising a software invalidation command for invalidating all of its own functions, and when receiving this command from the user, all of its own functions are received. An application program, which disables a function and returns a response to an invalidation command including the serial number of the application program and the original collation key. 4. An application program mounted on an IC card, which internally holds a unique serial number and a secret key corresponding to the serial number. Initially, a command for reading the serial number and the program Only the activation command that enables all the functions of is valid and other functions are disabled, and the user added the verification data related to the serial number. When a command of the activation command is received, a function of activating all the functions of the program is provided only when the validity of the collation data can be verified using the secret key. The application program to do. 5. The application program according to claim 4, comprising a software invalidation command for invalidating all of its own functions, and when receiving this command from the user, it is impossible to provide all of its own functions. In addition, the application program is characterized by returning a response to an invalidation command including a part in which the serial number of the application program is described and a part in which the serial number is encrypted by its own secret key. 6. An application program mounted on an IC card, which internally holds a unique serial number, a secret key corresponding to the serial number, and a control variable. Initially, the serial number and the value of the control variable are stored. Only the command that reads out the command and the activation command that enables all the functions of the program are valid, and other functions cannot be used. And when the validity of the collation data can be verified by using the secret key when receiving the command of the activation command to which the collation data related to the value of the control variable is added, all the programs An application program having a function of enabling a function. 7. A command for reading out the serial number and the value of a control variable after once activating all the functions,
7. The application program according to claim 6, further comprising a software invalidation command that returns to an initial state in which an activation command that enables all the functions of the program does not operate, and the command is received from a user. And the command for reading the serial number and the value of the control variable, and the function other than the activation command cannot be provided, and the part in which the serial number of the application program is described and the serial number are protected by its own secret key. An application program characterized by returning a response to an invalidation command including an encrypted part and updating the value of the control variable according to a predetermined procedure. 8. The application program for mounting an IC card according to claim 7, wherein the value generated by the random number generation algorithm is used as a new value of the control variable. 9. An IC card on which the application program according to claim 1 is installed. 10. The license management method for an application program according to claim 7, wherein if the user wants to use this application program, the serial number and the serial number of the program read from this application program are stored. The value of the control variable is sent to the card issuer, and based on the serial number and the value of the control variable, the card issuer uses the public key prepared corresponding to the serial number and the value of the serial number and the control variable. The license management of the application program installed in the IC card is performed by the procedure of encrypting the verification data and recording the verification data for this serial number and then returning the verification data to the user. How to do. 11. A client computer equipped with a card reader / writer device equipped with a license management client means and a server computer equipped with a license management server means installed by a card issuer and equipped with a license management database are connected via a network. 9. The license management system for an application program according to claim 7 or claim 8, wherein the license management client means is a target I according to an instruction from a card user.
The value of the serial number and the control variable recorded in the application program is read from the C card through the card reader / writer device, transmitted to the license management server means through a network, and transmitted from the license management server means. All the functions are validated by receiving a response and giving it to the application program. The license management server means holds public key data corresponding to the serial number of the distributed application program. When the serial number and the value of the control variable are received from the license management client means, the collation data is created by encrypting with the public key prepared corresponding to the serial number. Cereal That created the verification data after recorded in the license management database for items,
When the generated collation data is returned to the license management client means, and when the invalidation response is received from the license management client means, the encrypted part is decrypted by the corresponding public key to describe the serial number description part. By verifying that the serial number is valid by registering with the license management database, and returning the fact that the invalidation registration is completed to the license management client means. A license management system characterized by being able to manage invalidation and reactivation of application programs without omission.