JP2005100378A - Program execution device and authentication station device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a program execution device for securely executing programs by preventing unauthorized alteration and analysis. <P>SOLUTION: The program execution device includes; a processing means to be operated in accordance with a first and a second computer program and for controlling the operation in accordance with instructions from an external device; a first protection means for disconnecting the processing means from the external device while the processing means is operated in accordance with the first computer program; and a second protection means for protecting the first computer program while the processing means is operated in accordance with the second computer program. Thus, the program execution device protects the programs against an attack by external hardware as well as the attack by software. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a technique for preventing unauthorized tampering and analysis of a program.

In recent years, with the spread of PCs and the Internet, digital contents can be easily copied and edited. In order to prevent such illegal analysis and falsification of software, tamper resistant technology is indispensable.
Tamper resistance technology has been studied for some time, and Non-Patent Document 1 describes basic principles and specific methods for preventing software analysis. Non-Patent Document 2 describes technical problems and countermeasures regarding software analysis prevention.
"Protect software from reverse analysis and modification" Nikkei Electronics 1998.1.5 (pp. 209-220) “Software tamper resistance technology” Fuji Xerox Technical Report No. 13 (20-28 pages)

  However, in order to protect the program from malicious users, provision of various protection technologies is desired.

DISCLOSURE OF THE INVENTION Accordingly, the present invention has been made in view of such problems, and an object thereof is to provide a program execution apparatus that prevents unauthorized tampering and analysis and executes a program securely.
In order to achieve the above object, the present invention provides a program execution device that operates in accordance with the first and second computer programs, and that controls the operation in accordance with an instruction from an external device; A first protection means for separating the processing means from the external device when operating in accordance with the first computer program; and a first protection means for protecting the first computer program when the processing means operates in accordance with the second computer program. 2 is a program execution device.

  As a result, the program can be protected from both external hardware attacks and software attacks.

The present invention is a program execution device configured as described above.
According to this configuration, the program can be protected from both external hardware attacks and software attacks. Also, since it is disconnected from the external device, high security can be maintained.
Here, the second protection means includes a storage area in which the processing means writes data when the processing means operates in accordance with the first computer program, and the processing means includes the first computer program. Immediately before switching to the second computer program, the data written in the storage area may be encrypted, and when the second computer program is switched to the first computer program, the encrypted data may be decrypted.

The first computer program further includes a call instruction for calling the second computer program, and the second protection means immediately before the processing means executes the call instruction and switches to the second computer program. The data written in the storage area may be encrypted.
According to this configuration, when control is transferred to another program during execution of the first computer program, the data written in the storage area is encrypted, so that the data handled by the first computer program is transferred from the other program. It can be protected and analysis of the first computer program can be prevented. Further, since the data in the area is encrypted, the processing can be executed with a small amount of memory usage. As a result, high security can be maintained even in devices such as mobile phones and PDAs that have limited resources such as CPU processing speed and memory capacity.

  Here, the program execution device further includes an interrupt detection means for detecting the occurrence of an interrupt, the second computer program indicates a process to be performed when an interrupt occurs, and the second protection means If the interrupt detection means detects an interrupt while the processing means is executing the first computer program, the data written in the storage area is encrypted, and after the encryption, the processing means operates according to the second computer program. It may be allowed to do.

According to this configuration, when an interrupt occurs, the data handled by the first computer program is encrypted before the execution of the second computer, which is an interrupt process, so that the first computer program is analyzed from software analysis using the interrupt process. Can be protected.
Here, the program execution device further includes interrupt detection means for detecting occurrence of an interrupt, and further comprises storage means for storing an encrypted program generated by encrypting the first computer program, The computer program indicates processing to be performed when an interrupt occurs, and the second protection unit prohibits the processing unit from operating according to the second computer program, acquires a program decryption key, and acquires the acquired program decryption The encryption program is decrypted using a key to generate the first computer program, the program decryption key is erased, and after the program decryption key is erased, the processing means operates according to the second computer program You may allow that.

According to this configuration, since the interrupt is not accepted while the program key for decrypting the encrypted program is held, the program decryption key can be protected from the analysis using the interrupt. Can be prevented from serious analysis.
Here, the second protection means acquires a first falsification detection value generated based on at least a part when a processing program including the first computer program is generated, and the processing means is configured to acquire the first falsification value. Before executing the computer program, a second falsification detection value is generated based on at least a part of the processing program, and if the first falsification detection value and the second falsification detection value are different, the processing means The operation according to the first computer program may be suppressed.

According to this configuration, the second protection means prohibits the processing means from executing the first computer program when a falsification of the protection program is detected. Even if the first computer program is falsified, The falsified first computer program is not executed and damage can be reduced.
Here, the processing program may include the first tampering detection value, and the second protection unit may acquire the first tampering detection value from the processing program.

  According to this configuration, when the processing program holds a falsification detection value generated based on at least a part of the processing program, such as when the processing program is falsified, it is necessary to change the processing program In addition, only the processing program can be changed without changing other processing means of the program execution apparatus.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
1. Configuration of Secure Processing System 1 The secure processing system 1 includes a certificate authority device 100, a ROM writer 200, a portable terminal 300, and a memory card 400, as shown in FIG.
The secure processing system 1 is a system that protects a program executed by the mobile terminal 300 from unauthorized analysis and tampering. The program to be protected is generated in the certificate authority device 100 and written to the ROM by the ROM writer 200. The ROM in which the program is written is incorporated in the mobile terminal 300.

Here, the case where the program to be protected is an encrypted music data decryption program for decrypting encrypted music data recorded on the memory card 400 will be described as an example.
1.1 Certificate Authority Device 100
The certificate authority device 100 is a device that generates a second secure processing program including an area reservation program, an interrupt prohibition program, a calling program, a key reception program, an execution flag, an interrupt handler, a decryption program, and a secure program. The secure program includes an encrypted music data decryption program to be protected.

The generated second secure processing program is recorded in the ROM by the ROM writer 200 and incorporated into the portable terminal 300.
Each program will be described later.
As shown in FIG. 2, the certificate authority device 100 includes a compiler 101, a program encryption unit 102, a key encryption unit 103, a hash value calculation unit 104, a data embedding unit 105, a storage unit 106, and a transmission unit 107. The

Specifically, the certificate authority device 100 is a computer system including a microprocessor, ROM, RAM, a hard disk unit, a display unit, a keyboard, and the like. A computer program is stored in the RAM or the hard disk unit. The certificate authority apparatus 100 achieves its functions by the microprocessor operating according to the computer program.
(1) Compiler 101
The compiler 101 receives as input the source code of an area reservation program, an interrupt prohibition program, a key reception program, a protection program including an execution flag and an interrupt handler, a calling program, a decryption program, and a secure program. The calling program is a program that transmits data used when detecting whether or not the second secure processing program has been tampered with, and includes a TRS area head address. The TRS area program corresponds to the decryption program 516 and the encryption program 517 of the second secure processing program. The TRS area head address is the head address on the memory after being incorporated in the mobile terminal 300.

When the compiler 101 receives the source code of the calling program, the decryption program, the secure program, and the protection program, the compiler 101 compiles each program as shown in FIG. First, lexical analysis is performed (step S621), syntax analysis is performed (step S622), and binary data that is an executable program is generated (step S623).
The compiler 101 outputs the generated calling program binary data and protection program binary data to the data embedding unit 105. Also, the decryption program binary data and the secure program binary data are output to the program encryption unit 102.
(2) Program encryption unit 102
The program encryption unit 102 receives decryption program binary data and secure program binary data. It also accepts program key input. The program encryption unit 102 generates an encrypted program by applying the encryption algorithm E1 to the secure program using the program key. As an example, the encryption algorithm E1 is AES (Advanced Encryption Standard). Since AES is publicly known, description thereof is omitted. Of course, other encryption algorithms may be used.

The program encryption unit 102 outputs the decryption program and the encryption program to the data embedding unit 105 as a TRS area program.
The generated TRS area program is output to the hash value calculation unit 104.
(3) Key encryption unit 103
The key encryption unit 103 accepts input of a program key and a master key.

The key encryption unit 103 encrypts the program key by applying the encryption algorithm E1 using the master key, and generates an encryption key. The generated encryption key is output to the data embedding unit 105.
(4) Hash value calculation unit 104
The hash value calculation unit 104 calculates a hash value for at least a part of the second secure processing program.

Here, a TRS area program and a secret key are accepted as inputs, and a hash value for the TRS area program is calculated using the secret key.
For example, an algorithm used in HMAC (Keyed-Hashing for Message Authentication) is used to calculate the hash value.
Here, H is a hash function, K is a secret key, text is data to be hashed, opad is a character string in which the byte value Ox36 is repeated 64 times, ipad is a character string in which the byte value Ox5C is repeated 64 times, and Then, the algorithm for calculating the hash value is expressed as H (K XOR opad, H (K XOR ipad, text)).

Further, the hash value calculation unit 104 derives the binary size of the TRS area program.
The hash value calculation unit 104 outputs the generated hash value and the binary size of the TRS area program that is the target of hash value calculation to the data embedding unit 105.
(5) Data embedding unit 105
The data embedding unit 105 receives calling program binary data and protection program binary data from the compiler 101, and receives a hash value and a binary size from the hash value calculation unit 104. Also, the encryption key is received from the key encryption unit 103 and the TRS area program is received from the program encryption unit 102.

The data embedding unit 105 embeds the hash value received from the hash value calculation unit 104 in the calling program as a falsification detection value. Also, the binary size and the encryption key are embedded in the calling program. In addition, the calling program in which data is embedded is included in the protection program, and the protection program and the TRS area program received from the program encryption unit 102 are combined to generate a second secure processing program and write it to the storage unit 106.
(6) Storage unit 106
The storage unit 106 stores the second secure processing program written by the data embedding unit 105.
(7) Transmitter 107
The transmission unit 107 outputs the second secure processing program stored in the storage unit 106 to the ROM writer.
1.2 ROM writer 200
The ROM writer is connected to the certificate authority device 100 and writes a second secure processing program received from the certificate authority device 100 to the ROM. The ROM in which the program is written by the ROM writer 200 is incorporated into the portable terminal 300.
1.3 Memory card 400
As illustrated in FIG. 4, the memory card 400 includes a control unit 401, an input / output unit 402, an authentication unit 403, and an information storage unit 404.
(1) Input / output unit 402
The input / output unit 402 performs input / output of data between the other device and the control unit 401 when the memory card 400 is connected to another device.
(2) Information storage unit 404
The information storage unit 404 includes a data area 410 and a secure area 420.

The data area 410 stores encrypted music data 411. The encrypted music data 411 is generated by applying the encryption algorithm E1 to the music data in MP3 format using the title key 421.
The secure area 420 stores a title key 421 and can be read only by a device that has been successfully mutually authenticated with the authentication unit 403.

When data is recorded in the information storage unit 404, it may be encrypted and recorded based on information unique to the memory card 400.
(3) Authentication unit 403
The authentication unit 403 performs mutual authentication based on the mobile terminal 300 and a CPRM (Content Protection for Recordable Media) mechanism, and shares the key with the authenticated device when the authentication is successful. The shared key is output to the control unit 401. Since CPRM is publicly known, description thereof is omitted. Further, authentication may be performed according to another authentication method.
(4) Control unit 401
The control unit 401 inputs / outputs information with other devices via the input / output unit 402. The data stored in the secure area 420 permits access only to devices that have been successfully authenticated by the authentication unit 403. In addition, when outputting the data memorize | stored in the secure area | region 420, it encrypts using the shared key produced | generated by the authentication by the authentication part 403, and outputs it.

The data stored in the data area 410 permits access from other devices without performing authentication.
1.4 Mobile device 300
As shown in FIG. 5, the portable terminal 300 includes a CPU 301, a debugger interface 302, a debugger invalidation circuit 303, an interrupt controller 304, a memory 305, a memory card interface 306, an input unit 307, a display unit 308, a speaker 309, a decoder 310, The microphone 312, the conversion unit 313, the radio control unit 314, the radio unit 315, and the antenna 316 are connected by a bus 317, and an interrupt line 318 is connected from the interrupt controller 304 to the CPU 301.

Each configuration will be described below.
(1) Debugger invalidation circuit 303, debugger interface 302
The debugger invalidation circuit 303 is provided between the CPU 301 and the debugger interface 302, and can connect or disconnect the CPU 301 and the debugger interface 302.

When receiving a debugger control signal indicating “valid” from the CPU 301, the debugger invalidation circuit 303 connects the CPU 301 and the debugger interface 302, and when receiving a debugger control signal indicating “invalid” from the CPU 301, the CPU 301 and the debugger interface 302. And disconnect.
When the CPU 301 and the debugger interface 302 are connected, the debugger connected to the outside of the debugger interface 302 is effective, and when the CPU 301 and the debugger interface 302 are disconnected, the debugger 301 is connected to the outside. The debugger to be used is invalid. As a specific example, the debugger invalidation circuit 303 is realized by a switch. Note that the connection may be physically disconnected like a switch circuit, or may be electrically disconnected.

The debugger interface 302 is an interface for connecting the mobile terminal 300 to an external debugger.
(2) Memory 305
The memory 305 stores a first secure processing program 501, a second secure processing program 502, a vector table 503, a music playback program 504, and an application 505 shown in FIG.

(A) Second secure processing program 502
The second secure processing program 502 is a program generated by the certificate authority device 100 described above and recorded in the ROM, and is configured by each program shown in FIG.
Each program will be described below.
(Area reservation program 511)
The area securing program 511 secures a memory area for securing a dynamic memory used during execution of the authentication communication program 523 and the encrypted music data decryption program 524.

(Interrupt prohibited program 512)
The interrupt prohibition program 512 prohibits interrupt processing by masking interrupts.
(Calling program 513)
The calling program 513 calls and starts the first secure processing program 501.

The calling program 513 includes falsification detection data including a falsification detection value 541, a TRS area head address 542, a binary size 543, and an encryption key 544 shown in FIG. The first secure processing program 501 is called and falsification detection data is transmitted. The falsification detection data is data embedded in the data embedding unit 105 of the certificate authority device 100.
The falsification detection value 541 is a hash value calculated by the certificate authority device 100 for the range of the TRS area of the second secure processing program 502.

The TRS area head address 542 indicates the head address in the memory 305 of the data for which the hash value is calculated.
The binary size 543 indicates the binary size of the data for which the hash value is calculated.
The encryption key 544 is generated by encrypting the program key using the master key by the key encryption unit 103 of the certificate authority device 100.

(Key reception program 514)
The key reception program 514 receives the program key transmitted from the first secure processing program 501 and transmits it to the decryption program 516.
(Execution flag 515)
The execution flag 515 indicates whether or not the secure program is being executed. Before the decryption program 516 decrypts the encryption program 517, it is set to “ON” indicating that the secure program is being executed, and is set to “OFF” when the execution of the secure program is completed.

(Decryption program 516)
The decryption program 516 receives the program key from the key receiving program 514, decrypts the encryption program 517 using the decryption algorithm D1 using the program key, and generates a secure program.
Here, for decryption of the encryption program, a technique disclosed in WO04 / 013744 (2004.02.12) is used. This technology loads the encryption program into the memory little by little and executes it. For this reason, the entire decrypted program does not exist in the memory, and therefore the program is not analyzed even if the data in the memory is illegally read from the outside.

(Encryption program 517)
The encryption program 517 is generated by encrypting a secure program. The secure program includes an interrupt prohibition release program 521, an area initialization program 522, an authentication communication program 523, an encrypted music data decryption program 524, an area key 525, an area encryption program 526, an area decryption program 527, and an area shown in FIG. It is composed of an end processing program 528. The interrupt prohibition release program 521, the area initialization program 522, the authentication communication program 523, the area key 525, the area encryption program 526, the area decryption program 527, and the area end processing program 528 are used to transfer the encrypted music data decryption program 524 to the other Protect from programs.

(A) Interrupt prohibition release program 521
The interrupt prohibition cancel program 521 cancels the interrupt prohibition performed by the interrupt prohibition program 512.
(B) Area initialization program 522
The area initialization program 522 initializes the memory area secured by the area securing program 511 and secures a storage area to be encrypted.

The storage area is a storage area used by the authentication communication program 523 and the encrypted music data decryption program 524, in which data used during execution is written.
(B) Authentication communication program 523
The authentication communication program 523 holds an authentication key 531.
The authentication communication program 523 performs one-way authentication as to whether or not the first secure processing program 501 is a valid program.

(C) Encrypted music data decryption program 524
The encrypted music data decryption program 524 decrypts the encrypted music data 411 recorded on the memory card 400 by using the title key and the decryption algorithm D1 to generate music data. The decryption algorithm D1 is an algorithm that performs the reverse process of the encryption algorithm E1.

(D) Area key 525
The area key 525 is used when the data in the storage area is encrypted in the area encryption program 526 described below, and when the encrypted data is decrypted in the area decryption program 527.
(E) Area encryption program 526
The area encryption program 526 uses the area key 525 to encrypt the data in the storage area by applying the encryption algorithm E2. Note that the encryption algorithm E2 is an algorithm that can perform processing faster than the encryption algorithm E1, and is an XOR operation as an example. Note that the encryption algorithm E2 is not limited to the XOR operation, and other encryption algorithms may be used, which are determined by required security strength and CPU processing capability.

When the first secure processing program 501 is called from the second secure processing program 502, the region encryption program 526 encrypts data in the storage region before the control is transferred to the first secure processing program 501.
(F) Area decoding program 527
When the control returns from the first secure processing program 501 to the second secure processing program 502, the area decryption program 527 decrypts the encrypted data in the storage area by applying the decryption algorithm D2, and returns it to plaintext data. .

(G) Area end processing program 528
The area end processing program 528 releases the storage area secured by the area initialization program 522, calls the end function of the first secure processing program 501, and ends the music data reproduction process.
(Interrupt handler 518)
The interrupt handler 518 is executed when an interrupt occurs during the execution of the second secure processing program 502. The interrupt handler 518 holds an encryption / decryption key (not shown).

FIG. 9 shows the processing of the interrupt handler 518. Note that the interrupt handler 518 is actually a computer program, but will be described with reference to a flowchart in FIG. 9 for simplicity.
The execution flag 515 is read (step S611). Next, it is determined whether the read execution flag 515 indicates “ON” or “OFF” (step S612). If it indicates “ON” (ON in step S612), the storage area is stored using the encryption / decryption key. The data is encrypted by applying the encryption algorithm E2 (step S613). Thereafter, the process proceeds to interrupt processing. If the read execution flag indicates “OFF” (OFF in step S612), the process proceeds to interrupt processing without encrypting the data in the storage area.

When the interrupt processing is completed, if the execution flag indicates “ON” (ON in step S614), the data in the storage area is decrypted by applying the decryption algorithm D2 using the encryption / decryption key (step S615), and the original processing Return to. When the execution flag indicates “OFF” (OFF in step S614), the process returns to the original process without performing the decoding process.
(B) First secure processing program 501
As shown in FIG. 10, the first secure processing program 501 includes a circuit disconnection program 551, a falsification detection program 552, a key decryption program 553, a key transmission program 554, an authentication communication program 555, a data read program 556, and a circuit connection program 557. Configured and executed in the secure processing mode of the CPU 301. The secure processing mode will be described later.

(Circuit cutting program 551)
When the first secure processing program 501 is activated, the circuit disconnection program 551 outputs a debugger control signal indicating “invalid” to the debugger invalidation circuit 303.
(Falsification detection program 552)
The falsification detection program 552 includes a secret key 562 and detects falsification of the second secure processing program 502. The falsification detection program 552 acquires falsification detection data from the second secure processing program 502.

  The falsification detection program 552 reads the data of the size indicated by the binary size from the position indicated by the acquired TRS area start address in the memory 305 as the TRS area program that is the target of hash value calculation. A hash function is calculated by applying a hash function to the read TRS area program using the secret key 562. The calculated hash value is compared with the acquired falsification detection value. If they are the same, it is determined that the falsification has not been made. If they are not the same, it is determined that they have been tampered with, and subsequent processing is prohibited.

(Key decryption program 553)
The key decryption program 553 includes a master key 563. If the falsification detection program 552 does not detect falsification of the second secure processing program 502, the key decryption program 553 decrypts the encryption key 544 with the decryption algorithm D1 using the master key 563, and decrypts the program key. Generate. The generated program key is transmitted to the key transmission program 554.

(Key transmission program 554)
The key transmission program 554 receives the program key from the key decryption program 553 and transmits it to the second secure processing program 502.
(Authentication communication program 555)
The authentication communication program 555 includes an authentication key 565, and authenticates with the second secure processing program 502 using the authentication key 565. If authentication is successful, the session key is shared. Thereafter, when transmitting / receiving data to / from the second secure processing program 502, encrypted communication is performed using the session key.

(Data reading program 556)
The data reading program 556 performs mutual authentication with the memory card 400 according to the CPRM method, and when the authentication is successful, accesses the secure area 420 of the memory card 400 and acquires the title key 421.
(Circuit connection program 557)
The circuit connection program 557 outputs a debugger control signal indicating “valid” to the debugger invalidation circuit 303.

(C) Vector table 503
As shown in FIG. 11, the vector table 503 describes processing destinations when software interrupts, exceptions, and hardware interrupts occur.
(D) Music playback program 504
The music reproduction program 504 is a program for performing reproduction processing on the music data decrypted by the second secure processing program 502, and sends the music data to be reproduced to the buffer 311.

(E) Application 505
The application 505 receives an input by a user operation. Further, the second secure processing program 502 is activated in accordance with the input.
(3) CPU301
The CPU 301 operates in accordance with a program stored in the memory 305. Further, the operation is controlled by an instruction of a debugger connected via the debugger interface 302. As shown in FIG. 12, the CPU 301 fetches an instruction of the program stored in the memory 305 (step S601), interprets the read instruction (step S602), and executes it (step S603). Further, the address of the program counter is advanced (step S604), the next instruction is fetched, and the process is repeated.

Here, the CPU 301 performs processing in one of the secure processing mode and the normal processing mode. The normal processing mode indicates a state in which the CPU 301 is performing normal processing, and the secure processing mode is a mode in which processing is performed with high security so that the data in the memory cannot be observed from the outside with high security. .
The CPU 301 executes the first secure processing program 501 in the secure processing mode and executes the second secure processing program 502 in the normal mode.

  In addition, the CPU 301 receives an interrupt signal from the interrupt controller 304 via the interrupt line 318. The CPU 301 does not accept an interrupt when the interrupt prohibition program 512 of the second secure processing program 502 is being executed. When the interrupt signal is accepted when the interrupt inhibition is released, the address corresponding to the processing of the accepted interrupt signal is read with reference to the vector table of FIG. Processing is performed according to the interrupt handler of the read address, and when the interrupt processing ends, the processing returns to the original processing.

When receiving an interrupt signal during the execution of the second secure processing program 502, the CPU 301 refers to the vector table 503 and executes the interrupt handler 518 shown in FIG.
(4) Input unit 307
The input unit 307 receives an external input from the user.
When receiving an input from the outside, the input unit 307 notifies the interrupt controller 304 of the occurrence of an interrupt.
(5) Interrupt controller 304
The interrupt controller 304 outputs an interrupt signal to the CPU 301 through the interrupt line 318 when notified of the occurrence of an interrupt such as mail reception, incoming call, or user operation from the input unit 307 or the wireless control unit 314.
(6) Speaker 309 and decoder 310
The decoder 310 includes a buffer 311, the buffer 311 buffers audio data received from the CPU 301, and the speaker 309 generates and outputs an audio signal from the audio data stored in the buffer 311.
(7) Memory card interface 306
The memory card interface 306 is an interface for connecting the mobile terminal 300 and the memory card 400, and outputs data to the memory card 400 under the control of the CPU 301, and outputs data to the CPU 301 when data is received from the memory card 400. To do.
(8) Radio control unit 314, radio unit 315, antenna 316
The antenna 316, the radio unit 315, and the radio control unit 314 perform transmission / reception of voice or information with a connected partner device via a radio base station and a mobile phone network.

Here, the radio control unit 314 notifies the interrupt controller 304 of an interrupt when receiving a mail via the antenna 316 and the radio unit 315 and when there is an incoming call.
(9) Microphone 312 and conversion unit 313
The conversion unit 313 converts the sound received from the microphone 312 into an electrical signal and outputs it to the wireless control unit 314.
2. Operation of Secure Processing System 2.1 Operation of Certificate Authority Device 100 When the compiler 101 receives input of the calling program source code and the protection program source code, the compiler 101 generates and generates the calling program binary data and the protection program binary data. The binary data is output to the data embedding unit 105. Also, it receives input of the decryption program source code and secure program source code, compiles to generate binary data of each program, and outputs the generated binary data to the program encryption unit 102.

  When the program encryption unit 102 receives the decryption program and the binary data of the secure program and receives the program key, the program encryption unit 102 encrypts the secure program using the program key and generates an encrypted program. The decryption program and the generated encryption program are output to the data embedding unit 105 and the hash value calculation unit 104 as a TRS area program.

When the hash value calculation unit 104 receives the TRS area program and receives the secret key, it applies a hash function to calculate a hash value for the TRS area program. Also, the size of the TRS area program binary data is derived. The hash value calculation unit 104 outputs the hash value and binary size to the data embedding unit 105.
When receiving the input of the program key and the master key, the key encryption unit 103 encrypts the program key using the master key and generates an encryption key. The generated encryption key is output to the data embedding unit 105.

  When the data embedding unit 105 receives the calling program binary data and receives the hash value, binary size, and encryption key, the data embedding unit 105 embeds the hash value in the calling program as a falsification detection value, and further stores the binary size and encryption key in the calling program binary. Embed in data. When the protection program binary data is received from the compiler and the TRS area program is received from the program encryption unit 102, the second secure processing program is generated by combining the protection program including the calling program and the TRS area program, and the storage unit 106 is written.

The transmission unit 107 reads the second secure processing program from the storage unit 106 and outputs it to the ROM writer 200.
2.2 Operation of Music Data Reproduction Process in Portable Terminal 300 (1) The operation when the portable terminal 300 reproduces music data recorded on the memory card 400 will be described with reference to FIGS.

When receiving an input to reproduce the music data recorded on the memory card 400 from the input unit 307 of the portable terminal 300 by the user's operation, the application 505 activates the second secure processing program 502 (step S701). .
The second secure processing program 502 secures a virtual memory space for dynamically securing the memory while executing the TRS area program by executing the area securing program 511 (step S702). Also, the interrupt prohibition program 512 is executed to prohibit interrupts and invalidate the program analysis action using the interrupts (step S703). After that, interrupts are masked until interrupt disable is released. Next, the calling program 513 is executed to transmit the falsification detection data and call the first secure processing program 501 (step S704).

  The first secure processing program 501 receives the falsification detection value, the TRS area head address, the binary size, and the encryption key as falsification detection data from the second secure processing program 502 (step S705). The circuit disconnection program 551 is executed to output a debugger control signal indicating “invalid” to the debugger invalidation circuit 303 (step S706). As a result, the debugger invalidation circuit 303 disconnects the switch and invalidates the analysis by the debugger.

Further, the falsification detection program 552 is executed as follows.
The falsification detection program 552 reads data in a range indicated by the binary size as target data for hash value calculation from the position indicated by the TRS area head address received in step S705. Also, a hash value for the extracted target data is calculated using the secret key (step S709).

  The calculated hash value is compared with the falsification detection value received in step S708, and it is determined whether or not they match (step S710). If they do not match (NO in step S710), the subsequent processing is suppressed as having been tampered with. Also, the circuit connection program 557 is executed to output a debugger control signal indicating “valid” to the debugger invalidation circuit 303 (step S737), and the process is terminated.

  If the hash value calculated in step S709 matches the falsification detection value (YES in step S710), the subsequent processing is continued assuming that the falsification has not been made. The first secure processing program 501 executes the key decryption program 553. The key decryption program 553 decrypts the encryption key received in step S708 using the master key 563, and generates a program key (step S711). The generated program key is transmitted to the key transmission program 554. The key transmission program 554 transmits the received program key to the second secure processing program 502 (step S712).

  The second secure processing program 502 receives the program key by executing the key receiving program 514 (step S713). Further, the execution flag is set to “ON” (step S714). Next, the decryption program 516 is executed. The decryption program 516 decrypts the encryption program 517 using the received program key to generate a secure program (step S715). When the secure program is generated, the program key used for decryption is deleted (step S716).

The second secure processing program 502 starts executing the secure program (step S717).
First, the interrupt prohibition release program 521 is executed. The interrupt prohibition cancellation program 521 cancels the interrupt prohibition performed in step S703 (step S718). Thereafter, when an interrupt occurs, the secure program is interrupted and interrupt processing is executed. Processing when an interrupt occurs will be described later.

Next, the area initialization program 522 is executed to secure a storage area to be encrypted in the memory space (step S719).
The second secure processing program 502 executes the authentication communication program 523 and performs the processing described below to authenticate the first secure processing program 501 (step S720). The first secure processing program 501 executes the authentication communication program 555 and receives authentication. If the authentication fails, the second secure processing program 502 suppresses subsequent processing. If the authentication fails, the first secure processing program 501 outputs a debugger control signal indicating “valid” to the debugger invalidation circuit 303 (step S737) and ends the process.

If the authentication is successful, the second secure processing program 502 and the first secure processing program 501 share the session key. Thereafter, when communication is performed between the second secure processing program 502 and the first secure processing program 501, encrypted communication is performed using the shared session key.
The second secure processing program 502 transfers control to the music playback program when the authentication is successful.

The music playback program 504 reads the encrypted music data 411 from the memory card 400 (step S721). In addition, the music playback program 504 requests the second secure processing program 502 to decrypt the encrypted music data 411 (step S722).
When requested to decrypt the encrypted music data 411, the second secure processing program 502 executes the area encryption program 526. The area encryption program 526 encrypts the data in the storage area secured in step S719 using the area key 525 (step S723). When the storage area is encrypted, the second secure processing program 502 requests the first secure processing program 501 to obtain a title key (step S724).

  The first secure processing program 501 executes the data reading program 556. The data read program 556 performs mutual authentication with the authentication unit 403 of the memory card 400 (step S725). When the authentication is successful (YES in step S726), the data read program 556 accesses the information storage unit 404 of the memory card 400 to access the title key. To get. If the authentication fails, the title key cannot be acquired, and the first secure processing program 501 outputs a debugger control signal indicating “valid” to the debugger invalidation circuit 303 (step S737) and ends the process. .

When the first secure processing program 501 succeeds in mutual authentication with the memory card 400 and acquires the title key (step S727), the first secure processing program 501 encrypts the title key using the session key shared in step S720, and uses the encrypted title key. Generate (step S728). The generated encrypted title key is transmitted to the second secure processing program 502.
The second secure processing program 502 executes the area decryption program 527. The area decryption program 527 decrypts the encrypted storage area using the area key 525 and returns it to the original state (step S729). Further, the authentication communication program 523 decrypts the encrypted title key received from the first secure processing program 501 using the session key, and obtains a title key (step S730). Next, the second secure processing program 502 executes the encrypted music data decryption program 524. Using the title key, the encrypted music data decryption program 524 decrypts the encrypted music data 411 read from the memory card 400 by the music playback program (step S731), and generates music data. The generated music data is transmitted to the music playback program.

The music playback program plays back the received music data (step S732).
When the reproduction of the music data is finished (step S733), the control is transferred to the second secure processing program 502, and the second secure processing program 502 executes the region end processing program 528. The area end processing program 528 releases the storage area secured in step S719 (step S734) and calls the end function of the first secure processing program 501 (step S735). Further, the execution flag is set to “OFF” (step S736).

The first secure processing program 501 executes the circuit connection program 557, outputs a debugger control signal indicating “valid” to the debugger invalidation circuit 303 (step S737), and ends the processing.
(2) Authentication Processing when the second secure processing program 502 authenticates the first secure processing program 501 in step S720 described above will be described with reference to FIG.

The second secure processing program 502 generates a random number R0 and transmits it to the first secure processing program 501 (step S751).
The first secure processing program 501 receives the random number R0, encrypts the received random number R0 using the authentication key 565, and generates an authentication value R1 (step S752). The generated authentication value R1 is transmitted to the second secure processing program 502 (step S753).

  The second secure processing program 502 receives the authentication value R1 from the first secure processing program 501. Also, the random number R0 generated using the authentication key 531 is encrypted to generate an authentication value R2 (step S754). The second secure processing program 502 compares the received authentication value R1 and the generated authentication value R2 (step S755), and if they do not match (NO in step S755), “different” is indicated to the first secure processing program 501. The determination result shown is transmitted, and the process ends. If the comparison results in step S755 match (YES in step S755), a determination result indicating “same” is transmitted to the first secure processing program 501. Further, a session key is generated from the generated random number R0 and the authentication key 531 using a one-way function (step S759).

If the received determination result indicates “different” (difference in step S758), the first secure processing program 501 ends the process. If the received determination result indicates “same” (same in step S758), a session key is generated from the random number R0 and the authentication key 565 using a one-way function (step S760).
In this way, the second secure processing program 502 authenticates the first secure processing program 501 and shares the session key if the authentication is successful. Thereafter, when data is transmitted and received between the second secure processing program 502 and the first secure processing program 501, the communication is performed by encrypting using the session key.
(3) Interrupt The operation of the CPU 301 when there is an interrupt will be described with reference to FIG. Here, a case where mail is received will be described as an example.

When receiving an interrupt signal from the interrupt controller 304 (step S771), the CPU 301 reads the vector table (step S772). Further, the interrupt handler is executed according to the vector table (step S773).
First, an execution flag is read (step S774), and it is determined whether it is “ON” or “OFF” (step S775). If “ON” (ON in step S775), the data in the storage area is encrypted using the area key 525 (step S776). Further, the context is saved (step S777), and mail reception processing is performed (step S778). If the execution flag is “OFF” (OFF in step S775), the processes in steps S777 and 778 are performed without performing encryption in the storage area.

When the mail reception process ends, if the execution flag is “ON” (ON in step S779), the data in the storage area is decrypted (step S780), and the process returns to the original process. If the execution flag is “OFF” (OFF in step S779), the process returns to the original process without performing the decoding process.
3. Other Modifications Although the present invention has been described based on the above-described embodiment, it is needless to say that the present invention is not limited to the above-described embodiment. The following cases are also included in the present invention.
(1) In the present embodiment, the case where the encrypted music data decryption program executed on the portable terminal is protected has been described as an example, but the present invention is not limited to this.

A device that executes a program to be protected may be a DVD player, a DVD recorder, a PC, a PDA, or the like.
Further, the program to be protected may be a decryption program used when executing video content or a game on a portable terminal, or may be a recording program used when recording content with a DVD recorder. Any program that wants to prevent unauthorized analysis and tampering can be used.
(2) Although the hash value is used as the falsification detection value in this embodiment, the falsification detection value may be a value uniquely determined for the TRS area program, and is a digital signature for the TRS area program. Alternatively, encrypted data generated by encrypting the TRS area program may be used as the falsification detection value. The hash value may be calculated using another algorithm.

Further, although the falsification detection value is generated for the TRS area program, it may be generated for at least a part of the TRS area program, or for at least a part of the second secure processing program. It may be generated.
It is also possible to perform matching for a part or all of the second secure processing program or TRS area program, or to detect falsification by embedding pseudo-random numbers, and detect whether the program to be executed is the same as when it was generated. If possible, other tamper detection methods may be used.

In this embodiment, the falsification detection is performed after the debugger invalidation circuit is disconnected. However, the falsification detection is performed before the debugger invalidation circuit is disconnected, and if no falsification is detected, the debugger invalidation circuit is set. It is good also as cutting and performing a subsequent process.
(3) The falsification detection data is transmitted by the calling program of the second secure processing program to the first secure processing program 501, but may be transmitted by a program different from the second secure processing program. In this case, the calling program only calls the first secure processing program 501, and the transmission program for transmitting the falsification detection data is stored in the memory 305. The first secure processing program 501 is the second secure processing program 501. When called by the program and activated, it requests the transmission program to transmit falsification detection data. The transmission program transmits the falsification detection data in response to the request.

In this case, the certificate authority device 100 does not include the transmission program in the protection program and generates it as a program different from the second secure processing program.
Further, the first secure processing program 501 may hold the alteration detection data of the second secure processing program in advance.
(4) In this embodiment, the second secure processing program uses the one-way authentication for authenticating the first secure processing program 501, but the authentication may be performed in both directions. Further, although challenge-response type authentication is performed, the present invention is not limited to this, and other authentication methods may be used as long as the authenticity of the communication partner can be authenticated.

The authentication values R1 and R2 are generated by encrypting the random number R0 using the authentication key, but may be generated by applying a one-way function to the random number R0.
In addition, the session key is generated from the random number R0 and the authentication key using a one-way function, but may be generated using an encryption method.
(5) The area encryption program 526 encrypts the storage area when calling the first secure processing program 501 from the second secure processing program. However, when calling the external function from the second secure processing program, 2. When control is transferred to a program other than the secure processing program, the storage area is encrypted to protect the data in the storage area.

Further, when the control returns from the other program to the second secure processing program, the area decryption program 527 decrypts the data in the storage area and restores the original data.
(6) The master key may be unique for each device that executes a program to be protected. In this case, even if the master key is stolen by an unauthorized user, the device other than the device whose key was stolen is encrypted using another key. It does not work properly. Therefore, damage caused by illegal acts can be reduced.
(7) The authentication key is configured to be held by the first secure processing program 501 and the second secure processing program, but may be calculated based on the program key or the falsification detection value.

Further, the certificate authority device 100 may encrypt the authentication key using the master key. In this case, the program key for decrypting the encrypted program is calculated based on the authentication key.
As described above, any key may be encrypted as long as the key used for authentication and the key used for decryption of the encryption program have a dependency. Further, the encryption hierarchy may be deepened using more keys, such as encrypting the encrypted key with another key.
(8) The present invention may be the method described above. Further, the present invention may be a computer program that realizes these methods by a computer, or may be a digital signal composed of the computer program.

  The present invention also provides a computer-readable recording medium such as a flexible disk, hard disk, CD-ROM, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray Disc). ), Recorded in a semiconductor memory or the like. Further, the present invention may be the computer program or the digital signal recorded on these recording media.

In the present invention, the computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network represented by the Internet, or the like.
The present invention may be a computer system including a microprocessor and a memory, wherein the memory stores the computer program, and the microprocessor operates according to the computer program.

In addition, the program or the digital signal is recorded on the recording medium and transferred, or the program or the digital signal is transferred via the network or the like, and is executed by another independent computer system. It is good.
(9) The above embodiment and the above modifications may be combined.

  In the software industry that provides software such as contents and computer programs in which works such as movies and music are digitized, the present invention can be used managemently, repetitively, and continuously. In addition, the program execution device of the present invention can be produced and sold in the manufacturing industry of electrical appliances and the like.

1 shows the overall configuration of a secure processing system 1. 2 is a block diagram showing a configuration of a certificate authority device 100. FIG. It is a flowchart which shows the processing content of a compiler. 3 is a block diagram showing a configuration of a memory card 400. FIG. 2 is a block diagram showing a configuration of a mobile terminal 300. FIG. A program recorded in the memory 305 is shown. The data structure of a 2nd secure processing program is shown. The data structure of a calling program is shown. It is a flowchart which shows the processing content of an interrupt handler. The data structure of the 1st secure processing program 501 is shown. The structure of a vector table is shown. The operation of the CPU 301 is shown. It is a flowchart which shows a music data reproduction process. Continuing with FIG. It is a flowchart which shows a music data reproduction process. Continuing with FIG. It is a flowchart which shows a music data reproduction process. Continuing with FIG. It is a flowchart which shows a music data reproduction process. Continuing with FIG. It is a flowchart which shows a music data reproduction process. It is a flowchart which shows an authentication process. It is a flowchart which shows operation | movement of CPU301 at the time of interruption generation | occurrence | production.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Secure processing system 100 Certificate authority apparatus 101 Compiler 102 Program encryption part 103 Key encryption part 104 Hash value calculation part 105 Data embedding part 200 ROM writer 300 Portable terminal 303 Debugger invalidation circuit 304 Interrupt controller 305 Memory 306 Memory card Interface 317 Bus 318 Interrupt line 400 Memory card 421 Title key 501 Secure processing program 502 Secure processing program

Claims (11)

A program execution device,
Processing means that operates in accordance with the first and second computer programs, and that controls the operation in accordance with instructions from an external device;
First protection means for disconnecting the processing means from the external device when the processing means operates in accordance with the first computer program;
And a second protection means for protecting the first computer program when the processing means operates in accordance with the second computer program. The second protection means includes
When the processing means is operating according to the first computer program, the processing means includes a storage area for writing data,
When the processing means encrypts data written in the storage area immediately before switching from the first computer program to the second computer program and switches from the second computer program to the first computer program, the encryption The program execution device according to claim 1, wherein the data is decrypted. The first computer program further includes a call instruction for calling the second computer program,
The second protection unit encrypts data written in the storage area immediately before the processing unit executes the call instruction and switches to the second computer program. Program execution device. The program execution device further includes:
An interrupt detection means for detecting the occurrence of an interrupt is provided,
The second computer program indicates processing to be performed when an interrupt occurs,
The second protection means encrypts data written in the storage area when the interrupt detection means detects an interrupt while the processing means is executing the first computer program, and after the encryption, the processing means 3. The program execution device according to claim 2, wherein the program execution device is permitted to operate according to the second computer program. The program execution device further includes:
An interrupt detection means for detecting the occurrence of an interrupt is provided,
Storage means for storing an encrypted program generated by encrypting the first computer program;
The second computer program indicates processing to be performed when an interrupt occurs,
The second protection means includes
Prohibiting the processing means from operating in accordance with the second computer program;
Obtaining a program decryption key, decrypting the encrypted program using the obtained program decryption key to generate the first computer program, erasing the program decryption key,
The program execution device according to claim 1, wherein after the program decryption key is erased, the processing means is allowed to operate according to the second computer program. The second protection means acquires a first tampering detection value generated based on at least a part when a processing program including the first computer program is generated,
Before the processing means executes the first computer program, a second falsification detection value is generated based on at least a part of the processing program,
2. The program execution device according to claim 1, wherein when the first falsification detection value and the second falsification detection value are different, the processing unit is prevented from operating according to the first computer program. The processing program includes the first falsification detection value,
The program execution device according to claim 6, wherein the second protection means acquires the first falsification detection value from the processing program. Falsification detection value generation means for generating a falsification detection value based on at least a part of the processing program including the protection target program;
A certificate authority apparatus comprising: an embedding unit that embeds the generated falsification detection value in the processing program. The certificate authority device further includes:
An encryption key is obtained by encrypting a program decryption key used for decrypting an encrypted program obtained by encrypting the first computer program based on a device key held by a program execution device permitted to execute the protection target program. A key encryption means for generating,
The certificate authority apparatus according to claim 8, wherein the embedding unit further embeds the encryption key in the processing program. A program used in a program execution device,
The program execution device includes a storage area used during execution of the protection target program,
The program is
An encryption step for encrypting data in the storage area immediately before switching from the protection target program to another program during execution of the protection target program;
And a decryption step of decrypting data in the storage area when the protection program is switched from the other program. The program execution device holds an encrypted program obtained by encrypting a secure program including the protection target program,
The program further includes:
A prohibition step that prohibits execution of other programs;
Obtaining a program decryption key used for decrypting the encrypted program after being prohibited; and
A program decrypting step of decrypting the encrypted program and generating the secure program using the program decryption key;
An erasing step of erasing the program decryption key;
The program according to claim 10, further comprising: a permission step for permitting execution of the other program after the program decryption key is erased.

Images