JP2005196410A - Data communication device and memory management method for data communication device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform a cancellation by an easy procedure in a state where a file system of a service provider agent is stored on a memory area without having the danger of cracking it. <P>SOLUTION: The memory area includes a "disposal flag". A protocol interface part determines the disposal flag on the memory area prior to access from external equipment or a program, and accepts access to an operating system when the disposal flag is false. On receipt of a disposal request by a disposal command from a card issuer, the disposal flag on the memory area is set to true so as not to accept the accesses to the operating system afterward. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a data communication apparatus having a relatively large memory area and a memory management method for the data communication apparatus, and more particularly, to secure electronic transactions such as electronic payment by storing electronic value information in the memory area. The present invention relates to a data communication apparatus for exchanging various information and a memory management method for the data communication apparatus.

  More specifically, the present invention relates to a data communication apparatus and data communication for allocating a file system for a service provider to a memory area and managing information for service operation by the provider in the file system. BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a memory management method for a device, and more particularly, to a data communication device and a data communication device in which a file system of a service provider is stored in a memory area and there is no risk of being cracked and discarded by an easy procedure The present invention relates to a memory management method.

  An example of a wireless communication means that can be applied only locally is a non-contact IC card.

  This type of wireless communication is generally realized based on the principle of electromagnetic induction. That is, an IC card having a memory function and a card reader / writer that performs read / write access to the memory of the IC card, a loop coil on the IC card side as a primary coil and a card as a secondary coil The antenna on the reader / writer side forms one transformer as a system. Then, power and information are similarly transmitted from the card reader / writer side to the IC card by electromagnetic induction, and the IC card side is driven by the supplied power to generate an inquiry signal from the card reader / writer side. You can respond to it.

  On the card reader / writer side, data is transmitted from the card reader / writer to the IC card by modulating the current that flows through the antenna, thereby modulating the induced voltage of the loop coil on the IC card. be able to. In addition, the IC card has a card reader due to the effect that the impedance between the antenna terminals on the IC card reader / writer side changes due to the load fluctuation between the terminals of the loop coil and the passing current and voltage of the antenna fluctuate. / Reply to the writer.

  Non-contact / proximity communication systems represented by IC cards are widely used because of their ease of operation. For example, while storing code codes, other personal authentication information, and value information such as electronic tickets on IC cards, card readers / writers are installed at cash dispensers, concert hall entrances, and ticket gates at stations. Keep it. Then, when the user holds the IC card over the card reader / writer, the user can access and perform the authentication process.

  Recently, along with improvements in miniaturization technology, IC cards having a relatively large memory space have appeared. Since an IC card with a large-capacity memory can store a plurality of applications simultaneously, one IC card can be used for a plurality of purposes. For example, by storing a large number of applications such as electronic money for electronic payment and electronic ticket for entering a specific concert venue on a single IC card, It can be applied to various uses. The electronic money and electronic ticket mentioned here refer to a mechanism in which payment (electronic payment) is made through electronic data issued according to funds provided by a user, or such electronic data itself.

  A general method of using an IC card is performed by a user holding the IC card over a card reader / writer. The card reader / writer side always polls the IC card, and when an external IC card is found, the communication operation between the two starts.

  At this time, the user inputs the personal identification number to the IC card reader side and collates the input personal identification number with the personal identification number stored on the IC card, so that the IC card and the IC card reader / writer can be compared. The identity verification or authentication process is performed. (The personal identification number used when accessing the IC card is called a PIN (Personal Identification Number) in particular.) And, when the identity verification or authentication process is successful, for example, an application stored in the IC card. Use, that is, access to a service memory area allocated to an application is possible (in this specification, a memory area allocated to an application is referred to as a “service memory area”). Access to the service memory area is appropriately encrypted according to the security level of the application.

  Furthermore, the IC card and the card reader / writer (card reader / writer) include a wired interface (not shown) for connecting to an external device in addition to the wireless / contactless interface. It is possible to equip each device such as a mobile phone, a PDA (Personal Digital Assistance), a CE (Consumer Electronics) device, or a personal computer with either or both of an IC card and a card reader / writer. In such a case, the IC card technology can be used as a versatile bidirectional proximity communication interface.

  For example, when a proximity communication system is configured between devices such as computers and information home appliances, non-contact communication using an IC card is performed one-to-one. In addition, it is possible for a certain device to communicate with a partner device other than a device such as a non-contact IC card. In this case, an application that performs one-to-many communication between one device and a plurality of cards is also conceivable.

  In addition, various applications using an IC card, such as electronic value information exchange with the outside such as electronic payment, can be executed on the information processing terminal. For example, user interaction with an IC card can be performed on the information processing terminal using a user interface such as a keyboard or display on the information processing terminal. Further, since the IC card is connected to the mobile phone, the contents stored in the IC card can be exchanged via the telephone network. Furthermore, it is possible to pay the usage fee with an IC card by connecting to the Internet from a mobile phone.

  In this way, a file system for a certain service provider company is allocated to the built-in memory of the IC card, and information (for example, user identification / authentication information of the user) for service operation by the company in this file system is allocated. And the remaining value information, usage history (log), etc.) to realize useful services based on contactless / proximity communication that replace conventional prepaid cards and service cards for each store. Can do.

  Conventionally, an IC card is issued for each service provider, and is used for the user. For this reason, the user has to prepare and carry IC cards for each service he / she wants to use. On the other hand, according to the IC card having a relatively large memory space, it is possible to secure a sufficient capacity for recording information on a plurality of services in the built-in memory of a single IC card.

  Here, with regard to prepaid cards such as prepaid cards, the main purpose is to ensure proper operation of operations such as issuance, to protect the profits of buyers of prepaid cards and to maintain credit for prepaid cards. As a special purpose, the “Regulation for Prepayment Voucher Regulations” (commonly known as the “Preca Act”) has been enacted for registration and other necessary regulations for issuers of prepayment vouchers. It is obliged to display certain items such as logos and contact information on the prepaid card (ticket face) for the purpose of maintaining convenience and distribution order (see Article 12 of the same law).

  When a prepaid card is realized by storing prepaid information in the memory function of the IC card, only a single service can be provided by printing necessary information regulated by law on a medium. On the other hand, when the IC card function is used on a portable terminal having a display function such as a mobile phone, information related to desired value information is displayed on the screen (for example, see Patent Document 1). The above-mentioned laws and regulations can be satisfied, and sharing by a plurality of service provider companies is possible. Therefore, the burden of issuing cards is reduced in the service provider, and the number of IC cards that are carried and managed by the user can be reduced.

JP 2003-141434 A

  Here, let us consider the disposal method of IC cards that have finished using the service.

  Conventionally, information written in the nonvolatile memory could be erased, but for this purpose, only the function of erasing the entire area in the nonvolatile memory can be used together.

  In addition, since the procedure for discarding data is complicated and the memory area can be accessed even after the data is erased, it is possible to crack the interface and IC card function of the IC card itself, Become a security threat.

  In order to completely eliminate such a threat, all data on the memory area of the IC card, data access means, and other functions must be disabled. This requires that the card itself be physically crushed or erased, and costs are required to protect security.

  For example, when an IC card is not used alone but is used as a mobile phone (or other portable terminal or CE device) incorporating a semiconductor chip on which a so-called IC card function is mounted, it is carried on the IC card. I want to continue to use the original functions of the device even after I stop using the service, but I have to physically discard the device itself.

  The present invention takes into account the technical problems as described above, and its main purpose is to store electronic value information in a memory area and to suitably exchange secure information including electronic payments. An object of the present invention is to provide an excellent data communication apparatus and a memory management method for the data communication apparatus that can be performed.

  A further object of the present invention is to provide an excellent data which can allocate a file system for a service provider to a memory area and manage information for service operation by the provider in the file system. To provide a memory management method for a communication device and a data communication device.

  A further object of the present invention is to provide an excellent data communication apparatus and data which can be destroyed by an easy procedure without risk of being cracked in a state where a file system of a service provider is stored in a memory area. The object is to provide a memory management method for a communication device.

The present invention has been made in view of the above problems, and is a data communication apparatus that has a memory space and is divided and managed into one or more file systems,
Protocol interface means for processing access to the memory space from an external device or program;
A discard flag assigned to the memory space and indicating whether or not the memory space is discarded;
The protocol interface means confirms the discard flag when accepting access from an external device or program, and rejects access when the value is true.
This is a data communication apparatus. The data communication device referred to here is the same as a wireless communication unit, a non-contact IC card containing an IC chip having a data transmission / reception function and a data processing unit, a contact IC card having a terminal on the surface, and a contact / non-contact IC card It is a device in which an IC chip having a function is incorporated in an information communication terminal device such as a mobile phone, a PHS (Personal Handyphone System), or a PDA (Personal Digital Assistance). This data communication apparatus has a memory area including a data storage memory such as an EEPROM and a data processing unit, and also has a data communication function. In the case of a mobile phone or the like, an external storage medium such as an IC card incorporating an IC chip may be detachable. Further, a SIM (Subscriber Identity Module) function that records subscriber information issued by a mobile phone company may be mounted on the IC chip. The data communication device may perform data communication via an information communication network such as the Internet, or may directly perform data communication with an external terminal device in a wired or wireless manner.

  The present invention provides a service that requires security including exchange of value information by utilizing tamper resistance and an authentication function of an IC card. More specifically, a single memory area in an IC card is shared among a plurality of service providers, and the burden of card issuance is reduced at the service provider, and it is portable for the user. The number of IC cards to be managed is reduced.

  When a single memory area is shared among multiple service providers, the memory area used by one service provider can be freely accessed by another provider sharing the memory. There is a problem that value information set for each person permits unauthorized use by other companies.

  On the other hand, in the present invention, a file system for each service provider is allocated on a single memory area, and a single data communication device is shared by a plurality of operators. Provided multiple services. By dividing the memory area into file systems, the boundaries between file systems function as firewalls, making access (illegal intrusion) from other file systems (that is, other service providers) preferable Can be eliminated.

  In the initial state of the memory area in the IC card, the original IC card issuer manages the entire memory area. When a service provider other than the IC card issuer divides a new file system from the memory area, both the authority to divide the memory area and authentication to the original IC card issuer are requested. Yes.

  By repeating such division operation, the memory area in the IC card has a structure in which a plurality of file systems coexist. The division of the file system is the issue of a virtual IC card. Once divided, access to the file system requires authentication from the service provider of the file system itself, not the original IC card issuer.

  Here, a problem arises regarding the disposal method of the IC card that has finished using the service. Conventionally, information written in the nonvolatile memory could be erased, but for this purpose, only the function of erasing the entire area in the nonvolatile memory can be used together. In addition, since the procedure for discarding data is complicated and the memory area can be accessed even after the data is erased, it is possible to crack the interface and IC card function of the IC card itself, Become a security threat.

  Therefore, in the present invention, a discard function for permanently stopping the use of the memory area in the IC card is added to securely discard the memory and the IC card function in which the memory is mounted.

  As a result, even after the use of the service is stopped, the portable device / CE device main body equipped with the IC card function can be safely managed and operated while maintaining the inaccessible state to the file system.

  Advantageous Effects of Invention According to the present invention, an excellent data communication device capable of storing electronic value information in a memory area and suitably exchanging secure information including electronic payment can be suitably performed, and memory management of the data communication device. A method can be provided.

  Further, according to the present invention, it is possible to allocate a file system for a service provider company on a memory area and manage information for service operation by the company in the file system. A data communication apparatus and a memory management method for the data communication apparatus can be provided.

  In addition, according to the present invention, an excellent data communication apparatus capable of being destroyed by an easy procedure without risk of being cracked in a state where the file system of the service provider is stored in the memory area, and A memory management method for a data communication apparatus can be provided.

  According to the present invention, by adding a discard function for permanently stopping the use of the memory area in the IC card, it is possible to securely discard the memory and the IC card function in which the memory is mounted. As a result, even after the use of the service is stopped, the portable device / CE device main body equipped with the IC card function can be safely managed and operated while maintaining the inaccessible state to the file system.

  Other objects, features, and advantages of the present invention will become apparent from more detailed description based on embodiments of the present invention described later and the accompanying drawings.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  The present invention provides a service that requires security including exchange of value information by utilizing tamper resistance and an authentication function of an IC card, and more specifically, in the IC card. A single memory area is shared among multiple service providers, which reduces the burden of issuing cards at the service provider and reduces the number of IC cards that are carried and managed by the user It is.

  Here, when a single memory area is shared among multiple service providers, the memory area used by one service provider can be freely accessed by another provider sharing the memory. Then, there is a problem that value information set for each business operator allows unauthorized use by other business operators.

  In the present invention, a file system for each service provider is allocated on a single memory area, a single data communication device is shared by multiple operators, and multiple services are provided by a single data communication device. Provided. By dividing the memory area into file systems, the boundaries between file systems function as firewalls, making access (illegal intrusion) from other file systems (that is, other service providers) preferable Can be eliminated.

  In the initial state of the memory area in the IC card, the original IC card issuer manages the entire memory area. When a service provider other than the IC card issuer divides a new file system from the memory area, both the authority to divide the memory area and authentication of the original IC card issuer are required.

  Once divided, access to the file system requires authentication not to the original IC card issuer but to the service provider of the file system itself. Therefore, it is possible for the user to ensure usability as if the IC card was issued by the operator when using each service.

  Here, first, the mechanism of contactless data communication between the IC card and the card read / write device will be described with reference to FIGS.

Wireless communication between the card read / write device and the IC card is realized based on the principle of electromagnetic induction, for example. FIG. 1 conceptually illustrates a wireless communication mechanism between a card read / write device based on electromagnetic induction and an IC card. The card read / write device includes an antenna _LRW composed of a loop coil, and generates a magnetic field around the antenna LRW by _passing a current _IRW . On the other hand, in the IC card side, the electrical loop coil L _c around the IC card is Katachi設. The loop coil L _c ends of the IC card side occurs voltage induced by the magnetic field emitted by the loop antenna L _c of the card reading and writing apparatus, is input to the IC card terminal connected to the loop coil L _c end .

Loop coil L _c of the antenna L _RW and IC card side of the card reading and writing apparatus is the degree of coupling will vary depending on the positional relationship of each other, can be regarded as examples of the system forms a single transformer, The read / write operation of the IC card can be modeled as shown in FIG.

On the card read / write device side, by modulating the current I _RW flowing through the antenna L _RW , the voltage V _O induced in the loop coil L _c on the IC chip is modulated, and the card read / write device is utilized by using the modulation. Can transmit data to the IC card.

Further, IC card has features to vary the load between the terminals of the loop coil L _c in accordance with the data to be returned to the card reading and writing device (Load Switching). When the load between the terminals of the loop coil L _c is varied, a card reading and writing apparatus to change the impedance between the antenna terminal appears as a variation of the passing current I _RW and voltage V _RW antenna L _RW. By demodulating the fluctuation, the card read / write device can receive the return data of the IC card.

  That is, the IC card performs communication by applying amplitude modulation to the signal appearing in the receiving circuit on the card read / write device side by changing the load between its own antennas according to the response signal to the interrogation signal from the card read / write device. That's why you can.

  The IC card may be a card-type data communication device, or an integrated circuit chip having a so-called IC card function may be built in an information communication terminal device such as a mobile phone (the IC card is built in the device). In some cases, it may be referred to as an “IC card” for convenience in this specification.) An integrated circuit chip having an IC card function is, for example, It is mounted on a mobile terminal such as a mobile phone or PDA or an information processing terminal such as a personal computer (PC) to perform data communication with an external device. In this case, an interface for connecting to an external device is provided in addition to an interface for connecting to the reader / writer device by wire or wirelessly.

  FIG. 3 shows a hardware configuration of the data communication apparatus according to the embodiment of the present invention. This data communication device includes an IC card function that can access an internal nonvolatile memory by adding a communication antenna, and a reader / writer that supplies power to an external device having the IC card function and exchanges data. An IC chip having a writer function and having a card function analog circuit unit 30, a data processing unit 40, and a reader / writer function analog circuit unit 50 is incorporated. In the example shown in the figure, the IC card also has a card read / write function, but the card read / write function is not an essential component of the present invention.

  In the card function analog circuit unit 30, the carrier wave received by the antenna 32 is rectified by the rectifier 31 and then supplied to the signal processing unit 44 in the data processing unit 40, and also through the serial regulator 33. 38.

The logic circuit 38 controls the voltage from the serial regulator 33 to supply an appropriate power supply voltage V _DD for use in the IC card.

  The serial regulator 33 keeps the output voltage substantially constant regardless of the input voltage. That is, when the input voltage is high, the internal impedance is increased, and conversely, when the input voltage is low, the internal impedance is decreased, thereby enabling the operation of maintaining the voltage.

  The voltage detector 39 monitors the output terminal voltage of an external power supply (battery or the like) connected to the logic circuit 38 and outputs a signal prohibiting the use of the external power supply when the voltage of the external power supply falls below a predetermined voltage. The data is output to the logic circuit 38.

  Further, in the card function analog circuit unit 30, the radio wave input from the antenna 32 is determined by the carrier wave detector 34 to determine whether or not the received radio wave is included in the received radio wave. The signal VR is output to the logic circuit 38. The logic circuit 38 can further output a signal indicating that a carrier wave has been detected to the data processing unit 40.

  The clock extractor 35 extracts a clock from the radio wave input from the antenna 32 and supplies it to the clock selector 36. The clock oscillator 37 is composed of, for example, a crystal resonator disposed outside the IC card, generates a clock having a driving frequency used on the IC card, and supplies the clock to the clock selector 36. The clock selector 36 selects either the clock supplied from the clock extractor 35 or the clock supplied from the clock oscillator 37 and supplies it to each part in the IC card.

  The reader / writer function analog circuit unit 50 includes a transmission amplifier 51, a reception signal detector 53, a reception amplifier / filter 54, and transmission / reception antennas 52 and 55.

  When transmitting data, a transmission signal modulated and D / A converted by the signal processing unit 44 of the data processing unit 40 and up-converted to an analog baseband is transmitted from the antenna 51 via a transmission amplifier. The signal received from the antenna 52 is detected by the reception signal detector 53, amplified by the reception amplifier 54, and then supplied to the signal processing unit 44. The signal processing unit 44 down-converts into an analog baseband signal, performs D / A conversion and demodulation processing, and reproduces digital data.

  The card read / write operation between the IC card and the card read / write device is as already described with reference to FIGS.

  In addition to the signal processing unit 44 described above, the data processing unit 40 uses a CPU (Central Processing Unit) 45, a data encryption engine 46 using DES (Data Encryption Standard), a CRC (Cyclic Redundancy Check), and the like. Error correction unit 47, RAM (Random Access Memory) 41, ROM (Read Only Memory) 42, EEPROM (Electrically Erasable and Programmable ROM) 43, UART interface 48, and I2C interface 49. Each part is interconnected by an internal bus.

  The CPU 45 is a main controller that comprehensively controls the operation in the IC card, and is stored in, for example, the ROM 42 (or the EEPROM 43) under an execution environment (described later) provided by the IC card operating system (OS). The program code is executed. For example, the CPU 45 executes an application related to data transmitted and received via the card function analog circuit unit 30 and the reader / writer function analog circuit unit 40.

  The signal processing unit 44 performs processing such as modulation, D / A conversion, and up-conversion of data transmitted via the card function analog circuit unit 30 and the reader / writer function analog circuit unit 40, down-conversion of received data, Processing such as A / D conversion and demodulation is performed.

  The DES engine 46 encrypts and decrypts data transmitted / received via the card function analog circuit unit 30 and the reader / writer function analog circuit unit 40 using a procedure public key encryption.

  The CRC 47 performs a cyclic redundancy check on data received via the card function analog circuit unit 30 and the reader / writer function analog circuit unit 40.

The UART 48 and the I ² C interface constitute an external wired interface for connecting the IC card to an external device (not shown in FIG. 3) such as a mobile phone, a PDA, or a personal computer. Among these, a UART (Universal Asynchronous Receiver Transmitter) 48 has a function of converting a parallel signal in a computer into a serial signal and converting a serial signal into a parallel signal.

  The RAM 41 is a writable memory device, and the CPU 41 executes a program using the RAM 41 as a work area. The memory space provided by the RAM 41 is addressable, and each device on the CPU 41 and the internal bus can access this memory space.

  The EEPROM 43 is a non-volatile memory device that writes new data together with the erase operation. The memory area built in the IC card in this specification basically refers to a writable area in the EEPROM 43.

  This memory area is composed of one or more file systems. In the initial state, the memory area is managed by a single file system managed by the original IC card issuer, and then the service provider other than the IC card issuer divides the new file system from the memory area. To do.

  FIG. 4 schematically shows the control system configuration of the memory area in the IC card according to the present embodiment. As shown in the figure, this control system is basically implemented as a subsystem in the operating system, and is composed of a protocol interface part, an OS central part, and a file system.

  The protocol interface unit handles an access request to the file system from an external device via an external device interface such as UART 48, or an access request to the file system from a card read / write device via a non-contact IC card interface. To do.

  The central part of the OS performs decoding / encoding of data exchanged with the file system, error correction by CRC, etc., management of the number of rewrites for each block of the EEPROM 43, PIN verification, mutual authentication, and the like.

Further, the OS central part includes several APIs (Application Programming Interfaces) to the file system such as PIN verification and mutual authentication at the time of file access, and file read / write.

  The file system has physical access to the EEPROM 43 as a file system entity. Since the physical access operation itself to a memory device such as an EEPROM is well known in the art, its description is omitted here.

  The memory area developed on the EEPROM 43 is composed of one or more file systems. In the initial state, the memory area is managed by a single file system managed by the original IC card issuer. When a service provider other than the IC card issuer divides a new file system from the memory area, both the authority to divide the memory area and authentication of the original IC card issuer are required. Once divided, access to the file system requires authentication not to the original IC card issuer but to the service provider of the file system itself. The division of the file system is the issue of a virtual IC card.

The OS manages a division authority key _Kd for permitting division. Also, for each file system, issuer and issuer key K _I of (original IC card issuer, or file divided carrier), and the system code, the area ID for identifying a file area is managed .

Access to the file system is performed through an area ID request by polling and a procedure of mutual authentication. The file system issuer (card issuer in the case of the original file system, service provider that uses the divided file system) first takes the system code that it knows as an argument. By polling the file system, the area ID on the memory area of the corresponding file system can be acquired. Then, perform mutual authentication using the issuer key K _I this area ID. When the mutual authentication is successful, access to the file system is permitted. Access to the file system, because performed by encrypted communication using the unique issuer key K _I to the file system and the appropriate issuer, other file systems or capture irrelevant data, issuer You cannot read or write to the file system without permission.

  FIG. 5 schematically shows the overall configuration of a service providing system that uses electronic money, electronic tickets, and other value information, which is realized using a relatively large-capacity IC card.

  The illustrated system 1 includes, for example, an issuer communication device 11 used by an IC card issuer 21, an operator communication device 12 used by a card storage area operator 22, and a manufacturer used by a device manufacturer 23. Communication device 13, storage area dividing device 14 used by card storage area user 24, and operation file registration apparatus 15.

  In the system 1, when the IC card issuer 21 issues the IC card 16 to the card holder 26, the file data related to the service provided by the card storage area user 24 is transferred to the IC card based on a predetermined condition. 16, the card holder 26 can receive the services of both the IC card issuer 21 and the card storage area user 24 using a single IC card 16.

  As shown in FIG. 5, in the system 1, the issuer communication device 11, the operator communication device 12, the manufacturer communication device 13, the storage area dividing device 14, and the operation file registration device 15 are connected via a network 17. Connected.

  The IC card issuer 21 is a person who issues the IC card 16 and provides its own service using the IC card 16.

  The card storage area operator 22 receives a request from the IC card issuer 21 and, among the storage areas configured in the storage unit (semiconductor memory) in the IC card 16 issued by the IC card issuer 21, the IC card A person who provides a service for lending a storage area not used by the issuer 21 to the card storage area user 24.

  The device manufacturer 23 is a person who receives a request from the card storage area operator 22, manufactures the storage area dividing device 14, and delivers it to the card storage area user 24.

  The card storage area user 24 makes a request to the card storage area operator 22 and provides his / her own service using the storage area of the IC card 16, and divides the memory area into a new file. -Corresponds to a service provider that creates a system (described above), and provides its own service using its own file system.

  The card holder 26 is a person who receives the IC card 16 issued from the IC card issuer 21 and receives a service provided by the IC card issuer 21. When the card holder 26 desires to receive the service provided by the card storage area user 24 after the IC card 16 is issued, the card owner 26 uses the storage area dividing device 14 and the operation file registration device 15 to store the card. The file data related to the service of the area user 24 is stored in the IC card 16, and then the service of the card storage area user 24 can be received.

  The system 1 provides the services of the IC card issuer 21 and the card storage area user 24 when providing the service of the IC card issuer 21 and the service of the card storage area user 24 using the single IC card 16. It has a configuration that makes it difficult for an unauthorized person to write or rewrite data in a storage area for storing such file data.

  The IC card 16 may be a card-type data communication device, literally, or embodied as a mobile phone (or other mobile terminal or CE device) incorporating a semiconductor chip on which a so-called IC card function is mounted. Sometimes it is done.

  5 illustrates the case where there is a single IC card issuer 21, a card storage area user 24, and a card owner 26, respectively, these may be plural.

  In this embodiment, a file system for each service provider is allocated on a single memory area of the IC card, and a single data communication device is shared by a plurality of carriers. Provide multiple services. With such a split file system configuration, in addition to the memory area used by the original card issuer, a memory area that can be used by a specific service provider with the permission of the original card issuer, With the permission of the original card issuer, a memory area that can be used in common among a plurality of business operators can be operated.

  In particular, in addition to the file system used by the original card issuer, when operating one or more file systems that can be used individually by each service provider, the boundary between the file systems is the firewall. And access (unauthorized intrusion) from other file systems (that is, other service providers) can be suitably excluded.

  Here, the operation mode of the memory area in the IC card will be described with reference to FIGS.

  FIG. 6 shows the state of the memory area where the original card issuer manages only its own file system. The system code SC1 of the original card issuer is given by the system code management mechanism. When the external device or program accesses the file system of the card issuer, SC1 is set as an identification code (that is, an argument of the request command).

  FIG. 7 shows that the card issuer can permit a certain range of memory to be lent (or transferred) to the area manager within the free area of his file system. At this stage, the file system in the memory area is not yet divided. The card issuer can permit a plurality of area managers to lend memory as long as there is a free area in his file system. For example, in an implementation in which a file system is identified by a 4-bit system code, a maximum of 16 divisions (up to 15 divisions) can be performed.

  FIG. 8 shows a state where another service provider has divided the memory area in the area permitted by the card issuer and created a new file system. The new file system is assigned the system code SC2 from the system code management mechanism. When the external device or program accesses the file system operated by the memory area manager (service provider), SC2 is used as an identification code (request command argument).

  FIG. 9 shows a state where the common area manager divides the memory with the system code SC0 of the common area in the area permitted by the card issuer. When an external device or program accesses the file system which is the operation area of the common area manager, the system code SC0 is used as an identification code (request command argument).

  As shown in FIG. 10, in this embodiment, the memory area on the IC card is divided into a plurality of file systems. A system code SC and an area ID are set for each file system, and mutual authentication is performed with the issuer key KI of the service provider (including the original card issuer) that uses the area. Can do. As a result, the service provider to which the file system is allocated must analyze, manage, and operate its file system security threats independently of the original card issuer or split engineer. Can do.

Further, when a service provider accesses its own file system, it is basically performed through a procedure of area ID request and mutual authentication. First, by polling the file system using the system code known to itself as an argument, the area ID on the memory area of the corresponding file system can be acquired. Then, perform mutual authentication using the issuer key K _I this area ID. When the mutual authentication is successful, access to the file system is permitted.

In addition, each service provider (including the original card issuer) sends a request command (for example, a read request, a write request, a data erasure request, an area / service registration, etc.) to the file system corresponding to the service provider itself. since performed by encrypted communication by packaging using a specific issuer key K _I in (see FIG. 11), Dari other file systems incorporate irrelevant data, the third party file system You cannot read or write without permission.

  As shown in FIG. 10, the memory area of the IC card has a structure in which a plurality of file systems coexist by repeating the division operation. The original card issuer and the service provider that has acquired its own file system on the IC card with the permission of the card issuer, use their own file system to arrange areas and services. (Described later), can be used for own business development.

FIG. 12 shows a procedure in which a service provider (including the original card issuer) requests command execution in its own file system. However, the communication between the service provider and the IC card is performed using a non-contact near field communication interface based on electromagnetic induction action or using a wired interface such as UART 48 or I ² C49.

  The service provider polls the operating system, which is the IC card execution environment, and requests the file system area ID using the file system system code SC as an argument.

  Using this request message as a trigger, after a mutual authentication procedure consisting of multiple round-trip communication operations between the service provider and the operating system that is the IC card execution environment, a return value for the request The area ID is returned to the service provider. Note that the configuration of the mutual authentication procedure differs depending on the specifications of the IC card and is not directly related to the gist of the present invention.

Following this authentication procedure, the service provider transfers the request command into the file system to the IC card operating system. This request command is executed with the area ID and the request package as arguments. Since the request package is encrypted with the issuer key K _I of the service provider company, not falsified by a third party.

When the request command reaches the operating system of the IC card, based on the area ID included in the argument, the request package is delivered to the file system of the service provider company, is decrypted with the issuer key K _I, The contents of the request package are retrieved. Then, when the processing requested in the package is executed in the file system, the status is returned to the requesting service provider.

  Here, let us consider the disposal method of IC cards that have finished using the service.

  Conventionally, information written in the nonvolatile memory could be erased, but for this purpose, only the function of erasing the entire area in the nonvolatile memory can be used together. In addition, since the procedure for discarding data is complicated and the memory area can also be accessed for data transfer, it is possible to crack the interface and IC card function of the IC card itself. Become a security threat.

  In order to completely eliminate such a threat, all data on the memory area of the IC card, data access means, and other functions must be disabled. This requires that the card itself be physically crushed or erased, and costs are required to protect security.

  For example, when an IC card is not used alone but is used as a mobile phone (or other portable terminal or CE device) incorporating a semiconductor chip on which a so-called IC card function is mounted, it is carried on the IC card. I want to continue to use the original functions of the device even after I stop using the service, but I have to physically discard the device itself.

  Therefore, in this embodiment, a discard function for permanently stopping the use of the memory area in the IC card is added to securely discard the memory and the IC card function in which the memory is mounted.

  FIG. 13 schematically shows the configuration of a control system to which a memory area discard function in the IC card is added. As shown in the figure, this control system is basically implemented as a subsystem in the operating system, and is composed of a protocol interface part, an OS central part, and a file system.

  The protocol interface unit handles an access request to the file system from an external device via an external device interface such as UART 48, or an access request to the file system from a card read / write device via a non-contact IC card interface. To do.

  The central part of the OS performs decoding / encoding of data exchanged with the file system, error correction by CRC, etc., management of the number of rewrites for each block of the EEPROM 43, PIN verification, mutual authentication, and the like.

  The file system has physical access to the EEPROM 43 as a file system entity. The memory area developed on the EEPROM 43 is composed of one or more file systems.

  Here, a “discard flag” is provided in the memory area. The protocol interface unit determines a discard flag on the memory area before accepting an access from an external device or program. If the discard flag is false, the protocol interface unit accepts access to the operating system.

  Further, the protocol interface unit sets the discard flag on the memory area to true in response to receiving the discard request by the discard command from the card issuer. After the discard flag becomes true, the protocol interface unit determines that the value of the discard flag is true when accessing from an external device or program, and does not accept any access to the operating system.

  FIG. 14 conceptually shows a state where the IC card is discarded using the discard function as described above.

  The protocol interface unit determines a discard flag on the memory area before accepting access from an external device or program. When it is confirmed that the value of the discard flag is true, access to the operating system is rejected.

  As described above, according to the present embodiment, only the memory area in the IC card can be securely discarded, and a crisis in which the memory area is mounted can be safely managed and operated. Therefore, even when it is used as a mobile phone (or other mobile terminal or CE device) with a built-in semiconductor chip with a so-called IC card function, the use of services carried on the IC card has been stopped. You can continue to use the original functions of the device.

  In this embodiment, it is assumed that the original card issuer has the authority to set a discard flag in the memory area. Therefore, when the user of the IC card wants to stop using the IC card, the user issues a request to that effect to the card issuer.

FIG. 15 shows a procedure in which the original card issuer requests execution of a command for setting a discard flag in the memory area. However, the communication between the service provider and the IC card is performed using a non-contact near field communication interface based on electromagnetic induction action or using a wired interface such as UART 48 or I ² C49.

  The card issuer polls the operating system, which is the execution environment of the IC card, and makes a file system area ID request using the file system system code SC as an argument.

  Using this request message as a trigger, the card issuer and the operating system, which is the IC card execution environment, undergo a mutual authentication procedure consisting of multiple round-trip communication operations. The ID is returned to the service provider. Note that the configuration of the mutual authentication procedure differs depending on the specifications of the IC card and is not directly related to the gist of the present invention.

Following this authentication procedure, the card issuer transfers a discard flag setting request command into the file system to the IC card operating system. This discard request setting request command is executed with the area ID and the request package as arguments. Since the request package is encrypted with the issuer key K _I of the service provider company, not falsified by a third party.

If the discard flag setting request command reaches the operating system of the IC card, based on the area ID included in the argument, the discard flag setting request package is delivered to the file system of the card issuer, at the issuer key K _I It is decrypted and the contents of the request package are retrieved. Then, after erasing the data in the memory area, if the discard flag is set to true, the status is returned to the card issuer as the request source.

  If the tamper resistance of the IC card is sufficiently reliable, the data erasing process when setting the discard flag can be omitted.

  Specific examples of using the IC card discard function include the following.

(1) When you want to discard defective IC chips at the time of production (2) When you want to discard defective IC chips at the time of issuance (3) When you want to discard defective devices (equipment incorporating IC cards) at the time of production (4) Issuing When you want to discard defective devices (equipment incorporating IC cards) (5) When you want to discard surplus IC cards and devices during production (6) When you want to discard devices that incorporate IC cards (7) IC Use of memory data in the card and access to the IC card are not permitted, but you want to continue using the device on which the IC card is mounted

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiment without departing from the gist of the present invention.

  In the present specification, an embodiment of the present invention has been described by taking an information management method for a memory area built in an IC card as an example. However, the gist of the present invention is not limited to this, and the IC card is not limited thereto. The present invention can be similarly applied to the management of memories built in other devices.

  In short, the present invention has been disclosed in the form of exemplification, and the description of the present specification should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims section described at the beginning should be considered.

FIG. 1 is a diagram conceptually showing a mechanism of wireless communication between a card read / write device based on electromagnetic induction and an IC card. FIG. 2 is a diagram modeling a system composed of a card read / write device and an IC card as a single transformer. FIG. 3 is a diagram illustrating a hardware configuration of the data communication apparatus according to the embodiment of the present invention. It is the figure which showed typically the control system structure of the memory area in the IC card which concerns on one Embodiment of this invention. FIG. 5 is a diagram schematically showing the overall configuration of a service providing system using an IC card. FIG. 6 is a diagram showing a state of a memory area in which the original card issuer manages only its own file system. FIG. 7 is a diagram showing that the card issuer can permit a certain range of memory to be lent (or transferred) to the area manager within the free area of his file system. FIG. 8 is a diagram showing a state in which another service provider has divided a memory area in an area permitted by the card issuer and created a new file system. FIG. 9 is a diagram showing a state where the memory is divided by the common area system code SC0 in the area permitted by the card issuer by the common area manager. FIG. 10 is a diagram schematically showing the structure of a memory space in which a plurality of file systems coexist on the memory area of the IC card by repeating the dividing operation. FIG. 11 is a diagram schematically showing a configuration of a request command packaged with an issuer key. FIG. 12 is a sequence diagram illustrating a procedure in which a service provider (including the original card issuer) requests command execution in its own file system. FIG. 13 is a diagram schematically showing a configuration of a control system to which a memory area discard function in the IC card is added. FIG. 14 is a diagram conceptually showing a state in which the IC card is discarded using the discard function. FIG. 15 is a sequence diagram showing a procedure for requesting the original card issuer to execute a command for setting a discard flag in the memory area.

Explanation of symbols

DESCRIPTION OF SYMBOLS 11 ... Issuer communication apparatus 12 ... Operator required communication apparatus 13 ... Manufacturer communication apparatus 14 ... Storage area dividing apparatus 15 ... Operation file registration apparatus 16 ... IC card 17 ... Network 21 ... Card issuer 22 ... Card storage area Operator 23 ... Device manufacturer 24 ... Card storage area user 26 ... Card owner 30 ... Card function analog circuit unit 31 ... Rectifier 32 ... Antenna 33 ... Serial regulator 34 ... Carrier wave detector 35 ... Clock extractor 36 ... Clock Selector 37 ... Clock oscillator 38 ... Logic circuit 39 ... Voltage detector 40 ... Data processing unit 41 ... RAM
42 ... ROM
43… EEPROM
44 ... Signal processing unit 45 ... CPU
46 ... Data encryption engine 47 ... Error correction unit 48 ... UART interface 49 ... I ² C interface 50 ... Reader / writer function analog circuit unit 51 ... Transmission amplifier 52 ... Transmission antenna 53 ... Reception signal detector 54 ... Reception amplifier / filter 55 ... Receiving antenna 100 ... Data communication device

Claims (4)

A data communication device comprising a memory space and managing the data by dividing it into one or more file systems,
Protocol interface means for processing access to the memory space from an external device or program;
A discard flag assigned to the memory space and indicating whether or not the memory space is discarded;
The protocol interface means confirms the discard flag when accepting access from an external device or program, and rejects access when the value is true.
A data communication device. The discard flag has an initial value of false,
A means for truly rewriting the value of the discard flag;
The data communication apparatus according to claim 1. A memory management method for a data communication apparatus comprising a memory space and managing the data space by dividing it into one or more file systems, wherein a discard flag indicating whether the memory space is discarded is allocated to the memory space And
Checking the discard flag when accepting access from an external device or program;
Allowing access from an external device or program when the value of the discard flag is false;
Denying access from an external device or program when the value of the discard flag is true;
A memory management method for a data communication device. The discard flag has an initial value of false,
Further comprising the step of truly rewriting the value of the discard flag,
The memory management method for a data communication device according to claim 3.

Images