JP2006155159A - Tamper-proof device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a tamper-proof device for improving security performance at low costs by erasing data in a memory region in the priority order by software at the time of detecting tamper by giving a priority order to the memory region according to the significance of secret information. <P>SOLUTION: This tamper-proof device is provided with: a tamper detection switch 110 for detecting illegal access to data as secret information; a region/priority memory 120 for defining and storing the storage region of data in an internal memory 152 with erasure priority corresponding to the secrecy and significance of data; and a CPU 151 for erasing the data of the internal memory 152 according to the erasure priority at the time of detecting an illegal access. The internal memory 152 is provided with the storage region of an encryption key, and the storage region of data encrypted by using the encryption key, and the region/priority memory 120 stores the storage region of the encryption key in the internal memory 152 as a storage region whose erasure priority is the highest. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a tamper resistant apparatus applied to various electronic devices in order to prevent unauthorized access from the outside and protect confidential information in a memory.

In recent years, electronic payment systems using IC card type electronic money and network type electronic money are gradually spreading.
In these electronic payment systems, an IC card having an electronic money function, an encryption key used for encryption / decryption of data in various terminal devices such as mobile phones, PDAs (Personal Digital Assistants), payment terminals, and charge terminals. Various confidential information such as information, authentication information such as ID and password, personal information such as name and telephone number, and electronic value information such as the amount of electronic money are stored. For this reason, a function for preventing reading, analysis, falsification, and the like of such confidential information due to unauthorized access by a third party, a so-called tamper resistance function is indispensable.

As a prior art for realizing this tamper resistance function, one described in Patent Document 1 below is known.
The tamper resistant apparatus and method described in Patent Document 1 includes a fraud recognition means such as a tamper resistant switch that detects fraud by opening a housing of a terminal device and the like, and a memory such as a RAM when the fraud is recognized. Power supply control means for interrupting the power supply to the means and destroying the stored contents. Also, if the illegality recognition means operates when the circuit power is off, the power supply to the storage means is cut off. If the illegality recognition means operates when the circuit power is on, the CPU interrupts the CPU and erases the stored contents by the program. Means.
This prior art is a method to prevent unauthorized access of confidential information regardless of the presence or absence of circuit power supply. When unauthorized access is detected, the power supply to the storage means is shut off to destroy data or interrupt Confidential information is protected by erasing data by processing.

JP-A-2003-337753 (Claims 1, 2, 5, 6, paragraphs [0026] to [0033], [0058] to [0075], FIG. 1, FIG. 2, FIGS. 9 to 12 etc.)

The above prior art has the following problems.
First, a circuit that cuts off the power supply to the storage means at the time of unauthorized access is required. Since this circuit is constituted by an electronic switch using a semiconductor switch element, the manufacturing cost increases.
In recent years, as the memory capacity of electronic devices has increased, the amount of confidential information has been increasing. In other words, when these data are erased by software at the time of unauthorized access, the erasing operation takes a long time, and unerased data may be read and analyzed during that time.
Therefore, conventionally, there have been problems such as an increase in the manufacturing cost of a tamper resistant device and an electronic device incorporating the same, and inadequate security.

  Accordingly, the problem to be solved by the present invention is to provide an erase priority in the memory area according to the importance of the confidential information, and to erase data in the memory area in order of the erase priority by software when tampering (unauthorized access) is detected. Accordingly, it is an object of the present invention to provide a tamper resistant device that suppresses manufacturing costs and improves security.

In order to solve the above problem, the invention described in claim 1 is an electronic device in which data as confidential information is stored in confidential information storage means.
Tamper detection means for detecting unauthorized access to the data;
A storage area for data in the confidential information storage means, an area / priority definition storage means that defines and stores the confidentiality of data, and an erasure priority according to importance,
Erasing means for erasing data in the storage area in accordance with the erasing priority when unauthorized access is detected by the tamper detecting means.

The invention described in claim 2 is the tamper-proof device according to claim 1,
The confidential information storage means has an encryption key storage area and a data storage area encrypted using the encryption key, and
The area / priority definition storage means stores the encryption key storage area as the storage area with the highest erasure priority.

In the present invention, the deletion priority of the memory area is defined in advance according to the confidentiality and importance of the confidential information, and when unauthorized access is detected, the confidential information is sequentially deleted according to the deletion priority by software. . As a result, highly confidential and important data can be preferentially protected, and by combining encryption keys, a security system that is difficult to analyze and tamper with data can be constructed.
Furthermore, there is an advantage that less hardware is added and the cost can be reduced compared to the conventional technique in which the power supply is cut off when tampering is detected.
In addition, by erasing the encryption key storage area with the highest priority, it becomes substantially difficult or impossible to analyze other data. In the shortest case, there is only time to erase the encryption key storage area. Therefore, it is possible to protect confidential information, and it is possible to avoid an increase in erasure time.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
First, FIG. 1 is a functional block diagram of a tamper resistant apparatus according to the present embodiment. The tamper resistant device of this embodiment is built in various terminal devices such as payment terminals, charging terminals, mobile phones, PDAs, and IC cards. In the following, these various terminal devices and IC cards are used. For convenience, they are collectively referred to as electronic devices.

In FIG. 1, 11 is a tamper detection means for detecting unauthorized access to data (confidential information) stored in an internal memory (main memory) in an electronic device, and 12 is the confidentiality and importance of the data. Accordingly, the erasure memory area / priority definition storage means 13 which defines and stores the memory areas from which data is to be erased in the order of priority (erase priority), and uses the tamper detection signal from the tamper detection means 11 as a trigger. Memory area erasing means for erasing data in the memory.
Here, unauthorized access refers to various access to confidential information such as destruction of the casing of the electronic device, disassembly by a procedure other than the regular procedure, removal of the internal memory storing data, skimming from the outside, etc. This means that the tamper detection means 11 can detect these unauthorized access actions by physical and electrical means.

Next, FIG. 2 and FIG. 3 are diagrams showing a hardware configuration of an electronic device including the tamper resistant device of the present embodiment. For example, the tamper resistant device is built in a payment terminal for electronic money. .
2, 110 is a tamper detection switch as the tamper detection means 11 in FIG. 1, 150 is a settlement processing unit having a CPU, 210 is a keyboard, 220 is a display, 230 is a printer, 240 is an auxiliary storage device such as a hard disk, Reference numeral 250 denotes a read / write (read / write) unit.

The settlement processing unit 150 is connected to a host computer (not shown) via a communication line. The read / write unit 250 includes, for example, a card reader / writer capable of transmitting / receiving information to / from an IC card having an electronic money function, a transmission / reception unit transmitting / receiving information by non-contact wireless communication, and the like.
The configuration other than the tamper detection switch 110 in FIG. 2 is hardware of a conventional payment terminal, and peripheral devices such as the keyboard 210 and the display 220 depend on the functions and properties of the terminal (payment terminal, charge terminal, etc.). The connection is selectively made accordingly.

FIG. 3 is a configuration diagram of the settlement processing unit 150 in FIG.
The settlement processing unit 150 includes a CPU 151, an internal memory 152, and a bus 153, as in a normal computer system, and an interface 155 to which peripheral devices such as the keyboard 210 and the display 220 shown in FIG. And an interface 156 to which a read / write unit 250 and a host computer are connected.

  As is well known, the payment processing by the payment processing unit 150 uses programs and data stored in the internal memory 152, and further uses the data in the auxiliary storage device 240 of FIG. It verifies and authenticates encryption key information, authentication information, and personal information, updates electronic value information (decreases the amount of electronic money held by the user and records sales), and also displays the processing results and the above various information. It is executed by transmitting / receiving to / from the host computer.

The internal memory 152 collectively represents so-called main memory and cache memory. ROM such as flash ROM (flash memory), EEPROM (electrically erasable programmable ROM), SRAM (static RAM), DRAM It is configured by a RAM such as (dynamic RAM).
Data to be protected from unauthorized access is mainly stored in the internal memory 152, but may be stored in the auxiliary storage device 240.

In FIG. 3, reference numeral 120 denotes an area / priority memory as the erasure memory area / priority definition storage means 12 of FIG. 1, and this memory 120 contains confidentiality and importance of data to be protected from unauthorized access. Accordingly, the memory areas in the internal memory 152 (or auxiliary storage device 240) in which these data are stored are defined and stored in order of priority.
Further, the tamper detection switch 110 is connected to the bus 153 via the interface 154.
In the following description, it is assumed that confidential information data is stored in the internal memory 152 and that the memory areas of the internal memory 152 are stored in the area / priority memory 120 in order of deletion priority.

The CPU 151 in FIG. 3 corresponds to the memory area erasing unit 13 in FIG. 1. When a tamper detection signal is input from the tamper detection switch 110, the CPU 151 executes a deletion program using this as a trigger, and the area / priority According to the memory area read from the memory 120 and its priority, the memory areas in the internal memory 152 are selected in order and the data is erased.
Here, the erasure program may be resident in a memory other than the internal memory 152 or in the area / priority memory 120.

FIG. 4 shows information stored in advance in the area / priority memory 120 in FIG. 3, that is, information defining the memory area in the internal memory 152 from which data is to be erased together with the priority.
This information includes an erase memory area definition number 121 (the definition number is N) and N erase memory area definition information 122. The erase memory area definition information 122 includes an internal memory 152. Depending on the confidentiality and importance of the data, information about N memory areas in which each data is stored is defined together with the priority. In the illustrated example, the data stored in the erase memory area definition information 1 has the highest priority, and the data stored in the erase memory area definition information N has the lowest priority.

Each erase memory area definition information 122 includes an address 122a, a size 122b, a memory type 122c, and clear data 122d of the memory area of the internal memory 152. Here, the address 122b is the start address of the memory area to be erased, and the size 122b is the size of the data stored in the area. The memory type 122c is, for example, a type such as SRAM, flash ROM, or EEPROM, and the clear data 122d is data to be written in the memory area when erasing.
The CPU 151 performs data erasure processing when tampering is detected based on the above definition information.

FIG. 5 is a definition example of the above-described erase memory area.
In this example, the number of definitions of the erasure memory area is 5, the data with the highest priority (priority 1) is used as the encryption key, and the memory area is defined as definition information 1. Hereinafter, according to the priority, the electronic value information Are defined as definition information 2, authentication information memory area as definition information 3, personal information memory area as definition information 4, and program memory area required for settlement processing as definition information 5.
The CPU 151 operates to erase the data in each memory area in the order of priority according to the erase program.

In the internal memory 152, the data in each memory area of the definition information 2 to 5 is encrypted and stored using the encryption key in the memory area of the definition information 1.
Note that the addresses of the memory areas defined by the definition information 1 to 5 are not necessarily continuous, and may be random. As a result, a plurality of types of confidential information can be distributed and stored in the memory area regardless of their priorities.

Next, FIG. 6 is a flowchart showing a memory area erasing process at the time of tamper detection.
When an unauthorized access from the outside occurs and a tamper detection signal is output from the tamper detection switch 110, the CPU 151 calls an erasure program and starts data erasure processing described below.

First, the erase memory area definition number 121 of FIG. 4 is read from the area / priority memory 120 (step S1). Next, the erase memory area definition information 122 is read (S2), and the start address and size of the memory area to be erased are set (S3).
Then, the memory type of this memory area is determined (S4), and if the memory area is a volatile memory (for example, SRAM) area, the memory area is cleared by clear data designated in advance, that is, the data is deleted (S5). ). If the memory area is a non-volatile memory (for example, flash ROM, EEPROM), the data in the memory area is erased according to the clear sequence specified for each memory type (S6).
Thereafter, it is determined whether or not the number of erased memory areas defined is erased (S7), and the processes of steps S2 to S7 are repeatedly executed until the defined number is reached.

By performing the above processing, for example, the memory area of the encryption key is allocated to the definition information 1 (priority 1) and the other memory areas are sequentially allocated to the definition information 2 to 5 as illustrated in FIG. If the data in each memory area of the definition information 2 to 5 is encrypted using the key, the encryption key in the memory area with the highest priority is erased first when tampering is detected. Even if data is illegally read in the following areas, since the encryption key is unknown, it becomes difficult to analyze and tamper with the data, and the data can be protected.
For this reason, even if it takes a long time to erase the memory area below the definition information 2, at least the encryption key of the definition information 1 is erased with the highest priority to ensure the minimum necessary security performance. It is possible.

It is a functional block diagram which shows embodiment of this invention. It is a hardware structural example of the payment terminal containing the functional block shown in FIG. It is a block diagram of the payment process part in FIG. It is explanatory drawing of the memory | storage information of the area | region and priority memory in FIG. FIG. 5 is a diagram illustrating a definition example of an erase memory area corresponding to FIG. 4. It is a flowchart which shows the deletion process of the memory area in embodiment of this invention.

Explanation of symbols

11: Tamper detection means 12: Erase memory area / priority definition storage means 13: Memory area erase means 110: Tamper detection switch 120: Area / priority memory 121: Number of erase memory area definitions 122: Erase memory area definition information 122a: Address 122b: Size 122c: Memory type 122d: Clear data 150: Settlement processing unit 151: CPU
152: Internal memory 153: Buses 154, 155, 156: Interface 210: Keyboard 220: Display 230: Printer 240: Auxiliary storage device 250: Read / write unit

Claims (2)

In electronic equipment in which data as confidential information is stored in confidential information storage means,
Tamper detection means for detecting unauthorized access to the data;
A storage area for data in the confidential information storage means, an area / priority definition storage means that defines and stores the confidentiality of data, and an erasure priority according to importance,
An erasure unit for erasing data in the storage area according to the erasure priority when an unauthorized access is detected by the tamper detection unit;
A tamper resistant device characterized by comprising: The tamper resistant device according to claim 1,
The confidential information storage means has an encryption key storage area and a data storage area encrypted using the encryption key, and
The tamper resistant apparatus, wherein the area / priority definition storage means stores the encryption key storage area as a storage area having the highest erasure priority.

Images