JP2006260594A - Data processing method and data processing system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a data processing method and device for properly managing data to be kept secret to the other party and data that are to be disclosed. <P>SOLUTION: First and second data processors for executing first and second APs necessary for processing for performing access to the data stored in a memory are connected to first and second server devices, without going throught the network, and the first data processor and the second data processor, respectively determine whether to perform mutual authentication by referring to mutual authentication presence/absence data contained in the first and second management data and perform mutual authentication. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a data processing method and system used for providing a service using an integrated circuit such as an IC, for example.

Currently, a communication system that uses an IC card to perform transactions via a network such as the Internet has been developed.
In such a communication system, the server device executes an application program that executes a procedure process defined by the service provider in response to a request from a service provider that provides a service using an IC card.
The server device performs processing such as user authentication and data encryption and decryption based on the application program in response to a processing request from, for example, an IC card reader / writer or a PC (Personal Computer).

By the way, a service using an IC card as described above is performed using a SAM (Secure Application Module). However, when a plurality of SAMs cooperate to provide a service using a single IC card, a plurality of services are used. There is a request to quickly provide services linked between SAMs.
Further, in this case, there is a request for appropriately managing data to be concealed from the other party and data to be disclosed between SAMs storing data and programs related to service provision of different service providers.

The present invention has been made in view of such circumstances, and an object of the present invention is to provide a data processing method and a data processing system that can quickly provide a service linked between a plurality of SAMs (data processing devices). And
In addition, the present invention provides a data processing method capable of appropriately managing data to be concealed from the other party and data to be disclosed between SAMs (data processing apparatuses) storing data and programs related to service provision of different service providers. And a data processing system.

According to the present invention, using the data stored in the memory of the IC card or IC module that communicates with at least the first server device and the second server device via the network using the communication function of the communication device. A data processing method for performing data processing for providing
First and second data processing devices that respectively execute first and second application programs required for processing for accessing data stored in the memory are respectively connected to the first server without going through a network. Connected to the device and the second server device,
The first data processing apparatus holds first management data indicating a data module used by the first application program among a plurality of data modules constituting the second application program, and the first application When the second data processing device holds second management data indicating a data module permitted to be used by the program, the first data processing device and the second data processing device respectively When performing mutual authentication by deciding whether or not to perform mutual authentication with reference to mutual authentication presence / absence instruction data specifying whether or not to perform mutual authentication included in the first management data and the second management data After performing mutual authentication between the first data processing device and the second data processing device to confirm each other's validity, The first data processing device transmits a request specifying the data module to be used with reference to the first management data to the second data processing device, and the second data processing device In response to the request, the second management data is referred to, and when it is determined that the first application program is allowed to use the data module specified in the request, the data module specified in the request Is transmitted to the first data processing apparatus, and the first data processing apparatus executes the first application program including the data module acquired from the second data processing apparatus. There is provided a data processing method characterized in that data processing is performed by accessing data necessary for provision.

  According to the present invention, the first and second server devices connected to the network, respectively, and the IC card or IC module having the memory connected to the first and second server devices via the network And the first server necessary for processing to access the data stored in the memory of the IC card or the IC module, connected to the first server device and the second server device without going through the network, respectively. And a first data processing device for executing a second application program, respectively, and performs data processing for providing a service using data stored in the memory of the IC card or IC module. A data processing system, wherein the first data processing device includes the second application. The first management data indicating the data module used by the first application program among the plurality of data modules constituting the application program is held, and the second data processing apparatus causes the first application program to use the first management data. When holding the second management data indicating the data module that permits, the first data processing device and the second data processing device are respectively connected to the first management data and the second management data. In the case where mutual authentication is performed with reference to the mutual authentication presence / absence instruction data specifying whether or not to perform mutual authentication included in the data, and when performing mutual authentication, the first data processing device and the second data processing device After performing mutual authentication with the other data processing apparatus and confirming the mutual validity, the first data processing apparatus performs the first management. A request specifying the data module to be used with reference to the data is transmitted to the second data processing device, and the second data processing device responds to the request with the second management data. And when it is determined that the first application program is allowed to use the data module specified in the request, the data module specified in the request is transmitted to the first data processing device. The first data processing apparatus executes the first application program including the data module acquired from the second data processing apparatus, thereby accessing data necessary for providing a service and performing data processing. There is provided a data processing system characterized in that it performs.

  ADVANTAGE OF THE INVENTION According to this invention, the data processing method and data processing system which make it possible to provide quickly the service which cooperated between several data processing apparatuses (for example, SAM unit) can be provided.

  Further, according to the present invention, a data processing method capable of appropriately managing data to be concealed from the other party and data to be disclosed between data processing apparatuses storing data and programs related to service provision of different service providers A data processing system can be provided.

Embodiments of a data processing method and a data processing system according to the present invention will be described below with reference to the accompanying drawings.
FIG. 1 is an overall configuration diagram of a communication system 1 according to this embodiment of the present invention.
As shown in FIG. 1, a communication system 1 includes a server device 2, an IC card 3, a card reader / writer 4, a personal computer 5, ASP (Application Service Provider) server devices 19a, 19b, SAM (installed in a store, etc. Secure Application Module) Using the IC card 3 or the portable communication device 41 by communicating via the Internet 10 using the portable communication device 41 in which the units 9a and 9b and the IC module 42 (integrated circuit of the present invention) are built. It performs the procedure processing such as settlement processing.
The SAM unit 9a (first data processing apparatus of the present invention) has an external memory 7 (storage means of the present invention) and a SAM module 8 (processing means of the present invention).
Similarly, the SAM unit 9b (second data processing apparatus of the present invention) includes an external memory 7 and a SAM module 8.
The SAM module 8 exchanges data with other SAM modules (not shown) as necessary.

[Features of communication system 1]
In the present embodiment, the SAM unit 9a shown in FIG. 1 is characterized by communication between the SAM unit 9a and the SAM unit 9b when the application element data APE stored in the external memory 7 of the SAM unit 9b is used. is doing.
For example, in order to cooperate and operate a service between different service providers using the SAM units 9a and 9b, the card access key and card issuance key package necessary for IC card (IC module) operation are kept secret. It is necessary to hand it over to other service providers.

For example, in order to calculate a mutual authentication key with the IC card 3 between different service providers, it is necessary to obtain key information such as a card access key or a card degenerate key.
Specifically, when the SAM unit 9a determines the amount of money, the SAM unit 9b purchases a product, and when both processes are completed within one mutual authentication period with the IC card, the SAM unit 9a to the SAM unit It is necessary to transfer key information necessary for the amount settlement to 9b and synthesize a key necessary for accessing the IC card 3 on the SAM unit 9b side.
In this case, the SAM unit 9a and the SAM unit 9b can individually access the IC card 3 , but it is difficult to guarantee the simultaneity of operations and processing for both the amount settlement and the product purchase. For example, although the amount settlement by the SAM unit 9a is completed, a situation in which the product acquisition process by the SAM unit 9b is not completed occurs.

Further, a business operator who borrows a shared memory area of an IC card and develops a service independently, for example, from a manager of the shared memory area (memory operation mechanism), key information (registered service on the IC card 3). Area registration key package, etc.).
Also, a card partitioning key package necessary for logically dividing the memory in the IC card 3 to generate a shared memory area is exchanged between the memory operation mechanism and the shared area provider (for example, a service provider). There is a need.
When the communication system 1 provides services provided by a plurality of providers in cooperation with each other, and exchanges application element data APE such as a key package, the communication system 1 is connected between SAM units such as the SAM unit 9a and the SAM unit 9b. Provides a method for easily establishing a secure communication path.

The components shown in FIG. 1 will be described below.
[IC card 3 and portable communication device 41]
FIG. 2 is a functional block diagram of the IC card 3.
As shown in FIG. 2, the IC card 3 includes an IC (Integrated Circuit) module 3 a including a memory 50 and a CPU 51.
As shown in FIG. 3, the memory 50 includes a storage area 55_1 used by a service provider 15_1 such as a credit card company, a storage area 55_2 used by the service provider 15_2, and a storage area 55_3 used by the service provider 15_3. Have.
In addition, the memory 50 determines key data used to determine access authority to the storage area 55_1, key data used to determine access authority to the storage area 55_2, and access authority to the storage area 55_3. The key data used to do this is stored. The key data is used for mutual authentication, data encryption and decryption, and the like.
Further, the memory 50 stores identification data of the IC card 3 or the user of the IC card 3.

The mobile communication device 41 includes a communication processing unit 43 that communicates with the ASP server devices 19a and 19b via the mobile phone network and the Internet 10, and an IC module 42 that can exchange data with the communication processing unit 43. Communicate with the SAM unit 9a through the Internet 10 from the antenna.
The IC module 42 has the same function as the IC module 3a of the IC card 3 described above except that data is exchanged with the communication processing unit 43 of the mobile communication device 41.
The processing using the mobile communication device 41 is performed in the same manner as the processing using the IC card 3, and the processing using the IC module 42 is performed in the same manner as the processing using the IC module 3a. Now, processing using the IC card 3 and the IC module 3a will be exemplified.

Hereinafter, the SAM units 9a and 9b will be described in detail.
As described above, the SAM units 9a and 9b have the external memory 7 (storage means of the present invention) and the SAM module 8 (processing means of the present invention).
Here, the SAM module 8 may be realized as a semiconductor circuit, or may be realized as a device in which a plurality of circuits are accommodated in a housing.

[Software configuration of SAM module 8]
The SAM module 8 has a software configuration as shown in FIG.
As shown in FIG. 4, the SAM module 8 has a hardware HW layer, a driver layer (OS layer) including an RTOS kernel corresponding to the peripheral HW, and processing in logically united units from the lower layer to the upper layer. A lower handler layer, an upper handler layer in which application-specific libraries and the like are gathered, and an AP layer.
Here, in the AP layer, application programs AP_1, AP_2, which define procedures using the IC card 3 by personal personal computers (PC) 15_1, 15_2, 15_3 of a service provider such as a credit card company shown in FIG. AP_3 (the application program of the present invention) is read from the external memory 7 and is operating.
One or more macro scripts can be set for each application program.
In the AP layer, a firewall FW is provided between the application programs AP_1, AP_2, AP_3 and between the upper handler layer.

[External memory 7]
FIG. 5 is a diagram for explaining a storage area of the external memory 7.
As shown in FIG. 5, the storage area of the external memory 7 includes an AP storage area 220_1 and a PC 16-2 in which the application program AP_1 of the service provider 15_1 having the personal-personal computer (PC) 16-1 is stored. Used by the administrator of the AP storage area 220_2 for storing the application program AP_2 of the service provider 15_2, the AP storage area 220_3 of the application program AP_3 of the service provider 15_3 having the PC 16-3, and the SAM module 208 There is a storage area 221 for AP management.
Here, the application program stored in the external memory 7 of the SAM unit 9a corresponds to the first application program of the present invention, and the application program stored in the external memory 7 of the SAM unit 9b is the second application program of the present invention. It corresponds to the program.

The application program AP_1 stored in the AP storage area 220_1 is composed of a plurality of application element data APE (data module of the present invention) described later. Access to the AP storage area 220_1 is restricted by the firewall FW_1.
The application program AP_2 stored in the AP storage area 220_2 includes a plurality of application element data APE. Access to the AP storage area 220_2 is restricted by the firewall FW_2.
The application program AP_3 stored in the AP storage area 220_3 includes a plurality of application element data APE. Access to the AP storage area 220_3 is restricted by the firewall FW_3.
In the present embodiment, the application element data APE is, for example, the smallest unit downloaded to the external memory 7 from the outside of the SAM unit 9a. The corresponding service provider can arbitrarily determine the number of application element data APE constituting each application program.

The application programs AP_1, AP_2, AP_3 stored in the external memory 7 are scrambled (encrypted) and descrambled (decrypted) when read into the SAM module 8.
The application programs AP_1, AP_2, and AP_3 are created by the service providers 15_1, 15_2, and 15_3 using the personal computers (PC) 16_1, 16_2, and 16_3 shown in FIG. Downloaded to the external memory 7.

Hereinafter, the application programs AP_1, AP_2, and AP_3 will be described in detail.
One or a plurality of application programs exist in the SAM unit for each service provider.

First, the application program AP stored in the external memory 7 of the SAM unit 9a (SAM_A) shown in FIG. 1 will be described.
FIG. 6 is a diagram for explaining the application program AP stored in the external memory 7 of the SAM unit 9a (SAM_A) shown in FIG.
As shown in FIG. 6, the application program AP includes identification data AP_ID for identifying the application program AP, data APP_VER indicating the version (generation information) of the application program (or its package), and the application program Data APE_NUM indicating the number of application element data APE included in the data, identification data APE_ID of one or more application element data APE constituting the application program, tag data APE_TAG, usage permission data PT, option data OPT, And entity APE_PL of application element data APE.
The tag data APE_TAG, use permission data PT, and option data OPT shown in FIGS. 6 and 7 correspond to the first management data of the present invention.

The identification data AP_ID is determined to be different for each service provider.
Tag data APE_TAG is an identification tag for application element data APE that can be set by the service provider, and is determined so as to be uniquely identifiable within the application program AP.
In FIG. 6, among the four pieces of identification data APE_ID stored in the application program AP, the entity of the application element data APE corresponding to the three APE_IDs indicated by diagonal lines is from the SAM unit 9b (SAM_B) shown in FIG. The data is transferred to the SAM unit 9a (SAM_A) as described later.
That is, the substance of these three application element data APE does not exist in the external memory 7 of the SAM unit 9a.

FIG. 7A is a diagram for explaining the use permission data PT shown in FIG.
As shown in FIG. 7A, the use permission data PT includes the number of mutual authentication keys, the presence / absence of mutual authentication, the instance of the mutual authentication key of SAM_A, the application element data APE of the mutual authentication key of SAM_A, and the mutual authentication of SAM_B. Application element data APE of the mutual authentication key of the instance, SAM_B, and access authority data PMSD.
Here, the presence / absence of mutual authentication indicated by hatching in FIG. 7A, the instance of mutual authentication of SAM_B, and the application element data APE of the mutual authentication key of SAM_B exist in the SAM unit 9b, and the SAM unit 9b. Obtained by transferring from.

FIG. 7B is a diagram for explaining the option data OPT shown in FIG.
As shown in FIG. 7B, the option data OPT stores SAM_ID of SAM_B, application program identification data AP_ID (B) stored in SAM_B, and flag data PCF.
The flag data PCF includes a first flag indicating whether the application element data APE exists outside or inside the SAM unit 9a, and whether to disclose the application element data APE of the application program to the outside or not. And a third flag indicating whether it is temporarily used or stored (permanently used) when released to the outside.
In the example shown in FIG. 7B, the first flag indicates the outside, and the second and third flags are not set.

The use permission data PT or option data OPT stores, for example, data for authenticating the validity of the subject that can set each setting data in the application program AP, and the SAM module 8a stores the data. Based on the above, it is determined whether or not the installation of the setting data is permitted.
Further, in the present embodiment, the ports used by each application program are defined, and the authority, usage, etc. for using the ports defined in the application program are defined as management data. The SAM units 9a and 9b determine the usage mode of the ports defined in each application program based on the management data.

Next, the application program AP stored in the external memory 7 of the SAM unit 9b (SAM_B) shown in FIG. 1 will be described.
FIG. 8 is a diagram for explaining the application program AP stored in the external memory 7 of the SAM unit 9b (SAM_B) shown in FIG.
As shown in FIG. 8, the application program AP includes identification data AP_ID for identifying the application program AP, data APP_VER indicating the version (generation information) of the application program (or its package), and the application program Data APE_NUM indicating the number of application element data APE included in the data, identification data APE_ID of one or more application element data APE constituting the application program, tag data APE_TAG, usage permission data PT, option data OPT, And entity APE_PL of application element data APE.
The tag data APE_TAG, use permission data PT, and option data OPT shown in FIGS. 8 and 9 correspond to the second management data of the present invention.

In FIG. 8, among the four identification data APE_ID stored in the application program AP, the entity of the application element data APE corresponding to the three APE_IDs indicated in parentheses is from the SAM unit 9a (SAM_A) shown in FIG. Used.
The entities of these three application element data APE exist in the external memory 7 of the SAM unit 9b.

FIG. 9A is a diagram for explaining the use permission data PT shown in FIG.
As shown in FIG. 9A, the usage permission data PT includes the number of mutual authentication keys, the presence / absence of mutual authentication, the instance of the mutual authentication key of SAM_B, the application element data APE of the mutual authentication key of SAM_B, and the mutual authentication of SAM_A. Application element data APE of the mutual authentication key of the instance, SAM_A, and access authority data PMSD.
Here, the presence / absence of mutual authentication indicated by hatching in FIG. 9A, the mutual authentication instance of SAM_A, and the application element data APE of the mutual authentication key of SAM_A are transferred and acquired from the SAM unit 9a. .
Further, the access authority data PMSD designates a form (read, write, or execute) that permits access (use) from the outside of the APE for each application element data APE stored in the application program AP. . The designation may be performed in advance by specifying a predetermined authority.

FIG. 9B is a diagram for explaining the option data OPT shown in FIG.
As shown in FIG. 9B, option data OPT stores SAM_ID of SAM_A, application program identification data AP_ID (A) stored in SAM_A, and flag data PCF.
In the example of FIG. 9B, in the flag data PCF, the first flag indicates the inside, the second flag indicates disclosure, and the third flag indicates temporary use.

  The application element data APE is stored in the external memory 7 by setting an encrypted package for each area.

Hereinafter, the type (APE_TYPE) of the application element data APE will be described.
FIG. 10 is a diagram for explaining the type of application element data APE.
As shown in FIG. 10, types of application element data APE (APE_TYPE) include AP resource key data K_APR, card access key data (IC area key data, IC degenerate key data, etc.), file system configuration data, and SAM mutual data. Authentication key data, inter-SAM key package key data, IC card operation macro command script program, memory partition key package, memory partition key package, extended issue key package, issue key package, area registration key package, Area deletion key packages, service registration key data, and service deletion key packages are stored as application element data APE.

Hereinafter, a part of the types of application element data APE shown in FIG. 10 will be described in detail.
-AP resource key data K_APR
The AP resource key data K_APR is used as an encryption key when setting the application element data APE, and different key data K_APR is assigned for setting the application element data APE for each AP area.
Card access key data The card access key data is key data used for data read / write operations with respect to the IC card 3 and the memory 50 of the IC module 42.
The card access key data includes, for example, IC card system key data, IC card area key data, IC card service key data, and IC card degenerate key data.
Here, the IC card degenerate key data is key data that is generated by encryption using the IC card system key data and the storage area management key data of the memory 50 and is used for mutual authentication.
The key data referred to by the IC card operation macro command script program is also included in the same type of application element data APE as the card access key data.

File system configuration data File system configuration data includes, for example, log data, negative data, and journal data.
The log data is, for example, usage history data of the application element data APE, the negative data is, for example, IC card revocation information, and the journal data is, for example, an SAM execution history.
For example, in the file system configuration, the type of file access (record key specification / sorting / ring) is selected. If it is a record key, the record size, the total number of records, the record signature version, the record signature method type, Set the record data size and record signing key. Furthermore, it is specified whether or not signature verification is performed when data is written to the file system from the outside. Here, the record is a minimum unit for writing / reading file data.

SAM mutual authentication key data Used for mutual authentication between APs in the same SAM.
The SAM mutual authentication key data is key data used when the corresponding application element data APE is accessed from another AP or another SAM in the same SAM.
Inter-SAM Key Package Key The inter-SAM key package key is encryption key data used when exchanging data such as card access key data after mutual authentication between SAMs.
IC card operation macro command script program The IC card operation macro command script program is generated by the service provider itself, and describes the order of processing related to the IC card 3 and the exchange with the ASP server device 19. The IC card operation macro command script program is set in the SAM unit 9a and then interpreted in the SAM module 8 to generate corresponding IC card entity data.

Memory partition key package The memory partition key package is data used by the service provider to partition the storage area of the external memory 7 or the memory of the IC card 3 before the service operation using the IC card 3 is started. It is.
Area Registration Key Package The area registration key package is data used when the service provider performs area registration in the storage area of the memory of the IC card 3 before starting the operation of the service using the IC card 3.
-Area deletion key package (internally generated)
The area deletion key package is a package that can be automatically generated from the card access key data inside the SAM.

・ Service registration key (internally generated)
The service registration key package is used by the service provider to register the application element data APE in the external memory 7 before the service operation using the IC card 3 is started.
The service registration key package can be automatically generated from the card access key data inside the SAM.
-Key package for service deletion (internal generation)
The service deletion key package is used to delete the application element data APE registered in the external memory 7.
The service deletion key package is a package that can be automatically generated inside the SAM from the card access key data.

Further, the AP management storage area 221 in the external memory 7 shown in FIG. 5 stores AP management data for managing the application programs AP_1 to AP_3 described above.
Access to the AP management storage area 221 is restricted by the firewall FW_4.

[SAM module 8]
The SAM module 8 is connected to the ASP server devices 19a and 19b via SCSI or Ethernet (registered trademark). The ASP server device 19 is connected to a plurality of terminal devices including the personal computer 5 of the end user and the personal computers 16_1, 16_2, and 16_3 of the service providers 15_1, 15_2, and 15_3 via the Internet 10.
The personal computer 5 is connected to the Dumb type card reader / writer 4 via, for example, serial or USB. The card reader / writer 4 implements, for example, wireless communication corresponding to the physical level with the IC card 3 (IC module 42).
An operation command to the IC card 3 (IC module 42) and a response packet from the IC card 3 (IC module 42) are generated and decoded on the SAM unit 9a, 9b side. Therefore, the card reader / writer 4, personal computer 5, and ASP server device 19 interposed between them only serve to store the command and response contents in the data payload portion and relay them, and to transfer the data in the IC card 3. It is not involved in actual operations such as encryption, decryption and authentication.

  The personal computers 16_1, 16_2, and 16_3 can customize the application programs AP_1, AP_2, and AP_3, respectively, by downloading a script program to be described later to the SAM module 8.

FIG. 11 is a functional block diagram of the SAM module 8 shown in FIG.
As shown in FIG. 11, the SAM module 8 includes an ASPS communication interface unit 60, an external memory communication interface unit 61, a bus scramble unit 62, a random number generation unit 63, an encryption / decryption unit 64, a memory 65, and a CPU 66.
The SAM module 8 is a tamper resistant module.

The ASPS communication interface unit 60 is an interface used for data input / output with the ASP server devices 19a and 19b shown in FIG.
The external memory communication interface unit 61 is an interface used for data input / output with the external memory 7.
The bus scramble unit 62 scrambles data to be output and descrambles the input data when inputting / outputting data via the external memory communication interface unit 61.
The random number generator 63 generates a random number used when performing the authentication process.
The encryption / decryption unit 64 encrypts data and decrypts the encrypted data.
The memory 65 stores tasks, programs, and data used by the CPU 66 as will be described later.
The CPU 66 executes tasks such as an IC card procedure management task (job management data management task).
The CPU 66 performs processing defined in the SAM units 9a and 9b based on the operation commands in the SAM units 9a and 9b, and operates the operation commands of the IC module 3a of the IC card 3 and the IC module 42 of the portable communication device 41. The processing of the IC module 3a and the IC module 42 is controlled based on the above.
The CPU 66 of the SAM unit 9a and the CPU 66 of the SAM unit 9b control data exchange (communication) between the SAM units 9a and 9b, as will be described later.

[Communication between SAMs]
Hereinafter, as shown in FIG. 12, a communication method for transferring application element data APE between the SAM units 9a and 9b will be described.
In the communication system 1, as described above, when the SAM unit 9a and the SAM unit 9b cooperate to provide a service using the IC card 3 and the IC module 42, the application between the SAM units 9a and 9b. The element data APE is transferred.
In this case, communication is performed among the SAM unit 9a, the server device 19a, the server device 19b, and the SAM unit 9b using the ASPS communication interface unit 60 shown in FIG. 11 of the SAM units 9a and 9b.
For example, as shown in FIG. 13, the substance of the degenerate key data (APE) is stored in the application program AP (B) stored in the external memory 7 of the SAM unit 9b and stored in the external memory 7 of the SAM unit 9a. When referring to the degenerate key data from the application program AP (A), the SAM unit 9b becomes a public source and the SAM unit 9a becomes a reference source.
Then, the application element data APE of the degenerate key data is transferred from the SAM unit 9b to the SAM unit 9a.
The transfer is performed from the SAM units 9a to 9b to the SAM units 9a and 9b based on the setting contents of the option data OPT, flag data PCF, and access authority data PMSD in the application programs AP (A) and (B) of the SAM units 9a and 9b. An inter-element transfer command is transmitted, and an inter-SAM element transfer response is transmitted from the SAM units 9b to 9a accordingly.

FIG. 14 is a diagram for explaining the inter-SAM element transfer command SAMAPETC.
As shown in FIG. 14, the inter-SAM element transfer command SAMAPETC includes identification data AP_ID of its own (command transfer source) application program, identification data AP_ID of the partner (command transfer destination) application program, and transfer destination (partner side). ) Mutual authentication key instance number, number of application element data APE requesting transfer (number of element attributes), management ID of mutual authentication with the transfer destination (mutual authentication management ID), and application element data APE It has an attribute list (element attribute list).
Here, the element attribute list has a type (APE_TYPE) of the application element data APE and an element attribute.
As shown in FIG. 15, the element attribute has different items to be set depending on the type (APE_TYPE) of application element data APE requesting transfer.
For example, as shown in FIG. 15, when the application element data APE to be transferred is area service key data, the system code, area / service code, and element version are set as element attributes.

FIG. 16 is a diagram for explaining the inter-SAM element transfer response SAMAPETR.
As shown in FIG. 16, the inter-SAM element transfer response SAMAPETR includes the identification data AP_ID of the application program of its own (response transfer source), the identification data AP_ID of the application program of the other party (response transfer destination), and the transfer destination (the other party side). ) Mutual authentication key instance number, number of application element data APE to be transferred (number of element attributes), management ID of mutual authentication (mutual authentication management ID) performed with the transfer destination of response, flag data PCF, and element Have a list.
Here, the element list includes the type (APE_TYPE) of the application element data APE, the element attribute size, the element attribute, and the entity of the application element data APE.
As shown in FIG. 15, the element attribute has different items to be set depending on the type of application element data APE to be returned (APE_TYPE).
For example, as shown in FIG. 15, when the application element data APE to be returned is area service key data, area key data and service key data are set as element attributes.

  The transfer between the SAM units 9a and 9b using the inter-SAM element transfer command / response described above is performed after mutual authentication is performed between the SAM units 9a and 9b.

FIG. 17 is a diagram for explaining the mutual authentication procedure between the SAM units 9a and 9b.
Step ST201:
The CPU 66 of the SAM module 8 of the reference source SAM unit 9a performs the SAM_ID of the SAM unit 9b, the AP_ID of the application program AP to be referred to, the port ID of the application program AP to be used, and the application element data APE of the mutual authentication key of the SAM unit 9. The authentication command AUTH_C1 is generated by encrypting and storing the APE_ID, the encryption method, and the random value RA generated by the SAM unit 9a using the mutual authentication key data AK_B of the SAM unit 9b. The CPU 66 transmits an authentication command AUTH_C1 to the SAM unit 9b via the server devices 19a and 19b.

Step ST202:
The CPU 66 of the SAM module 8 of the SAM unit 9b on the application element data APE providing side decrypts the authentication command AUTH_C1 received in step ST201 using the mutual authentication key data AK_B, and the data obtained by the decryption, the SAM An authentication response AUTH_R1 is generated by encrypting and storing the random value RB generated by the unit 9b using the mutual authentication key data AK_A of the SAM unit 9a. The CPU 66 transmits an authentication response AUTH_R1 to the SAM unit 9a via the server devices 19b and 19a.

Step ST203:
The CPU 66 of the SAM module 8 of the SAM unit 9a decrypts the authentication response AUTH_R1 received in step ST202 using the mutual authentication key data AK_A, and the random value RA obtained by the decryption and the random value RA generated in step ST201. And the authentication command AUTH_C2 in which the random number value RB is encrypted and stored using the mutual authentication key data AK_B is generated. The CPU 66 transmits an authentication command AUTH_C2 to the SAM unit 9b via the server devices 19a and 19b.

Step ST204:
The CPU 66 of the SAM module 8 of the SAM unit 9b decrypts the authentication command AUTH_C2 received in step ST203 using the mutual authentication key data AK_B, and the random value RB obtained by the decryption and the random value RB generated in step ST202. Is determined to match, and if it is determined to match, the mutual authentication management ID is stored and an authentication response AUTH_R2 is generated. The CPU 66 transmits an authentication response AUTH_R2 to the SAM unit 9a via the server devices 19b and 19a.
Thereby, the mutual authentication between the SAM units 9a and 9b is completed.

When the mutual authentication is already completed and the session is established between the SAM units 9a and 9b, following the transmission of the authentication command AUTH_C1 in step ST201, steps ST202 and ST203 are omitted, and the step The authentication response AUTH_R2 of ST204 may be transmitted.
That is, the SAM units 9a and 9b manage mutual authentication in units of mutual authentication key data, and the mutual authentication procedure can be omitted if the session is already established. Here, with respect to the requested processing, whether or not a session has already been established using the corresponding mutual authentication key data is determined at the request destination (SAM unit 9b in the case of FIG. 17).

Hereinafter, an operation example of the transfer of the degenerate key data between the SAM units 9a and 9b will be described with reference to FIG.
FIG. 18 is a diagram for explaining the operation example.
Step ST221:
The server device 19b confirms whether the degenerate key data has already been set (updated) in the SAM unit 9b.
Step ST222:
The server device 19b notifies the server device 19a that the degenerate key data has already been set in the SAM unit 9b. That is, the application element data APE to be transferred is notified to the reference source that the SAM unit 9b has already been prepared.
Step ST223:
The server device 19a changes the internal state (mode) of the CPU 66 of the SAM unit 9a to a mode in which inter-SAM cooperation is possible.
Step ST224:
The server device 19a requests the SAM unit 9a to perform processing using the IC card 3 (IC module 42).
Step ST225:
The CPU 66 of the SAM unit 9a performs processing based on the request, and during the processing,
When degenerate key data that is application element data APE existing in the SAM unit 9b is required and the degenerate key does not exist in the SAM unit 9a, the description has been made with the SAM unit 9b with reference to FIG. Perform mutual authentication and establish a session.

Step ST226:
The CPU 66 of the SAM unit 9a transmits a degenerate key data transfer request (SAMAPETC shown in FIG. 14) to the SAM unit 9b.
Step ST227:
In response to the transfer request, the CPU 66 of the SAM unit 9b generates an inter-SAM element transfer response (SAMAPETR) shown in FIG. 16 in which the application element data APE of the designated degenerate key data is stored, and sends this to the SAM unit 9a. Send.
Step ST228:
The CPU 66 of the SAM unit 9a blocks the session established in step ST225, and performs processing related to the IC card 3 (IC module 42) using the degenerate key data stored in the received inter-SAM element transfer response.

Next, description will be made regarding an example in which the memory partitioning key package shown in FIG. 10 is generated and split by communication between the SAM units 9a and 9b. In this example, for example, the IC card 3 and the IC module 42 A memory operator who performs operations such as lending a memory storage area uses the SAM unit 9b, and a memory area provider uses the SAM unit 9a.
Here, the memory partitioning package is generated using the memory partitioning source package as a base.
The memory partitioning source package is generated by the SAM unit 9a on the operator side, and the memory partitioning package is generated by the SAM unit 9b on the memory area provider side.
Therefore, when the SAM unit 9b generates a memory partitioning package, it is necessary to acquire the memory partitioning source package from the SAM unit 9a by inter-SAM communication.
FIG. 19 is a diagram for explaining generation and transfer processing of a memory partitioning package.
Step ST241:
The server device 19a of the memory operator issues a memory partitioning source package generation command to the SAM unit 9a.
The SAM unit 9a generates a memory partitioning source package in response to the command.
Step ST242:
The server device 19a notifies the server device 19b that the memory partitioning source package has been generated in the SAM unit 9a.
Step ST243:
The server device 19b issues a memory division packet data generation command to the SAM unit 9b.

Step ST244:
After the mutual authentication processing described with reference to FIG. 17 is performed between the SAM units 9b and 9a, the SAM unit 9b sends an inter-SAM element transfer command in the format shown in FIG. Transmit to the SAM unit 9a.
Step ST245:
In response to the inter-SAM element transfer command, the SAM unit 9a transmits the inter-SAM element transfer response shown in FIG. 16 storing the memory partitioning source package generated in step ST241 to the SAM unit 9b.
The SAM unit 9b generates a memory partitioning package using the received memory partitioning source package.
Step ST246:
The SAM unit 9b notifies the server device 19b that the memory partitioning package has been generated.
Step ST247:
The server device 19b notifies the server device 19a that the memory partitioning package has been generated.

Step ST248:
The server device 19a issues to the server device 19a a memory division command that instructs to divide the memory of the IC card 3 and the IC module 42.
Step ST249:
After the mutual authentication processing described with reference to FIG. 17 is performed between the SAM units 9b and 9a, the SAM unit 9a sends an inter-SAM element transfer command in the format shown in FIG. Transmit to unit 9b.
Step ST250:
In response to the inter-SAM element transfer command, the SAM unit 9b transmits the inter-SAM element transfer response shown in FIG. 16 storing the memory partitioning package generated in step ST245 to the SAM unit 9a.
Step ST251:
The SAM unit 9b uses the received memory partitioning package to access the IC module 42 stored in the portable communication device 41 via the server device 19b and the Internet 10, for example, and stores the memory of the IC module 42. Divide the area and let it be used by a predetermined service provider.

  The communication between the SAM units 9a and 9b described above may be performed by simultaneously setting a plurality of communication paths for transferring the application element data APE.

Hereinafter, a method for setting the tag data APE_TAG shown in FIG. 8 for the above-described memory partitioning package (APE) will be described.
When the storage areas in the memory of the IC card 3 and the IC module 42 are divided into multiple parts, names that are assumed to be used for the divided memory areas are set as the tag data APE_TAG. Specifically, as shown in FIG. 20, in the storage area (private) of the IC module 3a of the IC card 3 or the memory 50 of the IC module 42, the area used by the service provider B (Private B), and others After the service provider A is divided into areas used by the service provider A (Public A), the area (Private B) is divided into an area used by the service provider B1 (Private B1) and an area used by the service provider B2 (Private B2). ) And may be used separately.
In this case, the tag name “Public” is used for the Public area, and “PrivateB1” and “PrivateB2” are used for the Private area.
In this case, if the operator managing the SAM units 9a and 9b agrees on the contents of the above-described tag data APE_TAG and the memory partitioning package, a memory partitioning operation specifying the tag data APE_TAG can be realized. is there.

As a naming rule for tag data APE_TAG of a memory partitioning package that assumes multi-partitioning, use a character string that concatenates the type of issue package, memory partitioning package or other package, memory partition area name, area code, or service code To do.
Examples of package element tag instructions in the case shown in FIG. 20 are listed below.
"D: \\ PrivateB2" is used as the tag data APE_TAG of the memory partitioning package in the memory partitioning area B2, and "I: \\ PrivateB1" is used as the tag data APE_TAG of the issuing package of the memory partitioning area B1, and the public “S: ¥¥ Public ¥ 100C” is used as the tag data APE_TAG of the service “100C” in the area.

Hereinafter, the overall operation of the communication system 1 shown in FIG. 1 will be described.
21 and 22 are diagrams for explaining the overall operation of the communication system 1 shown in FIG.

Step ST21:
For example, a personal computer shown in FIG. 1 may be used as a script program in which a service provider 15_1 to 15_3 or a person who has received a request from the service provider describes processing for a transaction performed by the service provider using the IC card 3. Create on 16_1, 16_2, 16_3.
The administrator of the SAM module 8 creates AP management data corresponding to each of the service providers 15_1 to 15_3.

Step ST22:
AP management data is stored in the external memory 7.
Further, the script program created in step ST21 is downloaded from the personal computers 16_1, 16_2, and 16_3 to the external memory 7 of the SAM units 9a and 9b via the Internet 10, the ASP server devices 19a and 19b, and the SAM module 8. The The download process is managed by a script download task in the SAM module 8 as shown in FIG.

Step ST23:
According to the script interpretation task in the SAM module 8, IC card entity template data, input data block, output data block, log data block and calculation are performed for each service provider using AP management data and script programs. A definition data block is generated.
These generated data are stored in the memory 65 of the SAM module 8 shown in FIG.

Step ST24:
The IC card 3 (IC module 42) is issued to the user.
The memory 50 of the IC module 3a and the IC module 42 shown in FIG. 3 stores key data used for transactions with service providers with whom the user has contracted.
Note that the contract between the user and the service provider may be made via the Internet 10 after the IC card 3 is issued.

Step ST25:
For example, when the user accesses the server device 2 via the Internet 10 using the personal computer 5 and tries to purchase a product, the server device 2 requests processing to the ASP server devices 19a and 19b via the Internet 10. Put out.
When the ASP server devices 19 a and 19 b receive a processing request from the server device 2, the ASP server devices 19 a and 19 b access the personal computer 5 via the Internet 10. A processing request for the IC card 3 issued by the card reader / writer 4 is transmitted to the SAM module 8 of the SAM units 9a and 9b via the personal computer 5, the Internet 10, and the ASP server devices 19a and 19b.

Step ST26:
An entity creation request is issued from the ASP server devices 19a and 19b to the SAM module 8. The entity creation request stores data indicating the issuer of the IC card 3.

Step ST27:
When receiving the entity creation request, the SAM module 8 performs polling with the IC card 3.

Step ST28:
The entity generation task 71 of the SAM module 8 determines whether or not the number of IC card entity data existing in the SAM module 8 is within the maximum number defined by the SC command of the script program after the polling ends. If it is within the maximum number, the process proceeds to step ST29, and if not, the process ends.

Step ST29:
The entity generation task specifies, for example, which service provider's IC card entity template data is used based on data indicating the issuer of the IC card 3 stored in the entity creation request, and the specified IC card IC card entity data is generated using the entity plate data.

Step ST30:
The entity ID of the IC card entity data generated in step ST29 is output from the SAM module 8 to the ASP server devices 19a and 19b.

Step ST31:
The services available in the IC card 3 are checked by the IC card procedure management task of the SAM module 8.

Step ST32:
The IC card procedure management task of the SAM module 8 authenticates the validity of the IC card 3.

Step ST33:
The IC card 3 authenticates the validity of the SAM module 8.
Through steps ST32 and ST33, mutual authentication between the IC card 3 and the SAM module 8 is performed.
At this time, as described above, according to the application element data APE executed in the SAM module 8, the AP management data is referred to, the card access key is acquired, and the SAM module 8 and the IC are used by using the key. Mutual authentication is performed with the CPU 51 of the card 3.

Step ST34:
The IC card procedure management task of the SAM module 8 reads and writes data necessary for the procedure with the IC card 3.
Further, the IC card procedure management task 72 performs predetermined arithmetic processing using data read from the IC card 3 using an arithmetic expression specified based on the IC card entity data.

Step ST35:
The IC card procedure management task of the SAM module 8 outputs the processing result of step ST34 to the ASP server devices 19a and 19b.

Step ST36:
For example, the IC card procedure management task of the SAM module 8 erases the IC card entity data.

As described above, according to the communication system 1 and the SAM units 9a and 9b, application element data APE such as a card access key and a key issuing package can be exchanged by the inter-SAM communication.
Further, since the disclosure range of the application element data APE to other SAMs can be defined as a setting for performing inter-SAM communication, the access range from the other application element data APE can be defined on the publishing SAM side.
Further, according to the communication system 1 and the SAM units 9a and 9b, since the access attribute to the application element data APE can be defined as the setting for performing the inter-SAM communication, the public side SAM side can access the application element data APE. Write rights, read rights, and execute rights can be set individually.

Further, according to the communication system 1 and the SAM units 9a and 9b, the authority to set the disclosure range and access attributes of the application element data APE can be defined as settings for performing inter-SAM communication. Can be prevented.
Further, according to the communication system 1 and the SAM units 9a and 9b, the application element data APE is disclosed in order to set the disclosure range of the application element data APE in the mutual authentication key data unit as the setting for performing the inter-SAM communication. This can reduce the burden of mutual authentication processing.

Further, according to the communication system 1 and the SAM units 9a and 9b, in the mutual authentication between the SAMs, in the case of the same mutual authentication key and the mutual authentication range, a part of the mutual authentication process can be omitted. It becomes possible to reduce the communication cost accompanying the authentication and the processing in the SAM.
Further, according to the communication system 1 and the SAM units 9a and 9b, by using the tag data APE_TAG to specify the application element data APE for transfer in the inter-SAM communication, various memory by the service provider and the memory operator can be used. Management becomes possible.
Further, according to the communication system 1 and the SAM units 9a and 9b, in the inter-SAM communication, by expanding the type and contents of the application element data APE for transfer and transferring a log or the like related to card processing, It is possible to notify the previous SAM of the start / end of processing.

Further, according to the communication system 1 and the SAM unit 9a, the application program AP is configured using a plurality of application element data APE, and the processing contents of each application element data APE using the AP management table data and the APP table data. By defining the above, various services using the IC card 3 can be provided.
Further, according to the communication system 1, using the AP management table data and the APP table data, the use of the application element data APE within the same SAM and the use of the application element data APE between different SAMs are highly secure. Can be realized flexibly while keeping.
Further, according to the communication system 1, when application element data APE is used between different SAMs, mutual authentication is performed between the SAMs, so that the security of the application program can be increased.

[Other Embodiments]
FIG. 23 is a diagram for explaining another embodiment of the present invention.
As shown in FIG. 23, in IC card (IC module) 510, data A handled by service provider A that provides a predetermined service using IC module 3a or IC module 42, and data handled by service provider B There are two data areas of B.
Key data A and key data B necessary for accessing the inside of the IC card 510 by the reader / writer 511 are set for each.
The reader / writer 511 (A) is owned by the service provider A, and the reader / writer 513 (B) is owned by the service provider B.
The reader / writer 511 possessed by the service provider A holds the key A generated by the service provider A that enables access to the data A in the IC card 510, and the reader / writer possessed by the service provider B. B holds the key data B generated by the service provider B that enables access to the data B in the IC card.
The key data is set in advance using the control unit 512. When a command indicating key data setting is issued from the control unit 512, the reader / writer 511 holds the key data.

In FIG. 23, there is only one control unit 512 and it is connected to the reader / writer 511, but it is assumed that the service provider B also sets key data by the control unit 512 in advance for the reader / writer 513. . As a result, the key data A generated by the service provider A is not known to the service provider B, and conversely, the key data B generated by the service provider B is not known to the service provider A.
The control unit 512 is connected to the reader / writer 511 via the control communication path, and transmits a command for accessing data in the IC card 510 from the control unit 512 to the reader / writer 511.
The command includes reading of a designated area of the memory in the IC card 510, writing of designated data to the designated area, and the like. In the case of reading, the read data is returned to the control via the communication path. In the case of writing, success / failure is returned to the control unit 512 via the communication path.

For example, assume that an IC card 510 storing data A and data B is connected to a reader / writer 511 via an IC card communication path. The IC card communication path may be any means as long as it can exchange some information such as wired, wireless, and optical. Here, it is assumed that the control unit issues a command to read data A in the IC card 510 and write data A into data B to the reader / writer 511 via the control communication path.
At this time, the reader / writer 511 needs to access both the data A and the data B in the IC card 510 as described above. Since the reader / writer 511 holds only the key data A that can access the data A, the reader / writer 511 issues an acquisition request for the key data B that can access the data B to the cooperation unit A.
The cooperation unit A connects to the cooperation unit B in the reader / writer 513 via the reader / writer communication path, and transmits the acquisition request to the cooperation unit B. The reader / writer communication path may be any means as long as it can exchange some information, such as wired, wireless, and optical, like the above-described IC card communication path. The information flowing through the reader / writer communication path is encrypted by the key data C held by the linkage unit A and the linkage unit B, so that it is not possible to know what information is being exchanged. The cooperation unit B in the reader / writer B that has received the acquisition request sends the key data B that allows access to the data B in the IC card 510 via the reader / writer communication path encrypted by the key data C. The data is returned to the cooperation unit A in the reader / writer 511. Through the above operation, the reader / writer 511 can obtain both the key data A necessary for accessing the data A in the IC card 510 and the key data B necessary for accessing the data B.
As a result, the data A in the IC card 510 can be read and the data A can be written in the data B area.

Since the reader / writers 511 and 513 hold various key data information, they cannot be easily analyzed. FIG. 24 shows an example of the configuration of the reader / writers 511 and 513.
The CPU 532 is an arithmetic control unit that performs overall control. The memory unit 533 is divided into a program unit 541 in which a calculation control procedure of the CPU 532 is recorded, and a data unit 542 that holds a calculation control result by the CPU 532.
The encryption unit 534 uses the key data provided from the CPU 532 to encrypt or decrypt the data provided from the CPU 532.
The CPU 532, the memory unit 533, and the encryption unit 534 are connected via the internal bus 531 and handle a lot of information that needs to be concealed. Therefore, the CPU 532 is mounted on the same chip 520 so that its operation cannot be analyzed from the outside. It has become.
The control IF 523 is an interface that communicates with the control unit 512 illustrated in FIG. 23, transmits data provided from the CPU 532 to the control unit 512, and takes in data received from the control unit 512 to the CPU 532.
The card IF 521 is an interface that communicates with the IC card 510, transmits data provided from the CPU 532 to the IC card 510, and receives data received from the IC card 510 into the CPU 532.
The cooperative IF 522 is an interface that communicates with other readers / writers, transmits data provided from the CPU 532 to other readers / writers, and takes in data received from other readers / writers to the CPU 532.

In the reader / writers 511 and 513 in FIG. 23, only the key data C is set in advance, and the service provider who owns the reader / writer cannot know.
On the other hand, the service provider A generates key data A that can access the data A in the IC card 510 before use, and the CPU 532 controls the control IF 523 from the procedure stored in the program unit 541 in the memory unit 533. The key data data is read and held in a specific area in the memory unit 533.
Further, an information management area for managing which data in the IC card 510 can be accessed by the key data currently held by the reader / writer exists in the data unit 542 in the memory unit 533.
The information management area can know the key data possessed by itself by referring to the table shown in FIG. The 8-digit hexadecimal number 12345678 which is the key data shown in FIG. 25 shows an example.

  When the IC card 510 in which data A and data B are stored is connected via the card IF 521 and a command is sent from the control unit 512 to write the area of the data A to the data B via the control IF 523, the reader The writer 511 checks the information management area. Since there is only key data A that can access data A in the data unit 542 of the memory unit 533, the reader / writer 513 is requested to acquire key data B via the cooperation IF 522. The information management area of the reader / writer 513 that has received the request holds the table shown in FIG. 26 and stores, for example, an 8-digit hexadecimal number “56789ABC” that is key data.

  When the reader / writer 513 that has received the request examines the information management area, it can be seen that the reader / writer 513 holds the key data necessary for accessing the data B. And return it. The linkage IF 522 is encrypted with key data C set in advance, and the key data B returned from the reader / writer 513 to the reader / writer 511 is not leaked.

The lifetime of key data in a reader / writer after being acquired from another reader / writer can be handled as follows.
(1) Hold permanently unless there is an explicit delete command from the control unit 512.
(2) Keep holding until a certain time elapses with a time limit.
(3) Acquire sequentially from the corresponding reader / writer as necessary.
In the above-described example, when the key data necessary for accessing the data in the IC card 510 is held by another reader / writer, the case where the key data is acquired from another reader / writer is described as an example. The information to be handled does not need to be key data, and can be applied to various types of information.
FIG. 27 shows an example of an information management area in consideration of handling data other than key data.
In FIG. 27, two IC card access key data are held, and the accessible areas are data A and data B. The attribute column indicates where the original information exists. If it is with itself, it indicates that it is in its own device. It can be seen that the IC card access key data of data B is obtained from the reader / writer B. As described above, the information management area of information acquired from other than itself changes in accordance with the handling of the set lifetime.
Up to this point, an example in the case of two readers / writers was assumed, but three or more readers / writers may be used. Communication between readers / writers can also be used in a wider network environment. FIG. 28 is a diagram showing a configuration example when the above is applied.
Until now, the cooperation unit has been connected between a one-to-one reader / writer, but in FIG. 28, it is connected to a public network such as the Internet. Here, key data required when the reader / writer 611 and the reader / writer 613 communicate with each other is key data AB, and is necessary when the reader / writer 611 and the reader / writer 614 communicate with each other. If the key data is different from each other as the key data AC, it is not only possible to intercept each other's communication, but for example, the reader / writer 613 is permitted to obtain information from the reader / writer C without permission. Can prevent access.

As described above, according to the embodiments of the present invention, a communication method, a data processing device, and a program that can quickly provide a service linked between a plurality of data processing devices (SAMs) are provided. be able to.
Further, according to the embodiment of the present invention, it is possible to appropriately manage data to be concealed from the other party and data to be disclosed between data processing apparatuses storing data and programs related to service provision of different service providers. A communication method, a data processing device, and a program thereof can be provided.

FIG. 1 is an overall configuration diagram of a communication system according to the present embodiment. FIG. 2 is a functional block diagram of the IC card shown in FIG. FIG. 3 is a diagram for explaining the memory shown in FIG. FIG. 4 is a diagram for explaining the software structure of the SAM module shown in FIG. FIG. 5 is a diagram for explaining the storage area of the external memory shown in FIG. FIG. 6 is a diagram for explaining the application program shown in FIG. 5 as a reference source. FIG. 7 is a diagram for explaining the details of the data PT and OPT shown in FIG. FIG. 8 is a diagram for explaining the application program shown in FIG. FIG. 9 is a diagram for explaining the details of the data PT and OPT shown in FIG. FIG. 10 is a diagram for explaining the type of application element data APE. FIG. 11 is a functional block diagram of the SAM module shown in FIG. FIG. 12 is a diagram for explaining a communication method between the SAM units shown in FIG. FIG. 13 is a diagram for explaining a case where a degenerate key is transferred in the inter-SAM unit communication shown in FIG. FIG. 14 is a diagram for explaining the inter-SAM element transfer command SAMAPETC. FIG. 15 is a diagram for explaining the element attributes shown in FIG. FIG. 16 is a diagram for explaining the inter-SAM element transfer response SAMAPETR. FIG. 17 is a diagram for explaining the procedure of mutual authentication between SAMs. FIG. 18 is a diagram for explaining an operation example of the transfer of the degenerate key data between the SAM units described above with reference to FIG. FIG. 19 is a diagram for explaining generation and transfer processing of a memory partitioning package. FIG. 20 is a diagram for explaining a setting method of the tag data APE_TAG shown in FIG. 8 for the memory division package (APE). FIG. 21 is a diagram for explaining the overall operation of the communication system shown in FIG. FIG. 22 is a diagram for explaining the overall operation of the communication system shown in FIG. FIG. 23 is a diagram for explaining another embodiment of the present invention. FIG. 24 is a view for explaining another embodiment of the present invention. FIG. 25 is a diagram for explaining another embodiment of the present invention. FIG. 26 is a diagram for explaining another embodiment of the present invention. FIG. 27 is a diagram for explaining another embodiment of the present invention. FIG. 28 is a diagram for explaining another embodiment of the present invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Communication system, 2 ... Server apparatus, 3 ... IC card, 3a ... IC module, 4 ... Card reader / writer, 5 ... Personal computer, 7 ... External memory, 8 ... SAM module, 9, 9a ... SAM unit, 15_1 -15_3 ... Service provider, 19 ... ASP server device, 41 ... Mobile communication device, 42 ... IC module, 43 ... Communication processing unit

Claims (14)

Data for providing services using data stored in the memory of an IC card or IC module that communicates with at least the first server device and the second server device via a network using the communication function of the communication device A data processing method for performing processing,
First and second data processing devices that respectively execute first and second application programs required for processing for accessing data stored in the memory are respectively connected to the first server without going through a network. Connected to the device and the second server device,
The first data processing apparatus holds first management data indicating a data module used by the first application program among a plurality of data modules constituting the second application program, and the first application When the second data processing device holds second management data indicating a data module permitted to be used by the program, the first data processing device and the second data processing device respectively Determining whether or not to perform mutual authentication with reference to mutual authentication presence / absence instruction data specifying whether or not to perform mutual authentication included in the first management data and the second management data;
When performing mutual authentication, the first data processing device performs the mutual authentication between the first data processing device and the second data processing device to confirm the validity of each other, and then the first data processing device performs the first authentication. A request specifying the data module to be used with reference to the management data is sent to the second data processing device,
When the second data processing apparatus refers to the second management data in response to the request and determines that the first application program is permitted to use the data module specified in the request Sending the data module specified in the request to the first data processing device;
The first data processing apparatus executes the first application program including the data module acquired from the second data processing apparatus, thereby accessing data necessary for providing a service and performing data processing. Do,
A data processing method. The first server device transmits a first request to the first data processing device;
In response to the first request, the first server device refers to the first management data and sends a second request specifying the data module to be used to the second data processing device. The data processing method according to claim 1. The second server device confirms whether or not the data module used by the first application program is available in the second data processing device, and the result of the confirmation is Notify the first server device,
The second server device confirms whether or not the data module used by the first application program is available in the second data processing device, and the result of the confirmation is Notify the first server device,
The data processing method according to claim 2, wherein the first server device transmits the first request to the first data processing device in response to the notification. The first data processing device holds the first management data storing key data used for mutual authentication performed with the second data processing device in order to use the data module;
The second management in which the second data processing device stores key data used for mutual authentication with the first data processing device in order to make the first application program use the data module. Keep the data,
The first data processing apparatus and the second data processing apparatus perform mutual authentication using key data stored in the first management data and the second management data, respectively. Data processing method. After completing the mutual authentication using the key data, the first data processing device transmits the request to the second data processing device, and then performs the mutual authentication again without performing the mutual authentication. The data processing method according to claim 1, wherein the request designating another data module associated with data is transmitted to the second data processing device. The second data processing device holds the second management data storing data defining a use form of the data module by the first application program;
The second data processing device refers to the second management data and permits the use of the data module by the first application program within the range of the specified usage mode. Data processing method. The second data processing device holds the second management data further defining a subject authorized to set the second management data;
The data processing method according to claim 1, wherein setting of the second management data is permitted only to a subject specified in the second data processing apparatus and the second management data. The first data processing device holds the first management data including tag data indicating the content or usage of the data module constituting the first application program,
2. The data processing method according to claim 1, wherein the second data processing apparatus holds the second management data including tag data indicating a content or usage of the data module constituting the second application program. . The first data processing device holds the first management data including data for managing the use of the port defined in the first application program according to authority or usage;
The second data processing device holds the second management data including data for managing the use of the port defined in the second application program according to authority or usage;
The first data processing device manages the use of the port defined in the first application program according to the authority or use defined in the first management data;
2. The data processing method according to claim 1, wherein the second data processing device manages use of a port defined in the second application program in accordance with an authority or use defined in the second management data. 3. . The first data processing device sends a request specifying the type of the data module to be used to the second data processing device;
The data processing method according to claim 1, wherein the second data processing device transmits a data module corresponding to the type of the designated data module to the first data processing device. Along with the data module related to the request, the second data processing device sends data indicating whether to permit temporary use or storage use of the data module by the data processing device to the first data processing device. Send
The data processing method according to claim 1, wherein the first data processing device temporarily uses or saves the data module received from the second data processing device based on the data. The first data processing device and the second data processing device communicate with an integrated circuit via the server device to provide a predetermined service,
The data processing method according to claim 1, wherein the data module indicates data or a procedure for operating a storage area of the integrated circuit. The data processing method according to claim 1, wherein a plurality of communication paths for transferring the data module are simultaneously set between the first data processing device and the second data processing device. First and second server devices respectively connected to the network;
An IC card or an IC module connected to the first and second server devices via the network and having a memory;
The first and second servers are connected to the first server device and the second server device without going through the network, respectively, and are necessary for processing to access data stored in the memory of the IC card or IC module. A first data processing device and a second data processing device that respectively execute two application programs;
A data processing system for performing data processing for providing a service using data stored in a memory of the IC card or the IC module,
The first data processing device holds first management data indicating a data module used by the first application program among a plurality of data modules constituting the second application program, and When holding second management data indicating a data module that is allowed to be used by the first application program by the data processing device,
Mutual authentication presence / absence instruction data for designating whether or not the first data processing device and the second data processing device perform mutual authentication included in the first management data and the second management data, respectively. Refer to determine whether to perform mutual authentication,
When performing mutual authentication, the first data processing device performs the mutual authentication between the first data processing device and the second data processing device to confirm the validity of each other, and then the first data processing device performs the first authentication. A request specifying the data module to be used with reference to the management data is sent to the second data processing device,
When the second data processing apparatus refers to the second management data in response to the request and determines that the first application program is permitted to use the data module specified in the request Sending the data module specified in the request to the first data processing device;
The first data processing apparatus executes the first application program including the data module acquired from the second data processing apparatus, thereby accessing data necessary for providing a service and performing data processing. Do,
A data processing system characterized by that.

Images