JP2010250364A - Ic chip and data protection method or the like - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an IC chip and an IC card or the like for flexibly responding to various security requests. <P>SOLUTION: In the IC chip, a plurality of failure handling programs having different processing contents, which are executed when a failure is detected, are stored. When control information for designating any of the plurality of handling programs is input from the outside, a CPU 6 stores the control information. When the failure is detected, the CPU 6 executes the failure handling program designated by the control information among the plurality of failure handling programs. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a technical field such as an apparatus and a method capable of setting protection methods against various security attacks on data stored in an IC chip.

  In recent years, extremely important data (information) is stored in an IC chip mounted on an IC card, and various businesses are developed using the data. For example, a contactless IC card having an electronic money function stores data about assets owned by customers, and a business using the data is developed.

  Therefore, for the data stored in the IC card, from the viewpoint of ensuring the safety of transactions or protecting personal information, security is ensured, that is, the confidentiality, integrity and availability of these data. (Availability) needs to be secured.

  One of the factors that hinder the security is a security attack from a malicious third party against the IC chip. There are a plurality of security attacks according to the attack target, and there are a plurality of defense methods against the security attack according to the type of the attack.

  As an example of the security attack, for example, a laser attack with an electron beam can be cited. The laser attack is an attack aimed at reading or falsifying data stored (stored) in the IC chip by irradiating the IC chip with an electron beam to induce malfunction of the IC chip. As an example of a defense method against such a laser attack, a method is adopted in which software in the IC chip deletes the data when the attack is detected.

  The software security level is adjusted by setting the detection condition.

  However, even if the user is not malicious, if the IC card is accidentally removed from the reader / writer device during the operation of the IC card, the data in the IC chip may be destroyed. Then, the software determines that the data has been tampered with by the above-described detection method, and makes the internal data unusable.

  Therefore, high-level security measures with excessive defense functions are effective when used in regions (environments) where there are many malicious third parties, or when the data to be protected is very important. Otherwise, the user may be inconvenient.

  In view of the above points, in the past, assuming a situation in which the product is used in advance, software with security measures (setting the security level appropriately) corresponding to the situation has been developed, and an IC chip It was mounted on.

  The software is generally mounted on a mask ROM of an IC chip. Since the mask ROM is a non-volatile memory that cannot rewrite the stored contents, the contents of the software once stored cannot be changed or modified afterwards.

  Therefore, when the assumed usage environment (the situation in which the IC chip is used) changes and the security countermeasure method applied to the software needs to be changed (for example, the detection condition is changed), the mask is used. Once installed in ROM, such changes could not be made.

  Further, in order to make the above change, it is necessary to recreate the mask ROM, which causes problems such as an increase in manufacturing cost and a delay in delivery time, which is not realistic. It is also possible to write patch data (Patch data) to EEPROM (Electrically Erasable PROM) afterwards to change the operation of the software. However, if there is not enough free space in the EEPROM, the patch data Writing could not be done.

  Accordingly, the present invention has been made in view of the above problems, and an example of the purpose thereof is to set protection methods against various security attacks on data stored in an IC chip. An IC chip and a data protection method that can flexibly respond to various security requirements without modification of software stored in the memory.

  In order to solve the above problem, an IC chip according to claim 1 is an abnormality handling processing program executed when an abnormality is detected, and includes a plurality of the abnormality handling processing programs having different processing contents. An abnormality response processing program storage means for storing; an input means for inputting control information for designating any of the plurality of abnormality response processing programs from outside; a control information storage means for storing the control information; An abnormality response processing means for executing the abnormality response processing program designated by the control information among the plurality of abnormality response processing programs when detected.

  According to the present invention, a plurality of abnormality handling processing programs that are executed when an abnormality is detected and that are different from each other are stored, and the plurality of abnormality handling processes are externally stored. When control information for designating any of the programs is input, the control information is stored, and when an abnormality is detected, the abnormality handling processing program designated by the control information can be executed.

  Therefore, protection methods against various security attacks can be set for the data stored in the IC chip, and various security requirements can be flexibly dealt with without modifying the software stored in the IC chip. . Further, for example, the security level can be freely changed even after the mask ROM is created.

  The IC chip according to claim 2 is the IC chip according to claim 1, wherein a plurality of different application programs are stored in the IC chip so as to be executable, and the control information is stored for each of the application programs. The abnormality handling processing means executes the abnormality handling processing program designated by the control information corresponding to each application program when an abnormality is detected. .

  Therefore, it is possible to set a defense method against a different security attack for each application, and it is possible to respond more flexibly to various security requirements without modifying the software stored in the IC chip. Further, for example, the security level can be freely changed even after the mask ROM is created.

  An IC card according to a third aspect includes the IC chip according to any one of the first or second aspects and an IC card base.

  The data protection method according to claim 4, wherein the abnormality handling program is a malfunction handling program that is executed when a malfunction is detected, and stores a plurality of the malfunction handling programs that have different processing contents. And an input step for inputting control information for designating any of the plurality of abnormality handling processing programs from the outside, a control information storage step for storing the control information, and a plurality of the plurality of abnormality handling programs when an abnormality is detected. An abnormality handling processing step of executing the abnormality handling processing program specified by the control information.

  6. The data protection program according to claim 5, which is an abnormality response processing program executed when an abnormality is detected, and stores a plurality of abnormality response processing programs having different processing contents. An input means for inputting control information for designating one of the plurality of abnormality handling processing programs from the outside, a control information storage means for storing the control information, and an abnormality detected. In this case, the abnormality handling processing unit is configured to execute the abnormality handling processing program designated by the control information among the plurality of abnormality handling processing programs.

  As described above, according to the present invention, a plurality of abnormality handling processing programs that are executed when an abnormality is detected and that have different processing contents are stored. When control information for designating any one of a plurality of abnormality handling processing programs is input, the control information is stored, and when an abnormality is detected, the control information among the plurality of abnormality handling processing programs The abnormality handling processing program specified by the user can be executed, so that protection methods against various security attacks can be set for the data stored in the IC chip, and the software stored in the IC chip Various security requirements can be flexibly handled without modification.

It is a block diagram which shows the example of whole structure of an IC card. It is a conceptual diagram which shows the structure of the program memorize | stored in the storage area of ROM3 and EEPROM5 which concerns on this embodiment. It is a sequence diagram which shows the operation | movement outline | summary after a control flag rewrite command is input until a result is output. It is a figure which shows typically the correspondence which allocated the control flag corresponding to the said abnormality response processing program for every said bit. It is a flowchart which shows operation | movement of IC chip 1 when a control flag rewriting command is received. It is a figure which shows an example of the table by which the code | symbol of the control flag was rewritten based on the bit flag row | line | column. It is a flowchart which shows operation | movement of IC chip 1 at the time of security attack detection. It is a schematic diagram which shows the function outline | summary of an issued prohibition flag. It is a flowchart which shows operation | movement of IC chip 1 after prohibiting rewriting of the said control flag.

  Hereinafter, the best embodiment of the present application will be described with reference to the accompanying drawings. The embodiment described below is an embodiment when the present application is applied to an IC card.

  First, the configuration and functional overview of the IC card according to the present embodiment will be described with reference to FIG.

  FIG. 1 is a block diagram showing an example of the overall configuration of an IC card. As shown in FIG. 1, the IC card 8 includes an IC chip 1 on an IC card base 7.

  The IC chip 1 includes an I / O (input / output) interface 2, a ROM (Read Only Memory) 3, a RAM (Random Access Memory) 4, an EEPROM 5, a CPU (Central Processing Unit) 6, and the like.

  The I / O interface 2 is an input / output circuit for transmitting and receiving data, and the CPU 6 communicates with a reader / writer device and the like (not shown) via the I / O interface 2.

  The I / O interface 2 functions as input means of the present application, and control information and the like input from the outside, which will be described later, are input via the I / O interface 2 under the control of the CPU 6.

  A program to be executed by the CPU 6 is stored in the ROM 3, and the CPU 6 controls the IC chip 1 in an integrated manner based on this program.

  The structure of the program stored in the ROM 3 will be described with reference to FIG.

  FIG. 2A is a conceptual diagram showing the structure of a program stored in the storage area of the ROM 3 according to this embodiment.

  As shown in FIG. 2A, the program 11 stored in the storage area of the ROM 3 is defined with a control flag rewriting module 11a, a processing distribution module 11b, and the like. The functions of these modules will be described later.

  The RAM 4 is a memory used as a work area for the CPU 6 to control the IC chip 1 in an integrated manner.

  The EEPROM 5 is a kind of nonvolatile semiconductor memory, and is a PROM (Programmable Rom) that can erase data stored in a storage area and re-store it any number of times. Further, the EEPROM 5 functions as an abnormality handling processing program storage unit and control information storage unit of the present application, and stores data to be recorded on the IC chip 1 such as an abnormality handling processing program and control information.

  Here, the abnormality handling processing program is a program executed when an abnormality is detected. The abnormality handling processing program according to the present embodiment is defined so that when a security attack is detected as an example of an abnormality, the CPU 6 performs a predetermined operation to protect data stored in the EEPROM 5 or the like from the attack. Has been.

  Specifically, for example, when the CPU 6 detects that it has received a laser attack that is an example of a security attack, the CPU 6 stores the predetermined operation as, for example, the IC chip 1 under the execution of the application program. Deletes data, sends an error code indicating that the attack has occurred, or invalidates (does not accept) other commands. In the EEPROM 5, a plurality of abnormality handling processing programs having different processing contents are recorded.

  The control information is information for designating an abnormality handling processing program. In this embodiment, a control flag group is used as an example of control information.

  Next, programs and control flag groups stored in the storage area of the EEPROM 5 according to the present embodiment will be described with reference to FIGS.

  2B and 2C are conceptual diagrams showing the structure of a program stored in the storage area of the EEPROM 5 according to the present embodiment.

  As shown in FIG. 2B, in the storage area in the EEPROM 5, three application programs of an application program A (12), an application program B (13), and an application program C (14) are stored so as to be executable. Yes.

  Each application program is associated with a control flag group as an example of control information.

  In the present application, control program group A (12a) through control flag group C (14a) are associated with application program A (12) through application program C (14), respectively.

  FIG. 2C is a schematic diagram showing an outline of functions of the control flag group and the control flag.

  The control flag group includes a flag 1, a flag 2, a flag 3, and the like as control flags. The control flag is a code constituting a control flag group, and the code is rewritten by the operation of the CPU 6 or the like.

  The control flag is associated with the above-described abnormality handling processing program, and the CPU 6 designates the abnormality handling processing program associated with the control flag according to the content of the above-mentioned code, and the abnormality handling processing program defines it. It is determined whether or not to execute the operation.

  FIG. 2 (c) is a diagram schematically showing the specification and operation of the above-mentioned abnormality handling processing program of the CPU 6 when true (for example, 1) and false (for example, 0) are used as the control flag symbols. is there.

  For example, if the control flag is flag 1 and flag 1 indicates true, the CPU 6 designates the abnormality handling process program associated with flag 1 and executes operation 1 defined by the abnormality handling process program. On the other hand, if the flag 1 indicates “false”, the CPU 6 does not specify the abnormality handling processing program associated with the flag 1 and does not execute the operation 1 ( In other words, it is schematically shown that the operation 1 is not activated.

  It is also shown that the specification and operation of the abnormality handling program when the control flag is flag 2 and flag 3 are the same as flag 1.

  The CPU 6 controls the overall operation of the IC chip 1 based on the program as described above, and functions as the abnormality handling processing means of the present application.

  Next, the operation of the IC chip 1 included in the IC card 8 will be described with reference to FIGS.

  The operation of the CPU 6 in this embodiment is described in [1. Operation in rewriting control flag] and [2. Operation when security attack is detected].

  Hereinafter, the operation will be described in detail.

[1. Operation in rewriting control flag]
When the CPU 6 included in the IC chip 1 of the present embodiment receives a control flag group for designating one of the plurality of abnormality handling processing programs from the outside, it is stored in association with each application program. The control flag group is rewritten (or stored in the contents indicated by the input control flag group).

  The operation of the CPU 6 in rewriting the control flag will be described with reference to FIGS.

  First, an operation outline from when a control flag rewrite command is input to when a result is output will be described with reference to FIG.

  FIG. 3 is a sequence diagram illustrating an operation outline from when a control flag rewrite command is input to when a result is output.

  In the present embodiment, by inputting a control flag group, an abnormality handling processing program associated with the control flag constituting the control flag group is designated. Since the control flag group is associated with each application program, it can be specified for each application program.

  In order to make the above designation, first, an application program is started. By starting the application program, it is possible to rewrite the code of the control flag constituting the control flag group associated with the application program.

  And when rewriting the code | symbol of the control flag corresponding to another application program, the said other application can be started and the code | symbol of the control flag which comprises the control flag group matched with the said application program can be rewritten. It is like that.

  The above operation will be described in detail below.

  First, a control flag rewrite command (command) is input from a terminal device (not shown) (step S1).

  Here, the control flag rewrite command refers to a command for instructing the CPU 6 to rewrite the sign of the control flag. In the present embodiment, for example, when the user operates the terminal device (not shown), Input.

  In this embodiment, a bit flag string is used as an example of the control flag group, and the bit flag string is input to the IC card 8.

  Here, the bit flag string is a value that holds each bit of an integer type as a sign of a control flag, and in this embodiment, a control flag associated with an abnormality handling processing program for each bit. Is assigned.

  The CPU 6 rewrites the code of the control flag according to the value of the bit under the execution of the control flag rewriting module 11 of the program 11 stored in the storage area of the ROM 3 described above.

  FIG. 4 is a diagram schematically showing a correspondence relationship in which a control flag corresponding to the abnormality handling program is assigned to each bit.

  In the diagram shown in FIG. 4, a bit flag string part having an 8-bit length from bit 1 to bit 8 and a control flag associated with a different abnormality handling program for each bit are assigned and defined by the abnormality handling program. It consists of an action display that shows the contents of the action.

  In the bit flag string, bit 8 that is the eighth bit is assigned to the control flag associated with the abnormality handling processing program whose operation content defined by the abnormality handling processing program is “deletion of application itself”. It shows that.

  When the value of the bit indicates 0, the sign of the control flag is changed to false so that the abnormality handling program is not designated. As a result, since the abnormality handling processing program is not executed, the CPU 6 is prevented from executing “deletion of application itself” which is an operation defined by the abnormality handling processing program.

  On the other hand, when the value of the bit is 1, the sign of the control flag is changed to true, and the abnormality handling processing program is designated. As a result, since the abnormality handling program is executed, the CPU 6 is caused to execute “deletion of application itself” which is an operation defined by the abnormality handling program.

  The seventh bit, bit7, indicates that the content of the action defined by the abnormality handling program is assigned to the control flag associated with the abnormality handling program whose key data is “deleted”. ing.

  When the value of the bit indicates 0, the sign of the control flag is changed to false so that the abnormality handling program is not designated. As a result, since the abnormality handling program is not executed, the CPU 6 is not allowed to execute “deletion of key data” which is an operation defined by the abnormality handling program.

  On the other hand, when the value of the bit is 1, the sign of the control flag is changed to true, and the abnormality handling processing program is designated. As a result, since the abnormality handling processing program is executed, the CPU 6 is caused to execute “deletion of key data” which is an operation defined by the abnormality handling processing program.

  The sixth bit, bit6, indicates that the content of the operation defined by the abnormality handling processing program is assigned to the control flag associated with the program having “deletion of password”. .

  When the value of the bit indicates 0, the sign of the control flag is changed to false so that the abnormality handling program is not designated. As a result, since the abnormality handling program is not executed, the CPU 6 is not allowed to execute “deletion of the personal identification number” which is an operation defined by the abnormality handling program.

  On the other hand, when the value of the bit is 1, the sign of the control flag is changed to true, and the abnormality handling processing program is designated. As a result, since the abnormality handling program is executed, the CPU 6 is caused to execute “deletion of a personal identification number” which is an operation defined by the abnormality handling program.

  The fifth bit, bit5, is assigned to the control flag associated with the program whose operation content defined by the abnormality handling processing program is “returns an error code indicating that an attack has been received”. It shows that.

  When the value of the bit indicates 0, the sign of the control flag is changed to false so that the abnormality handling program is not designated. As a result, since the abnormality handling program is not executed, the CPU 6 is prevented from executing “returning an error code indicating that an attack has been received” which is an operation for defining the abnormality handling program image.

  On the other hand, when the value of the bit is 1, the sign of the control flag is changed to true, and the abnormality handling processing program is designated. As a result, since the abnormality handling program is executed, the CPU 6 is caused to execute “return an error code indicating that an attack has occurred”, which is an operation defined by the abnormality handling program.

  The fourth bit, bit4, is assigned to a control flag associated with the program whose operation content defined by the abnormality handling processing program is “no command accepted when an application is selected”. It is shown that.

  When the value of the bit indicates 0, the sign of the control flag is changed to false so that the abnormality handling program is not designated. As a result, since the abnormality handling program is not executed, the CPU 6 is not allowed to execute “not accepting a command while selecting an application”, which is an operation for defining the abnormality handling program image.

  On the other hand, when the value of the bit is 1, the sign of the control flag is changed to true, and the abnormality handling processing program is designated. As a result, since the abnormality handling processing program is executed, the CPU 6 is caused to execute “the command is not accepted during application selection”, which is an operation defined by the abnormality handling processing program.

  Also, bit 3 as the third bit and bit 1 as the first bit indicate that they are not assigned to the control flag corresponding to any abnormality handling processing program.

  In this way, by expressing the control flag group as a bit flag string, the codes of a plurality of different types of control flags can be rewritten in a batch.

  Returning to the description of FIG. 3, when the command is input, the CPU 6 performs a control flag rewriting process to be described later (step S2). Then, the result is output to the terminal device (step S3).

  In this way, any one of a plurality of abnormality handling processing programs can be designated from the outside using the bit flag string.

  The stage where the bit flag string is input can be performed at any time before or after the control flag rewrite command is input.

  Next, the operation of the IC chip 1 when the control flag rewrite command is received will be described with reference to FIGS.

  FIG. 5 is a flowchart showing the operation of the IC chip 1 when a control flag rewrite command is received.

  First, before the control flag rewrite command is received, the application program is started as described above to make it possible to receive the control flag rewrite command.

  When the IC chip 1 receives the control flag rewrite command (step S10), the CPU 6 analyzes the control flag rewrite command (step S11). Specifically, the CPU 6 that has received the input of the control flag rewrite command recognizes that the command is the control flag rewrite command, and prepares for the process of rewriting the control flag.

  Next, the CPU 6 rewrites (or writes) the code of the control flag associated with a predetermined operation in accordance with the bit flag string that has already been input or will be input (step S12), the EPPROM 5, etc. To remember.

  FIG. 6 is a diagram illustrating an example of a table in which the code of the control flag is rewritten based on the bit flag string.

  FIG. 6A is a diagram illustrating an example of a bit flag string.

  For example, the bit flag string unit 30 is composed of a bit flag string in which the values of bit 1 as the first bit to bit 8 as the eighth bit are “00001110” in order.

  FIG. 6B is a diagram illustrating an example of a table in which the control flag is rewritten based on the command.

  As described above, the CPU 6 rewrites the code of the control flag assigned to the bit having the value of each bit of 1 based on the above-described bit flag string as true.

  In FIG. 6B, since the fifth bit (bit 5) to the seventh bit (bit 7) of the bit flag string unit 30 are 1, the CPU 6 sets the sign of the control flag assigned to the bit to true. To be rewritten.

  Returning to the description of FIG. 5, when the writing of the control flag is completed, the CPU 6 outputs the result (step S13).

[2. Operation when a security attack is detected]
Next, the operation of the IC chip 1 when a security attack is detected as an example of abnormality detection will be described with reference to FIG.

  FIG. 7 is a flowchart showing the operation of the IC chip 1 when a security attack is detected.

  The IC chip 1 detects whether or not an abnormality has occurred during normal processing (for example, while the IC card 8 is used for commercial transactions and settlement processing is performed).

  An example of such an abnormality is a state in which a security attack is applied to the IC chip 1, for example.

  When the IC chip 1 is subjected to a security attack such as a laser attack, the clock frequency of the CPU 6 rapidly decreases, the voltage supplied to the IC chip 1 decreases rapidly, or data stored in the EEPROM 5 or the like is stored. Various phenomena such as rewriting occur. The CPU 6 detects these phenomena.

  If an abnormality is detected during the normal processing (step S20: YES), the CPU 6 is associated with the application program under the execution of the processing distribution module 11b of the program 11 stored in the storage area of the ROM 3 described above. The control flag group is read (step S21), and a predetermined operation of the program in which the sign of the control flag corresponding to the abnormality handling processing program is true is executed (step S22).

  Specifically, for example, the case where the control flag code is the same as the table shown in FIG. 6B will be described as an example. The CPU 6 that has detected the abnormality has a control flag corresponding to the abnormality handling processing program. An abnormality handling program that is true (1) is executed.

  More specifically, in the table of FIG. 6 (b), the abnormality handling program whose control flag corresponding to the abnormality handling program is true (1) indicates that the operation for defining the program image is “deletion of password”. "(Control flag assigning unit 25 in FIG. 6)", "deletion of personal identification number" (control flag assigning unit 26 in FIG. 6) and "returning an error code indicating that an attack has been received" (control flag assigning unit in FIG. 6) 27).

  Accordingly, the CPU 6 executes the processes of “deletion of the password”, “deletion of the password”, and “returning an error code indicating that the attack has been received” under the execution of each abnormality handling program. It has become.

  On the other hand, when no abnormality is detected during the normal process (step S20: NO), the detection is performed until the normal process is completed (step S23: NO). When the normal process is finished (step S24: YES), the process is finished.

[3. Operation of IC chip 1 after issuing process]
Next, the operation of the IC chip 1 after the issuing process will be described with reference to FIGS.

  When the IC card issuance process is completed and the IC card is operated (for example, when the business is developed using the IC card 8), the control flag is rewritten (defined by the abnormality handling program). Changing whether or not to execute the operation) may cause a decrease in security.

  Such rewriting makes it possible to rewrite not to execute all the operations defined by the abnormality handling processing program, and to disable all security countermeasure functions.

  In order to prevent the above problem, rewriting of the control flag can be prohibited after the issuing process.

  Specifically, for example, an issued prohibition flag may be provided in the application program.

  FIG. 8 is a schematic diagram showing a functional outline of the issued prohibition flag.

  The issued flag 40 is a code associated with, for example, an application program, and when the issuing process ends, the code of the issued flag 40 is rewritten by an instruction from the CPU 6 or the like.

  Meaning 15 indicates the content (definition) of the issued flag and the content of the rewritten code. Specifically, the flag indicating whether or not the flag has been issued as the content of the issued flag indicates that the content of the code to be rewritten is set to true (1) as a code if it has been issued. It is shown that the code can be rewritten to false (0) when not issued.

  The CPU 6 rewrites the above code to true when the issuance process is completed.

  When the code is true, the CPU 6 prohibits rewriting of the control flag even if the command is received.

  Next, the operation of the IC chip 1 after prohibiting rewriting of the control flag will be described with reference to FIG.

  FIG. 9 is a flowchart showing the operation of the IC chip 1 after prohibiting rewriting of the control flag.

  In this operation, the case where the issuance process and the control flag rewrite command are received simultaneously will be described. However, the operation is not limited to this operation.

  When the IC chip 1 receives the control flag rewrite command (step S30), the CPU 6 refers to the code of the issued flag 40 and determines whether or not the IC card 8 has been issued (step S31).

  Specifically, the CPU 6 refers to the code of the issued flag 40, and determines that it has been issued when the code is true, and has not been issued when the code is false.

  If it is determined that it has not been issued (step S31: NO), the CPU 6 analyzes the control flag rewriting command and prepares for the control flag rewriting process.

  Then, the CPU 6 rewrites the code of the control flag associated with the predetermined operation according to the bit flag string (step S32).

  Then, the sign of the issued flag is set to true (step S33), the result is output (step S34), and the process is terminated.

  On the other hand, if it is determined that it has been issued (step S31: YES), the control flag is not written, and a result indicating that is output (step S34).

  In the above embodiment, the rewriting of the control flag is prohibited after the issuing process. However, the rewriting of the control flag may be arbitrarily permitted.

  Specifically, for example, when a rewritable flag is provided in the application program, when the code indicated by the flag is true, rewriting of the control flag is always permitted, and when the code indicated by the flag is false May prohibit the rewriting of the control flag.

  When the code is true, the CPU 6 always permits rewriting of the control flag when the command is received.

  In this way, it is possible to take security measures according to the user's usage environment.

  As described above, in the present embodiment, an abnormality response processing program executed when an abnormality is detected, and a plurality of abnormality response processing programs having different processing contents and a plurality of application programs different from each other. Is stored in an executable manner, and when a control flag group for designating one of the plurality of abnormality handling processing programs is input from the outside, the control flag group is stored in association with each application program. When an abnormality is detected, the abnormality handling processing program designated by the control flag corresponding to each application program is executed among the plurality of abnormality handling processing programs.

  Therefore, it is possible to set a defense method against a different security attack for each application by a simple method, and it is possible to respond more flexibly to various security requirements without modifying the software stored in the IC chip. Further, for example, the security level can be freely changed even after the mask ROM is created.

  In the above embodiment, an example in which the present application is applied to an IC chip has been described. However, the present invention can be applied to, for example, a personal computer or an electronic device for home use.

1 IC chip 2 I / O interface 3 ROM
4 RAM
5 EEPROM
6 CPU
7 Card base 8 IC card

Claims (5)

An abnormality handling program that is executed when an abnormality is detected,
Anomaly handling process program storage means for storing a plurality of the anomaly handling process programs whose processing contents are different from each other;
Input means for inputting control information for designating any one of the plurality of abnormality handling processing programs from outside;
Control information storage means for storing the control information;
When an abnormality is detected, among the plurality of abnormality handling processing programs, an abnormality handling processing means for executing the abnormality handling processing program specified by the control information;
An IC chip comprising: The IC chip according to claim 1,
A plurality of different application programs are stored in the IC chip so as to be executable,
The control information is stored in association with each application program,
The abnormality handling processing means executes the abnormality handling processing program designated by the control information corresponding to each application program when an abnormality is detected. The IC chip according to any one of claims 1 and 2, an IC card substrate,
An IC card comprising: An abnormality handling program that is executed when an abnormality is detected,
An abnormality handling process program storage step for storing a plurality of the anomaly handling process programs whose processing contents are different from each other;
An input step for inputting control information for designating any of the plurality of abnormality handling processing programs from outside;
A control information storage step for storing the control information;
When an abnormality is detected, among the plurality of abnormality response processing programs, an abnormality response processing step of executing the abnormality response processing program specified by the control information;
A data protection method for an IC chip, comprising: An abnormality handling program that is executed when an abnormality is detected,
A computer included in an IC chip having an abnormality handling processing program storage means for storing a plurality of the abnormality handling processing programs having different processing contents;
Input means for inputting control information for designating any of the plurality of abnormality handling programs from outside;
Control information storage means for storing the control information;
An abnormality response processing means for executing the abnormality response processing program designated by the control information among the plurality of abnormality response processing programs when an abnormality is detected;
Data protection program characterized by functioning as

Images