JP2014021922A - Ic card and portable electronic device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an IC card which is extremely safe and has a low risk for unauthorized use of the personal identification number, and a portable electronic device.SOLUTION: According to an embodiment, the IC card has receiving means, storage means, matching means, matching frequency counting means, updating means, and sending means. The receiving means receives instructions from an external device. The storage means stores registered data to be compared with data as a matching target contained in a matching instruction received by the receiving means. The matching means matches the registered data stored in the storage means to the matching target data contained in the matching instruction received by the receiving means. The matching frequency counting means counts the frequency of matching the matching target data to the registered data by the matching means. The updating means updates the registered data if the frequency of matching counted by the matching frequency counting means reaches the upper limit of matching frequency for the registered data. The sending means sends to the external device information indicative of the result of updating the registered data by the updating means.

Description

  Embodiments described herein relate generally to an IC card and a portable electronic device.

  Some portable electronic devices such as an IC card have an authentication function for determining whether the password registered in the IC card matches the password entered by the subject in the external terminal. However, if an IC card having an authentication function using a personal identification number is used without changing the personal identification number over a long period of time, the risk of unauthorized use increases.

ISO 7816

  In an embodiment of the present invention, an object is to provide a highly secure IC card and a portable electronic device that can reduce the risk of unauthorized use.

  According to the embodiment, the IC card includes a reception unit, a recording unit, a verification unit, a verification number counting unit, an update unit, and a transmission unit. The receiving means receives a command from an external device. The recording unit records registration data to be compared with the verification target data included in the verification command received by the receiving unit. The collation unit collates the registration data recorded in the recording unit with the collation target data included in the collation command received by the reception unit. The collation number counting means counts the number of collations in which the collation means collates the data to be collated with the registered data. The updating unit updates the registration data when the number of verifications counted by the verification number counting unit reaches an upper limit value of the number of verifications for the registered data. The transmission unit transmits information indicating an update result of the registration data by the update unit to the external device.

It is a figure showing an example of composition of an IC card system which has an IC card concerning a 1st embodiment, and an IC card processing device. It is a block diagram which shows the structural example of the IC card which concerns on 1st Embodiment. It is a figure which shows the example of the information regarding the collation processing of the PIN code which the non-volatile memory of the IC card which concerns on 1st Embodiment hold | maintains. It is a figure which shows the example of the collation state flag which RAM of the IC card which concerns on 1st Embodiment hold | maintains. It is a flowchart for demonstrating the operation example of the collation process of the PIN code in the IC card which concerns on 1st Embodiment. It is a flowchart for demonstrating the operation example of the collation process of the PIN code in the IC card which concerns on 1st Embodiment. It is a figure which shows the example of the information regarding the collation processing of the PIN code which the non-volatile memory of the IC card which concerns on 2nd Embodiment hold | maintains. It is a flowchart for demonstrating the operation example of the collation process of the PIN code by the IC card which concerns on 2nd Embodiment. It is a flowchart for demonstrating the operation example of the collation process of the PIN code in the IC card which concerns on 2nd Embodiment.

Hereinafter, a first embodiment will be described with reference to the drawings.
FIG. 1 is a block diagram for explaining a configuration of an IC card 2 as a portable electronic device according to the first embodiment and an IC card processing device 1 as an external device that communicates with the IC card 2.

  The IC card 2 has a personal authentication function based on a personal identification number. As an operation mode, for example, a cash card, a credit card, an ID card, and the like are assumed. Further, the IC card processing apparatus 1 performs various processes for a person who has been successfully authenticated by personal authentication processing using a personal identification number in the IC card 2 (personal identification number collation processing). A teller machine (ATM), a credit card processor, a personal authentication device, or a traffic control device is assumed.

First, the configuration of the IC card processing apparatus 1 will be described.
As shown in FIG. 1, the IC card processing apparatus 1 includes a control unit 11, a display 12, an operation unit 13, a card reader / writer 14 and the like as shown in FIG. The IC card processing apparatus 1 is assumed to have various operation modes as described above, and may have a configuration corresponding to the operation mode in addition to the configuration shown in FIG.

The control unit 11 controls the operation of the entire IC card processing apparatus 1. The control unit 11 includes a CPU, various memories, various interfaces, and the like. For example, the control unit 11 may be configured by a personal computer (PC).
The control unit 11 has a function of transmitting a command to the IC card 2 by the card reader / writer 14 and a function of performing various processes based on data such as a response received from the IC card 2. For example, the control unit 11 transmits a verification request command including a personal identification number (input personal identification number) as verification target data input by the operation unit 13 to the IC card 2 via the card reader / writer 14, thereby causing the IC card 2. Is controlled to request a password verification process (personal authentication based on the password). In addition, the control unit 11 has a function of performing various processes using information (for example, personal information) stored in the IC card 2 when the IC card 2 has succeeded in personal authentication using a personal identification number.

The display 12 is a display device that displays various information under the control of the control unit 11. The display 12 is, for example, a liquid crystal monitor.
The operation unit 13 is input with various operation instructions and a password by the user of the IC card processing apparatus 1. The operation unit 13 transmits the input operation instruction and data such as a password to the control unit 11. The operation unit 13 is, for example, a keyboard, a numeric keypad, and a touch panel.

  The card reader / writer 14 is an interface device for performing communication with the IC card 2. The card reader / writer 14 is configured by an interface corresponding to the communication method of the IC card 2. For example, when the IC card 2 is a contact type IC card, the card reader / writer 14 is configured by a contact portion for physically and electrically connecting with a contact portion of the IC card 2.

  When the IC card 2 is a non-contact type IC card, the card reader / writer 14 includes an antenna for performing wireless communication with the IC card 2 and a communication control unit. The card reader / writer 14 performs power supply, clock supply, reset control, and data transmission / reception with respect to the IC card 2. With such a function, the card reader / writer 14 performs activation (activation) of the IC card 2, transmission of various commands, reception of responses (responses) to the transmitted commands, and the like based on control by the control unit 11.

Next, the IC card 2 will be described.
The IC card 2 is activated (becomes operable) upon receiving power or the like from a host device such as the IC card processing device 1. For example, when the IC card 2 is connected to the IC card processing device 1 by contact-type communication, that is, when the IC card 2 is configured by a contact-type IC card, the IC card 2 is a contact unit as a communication interface. The IC card processor 1 is activated by receiving the operation power supply and the operation clock from the IC card processing apparatus 1 through the IC card.

  Further, when the IC card 2 is connected to the IC card processing device 1 by a non-contact type communication method, that is, when the IC card 2 is constituted by a non-contact type IC card, the IC card 2 is used as a communication interface. A radio wave is received from the IC card processing apparatus 1 via the antenna and modulation / demodulation circuit, and an operation power supply and an operation clock are generated from the radio wave by a power supply unit (not shown) and activated.

Next, a configuration example of the IC card 2 will be described.
FIG. 2 is a block diagram schematically showing a configuration example of the IC card 2 according to the first embodiment. The IC card 2 has a card-like main body C formed of plastic or the like. The IC card 2 has a module M built in the main body C. The module M is integrally formed in a state where one or a plurality of IC chips Ca and a communication external interface (communication interface) are connected, and is embedded in the main body C of the IC card 2.

  In the configuration example illustrated in FIG. 2, the IC card 2 includes a CPU 21, a ROM 22, a RAM 23, a nonvolatile memory 24, and an external I / F 25. These units are connected to each other via a data bus. Further, the CPU 21, ROM 22, RAM 23, and non-volatile memory 24 are configured by one or a plurality of IC chips Ca, and configure the module M in a state of being connected to the external I / F 25.

  The CPU 21 functions as a control unit that controls the entire IC card 2. The CPU 21 performs various processes based on the control program and control data stored in the ROM 22 or the nonvolatile memory 24. For example, the CPU 21 executes various programs according to the operation control of the IC card 2 or the operation mode of the IC card 2 by executing a program stored in the ROM 22. Note that some of the various functions may be realized by a hardware circuit. In this case, the CPU 21 controls functions executed by the hardware circuit.

  The ROM 22 is a non-volatile memory that stores a control program and control data in advance. The ROM 22 is incorporated in the IC card 2 in a state where a control program, control data, and the like are stored at the manufacturing stage. That is, the control program and control data stored in the ROM 22 are incorporated in advance according to the specifications of the IC card 2.

  The RAM 23 is a volatile memory. The RAM 23 temporarily stores data being processed by the CPU 21. For example, the RAM 23 includes a reception buffer, a calculation buffer, a transmission buffer, and the like. As a reception buffer, a command transmitted from the IC card processing apparatus 1 through the external I / F 25 is held. As a calculation buffer, the CPU 21 holds temporary results for various calculations. As a transmission buffer, data to be transmitted to the IC card processing apparatus 1 through the external I / F 25 is held.

  The nonvolatile memory 24 is configured by a nonvolatile memory capable of writing and rewriting data, such as an EEPROM or a flash ROM. The non-volatile memory 24 stores a control program, an application, and various data according to the usage application of the IC card 2. For example, in the nonvolatile memory 24, a program file and a data file are created. Each created file is written with a control program and various data.

  The external I / F 25 is an interface for communicating with the card reader / writer 14 of the IC card processing apparatus 1. When the IC card 2 is realized as a contact type IC card, the external I / F 25 performs communication control for transmitting and receiving signals in physical and electrical contact with the card reader / writer 14 of the IC card processing apparatus 1. Part and a contact part. When the IC card 2 is realized as a non-contact type IC card, the external I / F 25 includes a communication control unit such as a modulation / demodulation circuit for performing wireless communication with the card reader / writer 14 of the IC card processing device 1. It consists of an antenna.

FIG. 3 is a diagram illustrating an example of information used for a password collation process (personal authentication process using a password) stored in the nonvolatile memory 24 of the IC card 2 according to the first embodiment.
The non-volatile memory 24 of the IC card 2 is provided with a storage area 24a for storing information used for the password collation process. In the configuration example shown in FIG. 3, the storage area 24a stores a personal identification number, a verification error counter, a verification error count upper limit, a verification count counter, a verification count upper limit, an old security code, and the like.

  The personal identification number is verification information stored as registration data used for authentication. For example, the personal identification number may be written in the storage area 24a when the IC card 2 is issued, or the personal identification number designated by the user of the IC card 2 is written (or rewritten) after the IC card 2 is issued. May be. The method of writing (or rewriting) the personal identification number is not limited to a specific configuration.

  The verification error counter is a counter that counts the number of times the verification of the password has failed. The verification error counter is set to an initial value (for example, 0) when the IC card 2 is issued. If the verification fails, the IC card 2 counts up the value of the verification error counter. In other words, the verification error counter stores the number of times the verification of the password has failed.

  The upper limit value of the number of verification errors is the number of verification errors allowed in the authentication process using a password. When the value of the verification error counter reaches the upper limit value of the number of verification errors, the IC card 2 puts the IC card 2 into a state that accepts only a password change request command (a lock state waiting for change). That is, when the collation of the personal identification number fails, the IC card 2 counts up the collation error counter, and compares the counted up collation error counter value with the upper limit value of the collation error count. When the verification error counter has reached the upper limit value of the number of verification errors, the IC card 2 performs a process of setting the lock state waiting for the change.

  The verification number counter is a counter that counts the number of times that the PIN number is verified. The IC card 2 counts the number of verifications whether the verification of the personal identification number fails or succeeds. The verification number counter is set to an initial value (for example, 0) when the IC card 2 is issued. When the collation of the password is performed, the IC card 2 counts up the collation number counter. That is, the verification number counter stores the number of times that the password has been verified.

  The upper limit value of the number of collations is the number of collations allowed by the IC card 2 for one password. When the verification counter reaches the upper limit of the verification count, the IC card 2 determines that the password is to be updated. That is, when the collation of the personal identification number is executed, the IC card 2 counts up the collation number counter, and compares the counted value of the collation number counter with the upper limit value of the collation number. When the verification number counter reaches the upper limit value of the verification number, the IC card 2 determines that the password is to be updated. When it is determined that the password is in a state to be updated, the IC card 2 performs a password update process.

  The old password is a password set before the currently set password. In other words, the old password is the password before being updated to the current password. For example, when the password has never been updated, a number that cannot be used as the password (for example, “0000” or “9999”) may be stored as the old password. Even when the old password is deleted, the old password may not be used as the password. That is, the process of deleting the old password may be a process of rewriting the old password with a number that cannot be used as the password.

  FIG. 4 is a diagram illustrating an example of the collation state flag stored in the RAM 23.

As shown in FIG. 4, the RAM 23 is provided with a storage area 23a for storing a collation state flag.
The collation state flag stored in the storage area 23a of the RAM 23 is information indicating the collation result of the password. For example, the collation state flag is set to “collation mismatch” as a default state when the IC card 2 is activated. Further, when the personal identification number (input personal identification number) input to the IC card processing device 1 matches the personal identification number (registered personal identification number) stored in the storage area 24a of the nonvolatile memory 24, the IC card 2 Information indicating “matching match” is stored in the storage area 23a as a matching status flag. Further, when the input password and the registered password do not match, the IC card 2 stores information indicating “matching mismatch” as the matching status flag in the storage area 23a.

Next, a password comparison process (authentication process using a password) in the IC card 2 according to the first embodiment will be described.
Here, it is assumed that personal authentication is performed on the IC card 2 using a personal identification number. If the input password as the verification target data input to the IC card processing apparatus 1 by the subject using the IC card 2 matches the registered password stored as registration data in the IC card 2, the IC card 2 Determines that the personal authentication processing for the user has succeeded. In addition, the IC card 2 counts the number of times the collation process is executed (the number of collations) every time the collation process is executed. When the number of verifications reaches the upper limit of the number of verifications, the IC card 2 performs a process of updating the personal identification number as registration data.

  The IC card processing apparatus 1 makes the IC card 2 and the card reader / writer 14 presented by the subject communicable. For example, when the IC card 2 is a contactless IC card, the subject holds the IC card 2 over the card reader / writer 14 of the IC card processing device 1. The control unit 11 of the IC card processing apparatus 1 supplies radio waves to the IC card 2 placed on the card reader / writer 14 to activate the IC card 2. When the IC card 2 is activated, the IC card processing device 1 is ready to send a command to the IC card 2.

  When the IC card 2 is a contact communication type IC card, the subject inserts the IC card 2 into the card reader / writer 14 of the IC card processing apparatus 1. The control unit 11 of the IC card processing device 1 supplies the operating power and the operating clock to the IC card 2 inserted in the card reader / writer 14 to activate the IC card 2. When the IC card 2 is activated, the IC card processing device 1 is ready to send a command to the IC card 2.

When communication with the IC card 2 is possible, the IC card processing apparatus 1 performs personal authentication processing for the target person in order to perform processing using the IC card. Here, it is assumed that the IC card 2 performs the personal authentication process of the target person using the personal identification number. In order to perform authentication processing using a personal identification number, the control unit 11 of the IC card processing apparatus 1 prompts the subject to input the personal identification number to the operation unit 13. When the subject inputs a password using the operation unit 13, the control unit 11 generates a verification command (a verification request command) that includes the input security code (input password) as verification target data. The control unit 11 transmits the generated verification request command to the IC card 2 via the card reader / writer 14.
The IC card processing device 1 may perform processing for obtaining the personal information of the target person after performing processing (activation processing) for making the IC card 2 communicable first, The activation process may be performed after the information acquisition process is performed first.

5 and 6 are flowcharts for explaining the flow of the password collation process in the IC card 2 according to the first embodiment.
The IC card 2 is activated upon receiving power supply from the IC card processing device 1. After being activated, the IC card 2 receives various commands from the IC card processing apparatus 1 by the external I / F 25 and performs various processes according to the received commands. Here, it is assumed that the IC card 2 has received a verification request command including an input password as verification target data from the IC card processing device 1 by the external I / F 25.

  When receiving the verification request command from the IC card processing device 1 (step S10, YES), the CPU 21 of the IC card 2 extracts the input personal identification number stored in the received verification request command, and uses the extracted input personal identification number. Store in the RAM 23. When the input password is extracted, the CPU 21 verifies whether the password (registered password) to be compared with the input password is stored in the storage area 24a of the nonvolatile memory 24 as registered data (step S11). For example, when the personal identification number stored in the storage area 24a of the nonvolatile memory 24 is damaged or when the personal identification number is not stored in the nonvolatile memory 24, the CPU 21 sends a verification request command. It is determined that the password to be compared with the input encryption number included is not stored.

  When it is determined that the password to be compared with the input password included in the verification request command is not stored in the nonvolatile memory 24 (step S12, NO), the CPU 21 indicates that there is no password to be compared. A response (response indicating “password specification error”) is generated, and the generated response is transmitted to the IC card processing device 1 (step S13). When the generated response is transmitted to the IC card processing apparatus 1, the CPU 21 ends the process for the received verification request command.

  When it is determined that the password to be compared is stored in the storage area 24a of the non-volatile memory 24 (step S12, YES), the CPU 21 initializes (clears) the collation state flag in the storage area 23a of the RAM 23. (Step S14).

  When the collation state flag is cleared, the CPU 21 verifies whether or not the number of collation errors is within an allowable range (step S15). That is, the CPU 21 reads the value of the collation error counter and the upper limit value of the number of collation errors from the storage area 24a of the nonvolatile memory 24, and compares them. By this comparison, the CPU 21 determines whether or not the value of the collation error counter in the storage area 24a has reached the upper limit of the number of collation errors (whether or not collation error counter <the upper limit of the number of collation errors) (step S16). ). For example, when the upper limit value of the number of verification errors is “5”, the CPU 21 determines whether or not the value of the verification error counter is smaller than 5.

  When it is determined that the value of the verification error counter has reached the upper limit of the number of verification errors (step S16, NO), the CPU 21 generates response data indicating that the IC card 2 is in the “locked state”. The generated response data is transmitted to the IC card processing apparatus 1 (step S17). When the response is transmitted to the IC card processing apparatus 1, the CPU 21 places the IC card 2 in the “locked state” (step S18), and ends the process for the verification request command.

  If it is determined that the collation error counter has not reached the upper limit value of the number of collation errors (collation error counter <collation error counter upper limit value) (step S16, YES), the CPU 21 sets the current setting from the storage area 24a of the nonvolatile memory 24. The registered personal identification number is read, and the input personal identification number included in the verification request command stored in the RAM 23 is compared with the registered personal identification number (step S19). By this comparison, the CPU 21 determines whether or not the input personal identification number matches the registered personal identification number stored in the storage area 24a of the nonvolatile memory 24 (step S20).

  If it is determined that the input password and the registered password match (step S20, YES), the CPU 21 sets data indicating “matching match” as a matching status flag in the storage area 23a of the RAM 23 (step S21). When data indicating “collation match” is set as the collation state flag, the CPU 21 determines whether or not the password (old password) before update is stored in the storage area 24a of the nonvolatile memory 24 (step S22).

  When it is determined that the old password is stored (step S22, YES), the CPU 21 deletes the old password stored in the storage area 24a of the nonvolatile memory 24 (step S23). For example, the CPU 21 deletes the old password by rewriting the old password with a number that cannot be used as the password (for example, “0000” or “9999”). However, the method of deleting the old password is not limited to a specific method as long as the old password is substantially deleted. By deleting the old personal identification number, the CPU 21 counts up the verification error counter even after the target person has input the old personal identification number after successful verification with the new personal identification number.

  When the old password has been deleted or when it is determined that the old password has not been stored in the storage area 24a (step S22, NO), the CPU 21 stores it in the storage area 23a as a verification target flag. Response data including data indicating “matching match” is generated (step S24). For example, the CPU 21 generates (holds) response data including data indicating “matching match” on the RAM 23. The response data may be generated (held) on the nonvolatile memory 24.

  When generating response data including data indicating “matching match”, the CPU 21 counts up the matching number counter in the storage area 24a (step S25). For example, the CPU 21 reads the value of the matching number counter from the storage area 24a of the nonvolatile memory 24, and counts up the value of the matching number counter as a new value of the matching number counter in the storage area 24a of the nonvolatile memory 24. Store (rewrite). Thereby, CPU21 can record the frequency | count that collation was performed.

  When the verification counter is counted up, the CPU 21 determines whether or not the value of the verification counter has reached the upper limit of the verification count (step S26). For example, the CPU 21 reads the value of the verification number counter and the upper limit value of the verification number from the storage area 24a of the nonvolatile memory 24, and compares them. When it is determined that the value of the verification number counter has not reached the upper limit value of the verification number (step S26, YES). The CPU 21 transmits response data generated on the RAM 23 or the like to the IC card processing apparatus 1 through the external I / F 25 (step S27). That is, when the input code number and the registered code number match, the CPU 21 returns data indicating “matching match” to the IC card processing apparatus 1.

  If it is determined that the input password included in the verification request command does not match the registered password stored in the storage area 24a of the nonvolatile memory 24 (NO in step S20), the CPU 21 stores the stored password in the nonvolatile memory 24. It is determined whether or not the old password is present in the area 24a (for example, whether or not the old password is not a numerical value that cannot be used as the password) (step S28). Here, the CPU 21 determines whether the password has not been updated so far, or whether it has been authenticated with the current password after being updated.

  If it is determined that the old password is present (step S28, YES), the CPU 21 determines whether or not the input password matches the old password (step S29). When it is determined that the input personal identification number and the old personal identification number stored in the storage area 24a of the nonvolatile memory 24 do not match (NO in step S29), or the old personal identification number is stored in the storage area 24a of the nonvolatile memory 24. If it is determined that there is not (NO in step S28), the CPU 21 counts up a collation error counter in the storage area 24a (step S30). For example, the CPU 21 reads the value of the collation error counter from the storage area 24a, and stores (rewrites) the value obtained by counting up the value of the collation error counter in the storage area 24a as a new collation error counter.

  When the verification error counter is counted up or when it is determined that the input password and the old password match, the CPU 21 sets data indicating “verification mismatch” as a verification status flag in the storage area 23a of the RAM 23 ( Step S31). That is, when the input code number matches the old code number, the CPU 21 does not increment the verification error counter. Thereby, even if the target person erroneously inputs the password before update (old password), the verification error counter is not counted up, and the IC card 2 is not locked. In addition, when the target person has been input and approved once even after the update, the verification error counter is counted up even if the target person inputs the password before the update. As a result, the state in which the verification error counter is not counted up when the target person inputs the password before update is not continued.

  When data indicating “verification mismatch” is set as the verification status flag in the storage area 23a, the CPU 21 generates response data including data indicating “verification mismatch” stored in the storage area 23a as the verification target flag (step S32). . For example, the CPU 21 generates (holds) response data including data indicating “verification mismatch” on the RAM 23. The response data may be generated (held) on the nonvolatile memory 24.

  When the response data including data indicating “verification mismatch” is generated, the CPU 21 sets the value of the verification number counter to “(the upper limit value of the verification number) −1” (that is, the value of the verification number counter = the upper limit value of the verification number− 1) is determined (step S33). This is to determine whether or not the value of the collation counter reaches the upper limit of the collation count when the collation counter is counted up next time.

  If it is determined that the value of the number of matching counter is the upper limit value-1 of the number of matching times (step S33, YES), the CPU 21 skips the process of counting up the number of matching times counter (the process of step S25) and proceeds to step S26. Then, it is determined whether or not the value of the collation number counter has reached the upper limit value of the collation number. That is, if the value of the verification number counter is the verification number counter upper limit value−1, the CPU 21 prevents the verification number from being updated when the verification of the personal identification number fails by not counting up the verification number counter. be able to.

  If it is determined that the value of the collation counter is not the collation counter upper limit −1 (NO in step S33), the CPU 21 proceeds to step S25 and counts up the collation counter. When the verification counter is counted up, the CPU 21 determines whether or not the value of the verification counter has reached the upper limit of the verification count (step S26).

  When it is determined that the value of the verification number counter has not reached the upper limit value of the verification number (step S26, YES). The CPU 21 transmits the response data generated by the RAM 23 or the like to the IC card processing apparatus 1 through the external I / F 25 (step S27). That is, if the input password and the registered password do not match, the CPU 21 returns data indicating “verification mismatch” to the IC card processing apparatus 1.

  On the other hand, when it is determined that the value of the collation count counter has reached the upper limit value of the collation count (that is, the collation count counter ≧ the collation count counter upper limit value) (step S26, NO), the CPU 21 stores the nonvolatile memory 24. The password stored in the storage area 24a is updated (step S34). Various forms can be applied as a method for updating the personal identification number. For example, an operation mode in which the target person designates a new password may be used, or an operation mode in which the IC card 2 generates a new password.

  The following procedure can be considered as an example of the operation mode in which the target person designates a new password. In other words, when the password of the IC card 2 needs to be updated, the CPU 21 sends data indicating that the password has become unusable (or needs to be updated) through the external I / F 25. It transmits to the IC card processing apparatus 1. When the data indicating that the password has become unusable is received, the control unit 11 of the IC card processing device 1 displays a message prompting the user to change the password on the display 12, and the user is given a new password. Prompt for When the target person inputs a new personal identification number to the operation unit 13, the control unit 11 of the IC card processing apparatus 1 transmits the new personal identification number input by the target person to the IC card 2 through the card reader / writer 14. The CPU 21 of the IC card 2 rewrites the password stored in the storage area 24 a of the nonvolatile memory 24 with a new password received from the IC card processing device 1. At this time, the CPU 21 of the IC card 2 rewrites the old password in the storage area 24a of the nonvolatile memory 24 with the password before update.

  Further, as an example of an operation mode in which the IC card 2 generates a new password, the following procedure can be considered. That is, the CPU 21 of the IC card 2 generates a new password when the password needs to be updated. The new password may be randomly generated or may be generated by applying a predetermined rule to the current password. In addition, as a method of generating a new password by applying a predetermined rule (calculation) to the current password, a new password is created by combining information (personal information) that the person can know with the current password. Generate a new password by performing logical arithmetic processing on the current password, or generate a new password by replacing the number of a specific digit in the current password. Also good. When a new password is generated, the CPU 21 of the IC card 2 rewrites the password stored in the storage area 24a of the non-volatile memory 24 with a new password, and rewrites the old password with the password before update.

After rewriting the personal identification number, the CPU 21 transmits update information of the personal identification number including the new personal identification number together with normal response data to the IC card processing apparatus 1 through the external I / F 25. The control unit 11 of the IC card processing apparatus 1 that has received the password update information displays, for example, a new password on the display 12 and notifies the subject of the new password. When a new password is generated in accordance with a predetermined rule, the IC card 2 uses not the new password itself but the rule applied to generate a new password as update information of the password. 1 may be notified. In this case, the IC card processing apparatus 1 may display the rule that generated the new password without directly displaying the new password.
When the update of the personal identification number in the storage area 24a is completed (step S35, YES), the CPU 21 clears the verification number counter in the storage area 24a of the nonvolatile memory 24 (the value of the verification number counter is 0) (step S36). . In other words, the CPU 21 resets the collation count for counting the collation count to be collated with the new password by clearing the collation count counter.

  When the verification counter is cleared, the CPU 21 transmits the response data generated on the RAM 23 and the update information of the personal identification number to the IC card processing device 1 through the external I / F 25 (step S37), and the process is terminated. Here, the update information of the personal identification number is the personal identification number after the change, or information indicating the rule used for changing the personal identification number.

  For example, if the target person designates a new personal identification number, after changing to the personal identification number designated by the target person, the information indicating the update success or the personal identification number after the change is used as the update information of the personal identification number. It transmits to the card processing apparatus 1. Further, if the IC card 2 is an operation mode for generating a new password, after changing to a new password generated by the IC card 2, the changed password is used as the update information for the password. Transmit to device 1.

  When the update of the password is not completed (for example, when the target does not input a new password in the operation mode in which the target specifies a new password) (step S35, NO), the CPU 21 Sets the IC card 2 in a locked state (password waiting for update of the security code lock state) in which processing other than the security code update processing cannot be executed (step S38). When the password update lock state is entered, the IC card 2 does not execute any processing other than the password update processing until the password update is completed. When entering the lock waiting state for the security code update, the CPU 21 of the IC card 2 transmits a response to the IC card processing device 1 indicating that no processing other than the security code update processing is executed (step S39).

  In addition, the IC card 2 after entering the lock waiting state for the security code may be subjected to a password update process in response to a password update command from an external device such as the IC card processing device 1. In this case, the CPU 21 of the IC card 2 only needs to release the lock waiting state for update of the password and execute processing other than the update processing when the update of the password is completed. According to the processing in steps S34 to S39, when the value of the verification number counter reaches the upper limit value of the verification number, the IC card 2 performs processes other than the security code update process until the security code is updated. By prohibiting execution, it is possible to prompt the subject to forcibly update the password.

  According to the first embodiment as described above, when the collation process with one password reaches a predetermined number of times, the IC card performs an update process for updating the registered password to a new password. . Further, the IC card cannot execute processes other than the password update process until the password update process is completed. Thereby, the IC card 2 can be forced to update the password every time the predetermined number of collations is reached, and the security of the personal authentication process using the password and the password can be improved. In addition, according to the above-described embodiment, the higher the number of password verification processes (password usage frequency) in the IC card 2, the more frequently the password is updated. Is possible.

Next, a second embodiment will be described.
In the second embodiment, the IC card counts the number of times the authentication process using the password is successful, and performs the password update process when the number of successes reaches a predetermined number. However, the hardware of the IC card processing system and the IC card 2 can be realized by the same configuration as that described in the first embodiment as shown in FIGS. For this reason, the hardware configuration of the IC card processing system and the IC card 2 will not be described in detail as shown in FIGS.

FIG. 7 is a diagram illustrating an example of information stored in the storage area 24a of the nonvolatile memory 24 of the IC card 2 according to the second embodiment. FIG. 7 is a diagram illustrating an example of information stored in the storage area 23a of the RAM 23 of the IC card 2 according to the second embodiment.
In the example shown in FIG. 7, the storage area 24 a of the non-volatile memory 24 of the IC card 2 according to the second embodiment includes a personal identification number, a verification error counter, a verification error count upper limit value, a verification success count counter, and a verification success count. The upper limit value and the old password are stored.

  The verification success number counter is a counter that counts the number of times the verification of the password is successful. The successful verification counter counts the number of successful verifications of the password. For example, the verification success counter is set to an initial value (for example, 0) when the IC card 2 is issued. When the verification of the password is successful, the IC card 2 counts up the verification success number counter. The successful verification counter is reset to an initial value when a predetermined condition is satisfied. For example, the number of successful verification counter stores the number of successful verifications of the personal identification number until one personal identification number is updated, and is reset when the personal encryption code is updated to a new personal identification number. .

The upper limit value of the number of successful collations is the number of successful collations allowed by the IC card 2. When the value of the verification success count counter reaches the upper limit of the verification success count, the IC card 2 updates the password. The method for updating the personal identification number may be the same as the method described in the first embodiment. When the password verification is successful, the IC card 2 counts up the verification success count counter, and compares the counted up verification success count counter with the upper limit of the verification success count. When the value of the verification success number counter reaches the upper limit value of the verification success number, the IC card 2 updates the password.
The password, verification error counter, verification error counter upper limit value, and old password number may be in the same state as the password, verification error counter, verification error counter upper limit value, and old password number shown in FIG. That is, the personal identification number is information for verification stored as registration data used for authentication. The verification error counter is a counter that counts the number of times the verification of the password has failed. The upper limit value of the number of verification errors is the number of verification errors allowed in the authentication process using a password. When the value of the verification error counter reaches the upper limit value of the verification error count, the IC card 2 puts the IC card 2 itself into a locked state. The old password is a password set before the currently set password.

  Also in the IC card 2 according to the second embodiment, the RAM 23 is provided with a storage area 23a for storing a collation state flag as shown in FIG. The collation state flag stored in the storage area 23a of the RAM 23 is information indicating the collation result of the password. For example, when the input personal identification number matches the registered personal identification number, the IC card 2 stores information indicating “verification coincidence” as a verification state flag in the storage area 23a. Further, when the input password and the registered password do not match, the IC card 2 stores information indicating “matching mismatch” as the matching status flag in the storage area 23a.

Next, a password verification process in the IC card 2 according to the second embodiment will be described.
Here, as in the first embodiment, it is assumed that the IC card 2 performs a personal authentication process using a personal identification number in response to a verification request command from the IC card processing apparatus 1. If the input password as the verification target data input to the IC card processing apparatus 1 by the subject using the IC card 2 matches the registered password stored as registration data in the IC card 2, the IC card 2 Determines that the personal authentication processing for the user has succeeded. Further, the IC card 2 counts the number of times of successful collation (number of successful collations) every time the collation is successful. When the number of successful collations reaches a predetermined upper limit value, the IC card 2 performs an update process for updating registered data. Here, it is assumed that the verification target data and registration data used for the personal authentication process are passwords.

  First, the control unit 11 of the IC card processing device 1 makes the IC card 2 presented by the subject and the card reader / writer 14 communicable.

  When communication with the IC card 2 is possible, the IC card processing device 1 performs personal authentication processing using a personal identification number in order to perform various processes using the IC card. In order to perform personal authentication processing using a personal identification number, the control unit 11 of the IC card processing apparatus 1 prompts the subject to input the personal identification number to the operation unit 13. When the subject inputs a password using the operation unit 13, the control unit 11 generates a verification command (a verification request command) that includes the input security code (input password) as verification target data. The control unit 11 transmits the generated verification request command to the IC card 2 via the card reader / writer 14.

FIGS. 8 and 9 are flowcharts for explaining the flow of the password collation process in the IC card 2 according to the second embodiment.
That is, the IC card 2 is activated upon receiving power supply from the IC card processing device 1. After being activated, the IC card 2 receives various commands from the IC card processing apparatus 1 by the external I / F 25 and performs various processes according to the received commands. Here, it is assumed that the IC card 2 has received a verification request command including an input password as verification target data from the IC card processing device 1 by the external I / F 25.

  When receiving the verification request command from the IC card processing apparatus 1 (step S40, YES), the CPU 21 of the IC card 2 extracts the input personal identification number stored in the received verification request command, and uses the extracted input personal identification number. Store in the RAM 23. When the input password is extracted, the CPU 21 verifies whether the password (registered password) to be compared with the input password is stored as registration data in the storage area 24a of the nonvolatile memory 24 (step S41). For example, when the personal identification number stored in the storage area 24a of the nonvolatile memory 24 is damaged or when the personal identification number is not stored in the nonvolatile memory 24, the CPU 21 sends a verification request command. It is determined that the password to be compared with the input encryption number included is not stored.

  When it is determined that the password to be compared with the input password included in the verification request command is not stored in the nonvolatile memory 24 (step S42, NO), the CPU 21 indicates that there is no password to be compared. A response (response indicating “password identification error”) is generated, and the generated response is transmitted to the IC card processing device 1 (step S43). When the generated response is transmitted to the IC card processing apparatus 1, the CPU 21 ends the process for the received verification request command.

  When it is determined that the password to be compared is stored in the storage area 24a of the nonvolatile memory 24 (step S42, YES), the CPU 21 initializes (clears) the collation state flag in the storage area 23a of the RAM 23. (Step S44).

  When the collation state flag is cleared, the CPU 21 verifies whether or not the number of collation errors is within an allowable range (step S45). That is, the CPU 21 reads the value of the collation error counter and the upper limit value of the number of collation errors from the storage area 24a of the nonvolatile memory 24, and compares them. By this comparison, the CPU 21 determines whether or not the value of the collation error counter in the storage area 24a has reached the upper limit of the number of collation errors (whether or not collation error counter <the upper limit of the number of collation errors) (step S46). ). For example, when the upper limit value of the number of verification errors is “5”, the CPU 21 determines whether or not the value of the verification error counter is smaller than 5.

  When it is determined that the value of the collation error counter has reached the upper limit value of the number of collation errors (step S46, NO), the CPU 21 generates response data indicating that the IC card 2 is in the “locked state”. The generated response data is transmitted to the IC card processing apparatus 1 (step S47). When the generated response is transmitted to the IC card processing apparatus 1, the CPU 21 places the IC card 2 in the “locked state” (step S48), and ends the process for the verification request command.

  When it is determined that the verification error counter has not reached the upper limit value of the verification error count (verification error counter <matching error counter upper limit value) (step S46, YES), the CPU 21 stores the input password and the nonvolatile memory 24. It is determined whether the registered personal identification numbers stored in the area 24a match (step S49).

  When it is determined that the input password and the registered password match (step S50, YES), the CPU 21 sets data indicating “matching match” as a matching status flag in the storage area 23a of the RAM 23 (step S51). When data indicating “collation match” is set as the collation state flag, the CPU 21 determines whether or not the password (old password) before update is stored in the storage area 24a of the nonvolatile memory 24 (step S52).

  When it is determined that the old password is stored (step S52, YES), the CPU 21 deletes the old password stored in the storage area 24a of the nonvolatile memory 24 (step S53). For example, the CPU 21 deletes the old password by rewriting the old password with a number that cannot be used as the password (for example, “0000” or “9999”). However, the method of deleting the old password is not limited to a specific method as long as the old password is substantially deleted. By deleting the old personal identification number, the CPU 21 counts up the verification error counter even after the target person has input the old personal identification number after successful verification with the new personal identification number.

  When the old password has been deleted or when it is determined that the old password has not been stored in the storage area 24a (step S52, NO), the CPU 21 stores it in the storage area 23a as a verification target flag. Response data including data indicating “matching match” is generated (step S54). For example, the CPU 21 generates (holds) response data including data indicating “matching match” on the RAM 23. The response data may be generated (held) on the nonvolatile memory 24.

  When generating response data including data indicating “matching match”, the CPU 21 counts up the number of successful matching counters in the storage area 24a (step S55). For example, the CPU 21 reads the value of the verification success number counter from the storage area 24a of the nonvolatile memory 24, and stores the value of the verification success number counter in the nonvolatile memory 24 as a new value of the verification success number counter. Store (rewrite) in the area 24a. Thereby, CPU21 can record the frequency | count that collation was successful.

  When the verification success counter is counted up, the CPU 21 determines whether or not the value of the verification success counter has reached the upper limit of the verification success count (step S56). For example, the CPU 21 reads the value of the verification success number counter and the upper limit value of the verification success number from the storage area 24a of the nonvolatile memory 24, and compares them. When it is determined that the value of the number of successful collation counters has not reached the upper limit of the number of successful collation (step S56, YES), the CPU 21 sends the response data generated on the RAM 23 to the IC card processing device 1 through the external I / F 25. Transmit (step S57). In this case, since the input personal identification number matches the registered personal identification number, the IC card 2 returns data indicating “matching match” to the IC card processing apparatus 1.

  When it is determined that the input password included in the verification request command and the registered password stored in the storage area 24a of the nonvolatile memory 24 do not match (step S50, NO), the CPU 21 It is determined whether or not the old password is present in the storage area 24a (for example, whether or not the old password is a numerical value that cannot be used as the password) (step S58). Here, the CPU 21 determines whether the password has not been updated so far, or whether it has been authenticated with the current password after being updated.

  When it is determined that the old password is present (step S58, YES), the CPU 21 determines whether or not the input password matches the old password (step S59). When it is determined that the input security code and the old security code stored in the storage area 24a of the nonvolatile memory 24 do not match (NO in step S59), or the old security code is stored in the storage area 24a of the nonvolatile memory 24. If it is determined that there is not (step S58, NO), the CPU 21 counts up the collation error counter in the storage area 24a (step S60).

  When the verification error counter is counted up, or when it is determined that the input security code matches the old security code (step S59, YES), the CPU 21 sets “verification mismatch” as a verification status flag in the storage area 23a of the RAM 23. The data shown is set (step S61).

  When the input code number and the old code number match, the CPU 21 does not increment the verification error counter. Thereby, even if the target person erroneously inputs the password before update (old password), the verification error counter is not counted up, and the IC card 2 is not locked. In addition, when the target person has been input and approved once even after the update, the verification error counter is counted up even if the target person inputs the password before the update. As a result, the state in which the verification error counter is not counted up when the target person inputs the password before update is not continued.

  When data indicating “collation mismatch” is set as the collation status flag in the storage area 23a, the CPU 21 generates response data including data indicating “collation mismatch” stored in the storage area 23a as the collation target flag (step S62). . When the response data including data indicating “verification mismatch” is generated on the RAM 23, the CPU 21 transmits the response data in the RAM 23 to the IC card processing device 1 through the external I / F 25 (step S63). In this case, since the input personal identification number and the registered personal identification number do not match, the IC card 2 returns response data indicating “verification mismatch” to the IC card processing apparatus 1.

  On the other hand, when it is determined that the value of the collation count counter has reached the upper limit value of the collation count (that is, the collation count counter ≧ the collation count counter upper limit value) (step S56, NO), the CPU 21 stores the nonvolatile memory 24. Update processing for updating the password stored in the storage area 24a is performed (step S64). As a method for updating the personal identification number, various forms as described in the first embodiment can be applied. For example, an operation mode in which the target person designates a new password may be used, or an operation mode in which the IC card 2 generates a new password.

  When the update of the personal identification number in the storage area 24a is completed (step S65, YES), the CPU 21 clears the verification success number counter in the storage area 24a of the nonvolatile memory 24 (the value of the verification success number counter is 0) (step). S66). In other words, the CPU 21 resets the collation count for counting the collation count to be collated with the new password by clearing the collation count counter.

  When the verification counter is cleared, the CPU 21 transmits the update information of the personal identification number to the IC card processing apparatus 1 through the external I / F 25 together with the response data including the data indicating “matching match” generated on the RAM 23 (step S67). ), The process is terminated. Here, as described in the first embodiment, the update information of the security code is a security code after the change or information indicating a rule used for changing the security code.

  If the update of the personal identification number is not completed (step S65, NO), the CPU 21 locks the IC card 2 other than the process for updating the personal identification number (the personal identification number is waiting to be updated). (Step S68). When the password update lock state is entered, the IC card 2 does not execute any processing other than the password update processing until the password update is completed. When entering the lock waiting state for updating the personal identification number, the CPU 21 of the IC card 2 transmits a response to the IC card processing apparatus 1 indicating that no processing other than the processing for updating the personal identification number is performed (step S69).

  In addition, the IC card 2 after entering the lock waiting state for the security code may be subjected to a password update process in response to a password update command from an external device such as the IC card processing device 1. In this case, the CPU 21 of the IC card 2 only needs to release the lock waiting state for update of the password and execute processing other than the update processing when the update of the password is completed. According to the processing in steps S64 to S69, the IC card 2 performs a process other than the password update process until the password is updated when the value of the number of successful matching counter reaches the upper limit of the number of successful matching. By disabling the process, it is possible to prompt the subject to forcibly update the password.

  According to the second embodiment as described above, when the number of successful verifications with one personal identification number reaches a predetermined number of times, the IC card 2 performs a process of updating the registered personal identification number, and shows data indicating successful verification. And a response indicating the updated password. Further, the IC card 2 cannot execute any process other than the password update process until the password update process is completed. As a result, the IC card 2 can forcibly update the personal identification number every time the number of successful verifications reaches a predetermined number, and can improve the security of personal identification processing using the personal identification number and personal identification number. Become.

  In the first embodiment and the second embodiment, the authentication process using the personal identification number has been described as an example. However, the authentication data used for the authentication process may be a character, a symbol, or a combination thereof. Authentication data used for the authentication process is not limited to a specific format.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

  DESCRIPTION OF SYMBOLS 1 ... IC card processing apparatus (external device), 2 ... IC card (portable electronic device), 11 ... Control part, 12 ... Display, 13 ... Operation part, 14 ... Card reader / writer, C ... IC card main body, M ... IC module, Ca ... IC chip, 21 ... CPU, 22 ... ROM, 23 ... RAM, 24 ... nonvolatile memory, 25 ... external I / F.

Claims (10)

Receiving means for receiving a command from an external device;
Recording means for recording registration data to be compared with data to be collated included in a collation command received by the receiving means;
Collation means for collating the registration data recorded in the recording means and the collation target data included in the collation command received by the receiving means;
A number-of-matching counting unit that counts the number of matchings by which the matching unit collates the target data with the registration data;
An update unit that updates the registration data when the number of verifications counted by the verification number counting unit reaches an upper limit value of the number of verifications for the registered data;
Transmitting means for transmitting information indicating an update result of registration data by the updating means to the external device;
IC card equipped with. The updating means notifies the external device that registration data needs to be updated when the number of matching times reaches the upper limit value of the number of matching times, and follows the registration data update command received from the external device. Rewrite the registration data.
The IC card according to claim 1. Further, when the number of matching times has reached the upper limit value of the number of matching times, there is an operation limiting means that does not execute other than the update command of the registered data,
The transmission means transmits to the external device that only the registration data update command is executed until the update of the registration data is completed.
The IC card according to claim 2. The update means generates new registration data different from the registration data recorded in the recording means when the number of matching times reaches the upper limit value of the number of matching times, and the registration recorded in the recording means Rewrite the data with new registration data,
The transmission means transmits information including the new registration data to the external device;
The IC card according to claim 1. The update means generates new registration data by performing a predetermined calculation on the registration data recorded in the recording means.
The IC card according to claim 4. A verification failure counting unit that counts the number of verification failures between the verification target data and the registered data by the verification unit;
A lock unit that disables the IC card when the number of verification failures counted by the verification failure counting unit reaches an upper limit value of the verification failure;
A second recording unit that records the registration data before the update as the old registration data when the registration data is updated by the updating unit;
The collation unit collates the collation target and the old registration data when collation of the collation target data and the updated registration data updated by the update unit fails.
The collation failure counting means counts the number of collation failures as long as the collation target data matches the old registration data even when collation between the collation target data and the updated registration data fails. do not do,
The IC card according to any one of claims 1 to 5. The collation failure counting unit is configured to perform collation failure even if the collation target data matches the old registration data after the collation unit successfully collates the collation target data with the updated registration data. Count as number of times,
The IC card according to claim 6. Receiving means for receiving a command from an external device;
Recording means for recording registration data to be compared with data to be collated included in a collation command received by the receiving means;
Collation means for collating the registered data recorded in the recording means with the collation target data included in the collation command received by the receiving means;
A collation success counting means for counting the number of times the collation with the collation target data and the registered data by the collation means is successful;
An update unit that updates the registration data when the number of successful verifications counted by the verification success counting unit reaches an upper limit value of the number of successful verifications for the registered data;
Transmitting means for transmitting information indicating an update result of registration data by the updating means to the external device;
IC card equipped with. Receiving means for receiving a command from an external device; recording means for recording registration data to be compared with data to be collated included in a collation command received by the receiving means; the registration data recorded in the recording means; A collation unit that collates the collation target data included in the collation command received by the reception unit; a collation number counting unit that counts the number of collations between the collation target data and the registered data by the collation unit; When the number of verifications counted by the number counting unit reaches the upper limit value of the number of verifications with respect to the registration data, an update unit that updates the registration data and information indicating the update result of the registration data by the update unit are sent to the external device. A module comprising: a transmitting means for transmitting;
A main body comprising the module;
IC card equipped with. Receiving means for receiving a command from an external device;
Recording means for recording registration data to be compared with data to be collated included in a collation command received by the receiving means;
Collation means for collating the registered data recorded in the recording means with the collation target data included in the collation command received by the receiving means;
A number-of-matching counting unit that counts the number of matchings by which the matching unit collates the target data with the registration data;
When the number of verifications counted by the verification number counting unit reaches an upper limit value of the number of verifications with respect to the registration data, an update unit that updates the registration data, and information indicating a registration data update result by the update unit Transmitting means for transmitting to the device;
A portable electronic device comprising:

Images