JP2018163446A - Electronic information storage medium, ic card, tampering check method, and tampering check program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic information storage medium such as an IC chip or the like which is impossible for an attacker who makes laser irradiation attack to easily specify a position in a memory region where data requiring a high security level is stored.SOLUTION: An electronic information storage medium, which includes a normal storage region and a security storage region for storing security data with a high required security level, is configured to store check data in the normal storage region, perform a tampering check on the security storage area and the storage area in which the check data is stored, and perform processing upon tampering detection.SELECTED DRAWING: Figure 2

Description

  The present invention relates to the technical field of electronic information storage media such as IC (Integrated Circuit) chips.

  IC cards are used in credit cards, bank cash cards, ETC (registered trademark) (Electronic Toll Collection System) cards, SIM (Subscriber Identity Module Card) cards, etc., and high security is required due to the characteristics of their use. ing.

  An IC chip mounted on an IC card performs operations for authentication, saves a key, and the like, and is exposed to various external attacks in order to obtain such information illegally. Typical attacks include power consumption analysis attacks such as SPA (Simple Power Analysis) attacks and DPA (Differential Power Analysis) attacks, DFA (Differential Fault Analysis) attacks, and data falsification by laser irradiation.

  In the power consumption analysis attack, paying attention to the fact that the power consumption of the IC card correlates with the processing content, the information is illegally obtained by measuring the power consumption and performing statistical processing. On the other hand, Patent Document 1 discloses a countermeasure technique against a power consumption analysis attack.

JP 2005-322018 A

  On the other hand, an attack by laser irradiation is obtained by illegally obtaining information stored in an IC chip by irradiating a laser to the IC chip and falsifying data stored in the IC chip. It is implemented for the purpose of inducing fraudulent processing (such as successful completion of authentication processing using the wrong key).

  Conventionally, as countermeasures against attacks by laser irradiation, verification of important data with data duplication and error detection data (CRC (Cyclic Redundancy Check) etc.) has been performed, and if fraud is detected, IC Error processing such as stopping the chip function is performed. Here, when an attacker carries out an attack by laser irradiation, where the target data is stored on the IC chip (or where the execution program for the target processing is stored) is the appearance of the IC chip. Can not know from. Therefore, as one of the attack methods, there is a method of narrowing down the attack target while irradiating a plurality of locations on the IC chip with laser and confirming the behavior of the IC chip (whether error processing has been performed). . At this time, the attacker repeats the attack against a large number of IC cards until the attack is successful, but how many IC cards are consumed by the attacker is an index of security evaluation of the IC card. It becomes one of.

  Therefore, the present invention provides an attacker who performs an attack by laser irradiation in a storage area on an electronic information storage medium such as an IC chip, which requires a high security level (for example, a secret key, a PIN (Personal Identification Number), etc. It is an object of the present invention to provide an electronic information storage medium or the like that cannot easily specify the position in which it is stored.

  In order to solve the above problems, the invention described in claim 1 includes a normal storage area, and a security storage area for storing security data having a higher security level required than data recorded in the normal storage area. Storage means for storing check data in the normal storage area, the security storage area, a check means for performing a tampering check on the storage area in which the check data is stored, and the tamper check As a result, there is provided an error processing means for performing error processing when tampering is detected.

  A second aspect of the present invention is the electronic information storage medium according to the first aspect, wherein a plurality of the check data are distributed and stored in the normal storage area. .

  A third aspect of the present invention is the electronic information storage medium according to the first or second aspect, further comprising security processing execution means for executing security processing using the security data, wherein the checking means The tampering check on the storage area in which the check data is stored is performed at least at any time before, during or after execution of the security processing.

  Invention of Claim 4 is an electronic information storage medium as described in any one of Claim 1 thru | or 3, Comprising: The said check means is the same time as the time which performs the tampering check with respect to the said security storage area, A tampering check is performed on a storage area in which the check data is stored.

  A fifth aspect of the present invention is the electronic information storage medium according to any one of the first to fourth aspects, wherein the check data is data consisting of a predetermined value of a fixed length, and the storage means , Further storing comparison data consisting of a predetermined value having the same fixed length as the check data, and the check means, when performing a tampering check on the storage area in which the check data is stored, The comparison data is compared.

  A sixth aspect of the present invention is an IC card including the electronic information storage medium according to any one of the first to fifth aspects.

  The invention according to claim 7 has a normal storage area and a security storage area for storing security data having a higher security level required than data recorded in the normal storage area. An alteration check method in an electronic information storage medium comprising storage means for storing check data in an area, wherein the security storage area and a check step for performing an alteration check on the storage area in which the check data is stored; An error processing step of performing error processing when falsification is detected as a result of the falsification check.

  The invention according to claim 8 includes a normal storage area and a security storage area for storing security data having a higher security level required than data recorded in the normal storage area. A tamper check for the computer included in the electronic information storage medium having storage means for storing check data in the area, the tamper check for the security storage area and the storage area in which the check data is stored, the tamper check As a result, it is characterized by functioning as error processing means for performing error processing when tampering is detected.

  According to the present invention, a tamper check is performed on the security storage area and the normal storage area, and error processing is performed not only when the security storage area is tampered but also when the check data in the normal storage area is tampered. Therefore, when the check data by the attacker is attacked, error processing is performed, so that the attacker can misunderstand that the security data is stored in the check data portion. Therefore, the attacker cannot easily specify the position where the security data having a high required security level is stored.

It is a figure which shows the hardware structural example of IC chip 1a mounted in the IC card 1 in this embodiment. It is a figure which shows the structural example of the storage area of the flash memory 13 in this embodiment. It is a figure which shows the structural example of the data storage position table T for a check in this embodiment. It is a flowchart which shows the operation example of CPU10 in this embodiment. It is a figure which shows the structural example of the data storage position table T2 for a check in a modification.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. First, the schematic configuration and functions of the IC chip 1a mounted on the IC card 1 will be described with reference to FIG. FIG. 1 is a diagram illustrating a hardware configuration example of the IC chip 1a. The IC card 1 is used as a credit card, bank cash card, ETC card, electronic money card, employee card or the like. Alternatively, the IC card 1 is incorporated into a communication device such as a smartphone or a mobile phone. The IC chip 1a constitutes an electronic information storage medium in the present invention, but this electronic information storage medium may be directly incorporated on a circuit board of a communication device.

[1. Outline Configuration and Function of IC Chip 1a]
As shown in FIG. 1, an IC chip 1a includes a CPU 10, a ROM (Read Only Memory) 11, a RAM (Random Access Memory) 12 that is a volatile memory for temporarily storing data, and a flash that is a nonvolatile memory. A memory 13 and an I / O circuit 14 are provided. Note that “Electrically Erasable Programmable Read-Only Memory” may be employed instead of the flash memory.

  The I / O circuit 14 serves as an interface with the external terminal 2. Thereby, the IC chip 1a can communicate with or without contact with an external terminal equipped with an IC reader / writer. In the case of the contact type IC chip 1a, the I / O circuit 14 includes, for example, eight terminals C1 to C8. For example, the C1 terminal is a power supply terminal (terminal for supplying power to the IC chip 1a), the C2 terminal is a reset terminal, the C3 terminal is a clock terminal, the C5 terminal is a ground terminal, and the C7 terminal is for communication with an external terminal. Terminal. On the other hand, in the case of the non-contact type IC chip 1a, the I / O circuit 14 includes, for example, an antenna and a modulation / demodulation circuit. Examples of external terminals include IC card issuing machines, ATMs, ticket gates, authentication gates, and the like. Alternatively, when the IC chip 1a is incorporated in a communication device, the external terminal corresponds to a control unit that performs the function of the communication device.

  The RAM 12 stores, for example, data temporarily necessary for the functioning of the OS, middleware, and various applications.

  The flash memory 13 stores programs such as OS, middleware, and applications, and various data.

  Here, the structure of the storage area formed by the flash memory 13 will be described with reference to FIG. The storage area formed by the flash memory 13 includes a security area 131 and a normal area 132. The security area 131 is used for security such as key data such as a secret key, a telephone function authentication key or a Java (registered trademark) Key class object, a PIN (Personal Identification Number) of the telephone function, and a cryptographic operation or a comparison operation. Security data having a higher security level that is required in comparison with data stored in the normal area 132, such as a program code of related processing, is stored.

  The normal area 132 stores various programs and data not stored in the security area 131. The normal area 132 stores check data C for checking whether a laser attack (data tampering) by an attacker targeting the IC chip 1a has been performed. At this time, in order to uniformly check the entire normal area 132, it is preferable to store a plurality of check data C physically dispersed. Further, the check data C of the present embodiment consists of a predetermined value having a fixed length (for example, 1 byte). The size of the total area for storing the check data C occupying the entire normal area 132 may be set in advance by the designer in consideration of the amount of other data to be stored, etc. It is also possible to adopt a configuration that changes as appropriate according to the amount of data that must be stored elsewhere.

  FIG. 3 is a diagram showing a configuration example of the check data storage position table T used when specifying the position where the check data C is stored (stored) in the normal area 132. The check data storage position table T is stored in the flash memory 13. In the check data storage position table T, for each check data C, INDEX and information indicating an address are described. The address describes information indicating the position where the check data C is stored in the normal area 132. The description method may be an absolute addressing method or a relative addressing method.

  The CPU 10 is an example of a computer and is an arithmetic device that executes various programs stored in the flash memory 13. Various programs include applications written in a program language such as a virtual machine program or Java. The OS and the virtual machine program are described by a plurality of native codes (execution code groups). The OS is software that directly controls the operation of the IC chip 1a. The OS and the virtual machine program may be stored in the ROM 11. In the following description, when the processing is described using the OS as the subject, the processing is actually performed by the CPU 10 executing the OS.

  The OS performs a tampering check to determine whether a laser attack (data tampering) by an attacker targeting the IC chip 1a has been performed. In response to a laser attack on the normal area 132, the OS performs a tampering check using a part or all of the plurality of check data C stored in the normal area 132 as the check data C to be inspected. Specifically, the OS holds comparison data having the same value as the check data C value having a predetermined value of a fixed length in the flash memory 13 (or RAM 12), and this value is the check target to be checked. The tampering check is performed depending on whether or not it coincides with the business data C. Note that the OS also performs a falsification check for the security area 131. The tampering check for the security area 131 may employ a conventionally known method (for example, CRC), and the security area 131 may be checked by the check data C as in the normal area 132.

  The OS performs error processing when falsification is detected by a falsification check on the security area 131 or the normal area 132. As the error process, a conventionally known process (for example, the function stop of the IC chip 1a) is performed.

[2. Operation of CPU 10 (OS)]
Next, the falsification check process of the normal area 132 by the CPU 10 (OS) will be described with reference to FIG. FIG. 4 is a flowchart showing an example of the alteration check process for the normal area 132.

First, the OS (the CPU 10 that executes) determines whether or not it is a check time for performing a tampering check on the normal area 132 (step S101). The check time is set in advance. For example, the following times (1) to (3) can be set.
(1) Before, during or after processing (an example of “security processing”) using data (key data or control data) stored in the security area 131 (2) IC by a signal from the reader / writer Before the chip 1a starts processing (3) Before the IC chip 1a transmits data to the outside However, since it is a falsification check, it may be performed at a time other than the above times (1) to (3). Further, in the falsification check process of the normal area 132, a falsification check is performed with the check data C as an inspection target. It may be performed at the same time as a known time) or at a different time.

  If the OS determines that it is not the tampering check time (step S101: NO), the OS performs the process of step S101 again. On the other hand, when the OS determines that it is the check time for the tampering check (step S101: YES), the OS refers to the check data storage location table T and extracts INDEX at random (step S102). For example, the OS randomly selects a number of INDEXs (set in accordance with the processing performance of the CPU 10 and the processing time allowed for the tampering check process) among the INDEXs described in the check data storage location table T ( For example, a random number value is used).

  Next, the OS specifies an address corresponding to one INDEX extracted in the process of step S102 (step S103). Next, the OS performs a falsification check using the check data C stored at the address specified in the process of step S103 as an inspection target (step S104). Specifically, the OS compares the check data C to be inspected with the comparison data held in the flash memory 13 (or RAM 12).

  Next, the OS determines whether or not it has been falsified as a result of the falsification check in step S104 (step S105). At this time, if the OS determines that the data has been falsified (the check data C and the comparison data do not match) (step S105: YES), the OS performs error processing (step S106) and ends the falsification check processing. To do. On the other hand, if it is determined that the OS has not been tampered (the check data C and the comparison data match) (step S105: NO), then the OS is tampered for the number of INDEXs extracted in the process of step S102. It is determined whether or not a check has been performed (step S107).

  If the OS determines that the tampering check for the number of INDEXs extracted in step S102 has not been performed (step S107: NO), the OS proceeds to step S103. That is, the OS repeats the loop processing from step S103 to step S107 until the tampering check is performed on all the check data C stored in the address corresponding to the INDEX extracted in the processing of step S102. In the process of step S103 during the loop process, the OS specifies an address corresponding to one INDEX that has not been specified during the loop process so far, among the addresses corresponding to the INDEX extracted in the process of step S102. And

  On the other hand, if the OS determines that the tampering check has been performed for the number of INDEXs extracted in step S102 (step S107: YES), the tampering check process ends.

  In the IC chip 1a of the present embodiment described above, the flash memory 13 (an example of “storage means”) is requested from the normal area 132 (an example of “normal storage area”) and data recorded in the normal area 132. Security area 131 (an example of a “security storage area”) that stores security data with a high security level, and stores the check data C in the normal area 132, and the CPU 10 (“check means”, “error processing”). An example of “means” performs a falsification check on the security area 131 and the storage area in which the check data C is stored, and performs error processing when falsification is detected as a result of the falsification check.

  Therefore, according to the IC chip 1a of the present embodiment, the security area 131 and the normal area 132 are falsified, and the check data C in the normal area 132 is falsified not only when the security area 131 is falsified. In this case, error processing is performed, so that when the check data C is attacked by an attacker, error processing is performed, so that the attacker misunderstands that security data is stored in the check data C portion. Can be made. Therefore, the attacker cannot easily specify the position where the security data having a high required security level is stored.

  In the IC chip 1a of the present embodiment, a plurality of check data C are distributed and stored in the normal area 132. As a result, the normal area 132 can be widely checked for tampering, and if tampering has been performed, error processing is performed, making it difficult for an attacker to specify the location where security data is stored. Can be made.

  Further, in the IC chip 1a of the present embodiment, the CPU 10 (an example of “security processing execution unit”) executes security processing using security data, and performs a tampering check on the storage area in which the check data C is stored. In some cases, the security processing is performed before, during, or after execution. Since the attacker tries to leak the data by executing the security process based on the data altered by the laser attack, in this case, at least any time before, during or after the execution of the security process If the tampering check is performed and the tampering is performed, error processing is performed to make it difficult for an attacker to guess the physical position of the security area 131.

  Furthermore, the IC chip 1a according to the present embodiment may perform a falsification check on the storage area in which the check data C is stored at the same time when the CPU 10 performs a falsification check on the security area 131. In this case, even if it is a laser attack on the normal area 132, the same error processing as the attack on the security area 131 is performed at the same time, thereby causing the attacker to misidentify the normal area 132 as the security area 131. Attacks on the area 131 can be reduced, and thus the possibility of security data leaking can be reduced.

  In the IC chip 1a of the present embodiment, the check data C is data having a predetermined value of a fixed length, and the flash memory 13 (or RAM 12) (an example of “storage means”) is the same as the check data C. Further, comparison data consisting of a predetermined value of a fixed length is further stored, and the CPU 10 compares the check data C with the comparison data when performing a falsification check on the storage area in which the check data C is stored. Therefore, the flash memory 13 (or RAM 12) can be used effectively compared to the case where each check data C has different lengths and values (comparison data is stored for each check data C). The processing load of the CPU 10 in the tampering check process can also be reduced.

[3. Modified example]
Next, a modification of the above embodiment will be described. Note that the modifications described below can be combined as appropriate.

[3.1. Modification 1]
In FIG. 2, the check data C is not included in the program, but the check data C may be arranged in the program. For example, in the program code, the check data C is defined as dummy data that is not used for processing. The dummy data is not used in the processing of the program, but by defining it so that it can be referenced from the outside, the OS can know where the dummy data is stored in the flash memory 13, so check It is described in the address field of the data storage position table T. Thereby, the check data C can be stored as dummy data in the area where the program of the flash memory 13 is stored.

[3.2. Modification 2]
In the above embodiment, the check data C is data having a fixed value of a fixed length. However, at least one of the length (Length) and the value may be different for each check data C. In this case, as shown in FIG. 5, in the check data storage location table T2, in addition to the INDEX and the address, the length (Length) and the value of the check data C are described. Then, during the tampering check process, the “length” check data C is identified from the “address” described in the check data storage position table T2, and the check data C and the check data storage are stored. The “value” described in the position table T2 is compared.

[3.3. Modification 3]
In the above embodiment, the check data C having a predetermined value of a fixed length is stored in the normal area 132. However, a bit string that is already stored in the normal area 132 with an arbitrary position, length (Length), and value. May be the check data C. In the third modification, the same check data storage position table T2 as in the second modification can be used. According to this modification, it is not necessary to store the check data C having a predetermined value of a fixed length in the normal area 132, so that a large free area in the normal area 132 can be secured. However, if a bit string whose value changes due to normal program execution or the like is the check data C, it is necessary to rewrite the value in the check data storage location table T2 every time the value changes, and the processing burden on the CPU 10 increases. It is preferable to specify a bit string that does not change as check data C.

[3.4. Modification 4]
The position (address position) where the check data C is stored may be different for each IC card 1 (IC chip 1a). In general, attackers obtain a large number of cards of the same type and guess the position where security data is stored while changing the position of laser irradiation one by one. By making the position of the use data C different for each IC card 1 (IC chip 1a), it is possible to make it more difficult to specify the position where the security data is stored.

1 IC card 1a IC chip 10 CPU
11 ROM
12 RAM
13 Flash memory 131 Security area 132 Normal area 14 I / O circuit C Check data

Claims (8)

A storage having a normal storage area and a security storage area for storing security data having a higher security level required than data recorded in the normal storage area, and storing check data in the normal storage area Means,
Check means for performing falsification check on the security storage area and the storage area in which the check data is stored;
As a result of the falsification check, error processing means for performing error processing when falsification is detected;
An electronic information storage medium comprising: The electronic information storage medium according to claim 1,
An electronic information storage medium, wherein a plurality of the check data are distributed and stored in the normal storage area. The electronic information storage medium according to claim 1 or 2,
Security processing executing means for executing security processing using the security data;
The electronic information storage medium, wherein the check means performs a tampering check on a storage area in which the check data is stored at least before, during or after execution of the security processing. . An electronic information storage medium according to any one of claims 1 to 3,
The electronic information storage medium characterized in that the check means performs a falsification check on a storage area in which the check data is stored at the same time as a falsification check on the security storage area. An electronic information storage medium according to any one of claims 1 to 4,
The check data is data consisting of a predetermined value of a fixed length,
The storage means further stores comparison data consisting of a predetermined value having the same fixed length as the check data,
An electronic information storage medium characterized in that the check means compares the check data with the comparison data when performing a falsification check on a storage area in which the check data is stored.   An IC card comprising the electronic information storage medium according to any one of claims 1 to 5. A storage having a normal storage area and a security storage area for storing security data having a higher security level required than data recorded in the normal storage area, and storing check data in the normal storage area A tamper check method in an electronic information storage medium comprising means,
A check step for performing a tampering check on the security storage area and the storage area in which the check data is stored;
As a result of the falsification check, an error processing step for performing error processing when falsification is detected;
A tamper check method characterized by including: A storage having a normal storage area and a security storage area for storing security data having a higher security level required than data recorded in the normal storage area, and storing check data in the normal storage area A computer included in an electronic information storage medium comprising means,
Checking means for performing tampering checks on the security storage area and the storage area in which the check data is stored;
As a result of the falsification check, error processing means for performing error processing when falsification is detected,
A tamper check program characterized by functioning as

Images