JP2020112855A - IC chip and IC card - Google Patents

Abstract

To prevent memory deterioration in an evacuation area caused by an increase in the number of times of memory-rewriting of an IC card.SOLUTION: An IC card has: means for evacuating and storing original data of a file in an evacuation area of a nonvolatile memory before writing data received from an IC module access device in the file of the nonvolatile memory; and means for writing back the original data stored in the evacuation area to the file. Rollback possible/impossible identification information which stores whether to make the file into an object for evacuating to the evacuation area of the nonvolatile memory is stored in file management information on the file.SELECTED DRAWING: Figure 2

Description

The present invention relates to an IC card on which an IC chip is mounted, and to an IC chip and an IC card of a high security module that guarantees writing of data to the IC chip.

In recent years, IC cards have been used as my number cards, passports, credit cards and the like. The IC card does not have its own power source, and an IC module access device such as a reader/writer (R/W) supplies power to the IC card to operate the IC card. When the IC card is a contact type IC card, the IC card is directly connected to the power source of the IC module access device to share the power source and obtain the power source. When the IC card is a non-contact type IC card, the IC card uses an electromagnetic field generated by the IC module access device, and an antenna of the IC card obtains a power source by electromotive force due to electromagnetic induction of the electromagnetic field.

A non-volatile memory is mounted on the IC chip of the IC card, and various data can be held in the non-volatile memory. When writing or rewriting data to the non-volatile memory of the IC chip, for example, the following events are assumed. (Hereinafter, writing (initial writing) and rewriting (data updating) are not distinguished and expressed as "writing".)

(1) Pulling out during writing.
(2) Power shutdown during writing.
(3) Malfunction during writing.

If these events occur and the current supplied to the IC card drops and/or is interrupted during the writing process, the writing process is not completed and the intended writing to the non-volatile memory to be written is correct. It may not be implemented and the data may be in an indeterminate state.

Therefore, conventionally, when the IC card receives the data to be written to the nonvolatile memory from the IC module access device, as in Patent Document 1, until the process of writing the data to the specified file of the IC card is started. First, the processing of storing the original data of the file of the IC card by saving it in the saving area of the non-volatile memory of the IC card is stored.

Then, the IC card executes a process of writing the data received from the IC module access device into the designated file. If the writing is interrupted during the process, the data saved in the save area is written back to the original file area when the IC card is started next time. Recover the error.

JP, 10-187549, A

Thus, in the conventional technique, the data integrity is secured before and after writing by temporarily saving the original data of the file to be written, but the data is not written to all files during the data writing process. Saving the original data of the file to be written has the following disadvantages.
(1) Memory deterioration in the save area due to an increase in the number of memory rewrites.
(2) Increase in processing time related to save processing and restoration processing.

Therefore, an object of the present invention is to provide an IC card and an IC chip of a high security module that solves the above problems by defining a file that does not save the original data in addition to a file that saves the original data of the file to which the data is written. To do.

In order to solve the above problems, the present invention provides an IC card comprising a communication means for exchanging data with an IC module access device and a non-volatile memory for storing files,
Means for saving the original data of the file by saving it in the save area of the non-volatile memory before writing the data received from the IC module access device to the file of the non-volatile memory; A rollback possibility identification storing means for writing back the original data to the file, and storing in the file management information of the file whether or not the file is to be saved in the save area of the nonvolatile memory. It is an IC card characterized by storing information.

With this configuration, the present invention has an effect that, when creating (issuing) a file of an IC card, the issuer of the file can freely set whether or not to target the file for the save process.

Further, the present invention is the above IC card, wherein the file management information of the file resets the timing of the process of writing back the original data stored in the save area of the nonvolatile memory to the file. The IC card is characterized in that time processing or processing at other timing is designated and stored.

The present invention also provides an IC chip for a high security module,
A communication means for exchanging data with the IC module access device, and a non-volatile memory for storing a file are provided, and the source of the file is written before the data received from the IC module access device is written in the file of the non-volatile memory. The file management information of the file, the file having the means for storing the data in the save area of the non-volatile memory and storing the data, and the means for writing the original data stored in the save area back to the file. Is an IC chip in which rollback availability identification information that stores whether or not to be saved in the save area of the non-volatile memory is stored.

Further, the present invention is the above IC chip, wherein the file management information of the file resets a timing of a process of writing back the original data stored in the save area of the nonvolatile memory to the file. The IC chip is characterized in that time processing or processing at other timing is designated and stored.

According to the present invention, at the time of creating (issuing) a file of an IC card, there is an effect that the issuer of the file can freely set whether or not the file is the target of the save processing. As a result, for files that do not require save processing, unnecessary save processing can be prevented when writing data to the file, and the load on the memory and the processing time due to save data can be reduced. effective.

Further, according to the present invention, the timing of the process of writing back the saved original data to the file is stored in the file management information by designating the process at the time of resetting and the process at other timings. As a result, when the IC card is reset, the IC card can respond to the IC module access device within a prescribed time with a sufficient time, without spending time to recover the file.

It is a block diagram which shows the system configuration|structure of embodiment of this invention. It is a block diagram showing a schematic structure of an IC card of an embodiment of the present invention. FIG. 6 is a block diagram showing a data structure of file management information FCL and save management information RLCL of the IC chip according to the embodiment of the present invention. FIG. 9 is a block diagram showing a data flow of a process of saving original data of a file when writing data to the file of the IC chip according to the embodiment of the present invention. It is a block diagram which shows the data flow of the process which restores the original data of the file of the IC chip of embodiment of this invention. 6 is a flowchart showing a main processing procedure of data writing processing to the IC chip according to the embodiment of the present invention. 6 is a flowchart showing a procedure of a data writing process in the data writing process to the IC chip according to the embodiment of the present invention. 6 is a flowchart showing a procedure of a reset process in the process of writing data to the IC chip according to the embodiment of the present invention. 6 is a flowchart showing a procedure of command processing in the processing of writing data to the IC chip according to the embodiment of the present invention.

<First Embodiment>
Hereinafter, a data writing system to the IC card 100 according to the first embodiment of the present invention will be described with reference to FIGS. 1 to 9.

As shown in FIG. 1, the data writing system to the IC card 100 according to the present embodiment is configured by an IC card 100 that exchanges information with an IC module access device 200 such as a reader/writer (R/W).

(Structure of IC card 100)
The block diagram of FIG. 2 shows a schematic configuration of the IC card 100 according to the embodiment of the present invention. The IC card 100 has an antenna coil 1 and an IC chip 10 of an integrated circuit which is a high security module.

As shown in the block diagram of FIG. 2, the IC card 100 of the present embodiment has a contact terminal or an antenna coil on the surface of the IC card which is directly connected to a terminal provided in the IC module access device 200 for communication. 1 has a communication means 11 for communicating with the IC module access device 200 in a contactless manner. The IC card 100 may include both the contact terminal and the antenna coil 1.

(IC chip 10)
Power is supplied to the IC chip 10 of the high security module for the IC card 100 directly from the IC module access device 200 through the contact terminals, or from the electromagnetic field of the reader/writer of the IC module access device 200. Power is supplied through the antenna coil 1 of 100 to charge the power supply 15.

The IC chip 10 includes a communication unit 11, a control unit 12 such as a microprocessor for controlling the entire IC chip 10, a storage unit 13, and a power supply 15. The antenna coil 1 of the IC card 100 is connected to the communication means 11 of the IC chip 10. Then, the communication means 11 of the IC chip 10 receives the communication data from the IC module access device 200, receives the power, and charges the power supply 15.

(Memory means 13 of IC chip 10)
As shown in the block diagram of FIG. 2, the storage unit 13 of the IC chip 10 includes a fixed storage unit ROM in which a boot program and various fixed data are stored, a volatile memory RAM for temporarily storing various data, and a data storage unit. It is configured with a readable and writable non-volatile memory. A flash memory, an EEPROM (Electrically Erasable and Programmable ROM), or the like can be used as the non-volatile memory.

As shown in FIG. 2, the fixed storage means ROM and the non-volatile memory of the storage means 13 are provided with a program means 13a, a file management information area 13b, a file entity area 13c, a rollback control information area 13d and a save area 13e.

(Program means 13a)
The program means 13a is constituted by a fixed storage means ROM or the like, stores programs such as a card OS (Operating System), and also stores system information such as various setting information. The card OS stores the program of the card manager 14 and also stores the program of the recovery means 14a for recovering file data.

(File management information area 13b)
The file management information FCL is stored in the file management information area 13b, and the data stored in the file entity area 13c of the IC chip 10 is managed in file units by the file management information FCL.

(File management information FCL)
The file management information FCL has information such as a file identifier and a position (directory) in the file structure where the file is placed. The file management information FCL includes a file type column F-1, a file authority column F-2, a file size column F-3, a file address column F-4, and rollback permission/prohibition as shown in FIG. An identification information section F-5 and a rollback execution timing section F-6 are provided.

The file type column F-1 stores file type information indicating whether the file is DF, WEF, or IEF. The file authority column F-2 stores authority information for reading/writing/updating a file. The file size field F-3 stores information on the size of the file data. In the file address column F-4, address information of the actual area of the file is stored at the top address (for example, cluster number) where the file is stored.

The rollback availability identification information field F-5 stores a flag indicating information on whether or not the data of the file is to be rolled back. The rollback execution timing column F-6 stores information on the type of timing for rolling back the data of the file. The information on the type of rollback timing is information that determines the rollback timing at the time of rollback at the time of resetting or by specifying processing at other timing.

According to the present invention, the file management information FCL is provided with the rollback permission/inhibition identification information column F-5, and whether or not the data stored in the file is to be rolled back is distinguished for each IC. At the time of creating (issuing) the file of the chip 10, there is an effect that the issuer of the file can freely set whether or not to subject the file to the save processing.

As a result, for files that do not require save processing, unnecessary save processing can be prevented when data is written to the file, and the effect of reducing the load on the memory and processing time due to the save processing of data can be achieved. is there.

According to the present invention, the file management information FCL is provided with 1-6: rollback execution timing column F-6. As a result, the timing for rolling back the saved data to the file and restoring the file can be freely set to rollback at reset or at any other timing.

As a result, there is an effect that it is possible to freely set the timing for restoring the file with the saved data. As a result, when the IC chip 10 is reset, the IC chip 10 can respond to the IC module access device 200 within a time defined by ISO7816 or the like with a sufficient time, without taking time to recover the file. Therefore, there is an effect that the IC chip 10 can perform processing in a time with a margin with respect to restrictions on processing time and other standards.

(Rollback control information area 13d)
The rollback control information area 13d stores the save management information RLCL. The save management information RLCL saves the original data of the file in the file physical area 13c in the save area 13e when the data is written from the IC module access device 200 to the file in the file physical area 13c of the IC chip 10. Control the process.

(Evacuation management information RLCL)
The save management information RLCL is configured as shown in FIG. 3B, and is provided with a rollback data presence/absence identifying information column R-1, a rollback file address column R-2, and a rollback execution timing column R-3.

The rollback data presence/absence identification information field R-1 stores a flag indicating identification information indicating whether the data saved in the save area 13e is valid or invalid. The rollback file address column R-2 stores the rollback source address. The rollback execution timing column R-3 stores information that defines when rollback should be performed, that is, whether rollback should be performed at reset or when a command is first received.

(Evacuation area 13e)
The save area 13e is rewritten when the IC module access device 200 of FIG. 1 rewrites a file in the file entity area 13c of the IC chip 10 of the IC card 100 or when rewriting the program file of the program means 13a. The original data of the file is saved in the save area 13e and stored for rollback.

For example, when the IC module access device 200 rewrites the data of the work basic file WEF, the internal basic file IEF, or the dedicated file DF of the file substance area 13c of the IC chip 10, the original data of the file to be rewritten is saved in the save area 13e. Evacuate and store for rollback.

(File entity area 13c)
The file entity area 13c is an area for storing user data used by the application.

(Hierarchical structure of dedicated file DF)
As shown in FIG. 2, the file entity area 13c stores a dedicated file DF (Dedicated File) connected in a hierarchical structure below the main file MF (Master File). The dedicated file DF is a file for grouping subordinate files, and stores a basic file EF (Elementary File) and other dedicated files DF under the dedicated file DF.

(Basic file EF)
The basic file EF created under the dedicated file DF is a file that stores data, and is divided into two types: IEF (Internal Elementary File) and WEF (work basic file).

(Basic work file WEF)
The work basic file WEF is a file that can be output from the IC chip 10 to the outside. An individual file of the IC chip 10 is stored in the work basic file WEF.

(Internal basic file IEF)
The internal basic file IEF of the IC chip 10 is a file that cannot be read from the IC module access device 200 for security reasons, and is used only in the IC chip 10.

The internal basic file IEF stores key information such as secure communication key information and authentication key information for authenticating the access right for the IC module access device 200 to read the individual file in the work basic file WEF of the IC chip 10. , The key category to which the key information is assigned is stored.

(Recovery means 14a)
While the IC module access device 200 is in the process of writing data in the file physical area 13c of the IC chip 10 of the IC card 100, the data writing process may fail due to a decrease in power supply voltage, re-supply of power supply voltage, or the like. In that case, the recovery unit 14a, which is one of the functions of the card OS of the IC chip 10, restores the original data by a data write-back process of rolling back the original data stored in the save area 13e.

(Data writing process)
The flow of data by the processing performed by the recovery means 14a is shown in the block diagrams of FIGS. That is, as shown in FIG. 4, the recovery means 14a temporarily stores the data to be written in the work basic file WEF in the volatile memory RAM in step S4 in the data writing process to the file of the IC chip 10. Then, in step S6, the original data of the work basic file WEF is saved and stored in the save area 13e. Then, after the original data of the file is stored and saved, in step S8, the new data for writing temporarily stored in the volatile memory RAM is written to the work basic file WEF.

(Rollback processing)
When the process of writing the data to the work basic file WEF is completed normally, there is no need to restore the data. However, when the data writing process is not normally completed and is interrupted, as shown in FIG. 5, the restoring unit 14a performs the reset process or the command process in step S12 or step S22. Rollback processing is performed in which the original data saved in the save area 13e is written back to the work basic file WEF to restore the data of the work basic file WEF.

(Processing procedure for writing data to the IC chip 10)
Hereinafter, with reference to the flowchart of FIG. 6 and the flowcharts of the processing procedures of the individual functions of FIGS. 7 to 9, the processing in which the IC module access device 200 writes data in the IC chip 10 of the IC card 100, and the writing of data A procedure of processing in which the IC chip 10 restores the original data stored in the save area 13e using the recovery means 14a when the processing fails will be described.

(Step S1) Power Supply to IC Chip 10 The power supply voltage is supplied from the IC module access device 200 to the IC chip 10 of the IC card 100.

In the case of a non-contact type IC card, a voltage is induced by electromagnetic induction from the antenna of the IC module access device 200 to the antenna of the IC card 100, whereby the IC chip 10 of the IC card 100 receives power and the power source 15 is charged with power. To be done. When the power supply voltage of the power supply 15 becomes equal to or higher than the operation threshold value, the power supply control unit of the IC chip 10 outputs a reset signal to the control means 12, whereby the control means 12 is reset.

In the case of a contact type IC card, a power supply voltage is supplied from the IC module access device 200 to the IC chip 10 of the IC card 100, and a reset signal is transmitted from the IC module access device 200 to the reset terminal of the IC chip 10, whereby the IC The chip 10 is reset and returns an initial response.

(Step S1b)
When the IC chip 10 is reset, the process proceeds to the reset process of step S10. In the reset process, by the processes of steps S10 to S14, first, if there is a file that needs to be restored, the data is restored, and then the initialization process after the reset is performed. The IC chip 10 which has already finished processing the reset signal stands by to receive the first command from the IC module access device 200, and when the command is received, the process proceeds to the command processing of step S20.

(Step S2) File Selection Processing The IC module access device 200 sends the IC chip 10 a SELECT FILE command for selecting the work basic file WEF in the file substance area 13c of the IC chip 10.

(Step S2b) First Command Processing When the IC chip 10 receives the SELECT FILE command from the IC module access device 200, the command processing of step S20 causes the IC chip 10 to first execute a process if there is a file that needs data recovery. After recovering the data, the file in which the data of the IC chip 10 is to be written is prepared by the process according to the SELECT FILE command.

(Step S3) File Writing Process Next, the IC module access device 200 transmits to the IC chip 10 a WRITE BINARY command for writing a value to the previously selected work basic file WEF.

(Step S3b)
When the IC chip 10 receives the WRITE BINARY command from the IC module access device 200, the command processing of step S20 first restores the data if there is a file requiring the data restoration, and then the WRITE command. Processing according to the BINARY command is performed to prepare to write data in the work basic file WEF selected by the SELECT FILE command in step S2.

(Data writing process)
According to steps S4 to S9 of FIG. 7, data is written in the designated file as follows.

(Step S4) Store Write Data in Volatile Memory RAM When the IC chip 10 receives the WRITE BINARY command, it extracts the data to be written to the file from the command and stores it in the volatile memory RAM.

(Step S5) Confirmation of File Rollback Approval Identification Information Next, by the processing of step S5, the file management information FCL of the work basic file WEF selected by the SELECT FILE command is read from the file management information area 13b, and the file management is performed. It is confirmed whether or not the file is the target of the save process by the rollback availability identification information field F-5 of the information FCL in FIG. 3A.

Then, the IC chip 10 determines that the file is targeted for rollback by the flag stored in the rollback propriety identification information field F-5 of the file management information FCL of the selected work basic file WEF. If so, the process proceeds to step S6 below; otherwise, the process proceeds to step S8.

(Step S6) Data Saving Process When the selected work basic file WEF is targeted for rollback, the restoring means 14a stores the original data in the saving area 13e of the saving area 13e and saves it.

(Step S7)
When the file data is saved, the recovery means 14a stores the save area in the rollback data presence/absence identification information field R-1 of the save management information RLCL of the rollback control information area 13d as shown in FIG. 3B. A flag indicating information indicating that the data saved in 13e is valid is stored. The rollback file address field R-2 stores the address of the work basic file WEF of the rollback source. In the rollback execution timing column R-3, the information of the rollback execution timing column F-6 of the file management information FCL of the selected work basic file WEF is written.

(Step S8)
Next, the IC chip 10 writes the write data stored in the volatile memory RAM into the selected work basic file WEF.

(Step S9)
When the IC chip 10 normally completes the process of writing the data stored in the volatile memory RAM to the work basic file WEF as a result of the process of step S8, the recovery unit 14a rolls back the save management information RLCL. A flag indicating information indicating that there is no data saved in the save area 13e is stored in the data presence/absence identification information field R-1. Then, the data writing process is completed and the process returns to the first step S1.

(Reset process)
When the IC chip 10 is reset from the IC module access device 200 in the process of step S1, according to steps S10 to S14 of FIG. After restoring, the initialization process after reset is performed.

(Step S10)
When the IC chip 10 is reset by the IC module access device 200 in the processing of step S1, the IC chip 10 starts the reset processing of the processing procedure of FIG. Then, the recovery means 14a of the IC chip 10 reads the save management information RLCL from the rollback control information area 13d and confirms the rollback data presence/absence identifying information field R-1.

If a flag indicating that there is no data saved in the save area 13e is stored in the rollback data presence/absence identification information field R-1, the restoration unit 14a determines that there is no uncompleted write processing. Then, the process proceeds to step S14.

In particular, when a flag indicating that there is no data saved in the save area 13e is stored in the rollback data presence/absence identification information field R-1, a power supply voltage drop occurs during the writing process of the previous file. Even if the file writing process is not completed due to occurrence or the like, the file whose writing process is not completed is not restored by rollback, and the process proceeds to step S14.

If a flag indicating that the data saved in the save area 13e is valid is stored in the rollback data presence/absence identification information field R-1 in FIG. It is determined that the writing process of is not completed, and the process proceeds to step S11.

(Step S11)
The restoration unit 14a reads the rollback execution timing column R-3 of the save management information RLCL of FIG. 3B, and the rollback execution timing column R-3 does not include information indicating that the rollback is performed at the time of reset. In this case, the rollback process is not performed and the process proceeds to step S14.

(Step S12)
When the rollback execution timing column R-3 in FIG. 3B contains information indicating that the rollback is to be performed at the time of reset, the restoration unit 14a saves the work basic file stored in the save area 13e. The original data of the WEF is read out, and a rollback process for writing back to the work basic file WEF is performed to restore the data of the work basic file WEF.

(Step S13)
The recovery unit 14a stores a flag indicating that there is no data saved in the save area 13e in the rollback data presence/absence identification information field R-1 of the save management information RLCL.

(Step S14)
Then, the IC chip 10 performs the initialization process after the reset, and waits to receive the first command from the IC module access device 200.

(Command processing)
When the IC chip 10 receives a command from the IC module access device 200 in the processing of step S2 or the like, and in the case where there is a file for which data recovery is necessary as described below in accordance with steps S20 to S24 of FIG. Executes the command processing after recovering the data.

(Step S20)
When the IC chip 10 receives a command from the IC module access device 200 in the processing of step S2 and the processing of step S3, it starts the command processing. First, the recovery means 14a of the IC chip 10 reads the save management information RLCL from the rollback control information area 13d and confirms the rollback data presence/absence identification information column R-1.

When the rollback data presence/absence identification information field R-1 stores a flag indicating that the data saved in the save area 13e is valid, the recovery unit 14a has performed the previous operation. It is determined that the file writing process is not completed, and the process proceeds to step S21.

If a flag indicating that there is no data saved in the save area 13e is stored in the rollback data presence/absence identification information field R-1, the recovery unit 14a determines that there is no uncompleted write processing. It is determined and the process proceeds to the command processing in step S24.

In particular, when a flag indicating that there is no data saved in the save area 13e is stored in the rollback data presence/absence identification information field R-1, a power supply voltage drop occurs during the writing process of the previous file. Even if the file writing process is not completed due to occurrence or the like, the file whose writing process is not completed is not restored by rollback, and the process proceeds to step S24.

(Step S21)
The restoration means 14a indicates that the data saved in the save area 13e is valid in the rollback data presence/absence identification information column R-1 of the save management information RLCL of FIG. 3B read in the process of step S20. Is stored, the rollback execution timing column R-3 of the save management information RLCL is read.

When the rollback execution timing column R-3 does not include information indicating that the command is to be rolled back when the command is first received, the restoration means 14a proceeds to the command processing in step S24.

If the rollback execution timing column R-3 contains information indicating that the rollback is to be performed when the command is first received, the restoration means 14a proceeds to step S22.

(Step S22)
The recovery unit 14a reads the original data of the work basic file WEF that has been saved and stored in the save area 13e, writes back to the work basic file WEF, and performs rollback processing to restore the data.

(Step S23)
The recovery unit 14a stores a flag indicating that there is no data saved in the save area 13e in the rollback data presence/absence identification information field R-1 of the save management information RLCL.

(Step S24)
Next, the IC chip 10 proceeds to process the received command. Here, the process of the data write command executes the data write process of steps S4 to S9. Then, after the command processing is completed, the procedure returns to the main processing procedure of FIG. 6 and proceeds to the next processing of the main processing.

The present invention is not limited to the above embodiment, and can be applied to the IC chip 10 for a high security module other than the IC card. For example, it can be applied to a system in which the mobile terminal device writes data as the IC module access device 200 to the IC chip 10 of the SIM card which is a high security module mounted in the mobile terminal device.

Further, according to the present invention, when the IC chip 10 is supplied with power and the writing of the data to the work basic file WEF is interrupted by the previous processing of the IC chip 10, the recovery means 14a has various means. In order to restore the data of the work basic file WEF by performing the rollback process of writing back the data saved in the save area 13e to the work basic file WEF at the timing, the rollback execution timing column F-6 of the file management information FCL The timing for performing the rollback can also be designated as various timings other than the timing designations shown in the above embodiments.

For example, even before reset, if power is supplied, the data saved in the save area 13e is rolled back to the work basic file WEF to restore the data of the work basic file WEF. You can also do it.

After resetting, while power is supplied and waiting for the first command, a rollback process is performed to write back the data saved in the save area 13e to the work basic file WEF to restore the data of the work basic file WEF. You can also do it.

1... Antenna coil 10... IC chip 11... Communication means 12... Control means 13... Storage means 13a... Program means 13b... File management information area 13c... File entity Area 13d... Rollback control information area 13e... Save area 14... Card manager 14a... Restoration means 15... Power supply 100... IC card 200... IC module access device DF... -Exclusive file EF...Basic file FCL...File management information F-1...File type column F-2...File authority column F-3...File size column F-4...File Address column F-5... Rollback availability identification information column F-6... Rollback execution timing column IEF... Internal basic file RAM... Volatile memory ROM... Fixed storage means RLCL... Evacuation management information R-1...Rollback data presence/absence information column R-2...Rollback file address column R-3...Rollback execution timing column WEF...Basic work file

Claims (4)

An IC card comprising a communication means for exchanging data with an IC module access device and a non-volatile memory for storing files,
Means for saving the original data of the file by saving it in the save area of the non-volatile memory before writing the data received from the IC module access device to the file of the non-volatile memory; A rollback possibility identification storing means for writing back the original data to the file, and storing in the file management information of the file whether or not the file is to be saved in the save area of the nonvolatile memory. An IC card characterized by storing information. 2. The IC card according to claim 1, wherein, in the file management information of the file, a timing of a process of writing back the original data stored in the save area of the nonvolatile memory to the file is a reset process. Or, an IC card characterized in that processing at other timing is designated and stored. An IC chip for a high security module,
A communication means for exchanging data with the IC module access device, and a non-volatile memory for storing a file are provided, and the source of the file is written before the data received from the IC module access device is written in the file of the non-volatile memory. The file management information of the file, the file having the means for storing the data in the save area of the non-volatile memory and storing the data, and the means for writing the original data stored in the save area back to the file. An IC chip, which stores rollback availability identification information that stores whether or not to be saved in the save area of the nonvolatile memory. 4. The IC chip according to claim 3, wherein in the file management information of the file, the timing of the process of writing back the original data stored in the save area of the non-volatile memory to the file is reset. Or, an IC chip characterized in that processing at other timing is designated and stored.

Images