JP4368130B2 - IC card and IC card program - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to an IC card and an IC card program that manage provision of value information such as application issuance.
[0002]
[Prior art]
In recent years, it has been described in MEL (Multiplex Executable Language) language, Java language ("JAVA" is a registered trademark), etc., and basically what platform (operating system type, environment, settings, etc.) Platform-type IC cards capable of mounting a plurality of applications such as a MULTIOS card and JavaCard capable of mounting a plurality of applications that can operate even on the OS (for example, patent documents) have appeared. 1). Note that the term “mounting” refers to storing in an executable manner.
This platform type IC card is issued by a card issuer who is a business entity that performs card issue and management operations. In addition, the application needs to write card individual information, which is different information depending on each IC card, such as card user information and encryption key necessary for executing the application in advance in the application and perform initial setting. It is issued by an application service provider (hereinafter referred to as a “service provider”) that has customer information that is the source of individual information and provides a card user with a service related to an application. The application issuance means that an application is installed in an application using device such as an information processing device that uses the application, and the application can be executed (used).
The IC card includes at least a CPU such as a SIM card or an IC tag, an external communication means, and a storage means for storing information, regardless of the base material. This means a highly confidential portable information processing device that does not have an input device such as a keyboard or mouse that is a man-machine interface.
[0003]
[Patent Document 1]
JP 2002-56360 A (page 4-5, FIG. 8)
[0004]
[Problems to be solved by the invention]
However, when this application is developed by a person other than the service provider such as a card issuer, the technical know-how used in the program by reverse engineering is known in order to obtain the application code by the service provider. There was a possibility. In addition, even if the card issuer and service provider have signed a confidentiality agreement, the card issuer will recognize and prove that the service issuer has breached the contract. There was a problem that was difficult.
Further, for example, when the card issuer enters into a contract permitting the service provider to copy the application and mount it on 100 IC cards, and the service provider mounts this application on 100 or more IC cards. Even so, the card issuer could not recognize or prove this fact, and there was a risk that the rights to applications such as copyright would be lost.
On the other hand, in order to prevent the technical know-how from leaking out, if an application with encryption or digital signature is supplied to the service provider and decrypted inside the IC card, the card individual information is written in the application and the initial setting is performed. There was a problem that I could not.
If the application requires an encryption key for execution, it is necessary to generate an encryption key, write it to the application, and perform initial settings. Equipment was required, and there was a risk of burdening the service provider that issued the application.
Furthermore, the problem of leakage of technical know-how and the rights related to applications are not only between card issuers and service providers, but also confidential matters such as information, technical know-how, etc. that are subject to rights such as databases, music data, and image data. This is a problem that may arise when providing value information (intellectual property), which is a group of valuable data such as information containing information, and programs to others.
The present applicant has filed a prior application for the invention of “IC card and IC card program” to solve these problems (Japanese Patent Application No. 2003-008621).
[0005]
Here, the IC card and the IC card program according to the prior application will be described. For convenience of explanation of embodiments of the present invention to be described later, the contents of the prior application are appropriately adjusted are described below.
FIG. 7 is a diagram for explaining a usage pattern of the IC card according to the prior application. The IC card according to the prior application is the issue management IC card 10-3.
As shown in FIG. 7, the application issuance management system 1-3 includes an issuance management IC card 10-3, a user IC card 20-3, an issuance management IC card 10-3, and a user IC card 20-3. A reader / writer (hereinafter, “reader / writer” is referred to as “R / W”) 40A and 40B.
The application issuance management system 1-3 uses an application that is value information provided from the issuance management IC card 10-3 by the external device 30 (hereinafter, an application to be provided is referred to as a “target application”). Execute the application, individually write to a plurality of user IC cards 20-3 (20A-3, 20B-3, 20C-3,...) That are predetermined value information use devices to be used, and issue the target application ( Application issuing process).
[0006]
The external device 30 receives data such as input means such as a keyboard, output means such as a display, communication means such as an input / output interface for communicating with the R / W 40A, 40B, control means such as a CPU, program, and card individual information DB. A computer provided with storage means and the like and managed by the service provider, and communicates with the issue management IC card 10-3 via the R / W 40A and the user IC card 20-3 via the R / W 40B. . The card individual information DB stores card individual information corresponding to each user IC card 20-3. The external device 30 reads information from the issue management IC card 10-3 by transmitting a predetermined command, writes the read information to the user IC card 20-3, and similarly from the user IC card 20-3. Information is exchanged between the issue management IC card 10-3 and the user IC card 20-3, such as writing the read information into the issue management IC card 10-3.
[0007]
FIG. 8 is a block diagram showing an embodiment of an IC card according to the prior application.
As shown in FIG. 8, the issue management IC card 10-3 includes a communication unit 11, a CPU 12-3, and three memories 13, 14, and 15-3, and is initially set by a card issuer that provides an application. Will be issued and issued. The communication unit 11 and the memories 13, 14, and 15-3 are connected to the CPU 12-3.
The communication unit 11 includes a plurality of terminals that are in electrical contact with the contact terminals of the R / W 40A. The communication unit 11 is inserted and connected to the R / W 40A to receive power and a clock. Input / output means for transmitting / receiving information to / from the W40A, that is, inputting / outputting information from / to the R / W 40A, and mediating communication between the CPU 12-3 and the external device 30 together with the R / W 40A To do.
[0008]
The three memories are a RAM 13, a ROM 14, and a nonvolatile memory 15-3, and are storage means for storing information necessary for processing of the CPU 12-3 such as programs and data. The RAM 13 is a volatile memory and is used as a work area where the CPU 12-3 performs processing. The ROM 14 is a nonvolatile read-only memory that stores basic software such as an OS, programs such as an execution environment, hardware such as parameters, and stores programs and data that allow applications to use the hardware. Yes.
[0009]
The non-volatile memory 15-3 is a non-volatile rewritable memory such as EEPROM, flash memory, FRAM, etc., and is normally used as a user work area, program area, etc., and can store a plurality of applications. is there. In addition, the nonvolatile memory 15-3 stores a target application, license information, an application issuing public key (hereinafter referred to as “issuing public key”) PKad, issuing information, and the like.
[0010]
FIG. 9 is a diagram for explaining information stored in the non-volatile memory of the issue management IC card and the user IC card according to the prior application.
As shown in FIG. 9, the target application, license information, issuance public key PKad, and issuance information are written in the non-volatile memory 15-3 at the issuance stage for initial setting of the issuance management IC card 10-3. The target application includes a code part for storing the program code and a data part for storing data necessary for executing the program code, and is stored in the nonvolatile memory 15-3 in a confidential state. The data part of the target application is in a state that does not include card individual information.
[0011]
The license information is provided number-of-times limitation information for limiting the number of times the target application is provided to the user IC card 20-3 by limiting the copy of the target application, output to the outside, and the like. Issuance management IC card, which is information based on whether the provision permission determination unit 124 of the CPU 12-3 determines whether or not the encryption unit 121 permits encryption of the target application (see FIG. 10 described later). 10-3 indicates the number of times (100 times) an encrypted application can be generated, and the number decreases every time an encrypted application is generated. Therefore, the issuance management IC card 10-3 can encrypt the target application by this number of times and generate an encrypted application, that is, copy it. In the process of generating the issue management IC card 10-3, the card issuer sets, in this license information, the number of times that the target application permitted by the service provider can be copied and issued (the number of times it can be provided). The license information can be read by a predetermined read command, but writing and rewriting must satisfy a predetermined condition such as authentication. The issuing private key SKad and the issuing public key PKad are a pair of encryption keys used in the public key cryptosystem, and are owned and managed by the card issuer. In particular, the issuing secret key SKad is managed in a confidential state, that is, securely so as not to be leaked to others. The issue information includes the identification information of the provider of the target application, that is, the card issuer (issue management IC card 10-3), application attribute information such as the type, version, and ID number of the target application. .
[0012]
As shown in FIG. 8, the CPU 12-3 performs overall control of the issuance management IC card 10-3 by executing programs such as the OS and applications stored in the ROM 14, the non-volatile memory 15-3, etc. Processing according to the command received from the R / W 40A is performed, and the encryption unit 121, the decryption unit 122, the use validity determination unit 123, the provision permission determination unit 124, the write / rewrite unit 125, the issue certificate generation unit 126, and the like. The processing result is transmitted to the R / W 40A as a response. The function of each part will be described later with reference to FIG.
[0013]
The user IC card 20-3 includes a communication unit 21, a CPU 22-3, three memories 23, 24, 25, and the like, and is issued by a card issuer who is a business subject. The communication unit 21 and the memories 23, 24, and 25 are connected to the CPU 22-3.
The communication unit 21 has the same function as the communication unit 11 of the issuance management IC card 10-3, and mediates communication between the CPU 22-3 and the external device 30 together with the R / W 40B.
The three memories are a RAM 23, a ROM 24, and a nonvolatile memory 25, and have the same functions as the RAM 13, the ROM 14, and the nonvolatile memory 15-3 of the issuance management IC card 10-3. The nonvolatile memory 25 stores a user secret key SKic, a public key certificate PKCic, card information, and the like that are unique to the user IC card 20-3 and are used in a public key cryptosystem such as RSA.
[0014]
As shown in FIG. 9, the public key certificate PKCic, the user secret key SKic, and the card information are written in the nonvolatile memory 25 at the issuance stage of the user IC card 20-3. In particular, the user secret key SKic is stored in the nonvolatile memory. 25 is stored in a confidential state. The user secret key SKic and the user public key PKic are a pair of encryption keys unique to the user IC card used in the public key cryptosystem, and are owned and managed by the card issuer. The card issuer prepares a different encryption key pair for each user IC card 20-3. The card information includes attribute information of the user IC card 20-3 such as identification information of the user IC card 20-3 and identification information of the card issuer.
[0015]
The public key certificate PKCic encrypts information indicating that the user public key PKic included in the public key certificate PKCic is the public key of the user IC card 20-3 with the issuance private key SKad, and adds a digital signature. It is a thing. A digital signature is an electronic signature that certifies the creator of the information to be signed, ensures that the information has not been tampered with, and prevents the signer from denying that the information has been created. It is a kind of signature and is encrypted signature information attached to guarantee the validity of the information. The signer attaches a signature encrypted using its own private key to the information and sends it. The recipient decrypts the signature using the signer's public key and authenticates the validity. Accordingly, the public key certificate PKCic is an administrator of the issuance secret key SKad, and proves that the card issuer who has the right to the target application has permitted the use of the target application in the user IC card 20-3. Information for authenticating that the user IC card 20-3 can properly use the target application.
[0016]
As shown in FIG. 8, the CPU 22-3 performs overall control of the user IC card 20-3 by executing programs such as the OS and applications stored in the ROM 24, the nonvolatile memory 25, etc., and responds to commands. The decryption unit 221, the write / rewrite unit 222, the receipt proof generation unit 223, and the like are realized, and the processing result is transmitted as a response to the R / W 40B. The function of each part will be described later with reference to FIG.
[0017]
FIG. 10 and FIG. 11 are diagrams showing the operation in the embodiment of the IC card according to the prior application and the embodiment of the IC card program according to the prior application, and show the application issuing process. FIG. 10 is a flowchart, and FIG. 11 is a diagram for explaining input / output of information in the issue management IC card and the user IC card. The processing of the issue management IC card 10-3, the user IC card 20-3, and the external device 30 will be mainly described, and the external device 30 is not illustrated.
As shown in FIG. 10, in step 700 and step 800 (hereinafter, “step” is referred to as “S”), the issuance management IC card 10-3 is R / W 40A and the user IC card 20-3 is R. / W40B is inserted and activated by receiving power supply and the like.
In S701, the issuance management IC card 10-3 includes the card individual information, receives a command for requesting writing of the card individual information from the external device 30, and the writing / rewriting unit 125 stores the command in the nonvolatile memory 15-3. The card individual information is written in the stored data section of the target application, and a normal end response is transmitted to the external device 30 (# 410 in FIG. 11).
[0018]
In S801, the user IC card 20-3 receives a command requesting reading of the public key certificate PKCic from the external device 30, and transmits the public key certificate PKCic to the external device 30 as a response (S802, # 420). . Similarly, the user IC card 20-3 receives a command requesting reading of card information (S803), and transmits the card information to the external device 30 (S804, # 430).
In S702, the issuance management IC card 10-3 receives the command including the public key certificate PKCic and requesting generation of the encrypted application (# 440). This command is an application provision request for requesting encryption of the target application in order to provide the target application, that is, requesting to perform processing related to provision of the target application. In step S <b> 703, the provision permission determination unit 124 determines whether to permit encryption of the target application based on the license information stored in the nonvolatile memory 15-3. Specifically, the provision permission / rejection determination unit 124 determines whether or not the license information is one or more times. When the license information is zero or not, the provision permission / non-permission determination unit 124 determines that the license information is zero and sends an error response indicating that to the external device 30 (S713), and the process ends (S714).
[0019]
When the license information is one or more times, the decryption unit 122 decrypts the public key certificate PKCic with the issuance public key PKad (S704). The use validity determination unit 123 verifies the validity of the digital signature based on whether or not the decryption unit 122 can decrypt, that is, whether or not the use of the target application by the user IC card 20-3 is valid. Determination is made (S705, # 450). If it cannot be decrypted and the use validity determination unit 123 determines NO, an error response indicating that is transmitted to the external device 30 (S713), and the process ends (S714).
[0020]
On the other hand, if the use validity determination unit 123 determines affirmative, the CPU 12-3 reduces the license information once (S706, # 460), and the encryption unit 121 includes the target application in which the individual information is written. Is encrypted so that it can be decrypted only by the user IC card 20-3 permitted to be used by the card issuer (S707, # 470). That is, the target application is encrypted with the user public key PKic extracted from the public key certificate PKCic corresponding to the user secret key SKic stored in the user IC card 20-3, and an encrypted application is generated. The issuance management IC card 10-3 transmits a normal end response to the external device 30 (S708), and requests reading of the encrypted application and generation of an issuance certificate including the card information of the user IC card 20-3. A command is received from the external device 30 (S709, # 480). In S710, the issuance certificate generation unit 126 generates an issuance certificate (# 490). The issuance certificate indicates that the corresponding target application has been provided from the issuance management IC card 10-3 to the user IC card 20-3, that is, the card issuer who manages the provision of the target application proves the provision path of the target application. Information. The issue proof generation unit 126 provides the provider card identification information for identifying the user IC card 20-3 that is the provider of the target application, and the provider card identification that identifies the issue management IC card 10-3 that is the provider of the target application. Issuance information and card information including information and attribute information of the target application are encrypted with an issuance secret key SKad, and an issuance certificate is generated with a digital signature. The issue management IC card 10-3 transmits a response including the encrypted application and the issue certificate (S711, # 500).
[0021]
The user IC card 20-3 includes an encrypted application and an issuance certificate, receives a command requesting writing of the target application and the issuance certificate from the external device 30 (S805, # 510), and the decrypting unit 221 The encrypted application is decrypted using the user secret key SKic (S806, # 520), and the writing / rewriting unit 222 writes the decrypted target application to the nonvolatile memory 25 (S807, # 530). The receipt proof generation unit 223 includes the identification information of the IC card in which the target application has been written, that is, the user IC card 20-3, the identification information of the issue management IC card 10-3 that is the provider of the target application, and the target Information including application attribute information is encrypted with the user secret key SKic to generate a receipt certificate (S808). The user IC card 20-3 transmits a normal termination response including this receipt certificate to the external device 30 (S809), and terminates the processing (S810). The nonvolatile memory 25 stores the written target application in a confidential state. The issuance management IC card 10 receives this receipt certificate, writes it into the nonvolatile memory 25 (S712), and ends the process (S714).
When providing the target application to a plurality of user IC cards 20-3, the user IC card 20-3 inserted in the R / W 40B is replaced, and the same processing is repeated. In this case, in S701, the writing / rewriting unit 125 of the issue management IC card 10-3 rewrites the card individual information of the target application stored in the nonvolatile memory 15-3.
[0022]
However, in the invention according to the prior application described above, when the information on the face of the user IC card 20-3 loaded with the issued target application is lost due to a change in the name of the card user due to marriage, etc. In this case, it is necessary to reissue a new user IC card 20-3 whose information on the ticket is changed. When the target application is issued again to the new user IC card 20-3, new license information is consumed. (S706 in FIG. 10). In other words, even if the same target application is issued to the same card user, the license information is consumed, which is not suitable for the concept of license of the target application and may not be convenient. It was.
In addition, the version of the target application is upgraded and the old version of the target application is deleted from the user IC card 20-3. In the case of permitting (issuing) the use of the target application, there is a problem that it is not possible to confirm whether or not the old version of the target application has been invalidated, and lack of feasibility.
[0023]
An object of the present invention is to reduce the burden of providing value information, protect intellectual property related to value information, and address the above-described problems related to invalidation of provided value information. It is to provide an IC card and an IC card program with high applicability and convenience.
[0024]
[Means for Solving the Problems]
The present invention solves the above problems by the following means. In addition, in order to make an understanding easy, although the code | symbol corresponding to embodiment of this invention is attached | subjected and demonstrated, it is not limited to this. That is, the invention of claim 1 is a value information storage means (15, 15) for storing the value information to be provided to the value information using device (20) using the value information as a group of data and / or programs. -2) and provision number limit information storage means (15, 15-2) for storing provision number limit information including the number of times that the value information can be copied and / or outputted to the outside. The invalidation certification information input means (11) for inputting invalidation certification information from the outside, and the invalidation certification information input by the invalidation certification information input means are valid. When the determination is negative by the invalidation certification determination means (127, 127-2) for determining whether or not the invalidation certification determination means is positive, the provisionable number of times is increased. The providing time restriction information rewriting means for rewriting the provided frequency limit information stored by the distribution quota limit information storing means and (125), Processing stage information storage means (15, 15-2) for storing processing stage information including a counter value which is identification information of a processing stage which is incremented each time a transaction having a plurality of related processes as one processing unit commits. And a processing stage information output means (11) for outputting the processing stage information stored in the processing stage information storage means when there is a predetermined request, wherein the invalidation proof judgment means is the invalidation A duplicate input judging means (127, S570, S580) for judging whether or not the same invalidation certification information as the invalidation certification information inputted by the validation certification information input means has been inputted before; The determination means includes the processing stage output by the processing stage information output means included in the invalidation certification information input by the invalidation certification information input means. The counter value included in the information is compared with the counter value included in the processing stage information stored in the processing stage information storage means to determine whether or not there is a duplicate input, and the invalidation proof The determination means determines negative when the overlap input determination means determines affirmative; Is an IC card (10, 10-2).
[0025]
According to a second aspect of the present invention, in the IC card according to the first aspect, the value information stored in the value information storage means is encrypted and encrypted so that the value can be decrypted only by a predetermined value information use device. An encryption unit (121) for generating value information; and a value information output unit (11) for outputting the encrypted value information generated by the encryption unit to the outside. According to the encryption of the value information by the encryption unit and / or the output of the encrypted value information to the outside by the value information output unit, the provision number limit information so as to reduce the number of times of provision. The IC card (10, 10-2) is characterized in that the provision number limit information stored in the storage means is rewritten.
[0026]
The invention of claim 3 is the IC card according to claim 1 or 2, wherein the value information storage means stores one or a plurality of applications to be provided to the value information using device. IC card (10, 10-2).
[0027]
According to a fourth aspect of the present invention, in the IC card according to any one of the first to third aspects of the present invention, the invalidation certification determination means is a predetermined value in the value information using device in which the invalidation certification information is predetermined. Having invalidation process determination means (127) for determining whether or not it is proved that the value information is invalidated, and when the invalidation process determination means determines NO, the determination is NO The IC card (10, 10-2) is characterized by the following.
[0028]
According to a fifth aspect of the present invention, in the IC card according to the fourth aspect, the invalidation process determining means determines whether the predetermined value is based on whether or not a predetermined electronic signature is attached to the invalidation certification information. It has a device validity determining means (127, S510, S520) for determining whether or not the value information is invalidated in the information using device, and it is determined to be NO when the device validity determining means determines NO. This is an IC card (10, 10-2).
[0029]
According to a sixth aspect of the present invention, in the IC card according to the fourth or fifth aspect, the invalidation process determining means includes the attribute information of the value information, the identification information of the provider of the value information, or the value information. Value information validity determination means for determining whether or not the predetermined value information is invalid based on provision route information included in the invalidation certification information including at least one of the identification information of the provision destinations ( 127, S550, S560), and the IC card (10, 10-2) is characterized in that it is determined as NO when it is determined NO by the value information validity determining means.
[0030]
According to a seventh aspect of the present invention, in the IC card according to the sixth aspect, the value information validity determining means determines whether the provision route information is based on whether a predetermined electronic signature is attached to the provision route information. And providing route validity determining means (127, S530, S540) for determining whether or not the information is valid, and when the provided route validity determining means determines NO, it is determined to be NO The IC card (10, 10-2) is characterized by the following.
[0033]
Claim 8 According to the present invention, there is provided value information storage means (15, 15-2) for storing the value information for providing to the value information using device using the value information which is a set of data and / or a program, and the value information. Provision number limit information storage means (15, 15-2) for storing provision number limit information including a provisionable number of times that can be reproduced and / or output to the outside, Processing stage information storage means (15, 15-2) for storing processing stage information including a counter value which is identification information of a processing stage which is incremented each time a transaction having a plurality of related processes as one processing unit commits. When The IC card program to be executed by the CPU (12, 12-2) of the IC card (10, 10-2) including the invalidation certification information input from the outside when there is a predetermined request. The invalidation proof judgment step (S140, S160) for judging whether or not the data is a thing, and the provision number of times restriction so as to increase the provisionable number of times when it is judged positive in the invalidation certification judgment step When there is a predetermined request, the provision number limit information rewriting step (S180) for rewriting the provision number limit information stored by the information storage means, A processing step information output step (S110) for outputting the processing step information stored in the processing step information storage means, wherein the invalidation certification determination step inputs the invalidation certification information input from the outside before; A duplicate input judging step (S570, S580) for judging whether or not it has been performed, and the duplicate input judging step is outputted in the processing stage information output step included in the invalidation certification information inputted from the outside. The counter value included in the processing stage information and the counter value included in the processing stage information stored by the processing stage information storage means are collated to determine whether or not there is a duplicate input, The duplicate input determining step determines negative when it is determined positive in the duplicate input determining step; Is an IC card program characterized by
[0034]
Claim 9 The invention of claim 8 In the IC card program described in ,in front The invalidation certification determination step is an invalidation process determination step (S140, S510) in which it is determined whether or not the invalidation certification information proves that the predetermined value information is invalidated in the predetermined value information use device. To S570), and it is determined as NO when it is determined as NO in the invalidation process determination step.
[0035]
Claim 10 The invention of claim 9 In the IC card program described in the above, the invalidation process determination step determines that the value information is invalid in the predetermined value information using device based on whether or not a predetermined electronic signature is attached to the invalidation certification information. An IC card program characterized in that it has a device validity determination step (S510, S520) for determining whether or not it has been made, and determines NO when it is determined NO in the device validity determination step. .
[0036]
Claim 11 The invention of claim 9 Or claim 10 In the IC card program according to claim 1, the invalidation process determination step includes at least one of attribute information of the value information, identification information of a provider of the value information, or identification information of a provider of the value information, A value information validity determination step (S550, S560) for determining whether or not the predetermined value information has been invalidated based on provision route information included in the invalidation certification information, and the value information validity An IC card program characterized in that a determination of NO is made when it is determined NO in the determination step.
[0037]
Claim 12 The invention of claim 11 In the IC card program according to claim 1, in the value information validity determination step, whether or not the provision route information is valid based on whether or not a predetermined electronic signature is attached to the provision route information. The IC card program is characterized in that it has a provision path validity judgment step (S530, S540) for judging whether or not when it is judged as no in the provision path validity judgment step.
[0040]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, embodiments of the present invention will be described in more detail with reference to the drawings.
(First embodiment)
FIG. 1 is a block diagram showing a first embodiment of an IC card according to the present invention.
In addition, the same code | symbol is attached | subjected to the part which fulfill | performs the same function as embodiment mentioned above, and the overlapping description is abbreviate | omitted suitably. The IC card according to the present invention is an issue management IC card 10.
As shown in FIG. 1, the application issuance management system 1 includes an issuance management IC card 10, a user IC card 20, and the issuance management IC card 10 and the user IC card 20 connected via R / W 40A and 40B. And an external device 30 that performs application issuance processing, application deletion confirmation processing for confirming deletion of the target application issued by the issuance management IC card 10, and the like, and manages issuance of the target application.
[0041]
The issue management IC card 10 has the same configuration as the issue management IC card 10-3.
The nonvolatile memory 15 stores a target application, license information, an issuance public key PKad, an issuance secret key SKad, issuance information, a counter value, and the like. The counter value is identification information of a processing stage in which the value is incremented each time each transaction is committed (successful processing is confirmed). A transaction is a collection of a plurality of related processes as one processing unit.
[0042]
The CPU 12 executes programs stored in the ROM 14, the non-volatile memory 15, and the like, so that the encryption unit 121, the decryption unit 122, the use validity determination unit 123, the provision permission determination unit 124, and the writing / rewriting unit 125. , Issue certificate generation unit 126, deletion certificate determination unit 127, and the like. The function of the deletion proof determination unit 127 will be described later with reference to FIGS.
[0043]
The user IC card 20 has the same configuration as that of the user IC card 20-3. The application issuance process shown in FIG. 10 is performed, and the target application and the issuance certificate are provided from the issuance management IC card 10 to the card user. After being distributed, the card is returned to the service provider because the information on the ticket can no longer be used due to reasons such as loss of validity.
The nonvolatile memory 25 stores a target application, an issue certificate, and the like provided from the issue management IC card 10.
[0044]
The CPU 22 implements a decryption unit 221, a write / rewrite unit 222, a receipt certificate generation unit 223, a deletion certificate generation unit 224, and the like by executing programs stored in the ROM 24, the nonvolatile memory 25, and the like. The function of the deletion proof generation unit 224 will be described later with reference to FIGS.
[0045]
2 and 3 are diagrams showing the operation of the first embodiment of the IC card according to the present invention and the first embodiment of the IC card program according to the present invention, and show the application deletion confirmation processing. FIG. 2 is a flowchart, and FIG. 3 is a diagram for explaining input / output of information in the issue management IC card and the user IC card. The processing of the issue management IC card 10, the user IC card 20, and the external device 30 will be mainly described, and the external device 30 is not illustrated. The processes from S100 to S210 of the issuance management IC card 10 are managed as transactions.
As shown in FIG. 2, in S100, the issue management IC card 10 is connected to the R / W 40A, and the user IC card 20 is connected to the R / W 40B.
[0046]
In S110, the issue management IC card 10 receives a predetermined command from the external device 30, and transmits a counter value (# 10 in FIG. 3). The user IC card 20 receives a command for requesting deletion of the designated target application from the external device 30 using the counter value as an argument from the external device 30 (S310, # 20). The user IC card 20 deletes the designated target application (S320, # 30), and the deletion certificate generation unit 224 generates a deletion certificate for proving that the target application has been deleted (S330, # 30). 40). In other words, the deletion certificate generation unit 224 reads the issued certificate of the deleted target application, and encrypts it with the user counter key SKic together with the argument counter value, thereby attaching the deletion certificate with the digital signature of the user IC card 20 Generate a document. The user IC card 20 transmits this deletion certificate as a response to the external device 30 (S340, # 50). Also, the user IC card 20 receives a predetermined command, transmits the public key certificate PKCic to the external device 30 (S350, # 60), and ends the process (S360).
The external device 30 transmits a deletion certificate and public key certificate PKCic to the issuance management IC card 10 by transmitting a predetermined command, and the issuance management IC card 10 receives the received deletion certificate and public key certificate PKCic. Store (S120, # 70). The issuance management IC card 10 receives the license collection request (S130), and the deletion certification determination unit 127 verifies the public key certificate PKCic stored in S120 (S140, # 80), and the public key certificate. It is determined whether PKCic is a valid one that satisfies a predetermined condition (S150).
[0047]
FIG. 4 is a flowchart showing the processing of the deletion certification determination unit 127. FIG. 4A shows the public key certificate verification processing (S140 in FIG. 2), and FIG. 4B shows the deletion certificate. The verification process (S160 in FIG. 2) is shown.
As shown in FIG. 4A, the deletion certificate determination unit 127 first decrypts the public key certificate PKCic with the issuing public key PKad, that is, whether the public key certificate PKCic has a predetermined digital signature. Based on whether or not it is possible, the reliability (whether or not it is reliable) of the public key certificate PKCic is verified (S410, S420). When it is determined that it is not reliable (when decryption is impossible), the deletion certificate determination unit 127 determines that the public key certificate PKCic is not valid (S460). If it is determined that the certificate can be trusted, the deletion certificate determination unit 127 determines that the public key that can be extracted from the public key certificate PKCic is a predetermined user IC card 20 (an IC card that has received provision of the target application from the issue management IC card 10). The user public key PKic is verified based on the public key attribute information included in the public key certificate PKCic (S430). If it is determined that the public key attribute satisfies the condition, the public key certificate PKCic is determined to be valid (S450), and if the condition is not satisfied, it is determined not to be valid. (S460).
[0048]
As shown in FIG. 2, in the verification of the public key certificate PKCic (S140), if the deletion certification determination unit 127 determines that it is not valid, an error response to that effect is transmitted to the external device 30 (S200). The process ends (S210). If it is determined that the deletion certificate is valid, the deletion certificate determination unit 127 verifies the deletion certificate (S160), and determines whether or not the deletion certificate satisfies a predetermined condition (S170).
[0049]
As shown in FIG. 4B, the deletion certificate determination unit 127 verifies the reliability of the deletion certificate based on whether or not the deletion certificate can be decrypted with the user public key PKic verified in S140 (S410). , S420, # 90). If it is determined that it is not reliable, the deletion certificate determination unit 127 determines that the deletion certificate is not valid (S600). If it is determined that the certificate can be trusted, the deletion certificate determination unit 127 verifies the reliability of the issued certificate based on whether or not the issued certificate can be decrypted with the issuing public key PKad (S530, S540, # 100). ). If it is determined that it is not reliable, the deletion certificate determination unit 127 determines that the deletion certificate is not valid (S600). If it is determined that the application can be trusted, the deletion certificate determination unit 127 verifies whether the deleted application is valid based on the issued certificate (S550, S560, # 110). Specifically, the deletion certification determination unit 127 provides the provision path of the deleted target application, that is, the provision destination card identification information, the provision source card identification information, the target application included in the issuance information and card information of the issuance certificate. It is determined with reference to stored issuance information or the like whether or not the attribute information or the like satisfies a predetermined condition.
[0050]
In the present embodiment, the provider of the target application indicated by the provider card identification information is the user IC card 20 indicated by the public key certificate PKCic, and the provider of the target application indicated by the provider card identification information is the issue management IC. It is a predetermined condition that the card 10 and the target application are of a predetermined type. If it is determined that any of the conditions is not satisfied, the deletion certificate determination unit 127 determines that the deletion certificate is not valid (S600).
If it is determined that all of these conditions are satisfied, the deletion certificate determination unit 127 compares the counter value included in the deletion certificate with the stored counter value, and the counter value included in the deletion certificate is It is determined whether or not they are transmitted to the external device 30 in the same transaction (S110) (S570, S580, # 120). If the counter values match, it is determined that the deletion certificate is valid (S590). When the counter values are different, for example, when the same deletion certificate is received after the transaction is committed (S190) and the same processing is performed (from S110 to S160), the deletion certification determination unit 127 is performed. Determines that the deletion certificate is not valid (S600).
[0051]
As shown in FIG. 2, when it is determined that the deletion certificate is not valid (S160), an error response to that effect is transmitted to the external device 30 (S200), and the process is terminated (S210). If it is determined to be valid, the writing / rewriting unit 125 increments the number of times the license information can be provided (S180, # 130), and transmits a response indicating the normal end to the external device 30 (S190). Is finished (S210). Note that the write / rewrite unit 125 increments the counter value once for each transaction, such as immediately after the request for the transaction (S110).
[0052]
As described above, according to the first embodiment, a highly confidential issue management IC card 10 that does not include an input device such as a keyboard or a mouse, which is a man-machine interface through which a user directly inputs a command, is an object. By storing the application, it is possible to prevent the target application from being leaked to the outside unintentionally.
Further, since the issue management IC card 10 includes a provision permission / rejection determination unit 124 that determines whether to permit encryption (duplication) of the target application based on the license information stored in the nonvolatile memory 15. It has become possible to prevent unauthorized use such as unauthorized copying and to protect the intellectual property of the target application.
[0053]
Further, the issue management IC card 10 includes an encryption unit 121 that encrypts the target application stored in the nonvolatile memory 15 with the user public key PKic of the user IC card 20, and outputs the encrypted application to the outside. This makes it possible to prevent leakage and unauthorized use of the target application.
Furthermore, the issue management IC card 10 can issue the target application including the card individual information by outputting the encrypted application generated by encrypting the target application including the card individual information to the outside. It has become possible to improve the convenience of service providers and card users.
In addition, the issue management IC card 10 includes a use validity determination unit 123 that determines whether or not the use of the target application by the user IC card 20 is valid based on the public key certificate PKCic input from the outside. It is possible to identify the user IC card 20 that is a legitimate user and provide the target application.
[0054]
Furthermore, the issue management IC card 10 decrypts the deletion certificate with the user public key PKic whose reliability has been verified, and the target application has been deleted with the predetermined user IC card 20 in order to verify the reliability. It has become possible to confirm this reliably.
Similarly, the issuance management IC card 10 decrypts the issuance certificate included in the deletion certificate with its own issuance public key PKad, verifies its reliability, and issues the issuance information and card information included in the issuance certificate. Therefore, it is possible to reliably confirm that the deleted application is a predetermined target application.
[0055]
Further, the issue management IC card 10 uses, for example, the same public key certificate and deletion certificate after the application deletion confirmation process in which the number of times that the license information can be provided is incremented and committed in order to check the counter value. When an application deletion confirmation process is performed, an error occurs, so it is possible to eliminate unauthorized deletion certificates such as duplicates.
Furthermore, the issuance management IC card 10 confirms that the deleted application is a predetermined target application and that the target application has been deleted by the predetermined user IC card 20, and increments the number of times license information can be provided. Therefore, it is possible to obtain a result equivalent to the collection of the target application that is an intangible object, and it is possible to reliably manage the target application and improve the applicability and convenience.
[0056]
(Second Embodiment)
FIG. 5 is a block diagram showing a second embodiment of the IC card according to the present invention.
As shown in FIG. 5, the application issuance management system 1-2 includes an issuance management IC card 10-2, a user IC card 20, and the issuance management IC card 10-2 and the user IC card 20 are R / W 40A, This is a system that manages issuance of a target application, which includes an external device 30 connected via 40B.
[0057]
With the issue management IC card 10-2, the target application has been upgraded (hereinafter, the target application of the old version is referred to as “target application V1”, and the target application of the new version is referred to as “target application V2”. The same applies to the issue management IC card 10 in the first embodiment, and is provided from the card issuer to the service provider.
The issue management IC card 10-2 includes a CPU 12-2 having a deletion certification determination unit 127-2, a nonvolatile memory 15-2, and the like. The function of the deletion proof determination unit 127-2 will be described later with reference to FIG. The nonvolatile memory 15-2 stores the target application V2, license information, issue public key PKad, issue secret key SKad, issue information V1, issue information V2, a counter value, and the like.
The user IC card 20 performs processing similar to the application issuance processing in the issuance management system 1-3 according to the prior application, receives the target application and the issuance certificate from the issuance management IC card 10, and is distributed to the card user. After that, the card is returned to the service provider with the upgrade of the target application.
[0058]
FIG. 6 is a diagram for explaining the operation in the second embodiment of the IC card according to the present invention and the second embodiment of the IC card program according to the present invention, and shows an application update process. The application update process can be substantially realized by a combination of an application deletion confirmation process (FIG. 2) for the target application V1 and an application issue process (FIG. 10) for the target application V2. Therefore, the description will be made with reference to FIGS. 2, 3 and 10 in addition to FIG.
First, the issue management IC card 10-2 and the user IC card 20 perform the same processing as S110 to S170 in FIG. 2 (# 210 to # 300 in FIG. 6). The deletion certificate determination unit 127 refers to the stored issue information V1 and issue information V2 in the verification of the contents of the issue certificate (S570, # 310 in FIG. 4B) and is included in the deletion certificate. By verifying the issue information V1 and the card information, it is verified whether the deleted application is valid that satisfies a predetermined condition. In the present embodiment, the predetermined target application is that the deleted target application is the target application V1 or the target application V2, and if the target application V1 is the issue management IC card 10. Yes. In this case, when the deleted application is the target application V1, the issue management IC card 10-2 does not increment the number of times license information can be provided (S180 in FIG. 2).
[0059]
Next, the issuance management IC card 10-2 and the user IC card 20 perform the same processing as S701 to S713 in FIG. 10 (the number of times license information can be provided is not decremented in S706), and delete the target application V1. The target application V2 issuance process is performed on the user IC card 20 that has been performed. The use validity determination unit 123 determines whether or not the attribute information included in the public key certificate PKCic received in S702 and the card information included in the deletion certificate received in S120 indicate the same user IC card 20. If the answer is NO, no issue is made (not shown). As a result, the issue management IC card 10-2 issues the target application V2 to the user IC card 20 from which the target application V1 has been deleted, and the issue management IC card 10-2 and the user IC card 20 update the application. The process ends.
[0060]
As described above, according to the second embodiment, in addition to the same effects as those of the first embodiment, the issue management IC card 10-2 has the target application V1 issued from the predetermined issue management IC card 10 as a predetermined user. The target application V2 can be newly issued to the user IC card 20 and the target application can be updated without confirming that the IC card 20 has been deleted and reducing the number of times license information can be provided. It has become possible. In other words, the target application can be reliably managed, and the applicability and convenience can be further improved.
[0061]
(Deformation)
The present invention is not limited to the embodiment described above, and various modifications and changes are possible, and these are also within the equivalent scope of the present invention. For example, in each embodiment, the communication method of the issuance management IC cards 10 and 10-2 and the user IC card 20 is not limited to the contact type, and may be a non-contact type or a contact / non-contact type. The method is not limited.
[0062]
In each embodiment, the non-volatile memories 15 and 15-2 of the issue management IC cards 10 and 10-2 may store a plurality of target applications. Further, license information corresponding to each target application or an attribute of each target application may be stored. It is possible to improve convenience.
[0063]
In each embodiment, the issue management IC cards 10 and 10-2 store license information indicating the number of times that the encryption unit 121 can generate the encrypted application. However, the target application is determined by other processing of the CPUs 12 and 12-2. License information indicating the number of times that copying can be performed may be stored, and license information indicating the number of times the target application or encrypted application can be output from the issue management IC cards 10 and 10-2 may be stored. It is only necessary to limit the number of times the target application is provided from the issue management IC cards 10 and 10-2 to the user IC card 20.
[0064]
In each embodiment, when the access request is input from the outside, the issuance management IC cards 10 and 10-2 permit the access specified by the access request based on the access validity authentication information input from the communication unit 11. There may be provided an access permission / rejection determination unit for determining whether or not to do so. The access request is a request for access to the memory such as writing of information to the ROM 14 and the nonvolatile memories 15 and 15-2, rewriting and reading of stored information, such as a so-called WRITE command and READ command. The access legitimacy authentication information is information for authenticating that the external apparatus 30 that has transmitted the access request is a legitimate apparatus that can perform the access specified by the access request. Including access information indicating access contents such as an access type indicating access type such as rewriting, an accessible area, and the like, and a digital signature of a card issuer managing the issue management IC cards 10 and 10-2 is attached. .
[0065]
For example, when a predetermined command for requesting writing of card individual information is received from the external device 30 (S701), the access permission / rejection determination unit performs digital processing in processing corresponding to the command for requesting authentication received before and after the command. The signature can be decrypted with the issuing public key PKad, that is, the digital signature of the access validity authentication information is authenticated as the card issuer's legitimate, and the access specified by the access request is within the range indicated by the access information Allow if
It is possible to improve the convenience by eliminating unauthorized access to the inside of the issue management IC cards 10 and 10-2, maintaining high confidentiality, and making it accessible if certain conditions are satisfied. . Further, by performing the same process as the process of verifying the signature of the public key certificate PKCic, such as decrypting and authenticating the digital signature with the issuing public key PKad (S704), the ROM 14, the nonvolatile memories 15, 15- 2 can be used efficiently and the processing efficiency can be improved.
[0066]
In addition, when receiving a command for requesting rewriting of license information, the access permission / rejection determination unit may similarly determine based on the access validity authentication information. By making the access information rewritable under the set conditions, the card issuer can easily deal with cases where the service provider has additionally granted the number of times the target application can be provided, which is convenient. Can be improved.
[0067]
In each embodiment, the issue management IC cards 10 and 10-2 each having a card-type base material as an IC card according to the present invention have been described as examples. However, the base material is not limited, and may be a SIM card, an IC tag, or the like. At least a CPU, a means for communication with the outside, a storage means for storing information, a keyboard that inputs commands directly from a user who becomes a man-machine interface, a highly confidential device that does not have an input device such as a mouse, Other portable information processing apparatuses may be used.
In addition, the issue management IC cards 10 and 10-2 store the target application as value information, but include confidential information such as information, technical know-how, and the like that are subject to rights such as databases, music data, and image data. A group of data having a value such as information to be stored and other value information as a program may be stored, and the provision to the user IC card 20 may be managed. Similar effects can be obtained.
Further, the issue management IC cards 10 and 10-2 provide value information to the user IC card 20 which is a value information use device, but are not limited to this, and other value information using this value information such as a computer. Value information may be provided to the device in use.
[0068]
In each embodiment, the user IC card 20 decrypts the encrypted application into the target application and stores it in the nonvolatile memory 25. However, the user IC card 20 stores the encrypted application as it is, and the decryption unit 221 is necessary when it is executed or the like. You may decode.
[0069]
In each embodiment, the issue management IC cards 10 and 10-2 include an encryption key generation unit that generates an encryption key necessary for executing the target application, and the writing / rewriting unit 125 targets the generated encryption key. Writing to the application, the encryption unit 121 may encrypt the target application in which the encryption key is written. It is possible to maintain the confidentiality of the encryption key at a high level and reduce the burden of capital investment for protecting the encryption key.
[0070]
In each embodiment, the issue management IC cards 10 and 10-2 and the user IC card 20 are digitally signed by performing encryption with each secret key, but characters, symbols, marks, etc. are electronically Other electronic signatures expressed in the above may be attached.
[0071]
In each embodiment, the user IC card 20 generates a deletion certificate when the target application is deleted. However, when the target application is made unusable by another method, that is, another method. When the certificate is invalidated in step, an invalidation certificate that is the certificate may be generated. In this case, the deletion certificate determination unit 127 determines the invalidation certificate in the same manner as the deletion certificate.
[0072]
In each embodiment, the issue management IC cards 10 and 10-2 store the issue secret key SKad and the issue public key PKad in the nonvolatile memories 15 and 15-2. Good. Similarly, the user IC card 20 stores the user secret key SKic and the public key certificate PKCic in the nonvolatile memory 25, but stores in the ROM 24 programs and data that are unlikely to be rewritten, such as in the ROM 24. It may be. For example, the issuance management IC cards 10 and 10-2 may store the target application in the ROM 14, read the rewritable memory such as the nonvolatile memories 15 and 15-2, and write the card individual information.
[0073]
In each embodiment, the issue management IC cards 10 and 10-2 and the user IC card 20 include the timing for receiving information necessary for command processing such as a deletion certificate, public key certificate, and counter value in the command. It may be received before the command is received. The timing is not limited as long as it is received when necessary.
In each embodiment, the public key certificate is read after reading the deletion certificate from the user IC card 20 (S340) (S350), but the reverse is also possible. Is not limited.
[0074]
In each embodiment, the deletion certification determination units 127 and 127-2 of the issue management IC cards 10 and 10-2 verify the contents of the issue certificate (S550) and then check the counter value (S570). Or vice versa. If it is possible to verify that the deleted application is a predetermined application and that the IC card from which the application has been deleted is a predetermined IC card based on the deletion certificate and public key certificate PKCic received in S120 The verification method and order performed by the deletion certification determination unit 127 are not limited. For example, the issuance management IC card 10 may store the public key certificate PKCic (S702) received after the application issuance process and use the public key certificate PKCic for verification of the deletion certificate. . Further, history information indicating the history of processing such as the receipt certificate (S712) received in the application issuing process may be used for verification of the deletion certificate.
[0075]
In each embodiment, the deletion certification determination units 127 and 127-2 of the issue management IC cards 10 and 10-2 prevent duplication of application deletion confirmation processing by comparing counter values, Although application deletion confirmation processing for illegal deletion certificates such as duplicates is prevented, for example, application deletion confirmation processing including identification information of the target user IC card 20 and attribute information of the deleted application History information (which may be a processed issuance certificate) is stored, and is referred to when the deletion certificate determination unit 127, 127-2 verifies the deletion certificate, thereby preventing duplicate application deletion confirmation processing. May be.
[0076]
In each embodiment, instead of the external device 30, for example, a server managed by a service provider connected to the issue management IC cards 10 and 10-2, a communication line such as the Internet, and the user IC card 20 are connected. The method is not limited as long as information exchange between the issue management IC card 10 and the user IC card 20 can be mediated.
[0077]
In the first embodiment, the issuance management IC card 10 stores identification information (such as card information) of the user IC card 20 that is the target of processing when the number of times license information can be provided is incremented in the application deletion confirmation processing. Then, after that, one of the targets for issuing the target application may be limited to a new user IC card 20 having the same identification information whose information on the ticket is updated.
[0078]
In the second embodiment, the issuance management IC card 10 performs the application update process without rewriting the license information, but may rewrite it. That is, the issuance management IC card 10 restricts the identity of the target with the identification information of the user IC card 20, etc., performs the application deletion confirmation process (FIGS. 2 and 3), and then performs the application issuance process (FIGS. 10 and 11) may be performed.
Further, an application deletion confirmation process may be performed after the application issuance process, and an application update process may be performed.
[0079]
【The invention's effect】
As described above in detail, according to the present invention, the following effects can be obtained.
(1) Value information to the outside by storing value information in a highly confidential IC card that does not have an input device such as a keyboard or mouse, which is a man-machine interface where a user directly inputs commands. Prevent leakage.
(2) The provision number limit information is stored, and duplication of value information and / or output to the outside is restricted, thereby preventing unauthorized duplication and the like and protecting intellectual property related to the value information.
(3) By rewriting the number of possible provisions when it is determined that the invalidation certification information is valid, a result equivalent to the collection of intangible value information is obtained, the value information is managed reliably, and applicability and Increase convenience.
(4) The stored value information is encrypted so that it can be decrypted only by a predetermined value information use device, and is output to the outside, thereby preventing leakage and unauthorized use of the value information.
(5) In particular, when the value information is an application, the intellectual property of the application is protected and the convenience in providing the value information is improved.
(6) By rewriting the number of possible provisions when it is determined that the predetermined value information is invalidated in the predetermined value information using device, the value information is managed in more detail and reliably, and the applicability and convenience are improved.
(7) When the predetermined electronic signature is attached to the invalidation certification information and the provision route information, the above effect can be obtained more reliably by rewriting the number of times of provision.
(8) By determining whether or not the predetermined value information has been invalidated based on the provision route information, the above effect can be obtained more reliably, and for example, the value information can be provided when the value information is provided to the value information using device. At the same time, the provision route information is provided, and the value information using device generates invalidation certification information based on the provision route information, thereby simplifying the process by effectively using the information.
(9) By determining whether or not the same invalidation certification information as the invalidation certification information has been input, rewriting of the number of possible provisions based on illegal invalidation certification information such as duplication is prevented.
(10) By determining whether or not the same invalidation certification information as the invalidation certification information has been input based on the processing stage information such as the transaction counter value included in the invalidation certification information, The effect (9) can be easily obtained without storing new data.
[Brief description of the drawings]
FIG. 1 is a block diagram showing a first embodiment of an IC card according to the present invention.
FIG. 2 is a flowchart showing the operation of the IC card according to the first embodiment of the present invention and the first embodiment of the IC card program according to the present invention.
FIG. 3 is a diagram for explaining input / output of information in an issue management IC card and a user IC card.
FIG. 4 is a flowchart showing processing of a deletion proof determination unit 127;
FIG. 5 is a block diagram showing a second embodiment of the IC card according to the present invention.
FIG. 6 is a diagram for explaining the operation of the IC card according to the second embodiment of the present invention and the second embodiment of the IC card program according to the present invention;
FIG. 7 is a diagram for explaining a usage pattern of an IC card according to a prior application.
FIG. 8 is a block diagram showing an embodiment of an IC card according to a prior application.
FIG. 9 is a diagram for explaining information stored in the non-volatile memory of the issue management IC card and the user IC card according to the prior application.
FIG. 10 is a flowchart showing the operation of the IC card according to the prior application and the embodiment of the IC card program according to the prior application.
FIG. 11 is a diagram for explaining input / output of information in the issue management IC card and the user IC card according to the prior application;
[Explanation of symbols]
1, 1-2, 1-3 Application issue management system
10, 10-2, 10-3 Issuance management IC card
11 Communication Department
12, 12-2, 12-3 CPU
13 RAM
14, 14-2 ROM
15, 15-2, 15-3 EEPROM
20, 20-3 User IC card
30 External device
40A, 40B Reader / Writer
121 Encryption section
122 Decoding unit
123 Use validity judgment part
124 Provision permission / rejection determination unit
125 Write / Rewrite unit
126 Issuance certificate generator
127, 127-2 Deletion certification determination unit

Claims (12)

Value information storage means for storing the value information to be provided to a value information using device that uses value information that is a piece of data and / or a program, and reproduction and / or output of the value information to the outside. An IC card comprising provision number limit information storage means for storing provision number limit information including the number of times that can be provided, which is the number of times that can be provided,
Invalidation certification information input means for inputting invalidation certification information from outside,
Invalidation certification determination means for determining whether the invalidation certification information input by the invalidation certification information input means is valid, or
Provided number limit information rewriting means for rewriting the provided number limit information stored by the provided number limit information storage means so as to increase the available number of times when it is determined as affirmative by the invalidation proof determining means;
Processing stage information storage means for storing processing stage information including a counter value which is identification information of a processing stage which is incremented each time a transaction having a plurality of related processes as one processing unit commits;
Processing stage information output means for outputting the processing stage information stored in the processing stage information storage means when there is a predetermined request,
The invalidation proof determination means has a duplicate input determination means for determining whether or not the same invalidation certification information as the invalidation certification information inputted by the invalidation certification information input means has been inputted before,
The duplicate input determination means includes a counter value included in the processing stage information output by the processing stage information output means, included in the invalidation certification information input by the invalidation certification information input means, and the processing The counter value included in the processing stage information stored in the stage information storage means is collated to determine whether or not there is a duplicate input,
The invalidation proof determination means determines NO when the duplicate input determination means determines affirmative;
IC card characterized by In the IC card according to claim 1,
Encryption means for encrypting the value information stored by the value information storage means so as to be decrypted only by the predetermined value information use device, and generating encrypted value information;
Value information output means for outputting the encrypted value information generated by the encryption means to the outside,
The provision number limit information rewriting unit is configured to set the number of possible provisions according to the encryption of the value information by the encryption unit and / or the output of the encrypted value information to the outside by the value information output unit. Rewriting the provision number limit information stored by the provision number limit information storage means so as to decrease,
IC card characterized by In the IC card according to claim 1 or 2,
The value information storage means stores one or more applications to be provided to the value information use device;
IC card characterized by In the IC card according to any one of claims 1 to 3,
The invalidation certification determination means includes invalidation process determination means for determining whether or not the invalidation certification information proves that the predetermined value information is invalidated in the predetermined value information use device, When it is determined as NO by the invalidation process determining means,
IC card characterized by In the IC card according to claim 4,
The invalidation process determination means determines whether or not value information is invalidated in the predetermined value information use device based on whether or not a predetermined electronic signature is attached to the invalidation certification information. Having a legitimacy judging means, and judging to be no when the apparatus legitimacy judging means judges no;
IC card characterized by In the IC card according to claim 4 or 5,
The invalidation process determination means is included in the invalidation certification information including at least one of attribute information of the value information, identification information of a provider of the value information, or identification information of a provider of the value information. If there is value information validity determination means for determining whether or not the predetermined value information has been invalidated based on provision route information, and if the value information validity determination means determines NO, Judging,
IC card characterized by In the IC card according to claim 6,
The value information validity determination means determines whether or not the provision route information is valid based on whether or not a predetermined electronic signature is attached to the provision route information. Having a means, and determining that the determination is NO when the provision path validity determining means determines NO,
IC card characterized by Value information storage means for storing the value information to be provided to a value information using device that uses value information that is a piece of data and / or a program, and reproduction and / or output of the value information to the outside. A number-of-provisions information storage unit that stores provision number-of-provisions information including the possible number of times that can be provided, and a process step that is incremented each time a transaction with a plurality of related processes as one processing unit commits. An IC card program to be executed by a CPU of an IC card comprising processing stage information storage means for storing processing stage information including a counter value that is identification information ,
Invalidation certification determination step for determining whether or not invalidation certification information input from the outside is valid when there is a predetermined request;
A provision number limit information rewriting step of rewriting the provision number limit information stored by the provision number limit information storage means so as to increase the provisionable number of times by one when it is determined as affirmative in the invalidation certification determination step; ,
A processing stage information output step for outputting the processing stage information stored in the processing stage information storage means when there is a predetermined request ;
The invalidation certification determination step includes a duplicate input determination step of determining whether or not invalidation certification information input from the outside has been previously input,
In the duplicate input determination step, the counter value included in the processing stage information output step included in the invalidation certification information input from the outside and stored in the processing stage information output step is stored by the processing stage information storage means. The counter value included in the processing stage information that has been
When the duplicate input determination step is determined as affirmative in the duplicate input determination step, it is determined as no;
IC card program characterized by this. In the IC card program according to claim 8,
The invalidation certification determination step includes an invalidation process determination step of determining whether the invalidation certification information proves that the predetermined value information is invalidated in the predetermined value information use device, When it is determined as NO in the invalidation process determination step, it is determined as NO
IC card program characterized by this. The IC card program according to claim 9, wherein
The invalidation process determining step determines whether or not the value information is invalidated in the predetermined value information using device based on whether or not a predetermined electronic signature is attached to the invalidation certification information. Having a legitimacy judging step, and judging that it is no when it is judged as no in the apparatus legitimacy judging step;
IC card program characterized by this. In the IC card program according to claim 9 or 10,
The invalidation process determination step is included in the invalidation certification information including at least one of attribute information of the value information, identification information of a provider of the value information, or identification information of a provider of the value information. It has a value information validity determination step for determining whether or not the predetermined value information has been invalidated based on provision route information, and it is determined as NO when it is determined NO in the value information validity determination step To do,
IC card program characterized by this. In the IC card program according to claim 11,
The value information validity determination step determines whether the provision route information is valid based on whether a predetermined electronic signature is attached to the provision route information. A step, and if it is determined to be NO in the provision route validity determination step, determining NO
IC card program characterized by this.

Images