JP5265452B2 - Application usage system, application usage method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an application utilization system that exports a function of an application for an IC card from a server to the IC card to utilize the function, in a system that stores the function of the IC card in the server to enable the use of the function without using the IC card. <P>SOLUTION: A communication terminal 200 requests a server device 100 to output application data. The server device 100 outputs the application data to the communication terminal 200. The server device 100 disables the application. Then, an IC card 300 processes the application data transmitted via the communication terminal 200 to execute the application. <P>COPYRIGHT: (C)2011,JPO&amp;INPIT

Description

The present invention provides an IC card (Integrated Circuit) capable of executing an application.
The present invention relates to an application usage system and an application usage method using a card.

  Even if a user does not hold an IC card by giving the server the function of a predetermined IC card application (hereinafter referred to as “IC card application” or simply “application”), the function of the IC card A mechanism for making it possible to use this has been proposed (for example, Non-Patent Document 1). This technique can be used in the following cases, for example.

  As an example, consider the case of online shopping at a certain Internet site. Further, it is assumed that the shop of the site only supports payment using a predetermined IC card application. In this case, if the user accesses the site from a terminal to which the IC card reader / writer can be connected, the IC card can be settled by inserting the IC card into the IC card reader / writer. On the other hand, when a user accesses the site from a terminal (for example, a TV terminal) to which an IC card reader / writer cannot be connected, normally, payment cannot be performed at the site. If the technology is used, it becomes possible to make a settlement at the site without using an IC card. Hereinafter, this point will be described in detail with reference to FIG.

  FIG. 9 is a diagram for explaining a conventional settlement method in a shopping site. A service providing server 930 that provides a shopping site is connected to an application server 940 having an IC card application function. Further, the user 910 is connected to the service providing server 930 from the TV terminal 920 and performs shopping. Then, when shopping is completed and payment is made, an ID and a password are input at the television terminal 920 (SS1). The input ID and password are transmitted from the television terminal 920 to the service providing server 930 (SS2). Then, the service providing server 930 transmits the transmitted ID and password to the application server 940 (SS3).

  The application server 940 checks the ID and password transmitted from the service providing server 930 (SS4), and if the user can be authenticated, “OK” indicating that the authentication to the service providing server 930 is successful. Is returned (SS5). In response to this reply, the service providing server 930 transmits an IC card command for settlement (that is, a command dedicated to the IC card application) to the application server 940 (SS6). The application server 940 executes predetermined processing for settlement by the IC card application in response to the received IC card command and returns a response to the service providing server 930 (SS7), and the service providing server 930 receives this response. . In addition, the process of step SS6 and SS7 may be performed twice or more.

Nagaaki Oyama, “Server-Linked Multipurpose IC Card System-Importance of Tamper Resistant Technology-”, [online], Japan Science and Technology Agency, [Search April 24, 2009], Internet <URL: http: //www.dvlsi.jst.go.jp/topics/081206ws/081206DVLSIWS%20ohyama.pdf>

  By the way, in the case as described above, a user who normally performs online shopping from the TV terminal 920 without using an IC card temporarily uses the function of the IC card application stored in the application server 940. There is a demand to take out to an IC card held by a person and use it in an actual store. However, conventionally, a method for bringing an application from a server to an IC card has not been established, and it has been difficult to implement.

  SUMMARY OF THE INVENTION Accordingly, an object of the present invention is to solve the above-described problems and to realize an application use system and an application use method that allow an application to be taken from a server to an IC card.

  In order to solve the above-described problem, the present invention holds an IC card having a function of executing an application, a communication terminal that transmits / receives application data that is data related to the application to / from the IC card, and the application data. An application utilization system comprising: a server device, wherein the communication terminal accepts an output request for the application data to the IC card from the outside, and accepts an application take-out request for transmitting the output request to the server device And a first application storage unit that, when receiving the application data as a response to the output request from the server device, transmits the application data to the IC card. An application holding unit that holds data, an output unit that outputs the held application data to the communication terminal in response to the output request from the application take-out request receiving unit, and the application data to the communication terminal A first processing control unit that, when output, makes it impossible to execute the application in its own device, the IC card holds the application data transmitted from the communication terminal, and The present invention proposes an application utilization system comprising an application execution unit that processes the application data and executes the application.

  With this configuration, the application dedicated to the IC card held in the server device can be taken out to the IC card and used via the communication terminal. At this time, by controlling the server device so that the application taken out to the IC card cannot be executed, the inconvenience that the application is executed on both the server device and the IC card can be avoided.

  In addition, when the output unit receives the output request from the app take-out request accepting unit, the server device requests the communication terminal to request authentication information from the communication terminal; A first authentication execution unit that receives an authentication process from the communication terminal, and the communication terminal receives the authentication information received from outside in response to a request from the first authentication request unit. A first authentication information transmission unit for transmitting to the device, and the output unit outputs the application data to the communication terminal only when the first authentication execution unit succeeds in authentication. Also good.

  According to this configuration, when the application data is output from the server device to the IC card, the IC card and / or the user is authenticated, and the application data is output to the IC card only when the authentication is successful. Thereby, it is possible to output the application data after confirming whether the IC card and / or the user is valid.

  In addition, the output unit encrypts and outputs the application data, and the first application storage unit receives the encrypted application data and transmits the encrypted application data to the IC card. The application execution unit may be configured to decrypt and process the encrypted application data.

  According to this configuration, when the application data is output from the server device to the IC card, the application data is encrypted and transmitted, and the IC card decrypts and processes the encrypted application data. As a result, application data can be transmitted from the server device to the IC card more safely.

  The communication terminal receives an application data return request from the IC card to the server device from the outside, and transmits the return request to the server device; and the server device When the application data read request from the IC card is received as a response to the return request, an application read unit that transmits the read request to the IC card, and a response to the read request from the IC card A second application storage unit that transmits the application data to the server device when the application data is received, and the server device responds to the return request from the application return request reception unit, A read request unit for outputting the read request; In addition, the IC card outputs an application output unit that outputs the application data held in response to the read request from the application read unit, and outputs the application data in the application output unit. A second processing control unit configured to disable execution of the application in the own card, and the application holding unit receives the application data received as a reply to the read request in the read request unit May be held in a processable state.

  With this configuration, after an application is taken out from the server device to the IC card, the application can be returned to the server device. At this time, by controlling the IC card so that the application returned to the server device cannot be executed, it is possible to avoid the inconvenience that the application is executed on both the server device and the IC card.

  The server device, when the read request unit receives the return request from the application return request reception unit, a second authentication request unit that requests authentication information from the communication terminal, and the authentication information. A second authentication execution unit that receives from the communication terminal and executes an authentication process, and the communication terminal receives the authentication information received from outside in response to a request from the second authentication request unit. A second authentication information transmission unit for transmitting to the server device, and the read request unit outputs the read request to the communication terminal only when the authentication is successful in the second authentication execution unit. It may be.

  According to this configuration, when the application data read request is output from the server device, the IC card and / or user is authenticated, and the application data read request is output only when the authentication is successful. As a result, it is possible to output an application data read request after confirming whether the IC card and / or the user is valid.

  The application output unit encrypts and outputs the application data, and the second application storage unit receives the encrypted application data and transmits the encrypted application data to the server device. And the said application holding | maintenance part may hold | maintain the application data transmitted in said 2nd application storage part.

  With this configuration, when an application is returned from the IC card to the server device, the application data is encrypted and transmitted, and the server device decrypts and processes the encrypted application data. Thereby, application data can be more securely transmitted from the IC card to the server device.

  The application data may be configured to include at least one of an entity module that is data constituting the application and related data that is data used for the entity module.

  That is, by transmitting at least one of the entity module and the related data held by the server device to the IC card, the application is taken out from the server device to the IC card. Furthermore, the application is returned from the IC card to the server device by transmitting at least one of the entity module and the related data from the IC card to the server device. As a result, when the application is taken out or returned, only the minimum necessary data can be exchanged between the server device and the IC card.

  Further, the present invention is executed by an IC card having a function of executing an application, a communication terminal that transmits / receives application data that is data related to the application to / from the IC card, and a server device that holds the application data. An application utilization method, wherein the communication terminal accepts an output request for the application data to the IC card from the outside and transmits the output request to the server device; and the server device An output step of outputting the application data held in the own device to the communication terminal in response to the output request transmitted from the communication terminal; and in the server device, the application to the communication terminal. When the application data transmitted from the server device is received at the communication terminal, the application data is received. A first application storing step for transmitting to the IC card, and an application executing step for holding the application data transmitted from the communication terminal in the IC card, and further processing the application data to execute the application An application using method characterized by comprising:

  With this configuration, the application dedicated to the IC card held in the server device can be taken out to the IC card and used via the communication terminal. At this time, by controlling the server device so that the application taken out to the IC card cannot be executed, the inconvenience that the application is executed on both the server device and the IC card can be avoided.

  Further, the application using method includes an application return request receiving step of receiving a return request for the application data from the IC card to the server device from the outside and transmitting the return request to the server device in the communication terminal. A read request step for outputting a read request for the application data from the IC card in response to the return request transmitted from the communication terminal in the server device; and Upon receiving a read request, an application read step of transmitting the read request to the IC card, and outputting the held application data in the IC card in response to the read request transmitted from the communication terminal App output step In the IC card, when the application data is output in the application output step, a second process control step for making the application impossible to execute in the own card; and in the communication terminal, from the IC card When receiving the application data to be transmitted, a second application storing step of transmitting the application data to the server device, and the server device holds the application data transmitted from the communication terminal in a processable state. And a holding step.

  With this configuration, after an application is taken out from the server device to the IC card, the application can be returned to the server device. At this time, by controlling the IC card so that the application returned to the server device cannot be executed, it is possible to avoid the inconvenience that the application is executed on both the server device and the IC card.

  As described above, according to the present invention, the application dedicated to the IC card held in the server device can be taken out to the IC card and used via the communication terminal. Further, after that, the application can be returned from the IC card to the server device and executed on the server device. That is, the application can be shared between the server device and the IC card, and the user can take out the application in the server device using the IC card as necessary.

It is a figure which shows the structural example of an application utilization system. It is a figure which shows the structural example of an application utilization system. 2 is a block diagram illustrating a configuration example of a server device 100. FIG. 3 is a block diagram illustrating a specific example of a configuration of a communication terminal 200. FIG. 2 is a block diagram illustrating a configuration example of an IC card 300. FIG. It is a figure which shows the specific example of the flag which shows whether an IC card application is executable. It is a figure which shows operation | movement of the application utilization system when taking out an IC card application to an IC card. It is a figure which shows operation | movement of the application utilization system in the case of returning an IC card application to a server apparatus. It is a figure explaining the conventional payment method in a shopping site.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(Application system configuration)
First, the configuration of the application utilization system according to the present embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating a configuration of an application utilization system.

  The application utilization system shown in FIG. 1 includes a server device 100, a communication terminal 200, and an IC card 300. The server device 100 is a device having a function of holding and executing an IC card application. The IC card 300 has a function of executing an IC card application. The IC card application held in the server device 100 is taken out via the communication terminal 200, or the IC card application taken out is returned to the server device 100. To do.

  Further, the communication terminal 200 is connected to the server apparatus 100 via a network, and when the IC card 300 takes out an IC card application held in the server apparatus 100, the communication terminal 200 transmits an IC card application transmitted from the server apparatus 100. Send to IC card 300. Further, when the IC card application taken out by the IC card 300 is returned to the server apparatus 100, the IC card application transmitted from the IC card 300 is transmitted to the server apparatus 100. Hereinafter, the configuration of the server device 100, the communication terminal 200, and the IC card 300 will be described in detail.

(Configuration of server device)
First, the configuration of the server device 100 will be described. The server apparatus 100 includes an application holding unit 110, an output unit 120, a first processing control unit 130, an authentication request unit 140, an authentication execution unit 150, a read request unit 160, and a storage unit 171.

  The application holding unit 110 holds application data that is data related to the IC card application. This application data includes an entity module (hereinafter referred to as “application entity module”) that is data constituting the IC card application and related data (hereinafter referred to as “application-related data”) that is data used for the entity module. Data including at least one of them. Here, “data used for the entity module” corresponds to data required when using the IC card application, data referred to when processing the entity module, and the like, for example, the IC card application. Is an application that executes payment, data such as a charge balance, the cumulative number of payments, the date and time of final payment, and a user ID can be listed.

  When the IC card application is returned from the IC card 300 to the server device 100, the application holding unit 110 can process application data transmitted from the IC card 300 via the storage unit 171 described later. Hold on. Here, “hold in a processable state” specifically refers to, for example, storing received application data and setting a flag indicating whether or not an IC card application can be executed to an available state, For example, the received application data is stored and held in a memory or the like with no access restriction.

  When the application take-out request accepting unit 210 of the communication terminal 200 transmits an application data output request, the output unit 120 holds the application holding unit 110 in the application holding unit 110 only when the authentication execution unit 150 described later succeeds in authentication. The application data being encrypted is output to the communication terminal 200.

  Examples of the application data encryption method in the output unit 120 include a common key method and a public key method. In the common key method, the server apparatus 100 and the IC card 300 encrypt and decrypt application data with a shared key shared between the server apparatus 100 and the IC card 300. The shared key may be temporarily shared between the server apparatus 100 and the IC card 300 using a public key method or the like. In the public key method, the server apparatus 100 encrypts application data with the IC card public key, and the IC card 300 decrypts the encrypted application data with the IC card private key.

  When the output unit 120 outputs the application data to the communication terminal 200, the first processing control unit 130 makes it impossible to execute the IC card application in its own device. Specifically, “to make it impossible to execute an IC card application” specifically refers to, for example, setting a flag indicating whether or not an IC card application can be executed to an unusable state, or changing application data itself. The case where it deletes is mentioned.

  FIG. 6 is a specific example of a flag indicating whether or not an IC card application can be executed. Information 610 indicates the status of each IC card application “application 1”, “application 2”, “application 3” for each user “A”, “B”, “C” in the “application status” column. . There are three application states: “Normal”, “Now taking out”, and “Not used”. “Normal” means that the IC card application in the server apparatus 100 can be used. Further, “being taken out” means that the IC card application has been transferred to the IC card 300, and means that the IC card application cannot be used in the server device 100. “Unused” means that the IC card application is unused. Note that the “application-related data” column in the information 610 indicates the contents of the application-related data and is irrelevant to whether or not the IC card application can be executed.

  The authentication request unit 140 is triggered by the output unit 120 receiving an application data output request from the application take-out request accepting unit 210, or in the read request unit 160, the application request from the application return request accepting unit 261. The communication terminal 200 is requested for authentication information using the receipt of the return request as a trigger. Here, “authentication information” is information necessary for authenticating a user, and corresponds to a user ID, a password, or the like.

  The authentication execution unit 150 receives the authentication information from the communication terminal 200 as a reply to the authentication information request in the authentication request unit 140 and executes the authentication process.

  When the IC card 300 takes out the IC card application from the server device 100 and the user requests the server device 100 to return the IC card application via the communication terminal 200, the read request unit 160 authenticates the execution unit 150. Only when the authentication is successful in, a request to read application data from the IC card 300 is output. As will be described later, the IC card 300 outputs application data from the application output unit 320 in response to the read request.

  The storage unit 171 causes the application storage unit 110 to store encrypted application data transmitted from the second application storage unit 250 of the communication terminal 200.

(Configuration of communication terminal)
Next, the configuration of the communication terminal 200 will be described. The communication terminal 200 includes an application take-out request reception unit 210, a first application storage unit 220, an authentication information transmission unit 230, an application return request reception unit 261, an application reading unit 240, a second application storage unit 250, Have

  The application take-out request reception unit 210 receives an application data output request to the IC card 300 from the outside, and transmits this output request to the server device 100. Here, “accepting an output request (application data to the IC card 300) from the outside” means receiving an input from a user of the application using system according to the present embodiment, or via an external terminal or the like. This is the case when an output request is received.

  When receiving the application data requested by the application take-out request accepting unit 210 from the server device 100, the first application storage unit 220 transmits the application data to the IC card 300.

  The authentication information transmission unit 230 transmits authentication information received from the outside to the server device 100 in response to a request from the authentication request unit 140 of the server device 100. Here, “accepted from the outside” corresponds to a case where an input from a user of the application using system according to the present embodiment is accepted, a case where authentication information is received via an external terminal, or the like.

  The application return request accepting unit 261 accepts an application data return request from the IC card 300 to the server device 100 from the outside, and transmits the return request to the server device 100.

  When the application read unit 240 receives a read request transmitted by the read request unit 160 of the server device 100, the application read unit 240 transmits the read request to the IC card 300.

  When the application is received from the IC card 300 when the application is returned from the IC card 300 to the server device 100, the second application storage unit 250 transmits the application data to the server device 100.

  Note that the first application storage unit 220, the application reading unit 240, and the second application storage unit 250 described above are modules that merely mediate communication between the server device 100 and the IC card 300 (that is, understand the contents of data). Module).

(Configuration of IC card)
Next, the configuration of the IC card 300 will be described. The IC card 300 includes an application execution unit 310, an application output unit 320, and a second processing control unit 330.

  The application execution unit 310 holds the encrypted application data transmitted from the communication terminal 200, further decrypts and processes the encrypted application data, and executes the IC card application.

  The application output unit 320 encrypts and outputs the application-related data held in response to the read request transmitted by the read request unit 160 of the server device 100.

  Examples of the application data encryption method in the application output unit 320 include a common key method and a public key method. In the common key method, the server apparatus 100 and the IC card 300 encrypt and decrypt application data with a shared key shared between the server apparatus 100 and the IC card 300. The shared key may be temporarily shared between the server apparatus 100 and the IC card 300 using a public key method or the like. In the public key method, the IC card 300 encrypts application data with the server apparatus public key, and the server apparatus 100 decrypts the encrypted application data with the server apparatus private key.

  When the application output unit 320 outputs the application related data, the second processing control unit 330 makes it impossible to execute the IC card application by itself. Here, “to make the IC card application unexecutable” specifically means that, for example, the application data itself is deleted, or a flag indicating whether or not the IC card application can be executed cannot be used. The case where it sets to the state of this etc. is mentioned.

  More specifically, the application utilization system according to the present embodiment can be configured as shown in FIG. FIG. 2 is a diagram illustrating a specific example of the configuration of the application utilization system.

  The application using system is configured to include the server device 100, the communication terminal 200, and the IC card 300, which is the same as the configuration illustrated in FIG. Further, as described above, the server device 100 is connected to the communication terminal 200 via the network 10. The communication terminal 200 is connected with a monitor 400, a keyboard 500, and an IC card reader / writer 600. The communication terminal 200 writes application data to the IC card 300 via the IC card reader / writer 600. Or read out. Hereinafter, configurations of the server device 100 and the communication terminal 200 will be described in detail.

(Configuration of server device)
The server device 100 includes an application 1 (symbol 21), an application 2 (symbol 22),..., An application n (symbol 2n) (n is a positive integer), which are n IC card applications, and an application execution environment 101. A user authentication function unit 102, an application take-out function unit 103, an application return function unit 104, an application state / application related data DB 105, an IC card application entity module DB 106, and an IC card key information DB 107. .

  Application 1, application 2,..., Application n are modules having logic of an IC card application, and are modules that realize application entity modules.

  The application execution environment 101 is a module having a logic necessary for executing an IC card application, and is a module for realizing application-related data.

  The user authentication function unit 102 is a module that executes user authentication. The user authentication function unit 102 is a module for realizing the authentication request unit 140 and the authentication execution unit 150 in FIG.

  The application take-out function unit 103 is a module having a function of storing an application entity module and application-related data in the IC card 300. The application bring-out function unit 103 is a module for realizing the output unit 120 and the like in FIG.

  The application return function unit 104 is a module having a function of reading application-related data from the IC card 300 and storing it in the server device 100. The application return function unit 104 is a module for realizing the storage unit 171 and the like in FIG.

  The application state / application related data DB 105 is a database that manages the state of the IC card application and application related data for each user. That is, it is a database that holds the contents of the information 610 shown in FIG. The application state / application related data DB 105 is a module for realizing the first processing control unit 130 and the like in FIG.

  The IC card application entity module DB 106 is a database that manages application entity modules to be stored in the IC card 300.

  The IC card key information DB 107 is a database that manages key information held by the IC card 300. Specific examples of the key information include a public key corresponding to a secret key held by the IC card and a common key held by the IC card 300.

(Configuration of communication terminal)
The communication terminal 200 has a processing control function unit 201.

  The process control function unit 201 executes a process for the IC card 300 to take out the IC card application from the server apparatus 100 and to return the taken-out IC card application to the server apparatus. The processing control function unit 201 is a module for realizing the application take-out request receiving unit 210 and the like in FIG.

  Next, more specific configurations of the server device 100, the communication terminal 200, and the IC card 300 will be described below with reference to FIGS. 3 to 5 are block diagrams corresponding to the configuration shown in FIG.

(Specific configuration of server device)
First, a more specific configuration of the server device 100 will be described with reference to FIG. FIG. 3 is a block diagram illustrating a configuration example of the server apparatus 100. The server apparatus 100 includes a CPU (Central
Processing Unit (301), nonvolatile storage device 302, RAM (Random Access)
Memory) 303, network interface 304, and the like.

  The nonvolatile storage device 302 includes an application entity module 341, application-related data 342, an output module 351, a first processing control module 352, an authentication request module 353, an authentication execution module 354, and a read request module 355. The storage module 356 is held. The output module 351, the first process control module 352, the authentication request module 353, the authentication execution module 354, the read request module 355, and the storage module 356 are the output unit 120, the first process control unit 130, the authentication request unit 140, and the authentication, respectively. This is a module for realizing the execution unit 150, the read request unit 160, and the storage unit 171. In FIG. 3, the application entity module 341 and the application related data 342 (that is, application data) are held in the nonvolatile storage device 302, and the application holding unit 110 is realized by the nonvolatile storage device 302. The nonvolatile storage device 302 also stores the contents of the information 610 shown in FIG. 6 as data (not shown).

  In such a configuration, the application entity module 341, the application related data 342, and the modules 351, 352, 353, 354, 355, and 356 stored in the non-volatile storage device 302 are necessary as in a general computer. Accordingly, the RAM 303 is expanded as a work area, and various processes are performed by the CPU 301 executing them.

  The network interface 304 is an interface for connecting to the communication terminal 200, and is a wired or wireless communication interface. Specifically, it is an interface for performing communication by optical fiber, coaxial cable, radio, or the like.

(Specific configuration of communication terminal)
Next, a more specific configuration of the communication terminal 200 will be described with reference to FIG. FIG. 4 is a block diagram illustrating a configuration example of the communication terminal 200. Similar to the server apparatus 100, the communication terminal 200 includes a CPU 401, a nonvolatile storage device 402, a RAM 403, a network interface 404, and the like.

  The nonvolatile storage device 402 includes an application take-out request reception module 410, a first application storage module 420, an authentication information transmission module 430, an application read module 440, a second application storage module 450, and an application return request reception module. 461 is held. The application take-out request reception module 410, the first application storage module 420, the authentication information transmission module 430, the application read module 440, the second application storage module 450, and the application return request reception module 461, respectively, This is a module for realizing the one application storage unit 220, the authentication information transmission unit 230, the application reading unit 240, the second application storage unit 250, and the application return request reception unit 261.

  In such a configuration, as with a general computer, each module 410, 420, 430, 440, 450, 461 stored in the nonvolatile storage device 402 is expanded with the RAM 403 as a work area as necessary. These are executed by the CPU 401 to perform various processes.

  The network interface 404 is an interface for connecting to the server apparatus 100 and the IC card 300 (or the IC card reader / writer 600), and is a wired or wireless communication interface. Specifically, it is an interface for performing communication by optical fiber, coaxial cable, radio, or the like.

(Specific configuration of IC card)
Next, a more specific configuration of the IC card 300 will be described with reference to FIG. FIG. 5 is a block diagram illustrating a configuration example of the IC card 300. The IC card 300 includes a CPU 501, a ROM (Read Only Memory) 502, a RAM 503, an I / O port 504, a nonvolatile memory 505, and the like.

The ROM 502 holds an application execution module 510, an application output module 520, a second processing control module 530, and an application input module 541. The application execution module 510, the application input module 541, the application output module 520, and the second process control module 530 are modules for realizing the application execution unit 310, the application output unit 320, and the second process control unit 330, respectively. Each of the modules 510, 520, 530, and 541 described above is replaced with an EEPROM (Electrically) instead of the ROM 502.
(Erasable and Programmable Read Only Memory) or a non-volatile memory 505 such as a flash memory.

  Further, the application entity module 551 and the application related data 552 (that is, application data) taken out from the server device 100 are held in the nonvolatile memory 505.

  In such a configuration, as with a general computer, the application entity module 551, application-related data 552, and modules 510, 520, 530, and 541 stored in the ROM 502 and the nonvolatile memory 505 are stored in the RAM 503 as necessary. Are expanded as work areas, and they are executed by the CPU 501 to perform various processes.

  The I / O port 504 is an interface for connecting to the communication terminal 200 (or the IC card reader / writer 600).

(Operation of application usage system)
Next, the operation of the application use system according to the present embodiment will be described with reference to FIGS. FIG. 7 is a sequence diagram showing the operation of the application using system when the IC card 300 takes out the IC card application from the server device 100. FIG. 8 is a sequence diagram showing the operation of the application use system when the IC card application is returned from the IC card 300 to the server device 100.

(Operation when IC card application is taken out)
First, a case where the IC card 300 takes out an IC card application from the server apparatus 100 will be described with reference to FIG.

The user 700 uses the input interface such as the keyboard 500 connected to the communication terminal 200 to execute an IC card application take-out request (hereinafter referred to as “application take-out request”) to the communication terminal 200 (S701). ). This process is performed by, for example, a GUI (Graphical User) displayed on the monitor 400 connected to the communication terminal 200.
This is realized by inputting an application take-out request in (Interface). Then, the communication terminal 200 that has received the application take-out request makes an application take-out request to the server device 100 at the application take-out request reception unit 210 (S703). This application take-out request is accepted by the output unit 120 of the server device 100.

  Upon receiving the application take-out request, the server apparatus 100 requests authentication information from the communication terminal 200 through the authentication request unit 140 (S705). For example, when this request for authentication information is displayed on the monitor 400 connected to the communication terminal 200, the user 700 uses the input interface such as the keyboard 500 to send the ID and password as authentication information to the communication terminal 200. Is input (S707). The communication terminal 200 that has received the input of the authentication information of the user 700 transmits the input ID and password to the server device 100 in the authentication information transmission unit 230 (S709).

  The server apparatus 100 receives the ID and password at the authentication execution unit 150 and authenticates the user 700 (S711). If the authentication is successful, the output unit 120 reads predetermined application execution data held in the application holding unit 110, encrypts the application entity module in the output unit 120 (S713), and A storage request (that is, transmission of the application entity module) is performed (S715). At this time, the server apparatus 100 transmits a copy of the application entity module, and the application entity module itself remains held in the application holding unit 110.

  When the first application storage unit 220 receives the application entity module storage request from the server device 100, the communication terminal 200 transmits the storage request to the IC card 300 (S717).

  When receiving the application entity module storage request, the IC card 300 uses the application execution unit 310 to decrypt and hold the received application entity module (S719).

  When the storage of the application entity module is completed, the IC card 300 transmits a completion notification to the server device 100 via the communication terminal 200 (S721, S723).

  When the server device 100 receives a completion notification indicating that the application entity module has been stored from the IC card 300, the output unit 120 reads predetermined application-related data held in the application holding unit 110, and the output unit 120 The related data is encrypted (S725), and a storage request for application-related data (that is, transmission of application-related data) is performed (S727). At this time, the server device 100 transmits a copy of the application-related data, and the application-related data itself remains held in the application holding unit 110.

  When receiving a request for storing application-related data from the server device 100 in the first application storage unit 220, the communication terminal 200 transmits this storage request to the IC card 300 (S729).

  When the IC card 300 receives the application-related data storage request, the application execution unit 310 decrypts and holds the received application-related data (S731).

  When the storage of the application related data is completed, the IC card 300 transmits a completion notification to the server device 100 via the communication terminal 200 (S733, S735).

  When the server apparatus 100 receives the completion notification indicating that the application-related data has been stored from the IC card 300, the first process control unit 130 causes the “application” of the flag (information 610 in FIG. 6) indicating the state of the IC card application. "Status" is changed to "Now taking out" (S737).

  Note that the IC card 300 appropriately executes the IC card application by processing the application entity module and application-related data decrypted in steps S719 and S731.

(Operation when IC card application is returned)
Next, a case where an IC card application is returned from the IC card 300 to the server device 100 will be described with reference to FIG.

  The user 700 uses the input interface such as the keyboard 500 connected to the communication terminal 200 to execute an IC card application return request (hereinafter referred to as “application return request”) to the communication terminal 200 (S801). ). This process is realized, for example, by inputting an application return request using a GUI displayed on the monitor 400 connected to the communication terminal 200. And the communication terminal 200 which received this application return request makes an application return request with respect to the server apparatus 100 in the application return request reception part 261 (S803). This application return request is accepted by the read request unit 160 of the server device 100.

  Upon receiving the application return request, the server apparatus 100 requests authentication information from the communication terminal 200 through the authentication request unit 140 (S805). For example, when this request for authentication information is displayed on the monitor 400 connected to the communication terminal 200, the user 700 uses the input interface such as the keyboard 500 to send the ID and password as authentication information to the communication terminal 200. Is input (S807). The communication terminal 200 that has received the input of the authentication information of the user 700 transmits the input ID and password to the server device 100 in the authentication information transmitting unit 230 (S809).

  The server apparatus 100 receives the ID and password at the authentication execution unit 150 and authenticates the user 700 (S811). If the authentication is successful, the read request unit 160 requests the application related data to be read (S813).

  When receiving a request for reading application-related data from server device 100 at application reading unit 240, communication terminal 200 transmits this read request to IC card 300 (S815).

  When the IC card 300 accepts a request for reading application-related data, the application output unit 320 encrypts the application-related data held by the IC card 300 (S817), and passes through the second application storage unit 250 of the communication terminal 200. The encrypted application-related data is transmitted to the server device 100 (S819, S821).

  When receiving application-related data in the storage unit 171, the server apparatus 100 decrypts the application-related data (S 823) and updates the application-related data by holding it again in the application holding unit 110 (S 825).

  Then, the server apparatus 100 issues a deletion request for the application entity module and the application related data via the communication terminal 200 (S827, S829).

  When receiving the request for deleting the application entity module and the application related data, the IC card 300 deletes the application entity module and the application related data (S831). Thereafter, a completion notification is transmitted to the server apparatus 100 via the communication terminal 200 (S833, S835).

  When the server apparatus 100 receives a completion notification indicating that the application entity module and the application-related data have been deleted from the IC card 300, the server apparatus 100 sets the “application state” of the flag (information 610 in FIG. 6) indicating the state of the IC card application to “normal”. (S837).

  Note that the server apparatus 100 appropriately executes the IC card application by processing the held application entity module and the application-related data updated in step S825.

(Correspondence between Terms in Embodiment and Terms in Claims)
In the present embodiment, the authentication request unit 140 corresponds to the “first authentication request unit” and the “second authentication request unit” in the present invention. The authentication execution unit 150 corresponds to the “first authentication execution unit” and the “second authentication execution unit” in the present invention. The authentication information transmission unit 230 corresponds to the “first authentication information transmission unit” and the “second authentication information transmission unit” in the present invention.

  In the present embodiment, the application entity module corresponds to the “entity module” in the present invention. In the present embodiment, application-related data corresponds to “related data” in the present invention.

  Further, in the present embodiment, steps S701 and S703 in FIG. 7 correspond to the “app take-out request accepting step” in the present invention. Steps S715 and S727 in FIG. 7 correspond to the “output step” in the present invention. Step S737 in FIG. 7 corresponds to the “first processing control step” in the present invention. Steps S717 and S729 in FIG. 7 correspond to the “application storage step” in the present invention.

(Other embodiments)
In the above embodiment, the application entity module and the application-related data are separately transmitted when the application data is transmitted from the server apparatus 100 to the IC card (step S715, step S727, etc. in FIG. 7). ), The application entity module and the application-related data may be transmitted simultaneously.

  In the above embodiment, when the IC card application is taken out from the server apparatus 100 to the IC card 300, the application entity module held in the server apparatus 100 is held as it is, and the flag indicating whether or not the IC card application can be executed. Although the IC card application cannot be executed according to (information 610 in FIG. 6) (step S737 in FIG. 7), at least one of the application entity module and the application related data is deleted and the IC card application is returned. In addition, the deleted application entity module or application-related data may be stored in the application holding unit 110 again.

  Similarly, in the case where the IC card application is returned from the IC card 300 to the server device 100, the application entity module and the application-related data are deleted in the above embodiment (step S831 in FIG. 8). In addition, without deleting both of the application-related data and the application-related data, it is possible to make the IC card application unexecutable by deleting only one of them. Further, the IC card application may be disabled by a flag indicating whether or not the IC card application can be executed without deleting the application entity module and the application related data. In this case, when the application is taken out from the server device 100 again, the IC card application can be executed by setting the flag indicating whether or not the IC card application can be executed to an executable state. Good. It is assumed that this control is executed by the second process control unit 330.

  Further, in the above embodiment, when the IC card application is returned from the IC card 300 to the server apparatus 100, only the application related data is transmitted from the IC card 300 to the server apparatus 100 (step of FIG. 8). SS819), the application entity module may also be transmitted.

  Moreover, when outputting the application entity module or the application related data in the output unit 120 or the application output unit 320, the application entity module or the application related data may be divided into a plurality of times and output.

  In the above embodiment, the application take-out request reception unit 210, the authentication information transmission unit 230, and the application return request reception unit 261 are realized by specific software on the communication terminal 200. For example, a web browser In the above, a request for taking out an application, an input of authentication information, a request for returning an application from the user may be accepted.

(Summary)
As described above, according to the present invention, the application dedicated to the IC card held in the server device can be taken out to the IC card and used via the communication terminal. Further, after that, the application can be returned from the IC card to the server device and executed on the server device. That is, the application can be shared between the server device and the IC card, and the user can take out the application in the server device using the IC card as necessary.

DESCRIPTION OF SYMBOLS 10 Network 100 Server apparatus 101 Application execution environment 102 User authentication function part 103 Application take-out function part 104 Application return function part 105 Application state / application related data DB
106 IC card application entity module DB
107 IC card key information DB
DESCRIPTION OF SYMBOLS 110 Application holding | maintenance part 120 Output part 130 1st process control part 140 Authentication request part 150 Authentication execution part 160 Reading request | requirement part 171 Storage part 200 Communication terminal 201 Process control function part 210 Application take-out request reception part 220 1st application storage part 230 Authentication Information transmission unit 240 Application reading unit 250 Second application storage unit 261 Application return request reception unit 300 IC card 310 Application execution unit 320 Application output unit 330 Second processing control unit 400 Monitor 500 Keyboard 600 IC card reader / writer 610 IC card application Status information 700, 910 User

Claims (9)

An application utilization system comprising: an IC card having a function of executing an application; a communication terminal that transmits / receives application data that is data related to the application to / from the IC card; and a server device that holds the application data,
The communication terminal is
An application take-out request accepting unit that accepts an output request for the application data to the IC card from the outside, and transmits the output request to the server device;
A first application storage unit that, when receiving the application data as a response to the output request from the server device, transmits the application data to the IC card;
The server device
An application holding unit for holding the application data;
In response to the output request from the application take-out request receiving unit, an output unit that outputs the held application data to the communication terminal;
When the application data is output to the communication terminal, a first processing control unit that makes it impossible to execute the application in its own device,
The IC card is
An application utilization system comprising: an application execution unit that holds the application data transmitted from the communication terminal and further processes the application data to execute the application. The server device
In the output unit, upon receiving the output request from the application take-out request receiving unit, a first authentication request unit that requests authentication information from the communication terminal;
A first authentication execution unit that receives the authentication information from the communication terminal and executes an authentication process;
The communication terminal is
In response to a request from the first authentication request unit, the first authentication information transmission unit further transmits the authentication information received from the outside to the server device,
The application using system according to claim 1, wherein the output unit outputs the application data to the communication terminal only when authentication is successful in the first authentication execution unit. The output unit encrypts and outputs the application data,
Upon receiving the encrypted application data, the first application storage unit transmits the encrypted application data to the IC card,
The application use system according to claim 1, wherein the application execution unit decrypts and processes the encrypted application data. The communication terminal is
An application return request receiving unit that receives a return request for the application data from the IC card to the server device from the outside, and transmits the return request to the server device;
When receiving a read request for the application data from the IC card as a response to the return request from the server device, an application reading unit that transmits the read request to the IC card;
A second application storage unit that, when receiving the application data as a response to the read request from the IC card, transmits the application data to the server device;
The server device
In response to the return request from the application return request receiving unit, further includes a read request unit that outputs the read request,
The IC card is
In response to the read request from the application reading unit, an application output unit that outputs the held application data;
When the application data is output in the application output unit, a second processing control unit that makes it impossible to execute the application in the own card, and
The application use system according to any one of claims 1 to 3, wherein the application holding unit holds the application data received as a reply to the read request in the read request unit in a processable state. . The server device
In the read request unit, upon receiving the return request from the application return request receiving unit, a second authentication request unit that requests authentication information from the communication terminal;
A second authentication execution unit that receives the authentication information from the communication terminal and executes an authentication process;
The communication terminal is
In response to a request by the second authentication requesting unit, further comprising a second authentication information transmitting unit that transmits the authentication information received from the outside to the server device,
5. The application utilization system according to claim 4, wherein the read request unit outputs the read request to the communication terminal only when authentication is successful in the second authentication execution unit. The application output unit encrypts and outputs the application data,
When the second application storage unit receives the encrypted application data, the second application storage unit transmits the encrypted application data to the server device,
The application use system according to claim 4 or 5, wherein the application holding unit holds application data transmitted from the second application storage unit.   7. The application data according to claim 1, wherein the application data includes at least one of an entity module that is data constituting the application and related data that is data used for the entity module. Application usage system. An application usage method executed by an IC card having a function of executing an application, a communication terminal that transmits / receives application data that is data related to the application to / from the IC card, and a server device that holds the application data. ,
In the communication terminal, accepting an output request for the application data to the IC card from the outside, and an app take-out request accepting step for transmitting the output request to the server device;
In the server device, in response to the output request transmitted from the communication terminal, an output step of outputting the application data held in the own device to the communication terminal;
In the server device, when the application data is output to the communication terminal, a first process control step that makes it impossible to execute the application in the own device;
In the communication terminal, upon receiving the application data transmitted from the server device, a first application storing step of transmitting the application data to the IC card;
In the IC card, holding the application data transmitted from the communication terminal, further, an application execution step of processing the application data to execute the application,
An application using method characterized by comprising: In the communication terminal, from the outside, an application return request reception step of receiving a return request for the application data from the IC card to the server device and transmitting the return request to the server device;
In the server device, in response to the return request transmitted from the communication terminal, a read request step for outputting a read request for the application data from the IC card;
In the communication terminal, when the read request is received from the server device, an application read step of transmitting the read request to the IC card;
In the IC card, in response to the read request transmitted from the communication terminal, an application output step of outputting the held application data;
In the IC card, when the application data is output in the application output step, a second process control step in which the application cannot be executed in the own card;
In the communication terminal, when receiving the application data transmitted from the IC card, a second application storing step of transmitting the application data to the server device;
In the server device, a holding step of holding the application data transmitted from the communication terminal in a processable state;
The application using method according to claim 8, further comprising:

Images